Data Classification Policy Template
A policy that defines how data is classified, handled, stored, and deleted based on sensitivity levels — essential for DPDP and ISO 27001 compliance.
Purpose & Scope
This Data Classification Policy establishes a framework for classifying data based on its sensitivity and criticality. All employees, contractors, and third parties who handle company data must comply with this policy. Proper data classification ensures that appropriate security controls are applied to each data category and that data handling complies with DPDP Act 2023, IT Act 2000, and contractual obligations with clients and partners.
Data Classification Levels
| Level | Definition | Examples | Access Restriction |
|---|---|---|---|
| Public | Data that can be freely shared with anyone inside or outside the organisation | Marketing materials, job postings, published financial reports, press releases | No restriction |
| Internal | Data that is intended for internal use only but would not cause significant harm if disclosed | Internal policies, org charts, training materials, internal announcements | All employees, contractors under NDA |
| Confidential | Data that could cause moderate harm to the organisation or individuals if disclosed | Customer PII, employee records, financial data, vendor contracts, business plans | Need-to-know basis, authorised roles only |
| Restricted | Data that could cause severe harm to the organisation or legal/regulatory penalties if disclosed | Trade secrets, IP, board materials, M&A data, litigation documents, Aadhaar/PAN copies | Explicit approval, minimum users, additional controls (encryption, audit logging) |
Handling Requirements by Classification
Public: No special handling. Can be published on website, shared on social media, distributed to anyone.
Internal: Store on internal systems only (not public cloud storage). Can be shared with employees via email. Mark documents with "Internal — Not for External Distribution" footer.
Confidential: Encrypt at rest (AES-256) and in transit (TLS 1.2+). Share only via approved channels (encrypted email, secure file share with access control). Never store on personal devices or unapproved cloud services. Mark documents with "Confidential — Authorised Recipients Only" header/footer.
Restricted: All Confidential controls plus: stored in isolated systems with additional access logging, shared only with explicit approval from Data Owner, never transmitted via email (use secure file transfer), access reviewed monthly, and marked with "RESTRICTED — Do Not Duplicate or Distribute" watermark.
Data Retention & Deletion
Public data: retained as long as needed for a business purpose; no minimum retention period.
Internal data: retained for the duration of its relevance; reviewed annually for deletion.
Confidential data: retained per regulatory requirements (e.g., financial records: 8 years under IT Act; employee records: 3 years post-employment).
Restricted data: retained per specific legal or contractual requirements; deleted when no longer needed.
All data deletion must use secure methods: secure file deletion for digital data, shredding for physical records.
Classification Responsibility
Data Owners (typically department heads) are responsible for classifying data created by their teams. Data Custodians (IT) are responsible for implementing technical controls based on classification. All employees are responsible for handling data according to its classification level. Annual training on data classification is mandatory for all employees.