
"Ground Control to Major Tom: Your data classification seems to be drifting..."
Let's not sugarcoat it—data is a mess. It's sprawling across your org like glitter after a kids' birthday party. You've got CSVs, reports, logs, backups, JSON blobs from who-knows-where—and half of it contains stuff that would give your CISO a nosebleed.
So here's the deal: classification isn't paperwork. It's the difference between "we got this" and "we're on the front page of the Courier-Mail."
What Even Is Classification?
It's not magic. It's not theoretical. It's just tagging your data with a label that says "if this leaks, how cooked are we?"
If you're in the Queensland Government (or trying to play nicely with it), there's a handy thing called the QGISCF. It gives you three core levels:
- UNCLASSIFIED – No big deal. Share away.
- PROTECTED – Getting spicy. Mishandling this gets you audits.
- CONFIDENTIAL – Very spicy. Legal, reputational, and operational nightmares.
The guideline helps you figure out where your data sits. Use it.
OK But How Do You Actually Do It?
You can:
- Stare at spreadsheets and manually mark them up.
- Use tagging in tools like Microsoft Purview or Talend (they're not awful).
- Set up automated scans to catch PII/PHI/IP using regex, AI, or sheer brute force.
- Build a catalogue so you can finally stop asking "what's in this bucket?"
None of this is rocket science. It's just boring. But do it anyway.
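Here is what the regex option can look like in practice, as an added example (not code from the original post or from any tool it names). It goes one step past plain pattern matching by checksum-validating digit runs, which is the usual fix for a scanner that flags every order number. The mapping from finding type to label, the function names and the sample strings are assumptions made for illustration.

```python
import re

LEVELS = ["UNCLASSIFIED", "PROTECTED", "CONFIDENTIAL"]  # lowest to highest
# Assumed mapping for illustration; derive real values from the QGISCF.
RULE_LABEL = {"email": "PROTECTED", "tfn": "CONFIDENTIAL", "card": "CONFIDENTIAL"}

def luhn_ok(digits):
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def tfn_ok(digits):
    """Weighted checksum for 9-digit Australian tax file numbers."""
    weights = (1, 4, 3, 7, 5, 8, 6, 9, 10)
    return sum(int(c) * w for c, w in zip(digits, weights)) % 11 == 0

# (name, pattern, validator): the validator rejects digit runs that only look like PII.
RULES = [
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"), None),
    ("card", re.compile(r"\b(?:\d[ -]?){15}\d\b"), luhn_ok),
    ("tfn", re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{3}\b"), tfn_ok),
]

def scan(text):
    """Return (suggested_label, sorted finding names) for one blob of text."""
    found = set()
    for name, pattern, validate in RULES:
        for m in pattern.finditer(text):
            digits = re.sub(r"\D", "", m.group())
            if validate is None or validate(digits):
                found.add(name)
                break  # one confirmed hit per rule is enough to label
    label = max((RULE_LABEL[n] for n in found),
                key=LEVELS.index, default="UNCLASSIFIED")
    return label, sorted(found)

# Constructed sample text, not real data.
SAMPLES = [
    "Order 123 456 789 shipped",                # fails the TFN checksum
    "Contact jo@example.com, TFN 123 456 782",  # passes it
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(scan(s), s)
```

Treat the output as a suggested label for a human to confirm, not a final classification.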
Tips from the Burn Unit
- Label early. Don't wait for a perfect policy. Start with good enough.
- Update often. If your infra changes, so should your labels.
- Educate the humans. Engineers and analysts can't follow rules they don't know.
- Automate, but don't overdo it. A badly configured scanner is worse than none.
- Don't overthink it. If you need three workshops to name a folder, you're doing it wrong.
The Big Finish
Classify your data like it matters—because it does. It's the first step in actually understanding your environment, not just reacting when something breaks.
You don't need a 12-month strategy. You need someone to take five minutes, look at the bloody file, and tag it properly.
Oh, and when you finally decommission that 2009-era Access database that's been holding together your reporting stack? Say thank you. Then torch it.