OasisLMS
APPENDIX B - Data Classification and Handling Guidelines
Pdf Summary
This document outlines Oakleaf’s four-level data classification scheme and the required handling controls for each level to protect information assets. The classifications are: <strong>Restricted</strong> (most sensitive, often driven by legal/contractual obligations; includes client NPI/PII such as SSNs, financial account numbers, ePHI), <strong>Confidential</strong> (high-value internal sensitivity such as employee PII, accounting/payroll/financial data), <strong>Private</strong> (default for most business information not intended for public release), and <strong>Public</strong> (approved for general release).

General rules include: all job-related information is <strong>Private by default</strong> unless designated otherwise; when datasets are combined, the <strong>most restrictive classification</strong> applies to the entire system; and data may not be moved to a new format or medium unless equivalent security controls exist. Restricted/Confidential/Private data must not be released publicly, but may be shared with third parties when there is a business need and appropriate controls. Exceptions require CEO and CISO approval. The policy defines NPI/PII as a person’s name combined with identifiers such as government-issued IDs (SSN/TIN, passport, resident card), driver’s license, financial account/payment card numbers, or ePHI.

Handling requirements vary by class. <strong>Restricted</strong> requires encryption at rest and in transit, prohibits storage on mobile devices and cloud services, disallows IM/FTP, limits transmission to SFTP or encrypted email, restricts printing/copying/faxing (fax prohibited), requires strict physical mailing procedures, shredding for disposal, labeling, and CEO/Managing Director approval plus NDA for third-party release. <strong>Confidential</strong> is similar but allows secure cloud storage, still prohibits mobile storage and faxing, and requires owner approval for third-party release. <strong>Private</strong> recommends encryption (including mobile with remote wipe where possible) and generally lighter controls. <strong>Public</strong> has minimal restrictions, with labeling and release date where applicable.

The document also provides example data types mapped to classifications and notes that client engagement data may have additional client-specific requirements.
Keywords
Oakleaf data classification policy
four-level data classification scheme
Restricted data handling controls
Confidential information handling
Private data default classification
Public data release guidelines
PII NPI ePHI definitions
encryption at rest and in transit
third-party data sharing approvals
data labeling and secure disposal