Information Classification and Handling Policy

The Information Classification and Handling Policy defines the structure and approach to managing data security, confidentiality, and privacy.

 

The Consumer Data Right gives Australian’s control of their data. That enables innovation in new products and services to those consumers. To participate as a data recipient, there are five governance requirements and 24 information security requirements. These are independently audited by a qualified firm like AssuranceLab, and included in an assurance report for accreditation.

 

Example Classification and Handling

 

The classification sets out the types of data and the corresponding level of protection that is applied. When the term “sensitive” is used, this includes Restricted, Private, and Confidential data.

 

Restricted

 

This is the most sensitive information that is intended for use on a “need-to-know” basis. It’s unauthorized disclosure within the company or externally may adversely impact the company, its customers, partners, and/or suppliers. This includes:

  • Board reports
  • Customer data specifically flagged as commercially sensitive
  • Strategic business plans

 

Private

 

All data that relates to an individual person and can reasonably be used to identify that specific person, is classified as private. There are varying levels of sensitivity with private data. The difference between Private data compared to Restricted and Confidential data, is that the appropriate protection and use of Private data is determined by the data subject or person who the data is in relation to. A type of data may be both Private and Restricted or Confidential. This includes:

  • Personal details like name, employee ID, credit card details, bank account number
  • Personal preferences, sexual orientation, health conditions
  • Employee performance reviews, employment contracts

 

Confidential

 

This classification applies to all business information that is not publicly disclosed and should be protected from unauthorized access. This may include:

  • All customer data not specifically tagged as commercially sensitive
  • Customer and third-party contracts 
  • Internal documentation related to company practices that is not approved to be public

 

Public

 

Public information includes that which is already publicly available or has been approved by management for release to the public. This may include:

  • Quotations and proposal information
  • User guides and customer-facing system documentation
  • Contact and company lists and public details

 

Data Handling

 

Data handling is a broad practice that is critically important to protecting the security, confidentiality, integrity, and availability of data used by the company and its customers. The following practices should be applied to ensure effective data handling:

  • Only collecting data where there is a legitimate need;
  • Protecting the security and confidentiality of all data by default, unless known or approved otherwise;
  • Classifying, labeling, and verballing communicating the type of information in accordance with the categories above to ensure awareness by other users;
  • Applying encryption of sensitive data at rest and in transit over networks in line with approved cryptography protocols; and
  • Always store sensitive data in approved and secure storage locations.

 

The CDR Perspective

 

The Information Classification and Handling Policy defines the structure and approach to managing data that supports the information asset lifecycle. The CDR requires that; the accredited data recipient must document and implement processes that relate to the management of CDR data over its lifecycle, including an information classification and handling policy (which must address the confidentiality and sensitivity of CDR data) and processes relating to CDR data backup, retention, and, in accordance with Rules 7.12 and 7.13, deletion and de-identification.

 

About AssuranceLab

 

AssuranceLab is a modern cybersecurity audit firm that provides assurance reports (ASAE 3150, SOC 1/2). We're experts in the latest software and cloud providers. We guide your team through the compliance practices in a way that fits your environment and culture. We work closely with clients through our agile and collaborative approach; saving time, costs, and headaches along the way.

Some additional information in one line