1

Data Governance — Lifecycle from Creation to Destruction

Data governance is the process of managing information over its entire lifecycle — from the moment it's created to the moment it's securely destroyed. Every decision about classification, storage, distribution, retention, and disposal is part of data governance. Security and privacy controls are applied at each phase.

Create
Data is created and immediately classified. Labels are applied (manually or automatically via keyword detection). Classification determines protection requirements for all subsequent phases.
Store
Stored data requires security controls based on its classification: encryption at rest, access control lists, backup and recovery procedures, and appropriate physical/logical access restrictions.
Distribute
Moving data to consumers (internally or externally). Must respect classification — top secret data can't be sent over unclassified email. Distribution method must match the sensitivity level of the data.
Retain / Destroy
Data is kept for a legally or policy-required retention period, then securely destroyed. Retention periods must match legal requirements (SOX, HIPAA, etc.). Destruction must be irreversible — shredding, overwriting, or physical destruction of media.
2

Data Classification — Military, Commercial & Declassification

Data classification is the process of applying confidentiality and privacy labels to information during the creation phase. The label determines how the data must be stored, distributed, accessed, and destroyed. Classification can be applied manually (author labels the document) or automatically (keywords trigger classification rules).

Data Classification Schemes — Military and Commercial Equivalents
Military Label
Commercial
Meaning & restriction
Common subtypes / examples
Unclassified
Public
No restrictions — anyone can view. No risk if disclosed. Army field manuals, public website content.
PII SPI PHI Financial
Confidential
Private / Internal
Restricted to authorised persons. Lowest level of classified. Visible only inside the organisation or under NDA.
Internal memos, HR records, business plans
Secret
Restricted
Valuable data — severely restricted. Stored on dedicated networks not connected to internet. Requires elevated clearance to access.
Intelligence reports, system vulnerabilities, acquisition plans
Top Secret
Top Restricted
Grave danger if disclosed. Need-to-know basis only. Stored on isolated networks. Separate physical facilities. Unauthorised disclosure = criminal offence.
Agent locations, operation details, nuclear codes
Note on unclassified subtypes (PII/SPI/PHI): Although technically "unclassified," data such as personally identifiable information, sensitive personal information, and personal health information should receive additional care. They sit under "unclassified" in the classification hierarchy but are subcategories that trigger specific legal obligations (GDPR, HIPAA, GLBA). Microsoft DLP, for example, includes 70+ sensitive information type subcategories under unclassified.

Declassification

Declassification is the downgrading of a classification label over time, once the information no longer requires the additional security protection its label provided. Example: Operation Overlord (D-Day) plans were top secret BIGOT classification during World War II. Today they're publicly available online — the 80-year-old technology and tactics no longer pose a risk, so the information was declassified. Declassification is part of the data lifecycle — classification isn't permanent.

3

Data Types, Formats & States

Sensitive data types — subcategories of unclassified

PII
Personally Identifiable Information
Any information that can uniquely identify an individual — name, date of birth, national ID number, email address, physical address. The broadest category of personal data.
SPI
Sensitive Personal Information
A subset of PII that requires even more careful handling — race, religion, political views, sexual orientation, biometric data. Higher risk if disclosed.
PHI
Personal Health Information
Medical records, diagnoses, treatment history, prescriptions, insurance data. Protected under HIPAA in the US. Not technically "classified" but requires strict controls.
Financial
Financial Information
Credit card numbers, bank account data, financial statements, salary information. Protected under PCI DSS (payment cards), GLBA (financial institutions), and SOX (public companies).

Data formats — structured vs. unstructured

Structured data
Organised into preset fields or formats — CSV files, databases, spreadsheets. Example: "Jason, Dion, 123 Main St" in a CSV where field 1 = first name, field 2 = last name, field 3 = address. Easier to classify and process automatically.
Unstructured data
No predefined format — emails, PowerPoint files, text files, chat logs, images. The user can put anything anywhere. Harder to automatically classify. Requires more sophisticated DLP (Data Loss Prevention) tools.

Data states — where is the data in the processing cycle?

