Information sensitivity

From Wikipedia, the free encyclopedia

Information sensitivity is the control of access to information or knowledge that might result in loss of an advantage or level of security if disclosed to others.

Loss, misuse, modification, or unauthorized access to sensitive information can adversely affect the privacy or welfare of an individual, trade secrets of a business or even the security, internal and foreign affairs of a nation depending on the level of sensitivity and nature of the information.[1]

Non-Sensitive Information

Public information

This refers to information that is already a matter of public record or knowledge. With regard to government and private organizations, access to or release of such information may be requested by any member of the public, and there are often formal processes laid out for how to do so.[2] The accessibility of government-held public records is an important part of government transparency, accountability to its citizens, and the values of democracy.[3] Public records may furthermore refer to information about identifiable individuals that is not considered confidential, including but not limited to: census records, criminal records, sex offender registration files, and voter registration.

Routine business information

This includes business information that is not subjected to special protection and may be routinely shared with anyone inside or outside of the business.

Types of Sensitive Information

Confidential information is used in a general sense to mean sensitive information whose access is subject to restriction, and may refer to information about an individual as well as that which pertains to a business.

Personal and Private Information

This is information belonging to a private individual, which the individual may commonly share with others for personal or business reasons. This generally includes contact information such as addresses, telephone numbers, e-mail addresses, health records, and so on. It may be considered a breach of privacy to disclose such information, but for most people its disclosure is not considered a serious matter.

However, there are situations in which the release of personal information could have a negative effect on its owner. For example, a person trying to avoid a stalker will be inclined to further restrict access to such personal information. Furthermore, a person's SSN or SIN, credit card numbers, and other financial information may be considered private if their disclosure might lead to crimes such as identity theft or fraud.

Some types of private information, including records of a person's health care, education, and employment, may be protected by privacy laws. Unauthorized disclosure of private information can make the perpetrator liable for civil remedies and may in some cases subject them to criminal penalties.

Even though they are often used interchangeably, personal information is sometimes distinguished from private information, or personally identifiable information. The latter is distinct from the former in that private information can be used to identify a unique individual. Personal information, on the other hand, is information belonging to the private life of an individual that cannot be used to uniquely identify that individual. This can range from an individual’s favourite colour to the details of their domestic life.[4] The details of domestic life are a common example of personal information that is also regarded as sensitive: the individual sharing these details with a trusted listener would prefer that they not be shared with anyone else, and sharing them may result in unwanted consequences.

Confidential business information

Confidential business information refers to information whose disclosure may harm the business. Such information may include trade secrets, sales and marketing plans, new product plans, notes associated with patentable inventions, customer and supplier information, financial data, and more.[5]

Classified

Classified information generally refers to information that is subject to special security classification regulations imposed by many national governments, the disclosure of which may cause harm to national interests and security. The protocol of restriction imposed upon such information is categorized into a hierarchy of classification levels in almost every national government worldwide, with the most restricted levels containing information that may cause the greatest danger to national security if leaked. Authorized access is granted on a need-to-know basis to individuals who have also passed the appropriate level of security clearance. Classified information can be reclassified to a different level or declassified (made available to the public) depending on changes of situation or new intelligence.

Legal Protection from Unauthorised Disclosure

Personal and Private Information

Data privacy concerns exist in various aspects of daily life wherever personal data is stored and collected, such as on the internet, in medical records, financial records, and expression of political opinions. In over 80 countries in the world, personally identifiable information is protected by information privacy laws, which outline limits to the collection and use of personally identifiable information by public and private entities. Such laws usually require entities to give clear and unambiguous notice to the individual of the types of data being collected, its reason for collection, and planned uses of the data. In consent-based legal frameworks, explicit consent of the individual is required as well.[6]

In the European Union, the Data Protection Directive provides a rigorous standard for privacy protection legislation across all member states. Although the Directive is not legally binding in itself, all member states are expected to enact their own national privacy legislation within three years of the Directive’s adoption that conforms to all of its standards.[7] Since adoption, the Directive has demonstrated significant influence on the privacy legislation of non-EU nations, through its requirements on the privacy laws of non-member nations engaging in transborder flows of private data with EU member nations.[8]

