Information sensitivity


Information sensitivity is the control of access to information or knowledge that might result in loss of an advantage or level of security if disclosed to others. [1]


Loss, misuse, modification, or unauthorized access to sensitive information can adversely affect the privacy or welfare of an individual, trade secrets of a business or even the security and international relations of a nation depending on the level of sensitivity and nature of the information. [2]

Non-sensitive information

Public information

This refers to information that is already a matter of public record or knowledge. With regard to government and private organizations, access to or release of such information may be requested by any member of the public, and there are often formal processes laid out for how to do so. [3] The accessibility of government-held public records is an important part of government transparency, accountability to its citizens, and the values of democracy. [4] Public records may furthermore refer to information about identifiable individuals that is not considered confidential, including but not limited to: census records, criminal records, sex offender registry files, and voter registration.

Routine business information

This includes business information that is not subjected to special protection and may be routinely shared with anyone inside or outside of the business.

Types of sensitive information

Confidential information is used in a general sense to mean sensitive information whose access is subject to restriction, and may refer to information about an individual as well as that which pertains to a business.

There are situations in which the release of personal information could harm its owner. For example, a person trying to avoid a stalker will want to restrict access to their personal information far more tightly than usual. Likewise, a person's SSN or SIN, credit card numbers, and other financial information are considered private where their disclosure could enable crimes such as identity theft or fraud.

Some types of private information, including records of a person's health care, education, and employment may be protected by privacy laws. [5] Unauthorized disclosure of private information can make the perpetrator liable for civil remedies and may in some cases be subject to criminal penalties.

Although the terms are often used interchangeably, personal information is sometimes distinguished from private information, or personally identifiable information (PII). Private information is information that can be used to identify a unique individual. Personal information, by contrast, belongs to the private life of an individual but cannot on its own be used to identify that individual; it can range from a person's favourite colour to the details of their domestic life. [6] The latter is a common example of personal information that is also regarded as sensitive: the individual sharing these details with a trusted listener would prefer that they not be passed on to anyone else, and their onward disclosure may have unwanted consequences.

Confidential business information

Confidential business information (CBI) refers to information whose disclosure may harm the business. Such information may include trade secrets, sales and marketing plans, new product plans, notes associated with patentable inventions, customer and supplier information, financial data, and more. [7]

Under the US Toxic Substances Control Act (TSCA), CBI is defined as proprietary information, considered confidential by the submitter, whose release would cause substantial business injury to the owner. As of 2016, the US EPA may review a company's CBI claim and determine whether it is valid. [8]

Classified

Classified information generally refers to information that is subject to special security classification regulations imposed by many national governments, the disclosure of which may cause harm to national interests and security. The protocol of restriction imposed upon such information is categorized into a hierarchy of classification levels in almost every national government worldwide, with the most restricted levels containing information that may cause the greatest danger to national security if leaked. Authorized access is granted to individuals on a need to know basis who have also passed the appropriate level of security clearance. Classified information can be reclassified to a different level or declassified (made available to the public) depending on changes of situation or new intelligence.

Classified information may also carry handling caveats that specify the method of communication or access. For example, a document marked Protectively Marked "Secret" Eyes Only must be physically read by the recipient and may not be openly discussed, for instance over a telephone; one marked Protectively Marked "Secret" Encrypted transfer only may be sent only by encrypted means. "Eyes Only" is often mistakenly taken to mean "for the eyes of the intended recipient only"; [9] that this is not its meaning becomes apparent when the additional caveat "Not within windowed area" is also used.
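The access decision described above (clearance level plus need-to-know, with handling caveats constraining transmission separately) can be made concrete in a small lattice model. The following is an added example, not code from the original article or from any government scheme: the level names, the representation of need-to-know as a set of compartments, and the caveat and channel names are all assumptions made for the illustration.

```python
# Added example: a minimal model of the access decision described above.
# Illustrative only: level names, compartment names, caveat names and
# channel names are assumptions made for the example.
from dataclasses import dataclass, field
from enum import IntEnum


class Level(IntEnum):
    """Hierarchical classification levels, least to most restricted (assumed names)."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass(frozen=True)
class Label:
    """What a document carries: a level, need-to-know compartments, handling caveats."""
    level: Level
    compartments: frozenset = field(default_factory=frozenset)
    caveats: frozenset = field(default_factory=frozenset)


@dataclass(frozen=True)
class Subject:
    """What a person carries: a clearance level and the compartments they are read into."""
    name: str
    clearance: Level
    compartments: frozenset = field(default_factory=frozenset)


def dominates(subject, doc):
    """Lattice dominance ("no read up"): clearance at or above the document's
    level AND every compartment on the document held by the subject."""
    return subject.clearance >= doc.level and doc.compartments <= subject.compartments


def can_read(subject, doc):
    """Return (allowed, reason); the reason names the first failing condition.
    A high clearance alone is never enough: need-to-know is checked separately."""
    if subject.clearance < doc.level:
        return False, f"clearance {subject.clearance.name} is below {doc.level.name}"
    missing = doc.compartments - subject.compartments
    if missing:
        return False, f"not read into compartment(s): {sorted(missing)}"
    return True, "clearance dominates label"


def can_transmit(doc, channel):
    """Handling caveats constrain how a document moves, independently of who may
    read it.  ENCRYPTED_ONLY forbids unencrypted channels; EYES_ONLY forbids
    discussing the content over a voice channel.  Channel names are assumed."""
    if "ENCRYPTED_ONLY" in doc.caveats and channel in {"plaintext_email", "fax", "telephone"}:
        return False
    if "EYES_ONLY" in doc.caveats and channel == "telephone":
        return False
    return True


if __name__ == "__main__":
    alice = Subject("alice", Level.SECRET, frozenset({"ALPHA"}))
    report = Label(Level.SECRET, frozenset({"ALPHA", "BRAVO"}), frozenset({"ENCRYPTED_ONLY"}))
    print(can_read(alice, report))      # denied: right level, but not read into BRAVO
    print(can_transmit(report, "fax"))  # False: caveat forbids an unencrypted channel
```

The two checks are deliberately separate functions: a subject cleared to read a document may still be forbidden from sending it over a given channel, and a channel that is acceptable for one document may be forbidden for another at the same level because of its caveats.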

Personal and private information

Data privacy concerns exist in various aspects of daily life wherever personal data is stored and collected, such as on the internet, in medical records, financial records, and expression of political opinions. In over 80 countries in the world, personally identifiable information is protected by information privacy laws, which outline limits to the collection and use of personally identifiable information by public and private entities. Such laws usually require entities to give clear and unambiguous notice to the individual of the types of data being collected, its reason for collection, and planned uses of the data. In consent-based legal frameworks, explicit consent of the individual is required as well. [10]

The EU passed the General Data Protection Regulation (GDPR), replacing the earlier Data Protection Directive. The regulation was adopted on 27 April 2016. It became enforceable from 25 May 2018 after a two-year transition period and, unlike a directive, it does not require national governments to pass any enabling legislation, and is thus directly binding and applicable. [11] "The proposed new EU data protection regime extends the scope of the EU data protection law to all foreign companies processing data of EU residents. It provides for a harmonisation of the data protection regulations throughout the EU, thereby making it easier for non-European companies to comply with these regulations; however, this comes at the cost of a strict data protection compliance regime with severe penalties of up to 4% of worldwide turnover." [12] The GDPR also brings a new set of "digital rights" for EU citizens in an age when the economic value of personal data is increasing in the digital economy.

In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) regulates the collection and use of personal data and electronic documents by public and private organizations. PIPEDA is in effect in all federal and provincial jurisdictions, except provinces where existing privacy laws are determined to be “substantially similar”. [13]

Although the United States has no single, unified framework for sensitive information, it has enacted a significant body of privacy legislation covering specific aspects of data privacy, with emphasis on the healthcare, financial, e-commerce and educational sectors, at both federal and state levels. Whether regulated or self-regulated, these laws require organizations to establish ways of limiting access to sensitive information according to a person's role, in essence requiring a "sensitive data domain" model [14] and mechanisms for protecting it. Some domains have pre-defined guidance, such as the "Safe Harbor" de-identification method under HIPAA, [15] which draws on the research of Latanya Sweeney and established privacy-industry metrics.
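As an added example of what the Safe Harbor method referred to above involves in practice (illustrative code, not part of the original article and not an official implementation), the block below applies its main transformations to one patient record: direct identifiers are dropped, dates tied to the individual are reduced to the year, ages over 89 are collapsed to "90+", ZIP codes are truncated to three digits and suppressed where the three-digit area is too small, and recognisable identifier patterns in free text are redacted. The field names, the sample record and the SMALL_ZIP3 set are constructed for the example; a real implementation would load the published list of low-population ZIP areas.

```python
# Added example: a Safe Harbor style de-identification pass over one patient
# record.  The field schema, the sample record and the SMALL_ZIP3 set are
# constructed for the example; a real implementation loads the published list
# of low-population three-digit ZIP areas and still has the remaining fields
# reviewed for re-identification risk.
import re
from datetime import date

# Direct identifiers the Safe Harbor method requires removing outright
# (names, geography below state level, contact details, SSN, record/account
# numbers, licence/vehicle/device identifiers, URLs, IPs, biometrics, photos).
# Field names are an assumed schema.
DIRECT_IDENTIFIERS = {
    "name", "street", "city", "county", "phone", "fax", "email", "ssn",
    "mrn", "health_plan_id", "account_number", "license_number", "vin",
    "device_serial", "url", "ip_address", "fingerprint", "photo",
}
# Dates directly related to the individual: only the year may remain.
DATE_FIELDS = {"date_of_birth", "admission_date", "discharge_date", "date_of_death"}
# Constructed stand-in for the three-digit ZIP areas with 20,000 or fewer residents.
SMALL_ZIP3 = {"036", "059", "102", "203"}

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")


def generalize_zip(zip_code):
    """Keep the first three digits; use '000' where the area is too small."""
    zip3 = re.sub(r"\D", "", str(zip_code))[:3]
    return "000" if len(zip3) < 3 or zip3 in SMALL_ZIP3 else zip3


def generalize_age(age):
    """Ages over 89 are collapsed into a single '90+' category."""
    return "90+" if int(age) > 89 else int(age)


def year_only(value):
    """Reduce an ISO date string (or a date object) to its year."""
    return (date.fromisoformat(value) if isinstance(value, str) else value).year


def redact_text(text):
    """Identifiers also hide in free text; redact the patterns we can recognise.
    This is a safety net, not a substitute for reviewing notes fields."""
    return EMAIL_RE.sub("[EMAIL]", SSN_RE.sub("[SSN]", text))


def deidentify(record):
    """Return a new dict with the Safe Harbor transformations applied;
    the input record is left unchanged."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                                   # dropped entirely
        if key in DATE_FIELDS:
            out[f"{key}_year"] = year_only(value)      # full date -> year only
        elif key == "age":
            out[key] = generalize_age(value)
        elif key == "zip":
            out[key] = generalize_zip(value)
        elif isinstance(value, str):
            out[key] = redact_text(value)              # scrub free text
        else:
            out[key] = value
    return out


if __name__ == "__main__":
    # Constructed sample record (not real patient data).
    record = {
        "name": "Jane Q. Public",
        "ssn": "123-45-6789",
        "date_of_birth": "1931-04-02",
        "admission_date": "2023-05-20",
        "age": 92,
        "zip": "03601",
        "diagnosis": "I10",
        "notes": "Daughter (jane.public@example.com) called re SSN 123-45-6789.",
    }
    for k, v in deidentify(record).items():
        print(f"{k}: {v}")
```

Note what the method does not do: it says nothing about combinations of the surviving fields (year of birth, three-digit ZIP, diagnosis) that may still single out a person in a small population, which is exactly the re-identification risk Sweeney's work measured and why the rule also offers an expert-determination route.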

Additionally, many other countries have enacted their own legislation on data privacy protection, and more are still in the process of doing so. [16]

Confidential business information

The confidentiality of sensitive business information is established through non-disclosure agreements, a legally binding contract between two parties in a professional relationship. NDAs may be one-way, such as in the case of an employee receiving confidential information about the employing organization, or two-way between businesses needing to share information with one another to accomplish a business goal. Depending on the severity of consequences, a violation of non-disclosure may result in employment loss, loss of business and client contacts, criminal charges or a civil lawsuit, and a hefty sum in damages. [17] When NDAs are signed between employer and employee at the initiation of employment, a non-compete clause may be a part of the agreement as an added protection of sensitive business information, where the employee agrees not to work for competitors or start their own competing business within a certain time or geographical limit.

Unlike personal and private information, there is no internationally recognized framework protecting trade secrets, or even an agreed-upon definition of the term “trade secret”. [18] However, many countries and political jurisdictions have taken the initiative to account for the violation of commercial confidentiality in their criminal or civil laws. For example, under the US Economic Espionage Act of 1996, it is a federal crime in the United States to misappropriate trade secrets with the knowledge that it will benefit a foreign power, or will injure the owner of the trade secret. [19] More commonly, breach of commercial confidentiality falls under civil law, such as in the United Kingdom. [20] In some developing countries, trade secret laws are either non-existent or poorly developed and offer little substantial protection. [21]

Classified information

In many countries, unauthorized disclosure of classified information is a criminal offence, punishable by fines, a prison sentence, or even the death penalty, depending on the severity of the violation. [22] [23] For less severe violations, administrative sanctions may be imposed, ranging from a reprimand to revocation of security clearance and subsequent termination of employment. [24]

Whistleblowing is the intentional disclosure of sensitive information to a third-party with the intention of revealing alleged illegal, immoral, or otherwise harmful actions. [25] There are many examples of present and former government employees disclosing classified information regarding national government misconduct to the public and media, in spite of the criminal consequences that await them.

Espionage, or spying, involves obtaining sensitive information without the permission or knowledge of its holder. The use of spies is a part of national intelligence gathering in most countries, and has been used as a political strategy by nation-states since ancient times. It is unspoken knowledge in international politics that countries are spying on one another all the time, even their allies. [26]

Digital sensitive information

Computer security is information security applied to computing and network technology, and is a significant and ever-growing field of computer science. Computer insecurity, by contrast, is the idea that computer systems are inherently vulnerable to attack, producing an evolving arms race between those who exploit existing vulnerabilities and those who must engineer new security mechanisms in response.

A number of security concerns have arisen in recent years as increasing amounts of sensitive information at every level have come to exist primarily in digital form. At the personal level, credit card fraud, internet fraud, and other forms of identity theft have become widespread concerns that individuals need to be aware of on a day-to-day basis. The existence of large databases of classified information on computer networks is also changing the face of domestic and international politics. Cyber-warfare and cyber espionage are becoming increasingly important to the national security and strategy of nations around the world; a 2007 McAfee report estimated that 120 nations were actively developing and deploying technology for these purposes. [27]

Philosophies and internet cultures such as open-source governance and hacktivism, and the popular hacktivist slogan "information wants to be free", reflect some of the cultural shifts in perception towards political and government secrecy. The popular and controversial WikiLeaks is just one of many manifestations of a growing cultural sentiment that has become an additional challenge to the security and integrity of classified information. [28]

References

  1. Mothersbaugh, David L.; Foxx, William K.; Beatty, Sharon E.; Wang, Sijun (2011-12-20). "Disclosure Antecedents in an Online Service Context: The Role of Sensitivity of Information". Journal of Service Research. 15 (1): 76–98. doi:10.1177/1094670511424924. ISSN   1094-6705. S2CID   168122924.
  2. "2.2 - Information Classification | Unit 2 | OCR Cambridge Technicals". CSNewbs. Retrieved 2023-05-20.
  3. "Accessing Public Information" Information and Privacy Commissioner, Ontario, Canada. Retrieved Feb. 11 2013.
  4. "Accountability and Transparency: Essential Principles" Democracy Web. Retrieved Feb. 11, 2013.
  5. Rights (OCR), Office for Civil (2008-05-07). "Your Rights Under HIPAA". HHS.gov. Retrieved 2022-08-28.
  6. "Private and Personal Information" Common Sense Media Inc., 2013. Retrieved Feb. 9 2013.
  7. "Confidential information and trade secrets" MaRS, Dec. 8 2009. Retrieved Feb. 9 2013.
  8. US EPA, OCSPP (2015-04-22). "CBI Claims and Reviews Under TSCA". www.epa.gov. Retrieved 2023-03-01.
  9. "Eyes-only".
  10. "Basic Privacy" (lecture). University of Toronto, Jan. 24, 2012. Retrieved Feb. 9 2013.
  11. Blackmer, W.S. (5 May 2016). "GDPR: Getting Ready for the New EU General Data Protection Regulation". Information Law Group. InfoLawGroup LLP. Archived from the original on 14 May 2018. Retrieved 22 June 2016.
  12. "New draft European data protection regime". Law Patent Group . February 2, 2012. Retrieved January 9, 2018.
  13. "DEPARTMENT OF INDUSTRY: PERSONAL INFORMATION PROTECTION AND ELECTRONIC DOCUMENTS ACT" Archived 2013-06-02 at the Wayback Machine Canada Gazette, Apr. 03 2002. Retrieved Feb. 9 2013.
  14. "Sensitive Data Discovery"
  15. "Methods for De-identification of PHI". 7 September 2012.
  16. "International Privacy Laws " InformationShield. Retrieved Feb. 9 2013.
  17. Niznik, J. S. "Non-Disclosure Agreement" About.com, 2002. Retrieved Feb. 9 2013.
  18. Magri, K. A. "International Aspects of Trade Secrets Law" 1997. Retrieved Feb. 9 2013.
  19. 104th US Congress. "ECONOMIC ESPIONAGE ACT OF 1996" PUBLIC LAW 104–294, OCT. 11, 1996. Retrieved Feb. 9 2013.
  20. Bently, L. "Breach of confidence - the basics" (lecture). Retrieved Feb. 9 2013.
  21. Kransdorf, G. "Intellectual Property, Trade, and Technology Transfer Law: The United States and Mexico" Boston College Third World Law Journal 7(2): 277-295. 1987. Retrieved Feb. 9 2013.
  22. 113th US Congress. "Disclosure of classified information" Legal Information Institute, Cornell University Law School. Retrieved Feb. 9 2013.
  23. "Charges in Classified Information and National Security Cases" James Madison Project, Retrieved Feb. 9 2013.
  24. Elsea, J. K. "The Protection of Classified Information: The Legal Framework" Congressional Research Service, Jan. 10 2013. Retrieved Feb. 9 2013.
  25. Morley, H., Cohen-Lyons, J. "WHISTLEBLOWING IN THE PUBLIC SECTOR: A BALANCE OF RIGHTS AND INTERESTS" Public Sector Digest, Spring 2012. Pp 16-18. Retrieved Feb. 9 2013.
  26. Woolsey, R. J. "Why We Spy on Our Allies" The Wall Street Journal: Mar. 17 2000. Retrieved Feb. 9 2013.
  27. Brodkin, J. "Government-sponsored cyberattacks on the rise, McAfee says" Archived 2013-06-17 at the Wayback Machine Networked World: Nov. 29 2007. Retrieved Feb. 9 2013.
  28. Ludlow, P. "WikiLeaks and Hacktivist Culture" The Nation: Sep. 15 2010. Retrieved Feb. 9 2013.