Data Classification

Origin & evolution

The tiered model has military and governmental roots in information classification, and the commercial sector settled on a four-level scheme that most organisations now recognise. Public data carries minimal risk🎲RiskComplianceA risk to the product or businessView reference →, such as press releases🗞️Press ReleaseMarketingA press releaseView reference → and marketing material. Internal data is limited to staff and trusted partners. Confidential data is business-sensitive, covering customer lists and financial reports, with controlled access. Restricted data is the highest tier, holding things like payment-card numbers, medical records, and trade secrets, and it demands the strongest safeguards.

The label is not decorative. Classification levels directly determine which controls apply: permissions, encryption, monitoring, and retention. Regulatory regimes lean on it too, since GDPR, HIPAA, and CCPA all assume an organisation knows where its personally identifiable information (PII) and protected health information (PHI) live before it can claim to handle them lawfully.

How it works in practice

A health-tech product audits its data stores. The marketing blog is tagged public. Internal runbooks📘RunbookDevOps & PlatformA runbook for incident responseView reference → are internal. The customer table holds names and emails, tagged confidential. One column holds diagnosis codes, which is PHI, so the whole table inherits restricted. That single classification cascades into policy: the restricted store gets field-level encryption, access is limited to a named on-call group, every read is logged, and the data is excluded from the analytics warehouse copy by default. The label did the deciding; the controls just followed it.

Data Classification vs. its neighbours

• Data Source🛢️Data SourceData & AnalyticsA data source or integrationView reference → is the store being labelled. Classification is the sensitivity tier applied to that source; the source holds the data, the classification says how carefully to treat it.
• Security Policy🔐Security PolicySecurityA security policyView reference → is the broader set of rules an organisation enforces. Classification is one input that a policy establishes and acts on, turning "restricted" into concrete encryption and access requirements.
• Compliance Requirement⛲Compliance RequirementComplianceA compliance requirementView reference → is an external obligation such as HIPAA. Classification is the internal mechanism that makes the obligation operable, since you meet a PHI rule by first knowing which data is PHI.

In the graph

In the Unified Product Graph, Data Classification sits in the security region. The product applies it through product_classifies_data_with_data_classificationProductclassifies data withData Classificationhierarchy, a security policy gives it force through security_policy_establishes_data_classificationSecurity PolicyestablishesData Classificationhierarchy, and it attaches to the things it governs through data_classification_applies_to_data_sourceData Classificationapplies toData Sourcecross-domain. Modelling it as its own node, rather than a property on a source, lets one tier link to many sources and to the policy that defines it, which mirrors how classification actually works: a single scheme governing the whole estate.