Data Classification Policy document instructions
How should I use my Data Classification Policy document?
This document actively defines the way your company classifies data. This policy can and should apply to any types of data that are used within and across your company. You should fill in this template with your company particulars, and store for safekeeping with the rest of your GDPR documents.
Will I need to update my Data Classification Policy document?
Yes. After completion, you should then review company’s Data Classification Policy document at least every six months, amending where necessary, to ensure your company remains GDPR compliant.
1. Policy introduction
Here at [Psychedelic Soul Sound Limited], we are committed to data security, the privacy of the individual and upholding all our compliance obligations under GDPR. We take our responsibilities seriously, and we recognise that the use of information assets and data form a crucial aspect of our business activity. That is why we’ve devised the following Data Classification Policy to outline the way in which we classify and use data.
Our Data Classification Policy is designed to ensure that:
- [Psychedelic Soul Sound Limited] adheres to all necessary legal obligations
- We implement controls to maximise return on investment
- [Psychedelic Soul Sound Limited] maintains availability, confidentiality and integrity where necessary for all data
- Our company has the ability to chart data protection levels that protect both [Psychedelic Soul Sound Limited] as well as the individuals whose personal data we must collect, process or store
- We are able to avoid threats of disclosure and/or unauthorised access to data
2. Policy values
Data classification is a vital process our company must carry out to ensure the individuals who claim a legitimate right to access information we hold are able to do so. Our data classification process must also ensure our data and any other piece of information we hold is protected from any and all individuals or organisations that should not have access to that information.
[Psychedelic Soul Sound Limited]’s Data Classification Policy identifies and elaborates upon the correct handling and classification processes our company must use, as per the regulatory requirements that we:
3. Policy objectives
[Psychedelic Soul Sound Limited]’s Data Classification Policy has been developed to meet the following objectives:
- To outline the duties and responsibilities of [Psychedelic Soul Sound Limited] employees that ensure data is kept safe and secure
- To establish a robust data classification process that is consistent and compliant with UK regulatory requirements
- To ensure data is sufficiently protected and encrypted so that unwarranted actions will not be taken against [Psychedelic Soul Sound Limited] in the event data is lost, damaged or accessed illegally
- To avoid and minimise reputational or operational damage to [Psychedelic Soul Sound Limited], our stakeholders, clients, customers or partners associated with compromised data
4. Policy implementation
To make sure our Data Classification Policy is effective, [Psychedelic Soul Sound Limited] will implement the following procedures:
- All users of data will be identified and provided access to data in which they have a legitimate need to access
- All data will be classified, managed and controlled in relation to its correct categorisation, as per the processes and requirements outlined within this policy
- [Psychedelic Soul Sound Limited] must ensure control mechanisms are created and implemented to protect data we collect, process or store
- All control mechanisms and classification protocols must be reviewed and amended as required by law on a regular basis
- Data users and data controllers must implement and maintain adequate levels of physical security as required, in relation to computer facilities or access terminals from which data can be viewed or accessed
- [Psychedelic Soul Sound Limited] must ensure that all data and relevant equipment is safely disposed of, as and when required
5. Obligations under GDPR (2018) and Data Protection Act 2018 (DPA)
[Psychedelic Soul Sound Limited] is committed to meet its regulatory obligations under GDPR and DPA. That is why we are committed to ensure that adequate and appropriate measures are taken to prevent the unauthorised access or illegal processing or storage of data. We are required to do everything we can, within reason, to protect the data we use and hold against destruction, accidental loss or damage.
6. Data classifications
Data that is sensitive in nature must be adequately protected at all times. To properly assign safeguards, all data that our company collects, processes or stores must be assigned one of the following classification categories:
A vast amount of the data [Psychedelic Soul Sound Limited] uses will most likely be classed as being either ‘Public’ or ‘Open’ data. Any information relating to an individual or organisation that could identify them or is personal or private in nature must be assigned a category of either ‘Confidential’ or ‘Strictly Confidential’.
This is to ensure Psychedelic Soul Sound Limited [] upholds its regulatory commitment to uphold the rights of individuals, as outlined under GDPR.
On rare occasions, [Psychedelic Soul Sound Limited] may wish to class data as ‘Secret’. If an employee is unsure as to whether they should categorise a piece of data as being secret – or if they need assistance in classifying any other piece of data, they should consult a line manager. If no manager is available for consultation, data should default to a ‘Confidential’ classification.
7. Data classification types and handling procedures
To minimise discrepancies and ensure [Psychedelic Soul Sound Limited] does everything it can to uphold its regulatory commitments, the following working definitions should be associated with the aforementioned classification categories.
Public data
Public data is information or data that can be accessed by any external individual or organisation.
