The Information Classification and Handling Policy defines the structure and approach to managing data security, confidentiality, and privacy.
The Consumer Data Right gives Australians control of their data. That enables innovation in new products and services for those consumers. To participate as a data recipient, there are five governance requirements and 24 information security requirements. These are independently audited by a qualified firm like AssuranceLab and included in an assurance report for accreditation.
Example Classification and Handling
The classification sets out the types of data and the corresponding level of protection that is applied. When the term “sensitive” is used, this includes Restricted, Private, and Confidential data.
Restricted
This is the most sensitive information and is intended for use on a “need-to-know” basis. Its unauthorized disclosure, within the company or externally, may adversely impact the company, its customers, partners, and/or suppliers. This includes:
Private
All data that relates to an individual person and can reasonably be used to identify that specific person is classified as Private. There are varying levels of sensitivity within Private data. The difference between Private data and Restricted or Confidential data is that the appropriate protection and use of Private data is determined by the data subject, the person to whom the data relates. A type of data may be both Private and Restricted or Confidential. This includes:
Confidential
This classification applies to all business information that is not publicly disclosed and should be protected from unauthorized access. This may include:
Public
Public information includes that which is already publicly available or has been approved by management for release to the public. This may include:
Data Handling
Data handling is a broad practice that is critically important to protecting the security, confidentiality, integrity, and availability of data used by the company and its customers. The following practices should be applied to ensure effective data handling:
The CDR Perspective
The Information Classification and Handling Policy defines the structure and approach to managing data that supports the information asset lifecycle. The CDR requires that the accredited data recipient must document and implement processes that relate to the management of CDR data over its lifecycle, including an information classification and handling policy (which must address the confidentiality and sensitivity of CDR data) and processes relating to CDR data backup, retention, and, in accordance with Rules 7.12 and 7.13, deletion and de-identification.
About AssuranceLab
AssuranceLab is a modern cybersecurity audit firm that provides assurance reports (ASAE 3150, SOC 1/2). We're experts in the latest software and cloud providers. We guide your team through the compliance practices in a way that fits your environment and culture. We work closely with clients through our agile and collaborative approach, saving time, costs, and headaches along the way.