Data Classification
This reference defines the classification levels, handling requirements, and labelling standards for categorising data according to sensitivity and impact. Use this page to determine the correct classification for specific data types and to identify the controls required at each level.
Classification Level Definitions
Data classification assigns a sensitivity label to information based on the potential harm that unauthorised disclosure, modification, or loss would cause. The classification determines minimum handling requirements throughout the data lifecycle.
```
+------------------------------------------------------------------+
|                     CLASSIFICATION HIERARCHY                     |
+------------------------------------------------------------------+
|                                                                  |
|  +------------------------------------------------------------+  |
|  | RESTRICTED                                                 |  |
|  | Severe harm to individuals or organisation                 |  |
|  | Examples: protection case files, safeguarding allegations  |  |
|  +------------------------------------------------------------+  |
|                                |                                 |
|  +------------------------------------------------------------+  |
|  | CONFIDENTIAL                                               |  |
|  | Significant harm if disclosed                              |  |
|  | Examples: staff records, financial accounts, donor data    |  |
|  +------------------------------------------------------------+  |
|                                |                                 |
|  +------------------------------------------------------------+  |
|  | INTERNAL                                                   |  |
|  | Minor harm or operational disruption                       |  |
|  | Examples: internal policies, meeting notes, project plans  |  |
|  +------------------------------------------------------------+  |
|                                |                                 |
|  +------------------------------------------------------------+  |
|  | PUBLIC                                                     |  |
|  | No harm from disclosure; intended for release              |  |
|  | Examples: annual reports, press releases, published data   |  |
|  +------------------------------------------------------------+  |
|                                                                  |
+------------------------------------------------------------------+
```
Figure 1: Four-tier classification hierarchy with impact definitions
- Public
  - Information approved for unrestricted distribution. Disclosure causes no harm to individuals, operations, or organisational reputation. This classification applies to content explicitly cleared for external release: published reports, marketing materials, public datasets, and press statements. Data defaults to Internal unless explicitly approved as Public through a defined release process.
- Internal
  - Information intended for use within the organisation and trusted partners. Unauthorised disclosure causes minor operational disruption, limited reputational impact, or competitive disadvantage, but does not harm individuals or violate legal obligations. Internal represents the default classification for business information not meeting criteria for higher levels. Examples include internal policies, operational procedures, staff directories without contact details, and general project documentation.
- Confidential
  - Information whose disclosure causes significant harm to individuals, substantial financial loss, regulatory penalties, or serious reputational damage. Confidential data includes personal data subject to privacy regulations, financial records, contractual information with confidentiality clauses, donor records, and strategic plans. Access requires explicit authorisation and a documented business need.
- Restricted
  - Information whose disclosure causes severe or irreversible harm to individuals, critical operational failure, existential organisational risk, or danger to life. Restricted classification applies to protection and safeguarding case data, whistleblower identities, security vulnerability details, and information about individuals facing persecution, violence, or trafficking. Access requires senior management approval and is limited to named individuals with direct operational responsibility.
Handling Requirements
Each classification level mandates specific controls across storage, transmission, access, retention, and disposal. These requirements represent minimums; higher controls are always permissible.
| Requirement | Public | Internal | Confidential | Restricted |
|---|---|---|---|---|
| Storage encryption | Not required | Recommended | Required (AES-256) | Required (AES-256) |
| Transmission encryption | HTTPS | TLS 1.2+ | TLS 1.3 required | TLS 1.3, end-to-end where feasible |
| Access control | None | Authentication required | Role-based, need-to-know | Named individuals, senior approval |
| Sharing external | Unrestricted | NDA or partnership agreement | Written authorisation, DPA | Prohibited without executive approval |
| Sharing internal | Unrestricted | Business need | Documented justification | Named recipient list |
| Cloud storage | Any provider | Approved providers | Approved providers, EU/UK only | On-premises or sovereign cloud |
| Mobile devices | Permitted | MDM required | MDM + encryption | Prohibited except approved devices |
| Printing | Unrestricted | Collect promptly | Secure print release | Prohibited or witnessed collection |
| Retention period | Per policy | Per policy | Maximum necessary | Minimum necessary |
| Disposal method | Standard deletion | Secure deletion | Cryptographic erasure | Physical destruction + certificate |
| Audit logging | Not required | Access logs | Access + modification logs | Full audit trail, tamper-evident |
| Breach notification | Not required | Internal review | 72-hour regulatory assessment | Immediate escalation, 24-hour assessment |
Labelling Standards
Classification labels appear in document headers, footers, metadata, and system interfaces. Consistent labelling enables automated policy enforcement and user awareness.
Document Labelling
Text documents, spreadsheets, and presentations carry classification labels in the header or footer of every page, in the format [CLASSIFICATION] - [Organisation Name]. Cover pages display the classification prominently in a minimum 14-point font.
Confidential and Restricted documents include a distribution statement on the cover page or first page:
```
CONFIDENTIAL - [Organisation Name]
Distribution limited to: [named recipients or role groups]
Handling: Do not forward without authorisation from [data owner role]
```
Restricted documents add a unique document identifier for tracking:
```
RESTRICTED - [Organisation Name]
Document ID: REST-2024-00147
Authorised recipients: [named individuals]
This document must not be copied, forwarded, or discussed outside the named recipient list.
```
Email Labelling
Email subject lines include the classification in square brackets at the start: [CONFIDENTIAL] Q3 Financial Review. Email clients with sensitivity labelling (Microsoft 365, Google Workspace) use native classification features that persist through replies and forwards.
Restricted information is not transmitted via standard email. Where electronic transmission is unavoidable, use encrypted file attachments with passwords communicated through a separate channel, or purpose-built secure messaging platforms.
File Naming
File names incorporate classification abbreviations for Confidential and Restricted documents:
| Classification | Abbreviation | Example filename |
|---|---|---|
| Public | None required | annual-report-2024.pdf |
| Internal | None required | staff-handbook-v3.docx |
| Confidential | CONF | CONF-donor-database-export-2024-03.xlsx |
| Restricted | REST | REST-case-file-2024-00892.pdf |
System Labelling
Databases, file shares, and applications display classification through consistent visual indicators. Systems storing Confidential data display a yellow banner; systems storing Restricted data display a red banner. The banner remains visible during all user interactions and cannot be dismissed.
```
+------------------------------------------------------------------+
| [!] CONFIDENTIAL SYSTEM - Authorised users only                  |
+------------------------------------------------------------------+
|                                                                  |
|                      Application Interface                       |
|                                                                  |
+------------------------------------------------------------------+
```
Figure 2: System classification banner placement
Metadata Standards
Digital files carry classification in document metadata where the format supports it. Microsoft Office documents use the Sensitivity property. PDFs use custom metadata fields. The metadata classification must match the visual label; discrepancies trigger review.
| File format | Metadata location | Field name |
|---|---|---|
| Microsoft Office | Document Properties > Custom | Classification |
| PDF | Document Properties > Custom | Classification |
| Images (JPEG, PNG) | EXIF/XMP | Classification |
| Email (MSG, EML) | X-Header | X-Classification |
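A label-consistency check for email, added here as an example and not part of the original reference: it compares the subject-line label with the X-Classification header, reads the CONF/REST file-name prefixes of attachments, and flags Restricted content on standard email. The function names, the finding strings and the rule that an attachment must not outrank the message label are assumptions; the sample messages are constructed.

```python
import re
from email import message_from_string
from email.message import EmailMessage

LEVELS = ["PUBLIC", "INTERNAL", "CONFIDENTIAL", "RESTRICTED"]  # ascending sensitivity
ABBREV = {"CONF": "CONFIDENTIAL", "REST": "RESTRICTED"}  # file-name prefixes

def subject_label(subject):
    """Classification from a leading [LABEL] in the subject, or None."""
    m = re.match(r"\s*\[([A-Za-z]+)\]", subject or "")
    label = m.group(1).upper() if m else None
    return label if label in LEVELS else None

def filename_label(name):
    """Classification implied by a CONF-/REST- file-name prefix, or None."""
    return ABBREV.get(name.split("-", 1)[0].upper())

def review_message(raw):
    """Return the labelling discrepancies found in one raw EML message."""
    msg = message_from_string(raw)
    visual = subject_label(msg["Subject"])
    header = (msg["X-Classification"] or "").strip().upper() or None
    findings = []
    if visual is None:
        findings.append("subject has no classification label")
    if header is not None and header not in LEVELS:
        findings.append("unknown X-Classification value")
    elif header != visual:
        findings.append("X-Classification missing or does not match subject")
    labels = {visual, header}
    for part in msg.walk():
        name = part.get_filename() or ""
        attached = filename_label(name)
        labels.add(attached)
        # Assumption: attachment must not outrank the message label (unlabelled = Internal).
        if attached and LEVELS.index(attached) > LEVELS.index(visual or "INTERNAL"):
            findings.append(f"attachment {name} outranks message label")
    if "RESTRICTED" in labels:  # Restricted is not sent by standard email
        findings.append("Restricted content on standard email")
    return findings

def sample(subject, header=None, attachment=None):
    """Build a constructed test message (not real mail)."""
    m = EmailMessage()
    m["Subject"] = subject
    if header:
        m["X-Classification"] = header
    m.set_content("constructed body")
    if attachment:
        m.add_attachment(b"constructed", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_string()

if __name__ == "__main__":
    print(review_message(sample("[CONFIDENTIAL] Q3 Financial Review", "Internal")))
```

A file-name prefix is only a hint: any name that happens to begin with REST- or CONF- will match, so findings from this check feed a review rather than an automatic block.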
Classification Decision Criteria
Classification follows a risk-based assessment considering confidentiality, integrity, and availability impacts. The highest impact across any dimension determines the classification level.
Confidentiality Impact Assessment
Confidentiality impact measures harm from unauthorised disclosure. Assess against this scale:
| Impact level | Harm description | Classification |
|---|---|---|
| None | Information intended for public release | Public |
| Low | Minor embarrassment, limited operational insight to competitors | Internal |
| Moderate | Regulatory penalty under £100,000, significant reputational damage, individual distress | Confidential |
| High | Regulatory penalty over £100,000, danger to individuals, organisational viability threat | Restricted |
Integrity Impact Assessment
Integrity impact measures harm from unauthorised modification. Data requiring high integrity assurance elevates classification regardless of confidentiality:
| Impact level | Harm description | Minimum classification |
|---|---|---|
| Low | Correction causes minor inconvenience | Internal |
| Moderate | Incorrect data causes financial loss under £50,000 or operational disruption | Confidential |
| High | Incorrect data endangers individuals, causes loss over £50,000, or violates legal obligations | Restricted |
Availability Impact Assessment
Availability impact measures harm from data loss or inaccessibility. While availability primarily drives backup and recovery requirements, extreme availability needs can influence classification:
| Impact level | Harm description | Classification influence |
|---|---|---|
| Low | Disruption under 24 hours tolerable | No elevation |
| Moderate | Disruption over 24 hours causes significant operational impact | Consider Confidential |
| High | Any loss or inaccessibility endangers individuals or violates legal obligations | Consider Restricted |
Combined Assessment
Apply the highest classification indicated by any single dimension:
```
+------------------------------------------------------------------+
|                   CLASSIFICATION DECISION FLOW                   |
+------------------------------------------------------------------+
|                                                                  |
|  Assess confidentiality impact -----> Classification A           |
|                                                                  |
|  Assess integrity impact ----------> Classification B            |
|                                                                  |
|  Assess availability impact -------> Classification C            |
|                                                                  |
|  Final classification = MAX(A, B, C)                             |
|                                                                  |
|  Example:                                                        |
|    Confidentiality: Low (Internal)                               |
|    Integrity: Moderate (Confidential)                            |
|    Availability: Low (no elevation)                              |
|    Result: Confidential                                          |
|                                                                  |
+------------------------------------------------------------------+
```
Figure 3: Classification determined by maximum impact across dimensions
Aggregation Effect
Individual data elements at a lower classification can aggregate to a higher classification when combined. A staff directory containing names (Internal) combined with home addresses (Confidential) and salary information (Confidential) creates a dataset classified as Confidential overall. When aggregated data additionally reveals organisational vulnerabilities or patterns enabling harm, Restricted classification applies.
Assess aggregation at the dataset level, not individual records. A database containing 10,000 Internal records remains Internal. A database containing 9,999 Internal records and 1 Restricted record becomes Restricted for access control purposes, though individual Internal records may be extracted and handled at their native classification.
Reclassification
Classification is not permanent. Data requires reclassification when circumstances change, time passes, or initial classification proves incorrect.
Downgrade Triggers
| Trigger | Action | Example |
|---|---|---|
| Public release | Reclassify to Public | Financial results after publication |
| Time expiry | Reclassify per schedule | Strategic plans after implementation |
| Relationship end | Assess continued sensitivity | Partner data after partnership concludes |
| Individual consent | Reclassify per consent scope | Case study approved for publication |
| Legal obligation expires | Reclassify to lower level | Investigation data after retention period |
Downgrade requires approval from the data owner. Restricted-to-Confidential downgrade requires senior management approval. Bulk downgrades require documented justification and spot-check verification.
Upgrade Triggers
| Trigger | Action | Example |
|---|---|---|
| Aggregation | Elevate combined dataset | Combining datasets reveals sensitive patterns |
| Context change | Reassess impact | Staff location data during security incident |
| New information | Reassess harm potential | Subject identified as at-risk individual |
| Regulatory change | Apply new requirements | Data brought under new privacy regulation |
| Threat change | Reassess adversary interest | Data targeted by threat actor |
Upgrade takes effect immediately upon identification. Users who discover data requiring upgrade must report it to the data owner within 24 hours. Pending the upgrade decision, treat the data at the higher classification.
Reclassification Records
Maintain reclassification records for Confidential and Restricted data:
| Record field | Content |
|---|---|
| Data identifier | Document ID, database name, or file path |
| Previous classification | Classification before change |
| New classification | Classification after change |
| Trigger | Reason for reclassification |
| Approver | Name and role of approving authority |
| Date | Effective date of reclassification |
| Review date | Next scheduled review (upgrades: immediate; downgrades: 12 months) |
Classification by Data Type
This section provides classification guidance for common data categories. Apply the decision criteria above when data does not fit listed categories or when specific circumstances warrant different treatment.
Personnel Data
| Data type | Default classification | Notes |
|---|---|---|
| Staff names and job titles | Internal | Public if in published materials |
| Staff contact details (work) | Internal | |
| Staff contact details (personal) | Confidential | |
| Salary and compensation | Confidential | |
| Performance reviews | Confidential | |
| Disciplinary records | Confidential | Restricted if safeguarding-related |
| Medical information | Confidential | Restricted if affects safety decisions |
| Background check results | Confidential | |
| Next-of-kin and emergency contacts | Confidential | |
| Whistleblower identity | Restricted | |
| Staff under threat | Restricted | |
Financial Data
| Data type | Default classification | Notes |
|---|---|---|
| Published financial statements | Public | After publication |
| Draft financial statements | Confidential | Until publication |
| Bank account details | Confidential | |
| Donor payment information | Confidential | |
| Individual transaction records | Confidential | |
| Budget documents | Internal | Confidential if strategic |
| Audit reports | Confidential | |
| Fraud investigation records | Restricted | |
Programme Data
| Data type | Default classification | Notes |
|---|---|---|
| Published programme reports | Public | After publication |
| Beneficiary aggregate statistics | Internal | If non-identifiable |
| Beneficiary contact details | Confidential | |
| Beneficiary assessment data | Confidential | |
| Beneficiary biometric data | Restricted | |
| Protection case files | Restricted | See Protection Data Classification |
| Needs assessment raw data | Confidential | |
| Distribution records with names | Confidential | |
| Location data of vulnerable populations | Restricted | |
Organisational Data
| Data type | Default classification | Notes |
|---|---|---|
| Published policies | Public | If externally shared |
| Internal policies | Internal | |
| Strategic plans (current) | Confidential | Internal after implementation |
| Board minutes | Confidential | |
| Legal advice | Confidential | |
| Contracts | Confidential | |
| Insurance policies | Confidential | |
| Security assessments | Restricted | |
| Incident reports | Confidential | Restricted if protection-related |
Technical Data
| Data type | Default classification | Notes |
|---|---|---|
| System documentation | Internal | |
| Network diagrams | Confidential | |
| Vulnerability scan results | Restricted | Until remediated |
| Penetration test reports | Restricted | |
| Security configurations | Confidential | |
| Encryption keys | Restricted | |
| Access credentials | Restricted | |
| Audit logs | Confidential | Restricted if containing sensitive actions |
| Backup media | Same as source data | |
Ownership and Responsibilities
Each data asset has a designated data owner accountable for classification decisions. Data owners are typically the senior manager of the function generating or primarily using the data.
| Role | Classification responsibilities |
|---|---|
| Data owner | Assign initial classification, approve reclassification, define access requirements, conduct periodic review |
| Data custodian | Implement technical controls matching classification, maintain labelling, report classification anomalies |
| Data user | Handle data per classification requirements, report misclassification, request reclassification when warranted |
| Information security | Define classification framework, audit compliance, provide guidance on edge cases |
Data owners review classification of Confidential and Restricted data annually. Internal data review occurs every three years or upon significant change to data use.