Data Classification, Handling and Disposal Policies

AL Refs: CON01, IAL03, PMN12, PRV21

Purpose

The confidentiality policies define the approach to classifying, handling and disposing of data to ensure it is managed consistently and in line with compliance requirements. 

Example Data Classification, Handling and Disposal Policies

Data Classification

The following classification sets out the types of data and the corresponding level of protection that is applied. When the term “sensitive” is used, this includes Restricted, Private and Confidential data.

Restricted

This is the most sensitive information and is intended for use on a “need-to-know” basis. Its unauthorized disclosure, whether among AssuranceLab employees or externally, may adversely impact AssuranceLab, its customers, partners, and/or suppliers. This includes:

  • Board reports
  • Customer data specifically flagged as commercially sensitive
  • Strategic business plans

CDR Data

Data that is collected from Data Holders under the Consumer Data Right Rules 2020. This data is subject to compliance with those Rules, including Schedule 2, Part 2 security requirements. This data can only be used in line with the ACCC-approved use case(s), in line with the consumer consent obtained, and only with other accredited parties or as otherwise allowed by the CDR Rules.

Private

All data that relates to an individual person and can reasonably be used to identify that specific person is classified as Private. There are varying levels of sensitivity within Private data. The difference between Private data and Restricted or Confidential data is that the appropriate protection and use of Private data is determined by the data subject, that is, the person to whom the data relates. A type of data may be both Private and Restricted or Confidential. This includes:

  • Personal details like name, employee ID, credit card details, bank account number
  • Personal preferences, sexual orientation, health conditions
  • Employee performance reviews, employment contracts

Confidential

This classification applies to all business information that is not publicly disclosed and should be protected from unauthorized access. This may include:

  • All customer data not specifically tagged as commercially sensitive
  • Customer and third-party contracts
  • Internal documentation related to company practices that is not approved to be public

Public

Public information includes that which is already publicly available or has been approved by AssuranceLab management for release to the public. This may include:

  • Quotations and proposal information
  • User guides and customer-facing system documentation
  • Contact and company lists and public details

Data Handling

Data handling is a broad practice that is critically important to protecting the security, confidentiality, integrity and availability of data used by AssuranceLab and its customers. The following practices should be applied to ensure effective data handling:

  • Only collecting data where there is a legitimate need;
  • Protecting the security and confidentiality of all data by default, unless known or approved otherwise;
  • Classifying, labelling and verbally communicating the type of information in accordance with the categories above to ensure awareness by other users;
  • Applying encryption of sensitive data at rest and in transit over networks in line with approved cryptography protocols; and
  • Always storing sensitive data in approved and secure storage locations.

Data Disposal

When system assets, devices and hard copy documents are disposed of, the information security practices that otherwise apply are removed. It is important to ensure all sensitive data is completely and effectively erased before these protections are removed. The following practices should be applied to ensure effective asset disposal and data erasure:

  • Shred, incinerate or otherwise dispose of sensitive hard copy documents in an approved way;
  • Report any loss, damage or theft of AssuranceLab information assets and devices immediately to the security team;
  • Log all asset disposals in the media disposal log to maintain an audit trail, including data, the person who completed the disposal and the method of disposal performed;
  • Notify the security team and provide any assets to the security team prior to disposal so that it can complete the data erasure or verify that it is complete;