# Data Classification Policy

**Company:** [Company Name]
**Effective date:** [Date]
**Policy owner:** [Owner / Role]

## Purpose

This policy gives [Company Name] a simple, shared way to label information by how sensitive it is, so everyone knows how to store, share, and dispose of it. Consistent classification means we protect important data without slowing down work on data that needs little protection.

## Scope

This policy applies to all information created, received, stored, or processed by [Company Name], in any format, and to everyone who handles it.

## The Four Levels

| Level | Definition | Examples |
|-------|------------|----------|
| Public | Information meant for anyone; release causes no harm. | Marketing pages, published blog posts, public job listings. |
| Internal | Day-to-day business information not meant for outsiders; exposure causes limited harm. | Internal memos, team wikis, non-sensitive project notes. |
| Confidential | Sensitive business or personal data; exposure causes real harm to the company, customers, or staff. | Customer records, contracts, financials, employee personal data. |
| Restricted | Highly sensitive; exposure could cause serious harm, including legal or regulatory consequences. | Secrets and cryptographic keys, credentials, payment data, health data, sensitive IP. |

When unsure, classify higher rather than lower, and ask the data owner.

## Handling Requirements

| Requirement | Public | Internal | Confidential | Restricted |
|-------------|--------|----------|--------------|------------|
| Storage | Any approved location. | Company systems only. | Access-controlled company systems. | Strictly access-controlled, isolated where possible. |
| Sharing | Freely. | Inside the company; with outsiders only with reason. | Need-to-know; with outsiders only under agreement. | Tight need-to-know; explicit owner approval. |
| Encryption | Not required. | In transit recommended. | In transit and at rest. | In transit and at rest; strong controls on keys. |
| Retention / disposal | Keep as useful; routine disposal. | Keep per business need; routine secure disposal. | Keep only as needed; secure deletion/shredding. | Minimal retention; verified secure destruction. |

When a data set mixes levels (a spreadsheet, a database, a shared folder), handle the whole set at the highest level any single item in it requires.

## Roles

- **Data owners** assign the classification for the information their area produces and approve who may access it.
- **All staff** apply the correct handling for the data they touch and flag it to the data owner for re-classification if its sensitivity changes.
- **Policy owner ([Owner / Role])** maintains this policy and the level definitions.

## Review

This policy is reviewed at least annually, and after any major change to the business, systems, or regulations. The policy owner records changes below.

## Version History

| Version | Date | Author | Summary of changes |
|---------|------|--------|--------------------|
| 1.0 | [Date] | [Owner / Role] | Initial version. |
| | | | |

*Template by Cipherwire (cipherwire.biz). An original starting point, not legal advice — adapt it to your environment and have it reviewed before you rely on it.*
