Most legal authorities are quite clear in determining the protected category of information, but others are broad and give a lot of room for interpretation to the agency or corporation. Procedures for protecting sensitive unclassified information vary depending on the kind of information and, in certain situations, differ from one government or firm to the next. Generally speaking, there are three ways that information can be protected: by law, which applies to classified information; by rule, which applies to sensitive but unclassified information; and by decision, which applies to private documents.
In order to protect sensitive information, most governments and companies have laws that regulate the handling and disclosure of such information. These laws typically include provisions that address confidentiality, security, retention, and destruction of records. Companies must ensure that they comply with these requirements when deciding how to protect sensitive information.
Sensitive information includes names, addresses, social security numbers (SSNs), financial data, and medical records. This type of information can be found in many different types of documents, including but not limited to employee files, databases, notebooks, laptops, mobile phones, tablets, and personal computers (PCs). Employees should never store credit card numbers or other similar sensitive information on their PCs. Instead, they should use password-protected filing systems and keep those files off site if possible.
Companies must also consider how to protect sensitive information when disposing of old materials.
The EO has specified all of the key terminology used to denote the secret classification level...
In the U.S., information is "classified" if it has been assigned one of the three levels: confidential, secret, or top secret. Information that is not so labeled is called "unclassified information".
Classified information includes documents, tapes, CDs, DVDs, computer hardware, software, and any other material. People who handle classified information are called "classifiers". They may be employees or contractors of the government agency that classified the information or they may be individuals who contract with that agency to classify information. Classifiers should know what information is classified at each level of classification and how to protect sensitive information.
Information can be classified at any time by any person or organization. Common reasons for classifying information include protecting sensitive data, limiting access to certain people, and maintaining security. The FBI uses several methods to identify information that should be classified, including the use of code words in communications and during interviews. Code words are used instead of ordinary words to ensure security during transmissions over unsecure networks and when discussing sensitive issues. For example, the word "nuclear" could be replaced with the code word "plutonium" when talking about tests involving nuclear materials.
People who handle unclassified information are called "unclassified handlers".
Secret Knowledge
The Secret classification "must be used for material whose unauthorized disclosure may reasonably be expected to cause substantial harm to national security." This includes military plans and tactics, scientific or technological developments, and commercial trade secrets.
There are two components to the definition of a Secret: what knowledge cannot be disclosed without causing harm to the nation's security, and what degree of secrecy must be applied to this knowledge. For example, the formula for Coca-Cola's secret recipe is not considered Secret information, because its disclosure could potentially cause Coke economic damage rather than harm to national security, even though protection of such information would be appropriate in some cases.
The mere possession of secret information does not make something Secret. It must also be classified Secret in order to protect national security interests. For example, documents that contain sensitive information but which have been declassified by their originators cannot be kept Secret anymore. They will be maintained with other declassified materials in the National Archives and Records Administration (NARA) system.
In general, information that would provide an advantage to an enemy could be harmful to national security. Thus, confidential business information (CBI), including financial data, customer lists, and technology trade secrets should be protected even if they aren't necessarily classified.
"Sensitive information" includes facts or views concerning a person's racial or ethnic origin, political beliefs, religious beliefs, sexual orientation, or criminal record, as long as the information or opinion otherwise fulfills the definition of personal information. The term also applies to information about an individual's health, including but not limited to his or her mental health condition, HIV status, and history of cancer.
Under Washington law, "a public body shall not disclose any sensitive information about an individual without first obtaining that individual's written consent." A "public body" includes all branches and levels of government, as well as certain agencies and officers within them. These include legislative bodies, executive departments, judicial branches, administrative offices, boards, commissions, councils, committees, and tribunals.
Disclosure of sensitive information without consent may be prohibited even if the disclosure would not violate any other statute or regulation. For example, the State Patrol has said it will not release details of drivers who have been arrested for driving under the influence of alcohol or drugs unless the driver consents to having their records disclosed.
The law allows exceptions for disclosures that are required by law, in connection with a court order, or when necessary to protect someone's health or safety. However, even then, the agency must try to obtain the subject's consent before disclosing the information.