Types of public data might include:
How to handle public data:
Public data should be formatted to allow for the most basic security measures. Examples might include converting a Word document into a PDF to avoid others editing it, as this could subsequently cause some form of reputational damage.
Open
Anyone is able to access this information.
Types of open data might include:
How to handle open data:
Open data should be formatted to allow for the most basic security measures. Examples might include converting a Word document into a PDF to avoid others editing it, as this could subsequently cause some form of reputational damage.
Confidential data
Access to confidential data must be limited only to individuals who have been granted appropriate authorisation to view or process that information.
Alternatively, there may be occasions in which unauthorised individuals or stakeholders may need to be granted access to confidential data; however, this access must only be provided on a need-to-know basis.
Types of confidential data might include:
-
Someone’s personal details or any information that could be used to identify them. Examples of identifiable or personal details include:
- Name
- Date of birth
- Address
- Telephone number
- Email address
- National Insurance number
- Race
- Religion
- Health details
- Political affiliations
- Trade union membership
- Criminal offences
- Employee contracts
- Non-Disclosure Agreements
- Employee contracts
- Unfinished or unapproved company documents
- Employee wage slips
- Death certificates
- PDR documentation
How to handle confidential data:
How to handle confidential data:
-
Paper documents must be:
- In secure locked storage
- Transported in sealed envelopes only
- Transported by an approved third-party courier service
- Securely disposed of
-
Electronic data must be:
- Encrypted
- Password-protected wherever possible
- Transportation must follow secure file transfer protocol
- Storage must be limited to secure file stores
- Securely disposed of
Strictly confidential data
A minimal number of authorised individuals, authorities or other stakeholders may be permitted access to data that has been classified as being ‘Strictly confidential’.
Types of strictly confidential data might include:
How to handle strictly confidential data:
As and where required to handle strictly confidential data, employees should exercise the following handling processes:
-
Paper documents must be:
- In secure locked storage
- Transported in sealed envelopes only
- Transported by an approved third-party courier service
-
Electronic data must be:
- Encrypted
- Password-protected wherever possible
- Transportation must follow secure file transfer protocol
- Storage must be limited to secure file stores
- Tagged
Secret data
Access to data that has been classed as ‘Secret’ or a request to access secret data is subject to the Official Secrets Act.
Various types of secret data may require different controls and circumstances. Bearing that in mind, individual protocols should be reviewed on a case-for-case basis in line with UK Government requirements. Government advice concerning the handling of secret data should be sought.
8. Data classification markings
Data classification markings need to be clearly visible at all times and must match the classification category in which that data has been assigned. Appropriate data classification identification markings should be included either at the top, bottom or centre of each document page.
9. Reclassifying data
There may be occasions in which data must be reclassified from one data category to another data category. The need for reclassification could depend upon a content change, or an alteration in terms of the data’s intent, where it is stored or how it is being used. Before reclassifying data, a firm and justifiable rationale must be established. If in doubt, contact the Data Protection Officer or your line manager for guidance.
10. Sensitive data
It is the responsibility of the data owner or the data originator to define the category of data classification for a piece of data. Responsibility also rests with the data owner or originator to ensure that adequate protection has been afforded to that data in line with its relevant classification.
Any data that could or should be defined as being personal in nature must be afforded a higher level of protection and be treated as data that is sensitive. Personal data can be classed as information relating to an individual that could identify them. Aforementioned examples of sensitive personal data might include (among other pieces of data) a person’s name, contact information, race, religion, political affiliations, sexual preference and so on.
Sensitive data must be identified and assessed on a case-for-case basis. In most cases, sensitive data will inherently be classed as confidential; thus, access and/or availability must be limited.
Sensitive data which is made available in the public domain can lead to reputational damage for private individuals or company employees. As a company we must ensure that sensitive data is given sufficient protection to protect individuals, company employees and the company itself.
11. Data storage and backup
Because data is such an integral aspect of our business, it is everyone’s responsibility at [COMPANY NAME] to do everything within their power to ensure that sensitive data is being collected, processed, backed up, stored and secured in line with company policy.
12. Data anonymisation
Prior to the sharing, transfer or disclosure of data, [COMPANY NAME] and its employees must take all necessary steps to ensure that the anonymity of corresponding data subjects is protected and maintained in line with our regulatory commitments.
Necessary steps may include omitting or redacting (deleting) said personal identifiers within a piece of data. Audio visual data or verbally exchanged data recordings should be likewise edited.
13. Secure data disposal
Sensitive data that is no longer needed or has reached an ‘end of life’ classification as decided upon by the relevant authorised individuals must be disposed of in a secure fashion. Examples of disposing data as stored on paper would include shredding.
14. Data security response
If data is damaged or lost, it must be immediately reported to an appropriate line manager and company Data Protection Officer, and logged as an incident requiring urgent response.
