Data Classification Policy
This is a Controlled Document
In line with Vaxa's governance framework, changes to controlled documents must be approved or merged by a code owner. All contributions are welcome and encouraged.

| Version | Effective | Reviewed | Next review due |
|---|---|---|---|
| 1.0.0 | 2023-08-15 | 2024-09-02 | 2025-09-02 |
Purpose
The purpose of this Data Classification Policy is to establish a framework for classifying Vaxa’s data based on its level of sensitivity, value, and criticality. This policy ensures that data is appropriately protected and accessible only to authorised individuals and systems.
Scope
This policy applies to all employees, contractors, consultants, partners, and any other personnel with access to Vaxa’s information assets. It covers all types of data, regardless of format or medium, including documents, emails, electronic files, and verbal communications.
Roles & Responsibilities
| Role | Responsibility |
|---|---|
| Employees and Contractors | Classify data according to this policy at the time of creation or acquisition. Handle data according to its classification level. |
| Managers | Ensure team compliance with the data classification policy. Provide guidance on classification levels. |
| Information Owners | Determine the classification of information assets under their control. Approve access requests for sensitive data. |
| Security Officer | Oversee the implementation of the data classification policy. Provide training and support. |
Policy Statements, Standard, or Procedure
Data Classification Levels
All Vaxa data must be assigned a classification level at the time of creation or acquisition. The classification determines the security controls required for handling, transmitting, or storing the data.
These classification levels shall be applied as protective markings to data and information assets where possible.
| Classification Level | Color | Description |
|---|---|---|
| UNOFFICIAL | BLACK | Internal information not requiring specific protective measures. |
| PUBLIC | GREEN | Information authorized for unlimited external access and circulation to the public. Examples include press releases, marketing materials, blogs, webinars, social media posts, and the Vaxa website. |
| OFFICIAL (Default Classification) | GREY | Information that can be freely disclosed within Vaxa and to authorized external parties with a relevant business relationship. Examples include client metadata and proposals, most client data and reports (depending on sensitivity or client requirements), internal communications, policies, procedures, methodologies, photos taken within Vaxa offices, internal messages, and emails. |
| OFFICIAL: Sensitive | YELLOW | OFFICIAL information requiring limited dissemination due to its sensitive nature. Compromise could result in limited damage to individuals or organizations. |
| PROTECTED | BLUE | Valuable, important, and sensitive information. Compromise would be expected to cause damage to the national interest, organizations, or individuals. |
| VAXA RESTRICTED | BLUE | Information available only to authorized groups within Vaxa relevant to their job function. Can only be disclosed externally to specific third parties. Encryption (AES-256 or equivalent) must be used when transmitting or storing this data. Strong passwords are required if sending files. Examples include some client data and reports (depending on sensitivity or client requirements), data protected by state or federal regulations, and data under non-disclosure or confidentiality agreements. |
| VAXA PRIVILEGED | RED | Information disclosed internally on a need-to-know basis and externally only to specific authorized parties. Access must be approved by the information owner. Examples include finance information, sensitive human resources information, company business and strategy plans, board and shareholder reports, and any information subject to legal privilege. |
Alignment between Vaxa’s Data Classification Levels and Australian PSPF Protective Markings
As Vaxa commonly interacts with entities under the Australian Government Protective Security Policy Framework (PSPF), we need to consider how our data classification levels align with the PSPF protective markings.
Vaxa, its personnel and its systems are not authorised to process, store or otherwise interact with information classified above PROTECTED, so those classifications are not included in this policy. Exceptions may be made under the appropriate legislative instruments, but these are rare and require specific approval. Internally, however, Vaxa does maintain its own classifications (VAXA RESTRICTED and VAXA PRIVILEGED) that sit above PROTECTED in the table above; these are for internal use only and have no PSPF equivalent.
The table below sets out the alignment between Vaxa’s data classification levels and the PSPF protective markings.
Table 2 - Alignment between Vaxa’s Data Classification Levels and Australian PSPF Protective Markings
| Vaxa Classification Level | PSPF Protective Marking | Description |
|---|---|---|
| UNOFFICIAL | UNOFFICIAL | Internal information not requiring specific protective measures. |
| PUBLIC | UNOFFICIAL | Information authorized for unlimited external access and circulation to the public. |
| OFFICIAL | OFFICIAL | Information that can be freely disclosed within Vaxa and to authorized external parties with a relevant business relationship. |
| OFFICIAL: Sensitive | OFFICIAL: Sensitive | OFFICIAL information requiring limited dissemination due to its sensitive nature. Compromise could result in limited damage to individuals or organizations. |
| PROTECTED | PROTECTED | Valuable, important, and sensitive information. Compromise would be expected to cause damage to the national interest, organizations, or individuals. |
| VAXA RESTRICTED | No equivalent | This is a Vaxa-specific classification. |
| VAXA PRIVILEGED | No equivalent | This is a Vaxa-specific classification. |
(Note that UNOFFICIAL is not an officially recognised PSPF protective marking; however, many entities use it for internal information that does not require specific protective measures.)
Data Classification Guidelines
Assignment of classifications:
- Data creators are responsible for assigning the appropriate classification level at the time of creation.
- When in doubt, consult with your manager or the Security Officer for guidance.
Handling of data:
- Handle, transmit, and store data according to its classification requirements.
- Regardless of classification, always protect sensitive information from unauthorised access or disclosure.
- Refer to the other Information Security Policies for the specific handling requirements that apply to each classification level.
Review and Reclassification:
- Regularly review data to determine if reclassification is necessary.
- Update classifications if the sensitivity level of the data changes.
Exceptions
Any exceptions to this policy must be approved in writing by the Security Officer and the Managing Director. Requests for exceptions should include a justification and any mitigating controls.
Compliance & Monitoring
Training:
- All personnel must complete training on data classification and handling procedures.
Monitoring:
- The Security Officer will monitor compliance with this policy through regular audits and assessments.
- Non-compliance will be addressed promptly with corrective actions.
Reporting:
- Any breaches or suspected breaches of this policy must be reported immediately to the Security Officer. See the Responsible Disclosure Policy for reporting guidelines.