Data Classification Policy

Last reviewed: 2025-10-01
Owner: IT Security Team

Purpose

Data classification is fundamental to protecting Global Bank's information assets. This policy defines the classification levels used to categorise all data created, processed, or stored by the bank, and establishes the handling requirements for each level. Correct classification ensures that data receives an appropriate level of protection throughout its lifecycle.

Policy Reference: IT-SEC-003
Effective Date: 1 March 2024
Review Date: 1 March 2025
Applies To: All employees, contractors, and third-party processors handling Global Bank data

Classification Levels

Level | Label | Description | Examples
----- | ----- | ----------- | --------
1 | Public | Information approved for external release with no restrictions | Published annual reports, press releases, marketing materials
2 | Internal | Information intended for use within Global Bank that is not sensitive but should not be publicly disclosed | Internal memos, organisational charts, office procedures, intranet content
3 | Confidential | Sensitive information that could cause harm to the bank, its clients, or its employees if disclosed | Client account data, employee personal data, financial reports (pre-publication), strategic plans
4 | Restricted | Highly sensitive information requiring the strictest controls; unauthorised disclosure could cause severe damage | Cryptographic keys, core banking system credentials, regulatory examination findings, M&A data, board-level strategy documents

Classification Responsibilities

Data Owners

Every dataset, document, or information asset must have a designated Data Owner — typically the head of the business unit or function that creates or manages the data. The Data Owner is responsible for:

  • Assigning the appropriate classification level at the point of creation.
  • Reviewing and updating the classification at least annually or when the nature of the data changes.
  • Ensuring that all personnel with access to the data understand and comply with the handling requirements.

All Employees

Every employee is responsible for:

  • Handling data in accordance with its classification level.
  • Applying the correct classification label to documents and emails they create.
  • Reporting suspected misclassification or data handling breaches to the Data Protection Office.

Handling Requirements by Classification Level

Requirement | Public | Internal | Confidential | Restricted
----------- | ------ | -------- | ------------ | ----------
Labelling | Optional | Header/footer on documents | Header/footer + email banner | Header/footer + watermark + email banner
Storage | Any approved location | Corporate network or cloud | Encrypted storage only (SharePoint, OneDrive) | Designated secure repositories with access logging
Email (internal) | No restrictions | Standard email | Sensitivity label applied; no auto-forwarding | Encrypted email; DLP policy enforced
Email (external) | No restrictions | Not recommended | Encrypted; manager approval required | Prohibited except with CISO approval
Printing | No restrictions | Secure print recommended | Secure print mandatory | Printing prohibited unless CISO exception
Disposal | Standard recycling | Confidential shredding | Cross-cut shredding; digital: secure delete | Cross-cut shredding; digital: cryptographic erasure

Labelling Standards

All documents must be labelled using the Microsoft Information Protection (MIP) sensitivity labels integrated into Microsoft Office 365. When creating or saving a document:

  1. Click the Sensitivity button in the ribbon toolbar.
  2. Select the appropriate classification label (Public, Internal, Confidential, Restricted).
  3. For Confidential and Restricted documents, you may add sub-labels (e.g., "Confidential — Client Data", "Restricted — Board").

When sending an email, you are automatically prompted to apply a sensitivity label if one has not already been applied.

Data Handling Breaches

If you become aware that data has been misclassified, stored in an unapproved location, or shared with unauthorised parties, you must follow these steps:

  1. Report the incident immediately to the Data Protection Office at dpo@globalbank.com.
  2. Do not attempt to retrieve or delete the data yourself, as this may complicate the investigation.
  3. Follow any instructions provided by the Data Protection Office or IT Security.

Training

All employees must complete the Data Classification and Handling training module within 30 days of joining the bank and annually thereafter. The module is available on the Global Bank Learning Portal.

Contact

  • Data Protection Office: dpo@globalbank.com | Ext. 2300
  • IT Security Team: itsecurity@globalbank.com | Ext. 2200