APPENDIX B - Data Classification and Handling Guidelines
Pdf Summary
This document defines Oakleaf's four-level data classification scheme and the required handling controls for each level. By default, any information created or received by employees for work is classified as Private unless it needs greater protection or is approved for public release. If multiple classifications are combined in one system or dataset, the entire asset must be treated as the most restrictive classification present. Restricted, Confidential, and Private data must never be released to the general public, though sharing with third parties is allowed when there is a business need and appropriate controls are in place. Data may not be moved to a new format or medium unless equivalent security controls exist (e.g., do not export Restricted data to an unencrypted spreadsheet). Exceptions require CEO and CISO approval.

Classifications and impact:
- Restricted: Most sensitive (often driven by legal/contractual requirements), including client NPI/PII such as SSNs, government IDs, financial account numbers, and ePHI. Unauthorized disclosure would cause significant damage.
- Confidential: Highly valuable internal business information (e.g., employee PII/NPI, accounting, payroll, financials). Loss causes moderate damage.
- Private: Internal information that should not be public; disclosure generally causes minimal or no damage.
- Public: Approved for public release; no damage if disclosed.

PII/NPI definition: First name/initial + last name combined with identifiers such as SSN/TIN, passport, driver's license, financial account numbers, or ePHI.

Handling requirements (high-level):
- Restricted: Encryption required for storage and transmission; no mobile device or cloud storage; IM/FTP/fax prohibited; printing/copying tightly restricted; certified mail and labeling required; third-party release needs CEO/Managing Director approval and NDA.
- Confidential: Encryption required for storage and external transmission; no mobile storage; secure cloud allowed; IM/FTP/fax prohibited; controlled printing/copying; owner approval for third-party release (NDA recommended).
- Private/Public: Fewer controls; encryption recommended in some cases; standard labeling and disposal guidance.
Keywords
Oakleaf data classification
four-level classification scheme
Restricted data handling
Confidential information controls
Private vs Public data
most restrictive classification rule
PII NPI definition
ePHI protection requirements
encryption for storage and transmission
third-party data sharing approvals