What are the rules and regulations used for compilation of sensitive information?

Sensitive information is classified information that must be protected and is inaccessible to external parties unless permission is specifically granted. The data can be in physical or electronic form, but in either case sensitive information is regarded as private information or data. An ethical or legal reason can warrant complex restrictions on who can access the sensitive information of a person or an organization, particularly when it pertains to individual privacy and property rights.

For example, a data breach in a government commission can expose government secrets to foreign powers. The same applies to the data of an individual or organisation, where a breach can pose grave risks such as corporate spying, insurance risk, cyber threats, or a breach in the privacy of clients and workers.

The legal definition of sensitive information describes it as information that should be protected against unauthorized disclosure, including PII (personally identifiable information), PHI (protected health information), etc.

If information can be said to be sensitive, then its sensitivity must have levels. The sensitivity of data can be classified into multiple types, and the classification can be determined by federal regulations as prescribed by the security control units, by industry-specific rules, or by an individual such as an Information Security Officer.

Therefore, the compilation of sensitive information is firmly defined. The IPPs allow for a higher level of protection for sensitive information. Sensitive information here means data or an opinion concerning an individual's −

  • Political opinions

  • Religious or philosophical beliefs

  • Sexual preferences or practices

  • Membership of professional associations, trade unions or political groups

  • Racial or ethnic origin

  • Criminal information.

This principle includes the following −

  • An agency should not gather sensitive information concerning an individual unless −

    • The individual has consented to the collection.
    • The organization is required by law to gather the data.
    • The individual is physically or legally incapable of giving consent to the collection, or physically unable to communicate consent to the collection, and gathering the information is necessary to prevent or lessen a serious and imminent threat to the life or health of the individual or another individual.
    • Gathering the information is necessary to establish, exercise or defend a legal or equitable claim.

  • However, an agency can collect sensitive information concerning an individual if the collection is necessary for research, or for the compilation or analysis of statistics, relevant to government funded targeted welfare or educational services, or if the information relates to an individual’s racial or ethnic origin and is collected for the purpose of providing government funded targeted welfare or educational services, where −

    • There is no other reasonably practicable alternative to collecting the data for that purpose.
    • It is impossible for the organization to seek the individual’s consent to the collection.