RemitPro Ltd Data Classification Policy
Version: 1.0
Effective Date: August 2025
Approved By: Data Protection Officer, RemitPro Ltd
1. Purpose
The purpose of this policy is to ensure that all information assets handled by RemitPro Ltd are classified according to their sensitivity, value, and legal/regulatory requirements. This classification enables appropriate security controls to be applied to protect the confidentiality, integrity, and availability of information, in line with ISO/IEC 27001:2022 Control 5.12.
2. Scope
This policy applies to:
- All employees, contractors, and third-party service providers handling RemitPro Ltd data.
- All forms of information, including digital, paper, and verbal communications.
- All information systems, storage devices, and communication channels used by RemitPro Ltd.
3. Classification Levels
RemitPro Ltd classifies information into the following categories:
3.1 Public
- Description: Information intended for public release.
- Examples: Marketing materials, website content, published reports.
- Handling Requirements: No restrictions on distribution.
3.2 Internal
- Description: Non-public information intended for internal use only.
- Examples: Internal memos, standard operating procedures, employee handbooks.
- Handling Requirements: Shared only among authorized personnel.
3.3 Confidential
- Description: Information that, if disclosed without authorization, could harm the company, clients, or partners.
- Examples: Customer transaction records, internal project documents, non-public business plans.
- Handling Requirements: Encryption in transit and at rest, access on a need-to-know basis.
3.4 Restricted (Sensitive)
- Description: Highly sensitive information whose unauthorized disclosure could cause severe harm, breach regulations, or incur legal penalties.
- Examples: Personally Identifiable Information (PII), financial account details, authentication credentials, proprietary algorithms.
- Handling Requirements: Strong encryption, multi-factor authentication, strict access logging, and approval-based sharing.
4. Responsibilities
- Data Owners: Assign appropriate classification to information assets.
- Employees: Follow handling procedures according to classification level.
- IT & Security Team: Implement and maintain technical controls for data protection.
- Compliance Officer: Ensure adherence to regulatory and contractual obligations.
5. Handling Guidelines
| Classification Level | Access Control | Storage | Transmission | Disposal |
|---|---|---|---|---|
| Public | No restriction | Public repositories | No restriction | Normal waste |
| Internal | Role-based | Internal servers | Internal network | Shredding (paper), secure delete (digital) |
| Confidential | Need-to-know | Encrypted storage | Encrypted channels (TLS/SSL) | Secure delete, shredding |
| Restricted | Strict need-to-know, MFA | Strong encryption, isolated storage | End-to-end encryption | Certified secure destruction |
6. Review & Updates
This policy shall be reviewed annually or upon significant changes in legal, regulatory, or operational requirements.
7. Compliance
Violation of this policy may result in disciplinary action, including termination of employment or contract, and potential legal action.
