Identification of confidential data

Key question for evaluation:

Is the data protected by legal or regulatory requirements?.

Your Authority or institution is always subject to the data protection law that applies to it. In some states and at the federal level, there are also freedom of information laws that regulate, among other things, a right for everyone to disclose the data held by an authority. Personal data and trade or business secrets are regularly excluded. This brings data protection law within the scope of freedom of information law.

However, internal regulations, e.g. classified information, must also be observed!

Confidential? Internal? Secret?

First of all, the regulations of data protection law and, if applicable, freedom of information law must be observed.

All personal data requires protection. This is understood to mean “any information relating to an identified or identifiable natural person” (Art. 4 (1) EU General Data Protection Regulation). In addition to name, date of birth and address, this also includes health data and personal preferences.

Furthermore, it is common practice to classify information into confidentiality classes. Assignment to a particular class can then lead to specific rules of conduct. If there are no internal rules in your Authority or institution regarding data protection, the examples on the next pages can serve as orientation.