Handling Private & Confidential Data
Not all data is equal — how to tell public from private, and the rules for sharing each.
What you'll learn
- Recognise data classification levels
- Identify personal data (PII) and protect it
- Share information with the right people only
Not all information is equally sensitive, and treating it as if it were would make work impossible — you can’t lock everything in a vault. So companies sort information into classification levels, a shared shorthand that tells everyone how carefully to handle a given piece of data. The simple rule running through every level is this: the higher the classification, the fewer people should see it and the more rules apply to how it’s stored and shared. Learn to recognise the levels, and most “can I send this?” questions answer themselves.
When unsure, treat data as more sensitive, not less — and share on a need-to-know basis.
The classification levels
Most schemes use four broad tiers. Public is information anyone is meant to see — your marketing site, press releases, published prices. Internal is for people inside the company but not the outside world: team documents, project plans, routine processes. Leaking it isn’t catastrophic, but it isn’t meant to wander off either. Confidential is where care steps up: finances, contracts, strategic plans, and personal data fall here, and access is limited to those who genuinely need it. Restricted is the tightest tier — secrets, credentials, system keys — where exposure could cause serious harm and only a small, named group should ever touch it.
The exact labels vary between organisations, but the logic is always the same funnel: as you move down the levels, the circle of people shrinks and the rules tighten. When you’re not sure which tier something belongs to, treat it as more sensitive, not less. Over-protecting a document costs you a little inconvenience; under-protecting one can cost the company a breach.
PII: the data the law cares about
PII (Personally Identifiable Information) is any information that identifies a real person — names, email addresses, home addresses, phone numbers, national ID or account numbers, and similar details. Whether it belongs to customers, colleagues, or job applicants, PII is specially protected by both company policy and privacy law, and mishandling it can bring real legal and financial consequences as well as a loss of trust. As a rule, PII should be treated as confidential at minimum, and the more of it that’s gathered in one place, the more sensitive that collection becomes.
Before you share anything, run a quick three-part check: Is this mine to share? With this person? Through this channel? All three need a confident yes. A customer’s details might be fine to discuss with the teammate handling their account, but not to forward to a personal email, drop into a group chat, or read aloud where others can overhear.
Everyday habits that protect data
A few concrete practices keep sensitive information where it belongs. Don’t forward confidential files to personal email or copy them onto personal devices and drives — once data leaves the company’s protected systems, IT can no longer secure it, and you’ve quietly created a copy nobody is watching. Store sensitive data in approved, access-controlled locations rather than scattering it across desktops, USB sticks, or personal cloud accounts. Don’t discuss restricted information in public places like cafés, trains, or open video calls where others can listen in.
Two small habits round it out. A clean desk means you don’t leave printouts, notebooks, or sticky notes with sensitive details sitting out for anyone to read — lock them away when you step away. And a locked screen keeps whatever’s on your monitor private the moment you walk away. Both are tiny actions that close gaps attackers and casual snoops rely on.
Default to need-to-know: share the minimum information, with the minimum people, through the right channel, to get the job done. If sharing more doesn’t help anyone do their job, don’t.
Sort the Data & Sharing Scenarios
Here's where each one goes:
- Lock a document containing employee PII in a cabinet when you step away → Secure practice — PII must be protected both digitally and physically when not in use.
- Email a customer's home address to a colleague who asks "just to have on file" → Data leak risk — sharing violates need-to-know; they shouldn't have PII they don't need for their job.
- Share team project plans only with people directly working on that project → Secure practice — internal documents should follow need-to-know; only share with those who need it.
- Leave printouts with contract details on your desk while you're at lunch → Data leak risk — a clean desk means locking away sensitive materials when you step away.
- Copy confidential data to a personal cloud drive to work from home → Data leak risk — once data leaves approved systems, IT can no longer secure or monitor it.
- Keep your screen locked whenever you step away from your desk → Secure practice — a locked screen is a small action that closes a big gap for casual snoops and attackers.
How to use it
When you create or receive a document, pause to ask what classification it deserves, and err on the side of caution if you’re unsure. Recognise PII the moment you see it and handle it as confidential. Before sending anything, run the three-part check — mine to share, right person, right channel. Keep sensitive data in approved systems, keep your desk clear, and keep your screen locked.
Why it matters
Data is one of the most valuable things your organisation holds, and a single careless share can expose customers, break the law, and damage hard-won trust. Classification and need-to-know give you a clear, low-effort way to handle information correctly without having to weigh every decision from scratch. Get into the habit, and protecting sensitive data becomes second nature rather than a worry.
Quick check
1. Customer names, emails and IDs are an example of…
2. "Need-to-know" means you share…
3. Unsure how sensitive a document is? You should…
Corporate Decoded