Data Classification Policy Free Template

Here is a comprehensive Data Classification Policy aligned with SOC 2 (CC6.1) and ISO/IEC 27001:2022 (Controls A.5.12–A.5.13):

1. Document Control

  • Document Title: Data Classification Policy

  • Document Identifier: POL-ALL-006

  • Version Number: v1.0

  • Approval Date: <23 June 2025>

  • Effective Date: <23 June 2025>

  • Review Date: <23 June 2026>

  • Document Owner: <Chief Information Security Officer>

  • Approved By: <Information Security Governance Committee>

2. Purpose

The purpose of this Data Classification Policy is to establish a standardized approach for classifying and handling data based on its level of sensitivity, value, and criticality to <Organization Name>. Proper classification enables the organization to apply proportionate levels of security and ensure that information is handled and protected according to its risk profile.

This policy supports <Organization Name>'s compliance with ISO/IEC 27001:2022 controls A.5.12 (classification of information) and A.5.13 (labelling of information). It also aligns with SOC 2 Trust Services Criteria CC6.1, which requires logical access controls that restrict access to protected information assets to authorized users. By classifying data accurately, the organization can reduce exposure to legal, financial, and reputational risks and ensure that privacy, confidentiality, and regulatory requirements are met.

3. Scope

This policy applies to all data created, accessed, stored, transmitted, or processed by personnel, systems, or service providers. It encompasses:

  • Structured and unstructured data (e.g., databases, documents, spreadsheets, email)

  • Electronic and physical formats

  • Internal, customer, and third-party data

  • Cloud-hosted, on-premises, and hybrid environments

The policy applies to all employees, contractors, vendors, and third parties with access to <Organization Name>'s information assets.

4. Policy Statement

All data within <Organization Name> must be classified into one of the following categories:

  1. Restricted – Data that, if disclosed, could cause significant harm (e.g., PII, PHI, trade secrets, financial data, legal records). Requires encryption, strict access control, and monitoring.

  2. Confidential – Internal-use-only data that, if exposed, could impact operations or competitiveness (e.g., internal emails, project plans, partner information).

  3. Internal – General business data not intended for public consumption but not highly sensitive (e.g., policies, training materials).

  4. Public – Data approved for release to the public (e.g., marketing brochures, published reports).

All data owners must ensure their data is classified upon creation and reviewed periodically to reflect changes in use, sensitivity, or regulatory relevance.

5. Safeguards

<Organization Name> enforces classification safeguards as follows. For each level, the required access, storage, transmission, and retention/disposal controls are:

Restricted

  • Access Level: Least privilege; need-to-know only

  • Storage Requirements: Encrypted storage; MFA required for access

  • Transmission Requirements: Encrypted in transit (TLS or IPsec)

  • Retention & Disposal: Secure deletion; retained 7–10 years

Confidential

  • Access Level: Role-based access

  • Storage Requirements: Secure folders; server-side encryption

  • Transmission Requirements: VPN or TLS

  • Retention & Disposal: Policy-based deletion

Internal

  • Access Level: All staff

  • Storage Requirements: Standard file shares

  • Transmission Requirements: Standard email

  • Retention & Disposal: Routine disposal

Public

  • Access Level: Unrestricted

  • Storage Requirements: Public repositories

  • Transmission Requirements: Unrestricted

  • Retention & Disposal: As needed

Labelling standards include metadata tagging, classification banners in documents, and automated DLP rules based on content sensitivity.
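The following is an added illustration of what a content-based DLP rule set for the four-tier scheme above can look like; it is example code, not part of the BlueDocs template or any product. The detector patterns, the channel names, the Luhn filter on card-like digit runs, the rule that a channel acceptable for a higher level is acceptable for a lower one, and the sample documents are all constructed assumptions. It reconciles the owner's declared label with what the content contains, flags unlabelled and under-labelled data, and checks a proposed transmission channel against the safeguards table.

```python
# Added illustration (not from the BlueDocs template): content-based classification
# floors plus a transmission-channel check against the safeguards table above.
# Detector patterns, channel names and sample documents are constructed assumptions.
import re
from typing import Optional

LEVELS = ["Public", "Internal", "Confidential", "Restricted"]
RANK = {name: i for i, name in enumerate(LEVELS)}

# Constructed content detectors: a hit sets a floor on the classification and the
# highest floor wins. Real DLP rule sets are far larger than this.
PATTERNS = {
    "ssn": (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "Restricted"),
    "card": (re.compile(r"\b(?:\d[ -]?){13,19}\b"), "Restricted"),
    "confidential_banner": (re.compile(r"\bCONFIDENTIAL\b"), "Confidential"),
    "internal_banner": (re.compile(r"\bINTERNAL USE ONLY\b"), "Internal"),
}

# Transmission channels permitted per level, following the safeguards table.
# Assumption: a channel acceptable for a higher level is acceptable for a lower one.
ALLOWED_CHANNELS = {
    "Restricted": {"tls", "ipsec"},
    "Confidential": {"tls", "ipsec", "vpn"},
    "Internal": {"tls", "ipsec", "vpn", "email"},
    "Public": {"tls", "ipsec", "vpn", "email", "public_repo"},
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to drop digit runs that merely look like card PANs."""
    total = 0
    parity = len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:  # every second digit from the right, excluding the check digit
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def detect(text: str) -> list:
    """Return (detector, level) pairs for every confirmed hit in the text."""
    hits = []
    for name, (rx, level) in PATTERNS.items():
        for m in rx.finditer(text):
            if name == "card" and not luhn_ok(re.sub(r"[ -]", "", m.group())):
                continue  # 13-19 digit run that fails Luhn is not treated as a PAN
            hits.append((name, level))
    return hits


def required_level(text: str) -> str:
    """Lowest classification the content permits; 'Public' means no content-based floor."""
    hits = detect(text)
    if not hits:
        return "Public"
    return max((level for _, level in hits), key=RANK.__getitem__)


def evaluate(text: str, declared_label: Optional[str], channel: str) -> dict:
    """Reconcile the owner's label with the content, then check the transmission channel.

    Unlabelled data is treated as Internal at minimum: the policy requires a label at
    creation, and a scanner cannot infer that something was approved for public release.
    """
    required = required_level(text)
    if declared_label is None:
        effective = max(("Internal", required), key=RANK.__getitem__)
    elif RANK[declared_label] < RANK[required]:
        effective = required  # under-labelled: the content decides
    else:
        effective = declared_label
    return {
        "required": required,
        "effective": effective,
        "unlabelled": declared_label is None,
        "under_labelled": declared_label is not None and RANK[declared_label] < RANK[required],
        "channel_allowed": channel in ALLOWED_CHANNELS[effective],
    }


if __name__ == "__main__":
    # Constructed sample documents: (content, declared label or None, proposed channel).
    samples = [
        ("Customer SSN 123-45-6789 on file.", "Internal", "email"),
        ("Card 4111 1111 1111 1111 expires 12/27", None, "tls"),
        ("Ticket 1234 5678 9012 3456 raised by support", "Internal", "email"),
        ("Q3 roadmap - INTERNAL USE ONLY", None, "email"),
    ]
    for text, label, channel in samples:
        print(repr(text), label, channel, evaluate(text, label, channel))
```

The design point worth noting is that the scanner only ever raises a classification; it never lowers one, and it never assigns Public on its own, because approval for release is a decision a data owner makes, not something content inspection can infer. The Luhn check shows why pattern-only rules produce noisy DLP incidents: a ticket number with 16 digits would otherwise be flagged as a card number.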

6. Roles and Responsibilities

  • Data Owners: Responsible for assigning, reviewing, and updating data classifications.

  • CISO and Information Security Team: Define classification categories, provide training, and monitor adherence.

  • All Users: Understand the classification system, apply correct labels, and protect data according to its classification.

  • IT Operations: Implement technical controls (e.g., encryption, DLP, backup) aligned to classification levels.

7. Compliance and Exceptions

Compliance is assessed through:

  • Quarterly audits of shared drives, DLP incidents, and encryption settings

  • User training assessments

  • Documentation checks for classification metadata

Requests for exception must include justification and mitigation steps and be approved by the CISO. Exceptions are subject to quarterly review.

8. Enforcement

Failure to comply with this policy may result in:

  • Revocation of system access

  • Disciplinary action up to and including termination

  • Breach reporting to regulatory bodies where required

  • Contract termination or legal consequences for vendors

All incidents of mishandling classified data will be investigated and recorded.

9. Related Policies/Documents

  • POL-ALL-001: Information Security Policy

  • POL-ALL-005: Encryption Policy

  • PRC-ALL-004: Classification and Labelling Procedure

  • ISO/IEC 27001:2022: A.5.12–A.5.13

  • SOC 2 Criteria: CC6.1

10. Review and Maintenance

This policy will be reviewed annually or upon any material changes in regulatory, legal, or business requirements. The CISO will coordinate the review and update process with the data governance team and key business stakeholders. Updated versions will be published and communicated to all users.
