Sensitive Information Assets

Responsibility for defining and appropriately protecting an information asset remains with its originator or owner.

A higher level of protection must be provided for sensitive information assets, which include 'personal data' and 'personal identifiable information', defined as data relating to ethnic or racial origin, religious beliefs, physical or mental health, sexual life, political opinions, trade union membership or the commission or alleged commission of criminal offences.

Identifying sensitive information is a matter for assessment in each individual case. Broadly speaking, information will be confidential if it is of limited public availability; is confidential in its very nature; has been provided on the understanding that it is confidential; and/or its loss or unauthorised disclosure could have one or more of the following consequences:

  • Financial loss e.g. the withdrawal of a research grant or donation, a fine by the ICO or a legal claim for breach of confidence;
  • Reputational damage e.g. adverse publicity, demonstrations, complaints about breaches of privacy; and/or
  • An adverse effect on the safety or well-being of staff of the organisation or those associated with it e.g. increased threats to staff engaged in sensitive work, embarrassment or damage to participants, benefactors and suppliers.