Data Classification Basics
Label data correctly by sensitivity level.
What You'll Learn
- Assign correct classification labels (Public, Internal, Confidential, Restricted) to documents and datasets based on content sensitivity and regulatory requirements
- Apply the appropriate handling procedures for each classification level, including storage, encryption, sharing, and disposal requirements
- Reclassify information when its sensitivity changes due to publication, project completion, or regulatory developments
- Identify common misclassification mistakes that lead to data exposure, including treating regulated personal data as Internal-only
- Recognize the organizational and regulatory consequences of misclassification, from compliance violations to data breaches
Training Steps
-
Welcome to Prism Analytics
Welcome to Prism Analytics! You are Alice, a marketing coordinator who works with client data, campaign metrics, and promotional materials daily. Today you'll complete the annual data classification training - a requirement for all employees who handle company information. Understanding how to classify data correctly is essential for protecting both the company and its clients.
-
Why Classification Matters
Not all data is created equal. A press release and a client's financial records require very different levels of protection. Data classification helps everyone in the organization understand: What data they're handling How sensitive it is What protections are required Who can access it Without proper classification, employees might accidentally share confidential information or waste resources over-protecting public data.
-
Training Notification
Alice receives an email from the Information Security team about the mandatory annual data classification training.
-
Accessing the Security Portal
Alice clicks the link to access the Security Training Portal. This centralized system contains all security training materials and compliance tracking.
-
The Four Classification Levels
The Security Training Portal displays the four data classification levels used at Prism Analytics: Public - Information intended for public release Internal - General business information for employees only Confidential - Sensitive business or client information Restricted - Highly sensitive data with strict controls Each level has specific handling requirements that increase with sensitivity.
-
Public and Internal Data
The first level is Public data - information explicitly approved for external release. Examples: Published press releases Marketing brochures and website content Public job postings Published annual reports Handling: No special protections required Can be shared freely with anyone Still requires approval before publishing The second level is Internal data - general business information meant for employees only. Examples: Internal policies and procedures Org charts and employee directories Meeting notes and project plans Internal announcements Handling: Share only with employees who need it Do not post publicly or share externally Use company email for distribution No special encryption required
-
Confidential Data
The third level is Confidential data - sensitive information that could harm the business or clients if disclosed. Examples: Client contracts and proposals Financial reports and forecasts Business strategies and plans Non-public product information Employee performance reviews Handling: Encrypt when sending externally Password-protect sensitive documents Verify recipient identity before sharing Use secure file sharing, not personal email Mark documents as 'Confidential'
-
Restricted Data
The highest level is Restricted data - highly sensitive information requiring the strictest controls. Examples: Personal identifiable information (PII): SSN, passport numbers Payment card data (PCI) Health records (PHI) Authentication credentials and encryption keys Trade secrets and intellectual property Handling: Always encrypted at rest and in transit Access limited to specific approved individuals Audit logging required for all access Immediate reporting of any unauthorized access Special disposal procedures required
-
Classification Practice
The portal presents a document for you to classify. Document: A spreadsheet containing the names, email addresses, and phone numbers of all employees in the marketing department. Think about: Who should have access to this? What would happen if it were leaked?
-
Training Complete
The portal confirms Alice has completed the data classification training. Her compliance record has been updated. The system displays a quick reference guide for the classification levels that Alice can access anytime.