💾
Data at Rest
Stored on a hard drive, SSD, tape, cloud storage. Protected by encryption at rest (BitLocker, AES-256). Control: who can access the storage medium.
📡
Data in Motion
Actively moving across a network from one system to another. Protected by TLS/SSL, VPN, or other transport encryption. Control: encrypt the channel.
⚙️
Data in Use
Loaded into RAM or the CPU for active processing. Hardest to protect. Secure enclaves (Intel SGX, AMD SEV) protect data in use. Control: processor-level security extensions.
4

Legal Requirements — GDPR, SOX, GLBA, FISMA, HIPAA & COSO

Privacy is distinct from security. Security protects CIA attributes (encryption = confidentiality, hashing = integrity, redundancy = availability). Privacy is a data governance requirement ensuring the rights of data subjects — that data collected about them is used only as consented, and protected from unwanted disclosure.

RegulationFull NameScopeKey requirements
GDPR General Data Protection Regulation EU/EEA — applies to any organisation handling EU citizens' data Informed consent required before collecting personal data. Data used only for stated purpose. Plain language privacy policies (no legalese). Right to inspect/amend/erase data (right to be forgotten). Breach notification within 72 hours. Strongest privacy protections globally.
SOX Sarbanes-Oxley Act US — publicly traded companies with market cap ≥$75M Mandates storage and retention of financial and business documents. Defines document types and retention periods. Born from Enron and WorldCom scandals (early 2000s). Financial records must be available for audit and e-discovery.
GLBA Gramm-Leach-Bliley Act US — financial institutions (banks, stockbrokers, mortgage companies) Protects privacy of individuals' financial information held by financial institutions. Requires financial entities to explain data sharing practices and allow customers to opt out.
FISMA Federal Information Security Management Act US — federal government agencies and their contractors Requires federal organisations to adopt information assurance controls. Applies to DoD, SSA, HHS, HUD, and all government departments. If you work for the government or a government contractor in the US, FISMA applies to you.
HIPAA Health Insurance Portability and Accountability Act US — healthcare providers, hospitals, insurance companies Protects privacy of individual health information (PHI) held by covered entities. Defines security safeguards required for electronic PHI. Breach notification requirements. Governs when and how PHI can be shared.
COSO Committee of Sponsoring Organizations Industry best practice framework (not law) Provides guidance on fraud prevention, internal controls, financial reporting, and ethics. Uses COSO ERM (Enterprise Risk Management) integrated framework. Not a regulation but widely adopted as best practice for corporate governance.
Privacy vs. Security distinction (exam tested): Security = CIA triad controls (encryption, hashing, redundancy). Privacy = data governance requirement — ensuring personal data is only collected with consent and used only for the stated purpose. You can have encrypted data that violates privacy (if it's being used for purposes the user didn't consent to). Both must exist together.
5

Data Policies — Purpose Limitation, Minimisation & Sovereignty

Purpose Limitation
Personal information can be collected and processed only for the stated purpose to which the subject consented. A company that collects your address to ship a product cannot use that address to send direct marketing — unless they specifically stated that in their consent form. Restricts data sharing with third parties unless that was the stated purpose. The Privacy Act of 1974 is a US example for government use.
Data Minimisation
Only collect and process the minimum data necessary for the stated purpose. If buying a voucher online — name, email, credit card. That's it. Don't collect home address, date of birth, or mother's maiden name if you don't need it for that transaction. Less data collected = less data to protect = smaller breach impact. Each data collection process should be documented to verify minimisation.
Data Sovereignty
Countries and states may impose individual data requirements on data collected or stored within their jurisdiction. The physical location of your servers determines which laws apply. Servers in Germany = GDPR. Servers in the US = US federal and state law. Data sovereignty follows the server, not necessarily the user — a EU citizen in Thailand is under Thai law, not GDPR, for data collected by a local Thai company.

Pseudonymisation and de-identification

Even without a user's consent to share personal data, organisations can often share de-identified or pseudonymised data. De-identification removes any information that can uniquely identify an individual, leaving only aggregated or statistical data. Example: "Of our 100,000 students, 99% passed on their first attempt" — this doesn't identify any individual. "Males aged 35–40 pass at 80%" — still de-identified. This allows organisations to generate business intelligence from data they couldn't otherwise share.

