Protecting Confidential Information
Protecting Our Information
You wouldn’t leave your credit card details lying around an open area would you? Or post your bank details on your Facebook page? No, because you know that you need to protect that kind of confidential, sensitive information. Like you, our company needs to protect our confidential information and sensitive data. Any information you receive in the course of your work is private company information and you are responsible for protecting it.
However, some information is particularly sensitive – such as information that is not generally known in the industry, our intellectual property, or even our trade secrets!
Protecting Confidential Information and Sensitive Data
Accidents happen… laptops are stolen, mobile devices are lost, emails are sent to the wrong recipients – but if you follow the correct procedures, then accidents don’t have to become security incidents.
Here’s what you need to do to protect our confidential information and sensitive data:
• Identify the classification of the data you handle.
• Use the handling protocols for that class of data to:
- Share data appropriately
- Store data securely
- Properly dispose of data
Please also note that in some circumstances disclosure of confidential information is required by law.
Assigning a classification level to information is the first step in protecting our information appropriately. Classification is a business decision based on how sensitive the information is. Once information has been classified, it must be correctly labelled so that everyone who works with it is aware of its sensitivity level. It’s up to you to know the classification of the information you are handling and to treat it appropriately. The classification identifies the security
There are four main classes of information:
Public – Information that can be freely shared with any individual or group.
Internal – Potentially sensitive information that should not be shared outside our organization.
Confidential – Information (whether in oral, written, or electronic form) that may adversely affect employees, individuals, or our business if disclosed to unauthorized parties. For example, business strategies, marketing plans, manufacturing techniques, etc.
Restricted – Information that we have a regulatory or legal obligation to maintain and protect. Trade secrets are also sometimes classified as restricted information.
Our policy governs external communications across all forms of media including print, online platforms, and public forums. When using the firm’s electronic communications system, including the internet, or engaging in social media activities, you must not send or otherwise disclose confidential information, trade secrets, or other confidential data of the company. If you are unsure of our policy, you can find out who to contact with questions here. Never discuss sensitive, confidential, or restricted information in public areas or social conversation, and always use project “code names” in your discussions.
Before sending an email, you should double-check the recipient before pressing the send button – not only can it be embarrassing if a message is sent to the wrong person, but it can also result in the unintentional disclosure of confidential information about the company – this may also be an infringement of data protection law. If you have to send an attachment that contains sensitive, confidential, or restricted information, you must ensure that the file is password protected.
Consider inserting the recipient’s email address only once you are ready to send the email. You should never assume that internal or external messages are private and confidential, even if marked as such. The internet is not a secure means of communication and third parties may be able to access or alter messages that have been sent or received. Do not send any information in an email that you would not be happy being publicly available. Matters of a sensitive or personal nature should not be transmitted by email unless absolutely unavoidable and if so, should be clearly marked in the message header as highly confidential.
Social Media Use
Be careful when using social media – even when you are chatting with your colleagues; always remember the potential risks to you and to our company. When you post a message using social media, you should assume you are making a public statement even if you have set your “privacy settings” to only include known parties. Your messages will not be private and can be forwarded to third parties without your consent. Once sensitive or confidential information (or offensive or defamatory information) has been posted, it cannot be recovered and this may result in damage or liability both for the firm and also you personally. Never discuss internal, confidential, or restricted information on social media.
The confidentiality of internal communications can only be ensured if they are sent by internal company mail in a properly marked and sealed envelope, delivered personally by hand, or included in a password-protected online document such as WINZIP. Under no circumstances should information of a confidential or sensitive nature be placed on the internet. You should exercise the same care when using the telephone or fax, as when using email or other forms of written communication.
Consult & Report
If you are uncertain about a particular confidentiality issue or you become aware of a confidentiality problem (including where this involves other members of staff), you can find out who to contact here. If there is an incident such as the loss or theft of a laptop, tablet, or smartphone, this may constitute a data breach under data protection rules which may in turn need to be reported to a regulator – in such an instance you must immediately report the incident. The loss of a device may also be a breach of a CDA or NDA applicable to another party’s information on the device, which may need to be reported to the other party.
Arthur is working on a new project and needs to share company information with a marketing consultant. He knows he needs to classify the information before sharing it, but he’s not sure what classification he needs to assign to the information. The information he needs to share relates to an upcoming marketing plan.
How should Arthur classify the information?
- Public – Information that can be freely shared with any individual or group.
- Internal – Potentially sensitive information that should not be shared outside our organization.
- Confidential – Information that may adversely affect employees, individuals, or our business if disclosed to unauthorized parties.
- Restricted – Information that we have a regulatory or legal obligation to maintain and protect.
Thanks for helping Arthur
Choosing a classification level to apply to your data is a business decision based on how sensitive the data is. The more sensitive the information is, the higher the classification level and the more protection required. When you classify information and then follow the rules that apply, you help protect our company in the event of a security incident. By following the rules, we will be able to prove to a customer, a regulator, or in a court of law that we have taken reasonable precautions to protect our data. It’s vital to ensure that there is a valid NDA in place before discussing information with a third party. The Legal department can advise you if an NDA is already in place.
This content is an extract from the Data Privacy Training Booklet.