Presently, the EU is drafting the General Data Protection Regulation (GDPR), which will replace the Directive and account for the privacy implications of recent changes in technology such as social networks and cloud computing. The GDPR is expected to be adopted in 2014, and be implemented by member states by 2016.[9][10]

In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) regulates the collection and use of personal data and electronic documents by public and private organizations. PIPEDA is in effect in all federal and provincial jurisdictions, except provinces where existing privacy laws are determined to be “substantially similar”.[11]

In contrast, the United States has no comprehensive framework but rather a patchwork of privacy legislation pertaining to different specific aspects of data privacy, relying on a mix of legislation, regulation, and self-regulation.

Additionally, many other countries have enacted their own legislation regarding data privacy protection, and more are still in the process of doing so.[12]

Confidential Business Information

The confidentiality of sensitive business information is established through non-disclosure agreements (NDAs), legally binding contracts between two parties in a professional relationship. NDAs may be one-way, such as in the case of an employee receiving confidential information about the employing organization, or two-way between businesses needing to share information with one another to accomplish a business goal. Depending on the severity of consequences, a violation of non-disclosure may result in employment loss, loss of business and client contacts, criminal charges or a civil lawsuit, and a hefty sum in damages.[13] When NDAs are signed between employer and employee at the initiation of employment, a non-compete clause may be a part of the agreement as an added protection of sensitive business information, where the employee agrees not to work for competitors or start their own competing business within a certain time or geographical limit.

Unlike personal and private information, there is no internationally recognized framework protecting trade secrets, or even an agreed-upon definition of the term “trade secret”.[14] However, many countries and political jurisdictions have taken the initiative to account for the violation of commercial confidentiality in their criminal or civil laws. For example, under the US Economic Espionage Act of 1996, it is a federal crime in the United States to misappropriate trade secrets with the knowledge that it will benefit a foreign power, or will injure the owner of the trade secret.[15] More commonly, breach of commercial confidentiality falls under civil law, such as in the United Kingdom.[16] In some developing countries, trade secret laws are either non-existent or poorly developed and offer little substantial protection.[17]

Classified Information

In many countries, unauthorized disclosure of classified information is a criminal offence, and may be punishable by fines, a prison sentence, or even the death penalty, depending on the severity of the violation.[18][19] For less severe violations, civil sanctions may be imposed, ranging from reprimand to revoking of security clearance and subsequent termination of employment.[20]

Whistleblowing is the intentional disclosure of sensitive information to a third party with the intention of revealing alleged illegal, immoral, or otherwise harmful actions.[21] There are many examples of present and former government employees disclosing classified information regarding national government misconduct to the public and media, in spite of the criminal consequences that await them.

Espionage, or spying, involves obtaining sensitive information without the permission or knowledge of its holder. The use of spies is a part of national intelligence gathering in most countries, and has been used as a political strategy by nation-states since ancient times. It is unspoken knowledge in international politics that countries are spying on one another all the time, even their allies.[22]

Sensitive Information in a Digital World

Computer security is information security applied to computing and network technology, and is a significant and ever-growing field in computer science. The term computer insecurity, on the other hand, refers to the concept that computer systems are inherently vulnerable to attack, and that there is therefore an evolving arms race between those who exploit existing vulnerabilities in security systems and those who must then engineer new mechanisms of security.

