What is data classification and why is it important?

Data classification is the process of labeling information by its sensitivity level, typically Public, Internal, Confidential, and Restricted. Each level carries specific handling, storage, and sharing rules. Classification matters because it determines who can access data and how it must be protected. Without classification, employees cannot make informed decisions about sharing, and organizations cannot enforce consistent protection across different data types.

What is the difference between Confidential and Restricted data?

Confidential data includes information that could harm the organization if disclosed, such as financial reports, customer lists, or strategic plans. Restricted data carries the highest sensitivity and often has legal or regulatory protection requirements, including personally identifiable information (PII), health records, payment card data, and trade secrets. Restricted data typically requires encryption at rest and in transit, strict access controls, and audit logging.

Data Classification Basics

Label data correctly by sensitivity level.

What You'll Learn

Assign correct classification labels (Public, Internal, Confidential, Restricted) to documents and datasets based on content sensitivity and regulatory requirements
Apply the appropriate handling procedures for each classification level, including storage, encryption, sharing, and disposal requirements
Reclassify information when its sensitivity changes due to publication, project completion, or regulatory developments
Identify common misclassification mistakes that lead to data exposure, including treating regulated personal data as Internal-only
Recognize the organizational and regulatory consequences of misclassification, from compliance violations to data breaches

Training Steps

Welcome to Prism Analytics

Welcome to Prism Analytics! You are Alice, a marketing coordinator who works with client data, campaign metrics, and promotional materials daily. Today you'll complete the annual data classification training - a requirement for all employees who handle company information. Understanding how to classify data correctly is essential for protecting both the company and its clients.
Why Classification Matters

Not all data is created equal. A press release and a client's financial records require very different levels of protection. Data classification helps everyone in the organization understand: What data they're handling How sensitive it is What protections are required Who can access it Without proper classification, employees might accidentally share confidential information or waste resources over-protecting public data.
Training Notification

Alice receives an email from the Information Security team about the mandatory annual data classification training.
Accessing the Security Portal

Alice clicks the link to access the Security Training Portal. This centralized system contains all security training materials and compliance tracking.
The Four Classification Levels

The Security Training Portal displays the four data classification levels used at Prism Analytics: Public - Information intended for public release Internal - General business information for employees only Confidential - Sensitive business or client information Restricted - Highly sensitive data with strict controls Each level has specific handling requirements that increase with sensitivity.
Public and Internal Data

The first level is Public data - information explicitly approved for external release. Examples: Published press releases Marketing brochures and website content Public job postings Published annual reports Handling: No special protections required Can be shared freely with anyone Still requires approval before publishing The second level is Internal data - general business information meant for employees only. Examples: Internal policies and procedures Org charts and employee directories Meeting notes and project plans Internal announcements Handling: Share only with employees who need it Do not post publicly or share externally Use company email for distribution No special encryption required
Confidential Data

The third level is Confidential data - sensitive information that could harm the business or clients if disclosed. Examples: Client contracts and proposals Financial reports and forecasts Business strategies and plans Non-public product information Employee performance reviews Handling: Encrypt when sending externally Password-protect sensitive documents Verify recipient identity before sharing Use secure file sharing, not personal email Mark documents as 'Confidential'
Restricted Data

The highest level is Restricted data - highly sensitive information requiring the strictest controls. Examples: Personal identifiable information (PII): SSN, passport numbers Payment card data (PCI) Health records (PHI) Authentication credentials and encryption keys Trade secrets and intellectual property Handling: Always encrypted at rest and in transit Access limited to specific approved individuals Audit logging required for all access Immediate reporting of any unauthorized access Special disposal procedures required
Classification Practice

The portal presents a document for you to classify. Document: A spreadsheet containing the names, email addresses, and phone numbers of all employees in the marketing department. Think about: Who should have access to this? What would happen if it were leaked?
Training Complete

The portal confirms Alice has completed the data classification training. Her compliance record has been updated. The system displays a quick reference guide for the classification levels that Alice can access anytime.

What You'll Learn

Training Steps

Welcome to Prism Analytics

Why Classification Matters

Training Notification

Accessing the Security Portal

The Four Classification Levels

Public and Internal Data

Confidential Data

Restricted Data

Classification Practice

Training Complete