KindHealth data can be classified into 4 categories, or protection levels. For the complete classification guide on Protection Levels, including explanations of the classifications and additional examples, see the Data Classification spreadsheet. If you collect it, protect it!
Summary Definition: Information intended for public access, but whose integrity is important.
Impact: Public information or information intended to be readily obtainable by the public, but whose integrity is important and for which unauthorized modification is the primary protection concern (Public).
Public-facing website
Hours of operation
Press releases
Summary Definition: Information and IT Resources that are generally not intended for public use or access and may only be accessed on a need-to-know basis.
Impact: Data may not be specifically protected by statute, regulations or other contractual obligations or mandates, but are generally not intended for public use or access (Internal).
Information intended for release only on a need-to-know basis
Business records and documentation not containing P3 or P4 data (email, calendar, meeting notes)
Public Directory Information for employees
Summary Definition: Information and IT Resources whose unauthorized use, access, disclosure, modification, loss or deletion could result in moderate harm or damage.
Impact: Unauthorized disclosure or modification could result in small to moderate fines, penalties or civil actions.
KindHealth Security info and plans
KindHealth employee Personnel Records not containing P4 information (i.e., incident reports or disciplinary records).
Summary Definition: Information and IT Resources requiring the highest level of confidentiality or integrity.
Impact: Unauthorized disclosure or modification could result in significant fines, penalties, regulatory action, or civil or criminal violations.
Consumer or employee SSN, driver’s license, financial account, or credit card numbers, personal medical or personal health insurance information
Passwords, PINs and passphrases
Personally Identifiable Info (PII)
P4 requires the most security controls and P1 requires a minimal set of controls. It is important to classify the information accurately so that appropriate compliance requirements can be identified. Under-classification may result in inadequate protections that could lead to data breaches. Classifications should be applied in compliance with the requirements outlined in KindHealth policy, law, regulation or contract.