IHM Daily Health & Social Care News

Working with our partners, Salix & Co, from 8am each week day you can get a ‘heads up’ on the latest health and social care news, views and events by clicking here.


Cyber and Information Security – How to series #7

Classifying your Data

Gary Peace

Why do it? Were not in the Secret Service!

Just as you might lock away or hide your valuable jewellery at home, whilst leaving the everyday jewellery and non-sentimental trinkets on the dressing or bedside table. You should be doing the same with your data. 

But how do you tell what is valuable to the organisation and what isn’t? How do you work out what your crown jewels are? Quite simply, by working out what is important, valuable or sensitive to your organisation and then classifying it accordingly.

What actually do we mean by Data Classification?

Data classification is the process of organising data based upon the following criteria:

  • Value of Information – based on impacts assessed during risk assessment
  • Sensitivity and Criticality of information – based on the highest risk calculated for each information item during risk assessment
  • Legal and contractual obligations – based on Legal, Regulatory, Contractual and other obligations.

The process is of particular importance when it comes to risk management, compliance, and data security. And on a basic level, the classification of data makes it easier to secure, locate and retrieve.

It is important to state that he amount of information that falls into a “Confidential” category (or whatever terminology you use for the most sensitive data) should be carefully limited; the cost and operational inconvenience of protecting it properly is such that it needs only to be information whose release can significantly damage your organisation.


Alongside the classification aspect is also “Marking” and “Handling”. Marking is simply labelling (physically) the documents, drawings, scans and emails according to your classification.

Stickers, Footer and Heading templates. Watermarks and others can all be used.

What it means in practice is that when the last person before you has gone home for the day and you are locking up, just as the contract cleaners are coming in and you notice a document on a desk that is marked as “Confidential”. That you will know, without doubt that it should not be left on that desk, and that you know that it needs to be locked away thereby preventing a possible data breach or theft of intellectual property from taking place.


The reason you know that the confidential document should not be left on a desk overnight and in full view of unauthorised persons (the outsourced cleaning company) is because attached to the classification determination there are also handing restrictions (what you can and cannot do with the document) that apply. These restrictions are more restrictive the greater the level of classification given to the information and less so for the lower grade material.

Types of data   (the classifications shown are illustrative – you can choose your own)


I’ve talked about data mapping previously. Those information assets identified as part of that process have a value to the organisation. They also need to have an “owner”. Someone who is responsible for its classification, for ensuring it is correctly labelled and for its correct handling in line with its classification. HR will own personnel records, Finance, the financial records etc.

Information received from outside of the organisation belongs to its intended recipient and should be reclassified by that new owner.

The next in this series of 10 articles to help you build cyber resilience in your organisation will be “Identifying Assets and Ownership”

Gary Peace is the CEO & Founder of ESID Consulting, specialising in Insider Threat, Cyber / Information Security and e-Discovery.

He was for 18 years a Police Officer in New Scotland Yards, Metropolitan Police. Is a former Head of Digital Forensics at the Competition & Markets Authority. And currently serves as a County Councillor and is also Vice-Chair of Governors at The Island Free School on the Isle of Wight.

Email: garypeace@esid.co.uk   Tel 07973 333 106      Website www.esid.co.uk


Recommended Reads

You can now find this week’s ‘Recommended Reads’ as well as our archive of previous weeks’ reads within the Resources section of our Members Area or by clicking here.


Births by parents’ country of birth – ONS

Statistician’s comment “In 2018, just over one in three children born in England and Wales had at least one parent who was born outside the UK. These parents could be long-time residents who moved here

10 October 2019|

IHM Leadership Arrangements

The Institute of Healthcare Management is pleased to announce that it will be strengthening and extending its operational and governance arrangements from 1st October 2019 with the appointment of a new Board. From 1st October'19

4 October 2019|

New sources and methods transforming GDP

The Office for National Statistics has today published indicative revisions to quarterly gross domestic product (GDP) for 1997 to 2016 that will first be included in headline estimates from the end of September 2019. The

21 August 2019|