Data Classification: Public, Internal, Confidential, Restricted
Learn how organizations classify data by sensitivity, who is responsible for classification decisions, and how labels drive handling and encryption requirements.
Why Classify Data?
Data classification is the process of organizing data into categories based on its sensitivity and the impact of unauthorized disclosure, modification, or loss. Classification drives every downstream security decision: what encryption is required, who can access the data, how it must be stored and transmitted, and how long it must be retained. Without classification, organizations apply either too many controls (wasting resources) or too few (leaving sensitive data unprotected).
The Four Classification Levels
Most commercial organizations use four classification levels. Public data can be freely shared with anyone — marketing materials, press releases. Internal (or Private) data is not secret but should not be shared outside the organization — employee directories, internal policies. Confidential data requires protection because unauthorized disclosure harms the organization — financial reports, contracts. Restricted (or Highly Confidential) data carries the strictest controls — trade secrets, PII, protected health information, credentials.
# Commercial data classification scheme
Level          Examples                     Handling
------------   --------------------------   ------------------
PUBLIC         Marketing, press releases    No restrictions
INTERNAL       HR policies, org charts      Internal only
CONFIDENTIAL   Contracts, financial data    Encrypted, NDA
RESTRICTED     PII, PHI, credentials        Encrypted + MFA
               Trade secrets, source code   Strict access log
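The scheme above can be turned into a policy check: a record inherits the highest label of any field it contains, and that label decides which handling controls must be in place before the record may be stored or sent anywhere. The following is an added example, not code from the original lesson; it assumes the handling rules are cumulative (each level also carries the controls of the levels below it), and the control names, field labels and destination are constructed.

```python
from enum import IntEnum

# Ordered so that a comparison reads "at least as sensitive as".
class Level(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3

# Handling controls per level, taken from the scheme above. Assumption: each
# level inherits the controls of the levels below it (cumulative rules).
REQUIRED_CONTROLS = {
    Level.PUBLIC: frozenset(),
    Level.INTERNAL: frozenset({"internal_only"}),
    Level.CONFIDENTIAL: frozenset({"internal_only", "encrypted", "nda"}),
    Level.RESTRICTED: frozenset({"internal_only", "encrypted", "nda", "mfa", "access_log"}),
}

def classify_record(field_labels: dict[str, Level]) -> Level:
    """A record inherits the highest label of any field it contains."""
    return max(field_labels.values(), default=Level.PUBLIC)

def check_flow(field_labels, applied_controls, destination_max):
    """Evaluate storing or sending a record to a destination.

    destination_max is the highest level the destination is approved to hold.
    Returns (effective_level, sorted list of missing controls, destination_ok).
    """
    level = classify_record(field_labels)
    missing = sorted(REQUIRED_CONTROLS[level] - set(applied_controls))
    return level, missing, level <= destination_max

# Constructed sample: a customer export that mixes field sensitivities.
CUSTOMER_EXPORT = {
    "customer_name": Level.RESTRICTED,   # PII
    "plan_tier": Level.INTERNAL,
    "press_quote": Level.PUBLIC,
}

if __name__ == "__main__":
    level, missing, ok = check_flow(
        CUSTOMER_EXPORT,
        applied_controls={"encrypted", "internal_only"},
        destination_max=Level.CONFIDENTIAL,   # e.g. a partner-facing share
    )
    print(f"effective label: {level.name}")       # RESTRICTED, driven by the PII field
    print(f"missing controls: {missing}")          # ['access_log', 'mfa', 'nda']
    print(f"destination approved: {ok}")           # False: RESTRICTED > CONFIDENTIAL ceiling
```

The single PUBLIC and INTERNAL fields do not lower the result; one RESTRICTED field is enough to pull the whole export up to the strictest handling tier.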