Data Classification Policy

1. Purpose

This Data Classification Policy outlines the framework for classifying data collected and processed by Yazi. It aims to ensure that all company data is appropriately classified and handled according to its level of sensitivity and corresponding requirements for confidentiality, integrity, and availability.

2. Classification Levels and Data Types

Public (Level 1)

  • Data that is intended for public release.

  • Includes marketing materials, published survey results, or any data that is not deemed sensitive.

  • Public data may be shared via company website, press releases, or social media.

Internal (Level 2)

  • Internal operational data not meant for public release.

  • Includes internal policies, employee schedules, or nonsensitive survey data.

  • Should be shared internally using company-sanctioned methods such as company email or internal document management systems. It should not be shared on public platforms, like personal social media accounts.

Confidential (Level 3)

  • Sensitive data that could harm individuals or Yazi if disclosed.

  • Includes personal data of survey respondents, HR records, and customer information.

  • Sharing should only be done through secure channels, such as encrypted emails or secure file transfer protocols. Confidential data must not be shared over messaging apps like WhatsApp or unsecured email.

Highly Confidential (Level 4)

  • Highly sensitive data that would cause severe damage if disclosed.

  • Includes proprietary research, legal documents, trade secrets, and detailed personal information.

  • Strictly controlled access on a need-to-know basis. Distribution should be done through encrypted databases with access logging. No external sharing without explicit authorization.

3. Data Handling Guidelines

Email

  • Public: Can be shared via company or personal email without restriction.

  • Internal: Can be shared via company email; should be clearly marked as Internal.

  • Confidential: Must be shared via company email with encryption, and the subject line should indicate it's confidential.

  • Highly Confidential: Prohibited from being sent via email unless encrypted with the highest security standards and approved by the Data Protection Officer.

Messaging Apps (e.g., WhatsApp)

  • Public: Allowed.

  • Internal: Allowed for non-sensitive communication; not for sharing documents or detailed data.

  • Confidential & Highly Confidential: Strictly prohibited.

Excel, Databases, and Other Data Storage

  • Public: Can be stored and shared without restriction.

  • Internal: Stored on internal secure servers; shared with necessary access controls.

  • Confidential: Stored in secure databases with encryption; access granted on a limited basis and tracked.

  • Highly Confidential: Stored in the most secure databases with multi-factor authentication and encryption; access is heavily restricted and monitored.

Granting Access

  • Public: Open access.

  • Internal: Access granted by managers or team leads.

  • Confidential: Access granted only by the Security Officer or Data Protection Officer with documented approval.

  • Highly Confidential: Access is highly restricted and requires executive approval. Access is granted only for specified time frames and specific purposes.

4. Training and Awareness

  • All employees will receive training on this policy.

  • Refresher training will be conducted annually or when significant changes to the policy are made.

  • New employees will be trained on this policy as part of their induction program.

5. Policy Maintenance

  • This policy will be reviewed at least annually.

  • The review will be conducted by the Security Officer, with changes proposed to reflect evolving best practices and regulatory requirements.

6. Compliance

  • Compliance with this policy is mandatory.

  • Any breaches of this policy must be reported immediately and may result in disciplinary action.

7. Data Declassification and Retention

Data is declassified according to legal and operational requirements. Retention periods are defined for each classification level, after which the data is securely destroyed or anonymized.

8. Policy Governance

  • This policy is governed by Yazi's Security Officer, Mzwandile Sotsaka, who is responsible for its implementation, enforcement, and review.

Last updated