DATA CLASSIFICATION


Purpose

Data and other information are assets of varying value to the business, its partners and customers. The value of each data type, and therefore the way it is handled, needs to be defined, as each should be handled differently.

Scope

The scope of this document is all data and information held and processed by the business.

Policy

Some data can be in multiple classification groups. If there is any doubt about where the data in question sits, it should always be treated as more confidential / critical. Any data that contains any patient data should be treated as confidential.

Types of Data

Personal Data

Personal data is data managed by an individual that contains no operational, critical or confidential information. Examples include personal emails and documents.

Public Data

Some data held, managed or published by the company is in the public domain, for example marketing material that has already been published.

Operational Data

Operational data is everyday business data used for the running of the business. The majority of the data held, managed and created by the business (excluding patient data) falls into this category.

Business Critical Data

Business critical data is generally a subset of the operational data: the set of data that is deemed critical to the running of the business. This could include the data used to generate an algorithm, or the source code for the company's web application. Business critical data may belong to the company or be information shared by third parties. To remove any doubt, this data is always treated as confidential.

Patient Confidential Data

The bulk of the data held by the company consists of personal health records from our customers. The way this data is managed is a special case and is detailed more thoroughly in the Confidential Data Policy.

Data Storage

Robust and secure storage of any data is critical to the efficient running of the business. This policy will deal with the areas of data storage that are critical to the running of the business.

Personal Data Storage

This policy does not cover the storage of personal data. It is, however, important to state that no other data should be bundled with personal data when it is stored. It is vital that users of the company systems keep a clear demarcation between personal and other data types to eliminate the risk of storing non-personal data in the wrong way.

Public Data Storage

Once data has become public, the ability to control how it is stored is lost. This policy does not cover the storage of public data.

Operational Data Storage

Operational data should be stored where it is appropriate for all users in the business to have access. The backup schedule is appropriate to the importance of the data held.

Business Critical Data Storage

Access to business critical data should be restricted as much as possible to those users who REQUIRE access. This access should be provided at an appropriate level, avoiding blanket privileges.

Titles and positions in the company do not dictate access levels.

Wherever possible, business critical data should not be printed out. If it is, it is the responsibility of the user to ensure it is shredded after use.

The backup policy shows more detail of how this data should be backed up.

Patient Confidential Data Storage

The storage of patient confidential data is dealt with in detail in the Confidential Data Policy. In summary, access to this data should be restricted only to those users who require access to operate the business.

The data should be stored on the live secure server environment only. Access to one record at a time is granted for operational reasons, and on the whole is done directly through the application. As the application is web-based, there is the possibility of capturing this data from the screen. This should be avoided unless necessary. Any access to the live secure server environment is logged via a Google Form and saved in the Signum Health Google Drive.

Identifiable patient data should not be stored on any system other than the secure servers of the application. Storage on removable media is detailed in the Removable Media Policy.

If there is a requirement to print any patient confidential data, it should be stored under lock and key, and removed from desks and common areas.

Data Transmission

Personal Data Transmission

There are no requirements for personal data transmission.

Public Data Transmission

There are no requirements for public data transmission.

Operational Data Transmission

Operational data should only be transmitted where necessary for business purposes.

Business Critical Data Transmission

Business critical data should only be transmitted where necessary for business purposes.

Patient Confidential Data Transmission

Strong encryption must always be used when transmitting patient confidential data, whether this transmission is done inside or outside of the company's network.

Details of the encryption requirements can be found in the Encryption Policy.

Data Destruction

Data destruction is covered in the Data Destruction Policy.

Personal, Public & Operational Data Destruction

There are no requirements for data destruction, although best practice (to avoid things like identity theft) would be to ensure that all paper copies are shredded and that electronically stored data is removed completely from any storage devices before disposal (physical destruction is always recommended).

Critical Business Data Destruction

Critical Business data should be destroyed as per the Data Destruction Policy, which will involve shredding and physical destruction of any other storage media.

Confidential Patient Data Destruction

Confidential Patient data should be destroyed as per the Data Destruction Policy, which will involve shredding and physical destruction of any other storage media.

Enforcement

This policy will be enforced by the CTO. Violations may result in disciplinary action, which may include suspension, restriction of access, or more severe penalties up to and including termination of employment. Where illegal activities or theft of company property (physical or intellectual) are suspected, the company may report such activities to the applicable authorities.