Data Classification & Handling Policy
1. Purpose
To ensure data is classified by sensitivity and handled with appropriate controls.
2. Classification levels
- Public. Information intended for public release (e.g. marketing content).
- Internal. Day-to-day business information not intended for public release.
- Confidential. Client data, source code, designs, and business-sensitive information.
- Restricted. Secrets, credentials, and personal data subject to legal protection.
3. Handling rules
| Level | Storage | Sharing | Encryption |
|---|---|---|---|
| Public | Any approved system | Unrestricted | Optional |
| Internal | Approved systems | Internal only | In transit |
| Confidential | Approved systems, access-controlled | Need-to-know | In transit & at rest |
| Restricted | Secrets manager / encrypted store | Strictly need-to-know | In transit & at rest |
4. Responsibilities
All personnel must classify data they create or handle and apply the corresponding controls.
5. Review
This policy is reviewed at least annually.