A number of security concerns have arisen in recent years as increasing amounts of sensitive information at every level have found their primary existence in digital form. At the personal level, credit card fraud, internet fraud, and other forms of identity theft have become widespread concerns that individuals need to be aware of on a day-to-day basis. The existence of large databases of classified information on computer networks is also changing the face of domestic and international politics. Cyber-warfare and cyber espionage are becoming increasingly important to the national security and strategy of nations around the world, and it is estimated that 120 nations around the world are currently actively engaged in developing and deploying technology for these purposes.[23]

Philosophies and internet cultures such as open-source governance, hacktivism, and the popular hacktivist slogan “information wants to be free” reflect some of the cultural shifts in perception towards political and government secrecy. The popular, controversial Wikileaks is just one of many manifestations of a growing cultural sentiment that is becoming an additional challenge to the security and integrity of classified information.[24]

Notes

  1. "Sensitive Information" (definition) Aug. 23, 1996. Retrieved Feb. 9, 2013.
  2. "Accessing Public Information" Information and Privacy Commissioner, Ontario, Canada. Retrieved Feb. 11, 2013.
  3. "Accountability and Transparency: Essential Principles" Democracy Web. Retrieved Feb. 11, 2013.
  4. "Private and Personal Information" Common Sense Media Inc., 2013. Retrieved Feb. 9, 2013.
  5. "Confidential information and trade secrets" MaRS, Dec. 8, 2009. Retrieved Feb. 9, 2013.
  6. "Basic Privacy" (lecture). University of Toronto, Jan. 24, 2012. Retrieved Feb. 9, 2013.
  7. "Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data" European Parliament, Council. Nov. 23, 1995. Retrieved Feb. 9, 2013.
  8. Mason, J. "The Influence of the European Commission Data Privacy Protection Directive on 'Third Countries'" Paper presented at the annual meeting of the International Communication Association, TBA, San Francisco, CA, May 24, 2007. Retrieved Feb. 9, 2013.
  9. "EU Sets Timeline for Consideration of Data Protection Reform" Hogan Lovells LLP, May 24, 2012. Retrieved Feb. 9, 2013.
  10. "REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)" European Commission, Jan. 25, 2012. Retrieved Feb. 9, 2013.
  11. "DEPARTMENT OF INDUSTRY: PERSONAL INFORMATION PROTECTION AND ELECTRONIC DOCUMENTS ACT" Canada Gazette, Apr. 03, 2002. Retrieved Feb. 9, 2013.
  12. "International Privacy Laws" InformationShield. Retrieved Feb. 9, 2013.
  13. Niznik, J. S. "Non-Disclosure Agreement" About.com, 2002. Retrieved Feb. 9, 2013.
  14. Magri, K. A. "International Aspects of Trade Secrets Law" 1997. Retrieved Feb. 9, 2013.
  15. 104th US Congress. "ECONOMIC ESPIONAGE ACT OF 1996" PUBLIC LAW 104–294, OCT. 11, 1996. Retrieved Feb. 9, 2013.
  16. Bently, L. "Breach of confidence - the basics" (lecture). Retrieved Feb. 9, 2013.
  17. Kransdorf, G. "Intellectual Property, Trade, and Technology Transfer Law: The United States and Mexico" Boston College Third World Law Journal 7(2): 277-295. 1987. Retrieved Feb. 9, 2013.
  18. 113th US Congress. "Disclosure of classified information" Legal Information Institute, Cornell University Law School. Retrieved Feb. 9, 2013.
  19. "Charges in Classified Information and National Security Cases" James Madison Project. Retrieved Feb. 9, 2013.
  20. Elsea, J. K. "The Protection of Classified Information: The Legal Framework" Congressional Research Service, Jan. 10, 2013. Retrieved Feb. 9, 2013.
  21. Morley, H., Cohen-Lyons, J. "WHISTLEBLOWING IN THE PUBLIC SECTOR: A BALANCE OF RIGHTS AND INTERESTS" Public Sector Digest, Spring 2012. Pp 16-18. Retrieved Feb. 9, 2013.
  22. Woolsey, R. J. "Why We Spy on Our Allies" The Wall Street Journal: Mar. 17, 2000. Retrieved Feb. 9, 2013.
  23. Brodkin, J. "Government-sponsored cyberattacks on the rise, McAfee says" Networked World: Nov. 29, 2007. Retrieved Feb. 9, 2013.
  24. Ludlow, P. "WikiLeaks and Hacktivist Culture" The Nation: Sep. 15, 2010. Retrieved Feb. 9, 2013.