6

Data Retention — Short/Long-Term, RPO & Secure Disposal

Data retention defines how long data must be kept and the processes used to manage it. Retention requirements come from two sources: legal/regulatory requirements (SOX, HIPAA, GLBA) and internal business policies. Always involve legal counsel when establishing retention policies — lawyers know exactly how long each regulation requires you to keep specific data types.

Short-term retention
Determined by how often the youngest media backup sets are overwritten. This is your online/active storage — typically 7 days to 1 month. Data that needs to be kept longer must be archived before it's overwritten by new backups. Short-term = fast access, limited storage.
Long-term retention
Data moved to archive storage to prevent overwriting. Used to meet multi-year legal requirements (SOX may require 7 years). Can be tape, external drives, or cloud cold storage (AWS Glacier). Slower to retrieve but much cheaper per GB than online storage.
RPO and retention
Recovery Point Objective (RPO) drives your retention decisions. RPO = what's the maximum age of data you can restore to? If you can tolerate losing 24 hours of data, your RPO is 24 hours. If you can only tolerate 5 minutes, your RPO is 5 minutes — which requires much more aggressive backup infrastructure and affects retention cost significantly.
Secure disposal
When the retention period expires, data must be securely and irreversibly destroyed. Paper: shredding or incineration. Hard drives: degaussing, secure erase, or physical destruction (drill through platters). Hard drives cannot simply be formatted — forensic tools can recover formatted data. Third-party certified shredding services are available for drives that can't be handled internally.
7

Data Ownership — Owner, Steward, Custodian & Privacy Officer

Data ownership identifies the person responsible for the confidentiality, integrity, availability, and privacy of an information asset. It is not the person who created the file — it's a defined organisational role. IT should not be the data owner; they should be the data custodians. Business domain experts who understand the content should own it.

Data Owner
Senior executive — ultimate accountability. Responsible for labelling the asset and ensuring it's protected with appropriate controls. Sets the classification requirements for their department's data. Shouldn't be the IT department — should be the business domain leader (CFO for financial data, CISO for security data, head of HR for employee data). If the data is the accounting department's records, the accounting department leader is the data owner.
Data Steward
Focused on data quality and metadata. Works for the data owner. Ensures data is appropriately labelled and classified according to the owner's policies. The operational role that makes sure classification rules are actually applied day-to-day. If the owner says "all financial data must be labelled Financial/Confidential," the steward verifies that happens.
Data Custodian
System administrators — responsible for the technical systems storing the data. Enforces access controls, encryption, and backup/recovery based on the data owner's requirements. This is the IT role in data governance. The custodian doesn't decide what classification the data gets — the owner does. The custodian implements the technical controls the owner mandates.
Privacy Officer
Oversees all privacy-related data (PII, SPI, PHI). The person who is on the hook when a data breach occurs involving personal data. Responsible for compliance with GDPR, HIPAA, GLBA, and other privacy regulations. Ensures the organisation maintains correct purpose limitations, consent, data minimisation, sovereignty, and retention for personal data. Also responsible for breach notification processes.
8

Data Sharing Agreements — SLA, ISA, NDA & Data Use

When data or systems are shared with third parties, formal agreements govern the relationship and establish accountability. Remember the key principle: you can outsource a task but not the legal responsibility. If your hosting provider loses your customer data, you are still liable to your customers — not the provider (unless your SLA specifically includes that).

