Here at HEALTHBOTICS LTD, we are committed to data security, the privacy of the individual and upholding all our compliance obligations under GDPR. We take our responsibilities seriously, and we recognise that the use of information assets and data form a crucial aspect of our business activity. That is why we’ve devised the following Data Classification Policy to outline the way in which we classify and use data.
Our Data Classification Policy is designed to ensure that:
Data classification is a vital process our company must carry out to ensure the individuals who claim a legitimate right to access information we hold are able to do so. Our data classification process must also ensure our data and any other piece of information we hold is protected from any and all individuals or organisations that should not have access to that information.
HEALTHBOTICS LTD’s Data Classification Policy identifies and elaborates upon the correct handling and classification processes our company must use, as per the regulatory requirements that we:
HEALTHBOTICS LTD’s Data Classification Policy has been developed to meet the following objectives:
To make sure our Data Classification Policy is effective, HEALTHBOTICS LTD will implement the following procedures:
HEALTHBOTICS LTD is committed to meet its regulatory obligations under GDPR and DPA. That is why we are committed to ensure that adequate and appropriate measures are taken to prevent the unauthorised access or illegal processing or storage of data. We are required to do everything we can, within reason, to protect the data we use and hold against destruction, accidental loss or damage.
Data that is sensitive in nature must be adequately protected at all times. To properly assign safeguards, all data that our company collects, processes or stores must be assigned one of the following classification categories:
A vast amount of the data HEALTHBOTICS LTD uses will most likely be classed as being either ‘Public’ or ‘Open’ data. Any information relating to an individual or organisation that could identify them or is personal or private in nature must be assigned a category of either ‘Confidential’ or ‘Strictly Confidential’.
This is to ensure HEALTHBOTICS LTD upholds its regulatory commitment to uphold the rights of individuals, as outlined under GDPR.
On rare occasions, HEALTHBOTICS LTD may wish to class data as ‘Secret’. If an employee is unsure as to whether they should categorise a piece of data as being secret – or if they need assistance in classifying any other piece of data, they should consult a line manager. If no manager is available for consultation, data should default to a ‘Confidential’ classification.
To minimise discrepancies and ensure HEALTHBOTICS LTD does everything it can to uphold its regulatory commitments, the following working definitions should be associated with the aforementioned classification categories.
Public data is information or data that can be accessed by any external individual or organisation.
Types of public data might include:
How to handle public data:
Public data should be formatted to allow for the most basic security measures. Examples might include converting a Word document into a PDF to avoid others editing it, as this could subsequently cause some form of reputational damage.
Anyone is able to access this information.
Types of open data might include:
How to handle open data:
Open data should be formatted to allow for the most basic security measures. Examples might include converting a Word document into a PDF to avoid others editing it, as this could subsequently cause some form of reputational damage.
Access to confidential data must be limited only to individuals who have been granted appropriate authorisation to view or process that information.
Alternatively, there may be occasions in which unauthorised individuals or stakeholders may need to be granted access to confidential data; however, this access must only be provided on a need-to-know basis
Types of confidential data might include:
How to handle confidential data:
As and where required to handle confidential data, employees should exercise the following handling processes:
A minimal number of authorised individuals, authorities or other stakeholders may be permitted access to data that has been classified as being ‘Strictly confidential’
Types of strictly confidential data might include:
How to handle strictly confidential data:
As and where required to handle strictly confidential data, employees should exercise the following handling processes:
Access to data that has been classed as ‘Secret’ or a request to access secret data is subject to the Official Secrets Act.
Various types of secret data may require different controls and circumstances. Bearing that in mind, individual protocols should be reviewed on a case-for-case basis in line with UK Government requirements. Government advice concerning the handling of secret data should be sought.
Data classification markings need to be clearly visible at all times and must match the classification category in which that data has been assigned. Appropriate data classification identification markings should be included either at the top, bottom or centre of each document page.
There may be occasions in which data must be reclassified from one data category to another data category. The need for reclassification could depend upon a content change, or an alteration in terms of the data’s intent, where it is stored or how it is being used. Before reclassifying data, a firm and justifiable rationale must be established. If in doubt, contact the Data Protection Officer or your line manager for guidance.
It is the responsibility of the data owner or the data originator to define the category of data classification for a piece of data. Responsibility also rests with the data owner or originator to ensure that adequate protection has been afforded to that data in line with its relevant classification.
Any data that could or should be defined as being personal in nature must be afforded a higher level of protection and be treated as data that is sensitive. Personal data can be classed as information relating to an individual that could identify them. Aforementioned examples of sensitive personal data might include (among other pieces of data) a person’s name, contact information, race, religion, political affiliations, sexual preference and so on.
Sensitive data must be identified and assessed on a case-for-case basis. In most cases, sensitive data will inherently be classed as confidential; thus, access and/or availability must be limited. Sensitive data which is made available in the public domain can lead to reputational damage for private individuals or company employees. As a company we must ensure that sensitive data is given sufficient protection to protect individuals, company employees and the company itself.
Because data is such an integral aspect of our business, it is everyone’s responsibility at HEALTHBOTICS LTD to do everything within their power to ensure that sensitive data is being collected, processed, backed up, stored and secured in line with company policy.
Prior to the sharing, transfer or disclosure of data, HEALTHBOTICS LTD and its employees must take all necessary steps to ensure that the anonymity of corresponding data subjects is protected and maintained in line with our regulatory commitments.
Necessary steps may include omitting or redacting (deleting) said personal identifiers within a piece of data. Audio visual data or verbally exchanged data recordings should be likewise edited.
Sensitive data that is no longer needed or has reached an ‘end of life’ classification as decided upon by the relevant authorised individuals must be disposed of in a secure fashion. Examples of disposing data as stored on paper would include shredding.
If data is damaged or lost, it must be immediately reported to an appropriate line manager and company Data Protection Officer, and logged as an incident requiring urgent response.