SLA
Service Level Agreement
Contractual agreement defining detailed service terms — uptime guarantees, storage, bandwidth, support hours, security requirements. If the provider misses these terms, there are financial or legal consequences. Example: 99.99% uptime SLA = financial penalty for any additional downtime. Governs ongoing service relationships.
ISA
Interconnection Security Agreement
Used by federal agencies when allowing a third party to connect to government networks. Sets out security risk awareness processes and commits both parties to implementing specific security controls. Example: a training company connecting to the federal network must agree to quarterly vulnerability scans, patch within 30 days, and meet defined security standards.
NDA
Non-Disclosure Agreement
A contract establishing the legal basis for protecting information assets between two parties — "I'll keep your secrets and you'll keep mine." Prevents either party from disclosing information to those outside the agreement. Common with contractors, business partners, and pre-release product work. Both parties are bound — third parties are not covered.
DSA
Data Sharing and Use Agreement
Sets the terms under which personal data can be shared or used. Required when one organisation wants to share personal data with another — defines what data is shared, for what purpose, and what the receiving party can do with it. Must align with the privacy policy under which the data was originally collected (purpose limitation).
Outsource the task, not the responsibility. Hosting your website with an ISP means if the site gets hacked, your company still answers to customers and regulators — not the ISP. Hiring an HVAC contractor whose network bridges to yours means if they get breached (Target 2013), you bear reputational and legal consequences. Always ensure third-party agreements cover security obligations, audit rights, and breach notification — and verify they actually comply.

Exam

Quick Reference Cheat Sheet

Data classification
Military: Unclassified → Confidential → Secret → Top Secret. Commercial: Public → Private/Internal → Restricted → Top Restricted. Applied at creation (manually or auto via keywords). Higher classification = more restrictions + fewer authorised viewers. Declassification = downgrading when information no longer needs high protection. PII/SPI/PHI are subtypes under unclassified that still require care.
Data types & states
PII = personally identifiable. SPI = sensitive personal (race/religion/sexual orientation). PHI = personal health (HIPAA). Financial (PCI DSS/GLBA/SOX). Format: Structured (CSV/database, predefined fields) vs. Unstructured (email/slides/chat, freeform). States: at rest (storage, encrypt), in motion (network, TLS/VPN), in use (RAM/CPU, secure enclaves). Each state requires different security controls.
Privacy vs. security
Security = CIA triad (encryption=C, hashing=I, redundancy=A). Privacy = data governance requirement ensuring data is collected with consent and used only for stated purpose. You can have secure (encrypted) data that violates privacy (used without consent). Both must coexist. Privacy = right of the data subject; security = technical protection of the data.
Key regulations
GDPR = EU, all sectors, strongest protections, right to be forgotten, 72hr breach notification, informed consent, plain language. SOX = US publicly traded ≥$75M, financial document retention. GLBA = US financial institutions, protects financial privacy. FISMA = US federal govt + contractors, info assurance controls. HIPAA = US healthcare providers/hospitals/insurers, protects PHI. COSO = best practice framework, not a law.
Data policies (3 principles)
Purpose Limitation = data can only be used for the stated collection purpose (Privacy Act 1974 for US govt). Data Minimisation = collect only what is strictly necessary; document every collection process. Data Sovereignty = laws of the country where data is stored apply — server in Germany = GDPR; server in US = US law. Pseudonymisation/de-identification = remove identifiers to share aggregated data without consent.
Data retention
Short-term = online/active backup cycle (7 days to 1 month). Long-term = archive to prevent overwrite; meets multi-year legal requirements (SOX = 7 years). RPO drives retention design — can you afford to lose 5 minutes of data? 24 hours? Secure disposal when retention expires: paper = shred/burn; drives = degauss/physical destruction (drill/shred — format is NOT sufficient). Always involve legal counsel in retention policy development.
Data ownership roles
Data Owner = senior executive, ultimate accountability, sets classification (should be business domain leader, NOT IT). Data Steward = ensures labels and classifications are actually applied (works for owner). Data Custodian = IT/sysadmin, implements technical controls (access controls, encryption, backups) per owner's requirements. Privacy Officer = oversees PII/SPI/PHI, answers to regulators, manages breach notification, ensures GDPR/HIPAA compliance.
Data sharing agreements
SLA = Service Level Agreement (contractual, specific service terms, penalties for breach). ISA = Interconnection Security Agreement (federal agencies + third-party connections, mandates specific security controls). NDA = Non-Disclosure Agreement (legal protection of shared secrets between two parties only). DSA = Data Sharing and Use Agreement (terms under which personal data can be shared, must align with original consent). Key rule: outsource the task, never the legal responsibility.