Data Classification Policy

This content is controlled for compliance requirements. Please contact the owner (Ryan McCue) if you need to make changes.

While we work in the open, not everything we work with is meant for everyone. We work with sensitive data internally, like employee records, as well as customer data we’re entrusted with. These obviously need to be handled differently to things we’re happy to share or even open source.

When we say “data”, we mean documents, databases, messages in Slack, emails, P2 posts, etc – anything that has information. This also includes physical records if you have those (see below for additional notes on that).

The data we work with falls into four categories:

  • Public – Anything we can share with anyone outside the company
  • Internal (our default) – Stuff we share inside the company
  • Confidential – Limited access stuff we need to treat with care
  • Restricted – Really sensitive data which needs to be very tightly controlled

We maintain an inventory of everywhere we store data and what it’s classified as in the Playbook. If you’re in any doubt about which category data falls into, ask the data owner.

Like our Security Policy, this policy is to be taken seriously. Anyone who violates this security policy may be subject to disciplinary action, up to and including termination of employment.

If something goes wrong, email security@humanmade.com with as much detail as you can about what seems to have happened. This will contact everyone who needs to know, including Joe Hoyle, our CTO and security officer.

Public data

Public data is anything we can share broadly outside of the company. There are no big restrictions on public data, because we assume that once someone has it, everyone has it.

As a rule of thumb, anything that we would put up on our website is public data. It’s up to the owner of the data to determine whether data is public, and you should assume anything not explicitly shared publicly is internal.

Note that when we’re sharing data publicly, we still need to be careful about access – we wouldn’t necessarily want to give people the ability to change something we’ve published for example. Keep an eye on things like Google Docs sharing permissions when sharing this.

Internal data

Internal data is anything we can share internally. This might include things like our business plans, Slack messages in public channels, P2 posts, or commercial contracts.

Where possible, we opt for the internal classification, to encourage our culture of working in the open. Unless data needs to be confidential or restricted, it should be available for others to access so we can work together.

Even though we’re sharing this data internally, it’s not public, so we still need to take care with how we handle it. Sharing this stuff with people outside of the company could reveal our secret plans for global domination, or other commercially-sensitive things.

  • Protection: Don’t share internal data with people outside of the organisation without approval from the data owner. If it’s not tied to someone’s HM account, add a password (e.g. in Keynote).
  • Copying: Don’t keep a copy of it on non-work devices. Avoid taking copies of the data, like printing, saving as a PDF, or copying into other places; if you do need to take a copy, limit what you do with it, and make sure you securely clean it up afterwards.
  • Places: Internal data can be shared in any of our company-wide channels. Take care when sharing it in places that could be public, like shared channels in Slack, and ensure you select “anyone in Human Made can access” in Google Docs rather than “anyone with the link”.
  • External: Some internal data will be shared outside of the organisation. For example, we’ll share contracts with the customer, or pricing with partners. When we share internal data, anyone we’re sharing it with should sign our NDAs, which ensure they handle it the same way we do.

Confidential data

Confidential data is data we need to treat with care. This might be because it represents a significant risk to us if the data is shared more widely, or if it’s customer data we’ve been entrusted to keep safe. This might include things like a customer database, API access keys, employment information like salaries, or hiring applications.

This type of data could cause reputational harm to the company or our customers if it were compromised.

Confidential data should only be shared with people who need access to it, and only the minimum number of people should have access to it. Be cautious about granting access, but not to the point where it prevents you from doing your work.

  • Protection: Don’t share confidential data with people who don’t already have access, even other people at Human Made. If you can, encrypt the file or document itself with an additional secure password.
  • Copying: Don’t access or keep a copy of it on non-work devices. Avoid taking copies of the data unless necessary; keep it in the original system if you can. Make sure you securely clean up any copies as soon as you no longer need them.
  • Places: Don’t share confidential data in public Slack channels; private channels are OK, provided that access to those channels is limited. Likewise, limited access in Google Drive/Docs is OK. The exact list of people you’re sharing with should be clear, and only the data owner should invite additional people. Don’t discuss confidential data in public physical spaces.
  • External: Confidential data can only be shared with people outside of the organisation who meet the same requirements for handling this data. For example, an external HR company with appropriate safeguards in place may have access to our confidential data. (These companies must sign an NDA, or include one in their terms.)

Any data posted in the following places is classified as confidential:

  • Slack private channels and DMs
  • Workable
  • Private H2
  • Anything labelled “Confidential” or “HM-Confidential” (for documents with multiple pages, it should be clearly labelled on each page)

Only keep confidential data as long as you need it. When you’re finished with confidential data, clean it up securely, using tools like macOS’ Securely Delete functionality. (See below for more about physical copies of this data.)

Restricted data

Restricted data is really sensitive data which needs to be very tightly controlled. This may be because it is highly sensitive personal data, or legally protected. This might include things like health data, criminal background checks, employee passwords, and anything under the GDPR’s Special Categories of Personal Data.

Most data will not fall into this category, and this should only be used where there is a strict requirement for this categorisation. (This occurs mostly in HR.) Data in this category could typically cause harm to individual people, or put the survival of the company at risk.

Restricted data must only be shared with people who need access to it, and only the minimum number of people should have access to it. Exercise extreme caution about who can access this data.

  • Protection: Don’t share restricted data with people who don’t already have access, even other people at Human Made. If you can, encrypt the file or document itself with an additional secure password, and share the password through a different (secure) channel from the data itself.
  • Copying: Don’t access or keep a copy of restricted data on non-work devices under any circumstances. Don’t take copies of the data unless absolutely necessary, and keep it within the original system as much as possible. Ensure any copies are securely destroyed as soon as possible.
  • Places: Only share restricted data directly with the people who need it, using the most secure channel possible. Don’t use team drives in Google Drive. Don’t discuss restricted data in public physical spaces.
  • External: Restricted data can only be shared when absolutely necessary with people outside of the organisation who meet the same requirements for handling this data. For example, an external HR company with appropriate safeguards in place may have access to restricted data. (These companies must sign an NDA, or include one in their terms.)

Restricted data should be clearly labelled as such, either as “Restricted” or “HM-Restricted”. For documents with multiple pages, it should be clearly labelled on each page.

Working with sensitive data

We often need to work with confidential (or restricted) data in the course of doing work. It’s important that this data is treated properly, and we take steps to protect this data.

Where possible, take only the minimum amount of data you need, and minimise the number of places you work with it.

If the data you’re working with contains personal information (i.e. information about people), pseudonymise or anonymise that data to remove the sensitive parts you don’t need. (For developers, check the Secure Engineering Policy for more information on how to build tools that do this.)

Physical copies

While most of what we do happens on the World Wide Web, some data may need to be in physical form, like accounting records or legal documents.

For public data, no worries, do what you want with this; just please don’t litter!

For internal data, treat this like your laptop, and apply the same physical security. Lock it in your house, keep it in a locked cabinet in your co-working space, and don’t leave it unattended in public.

Confidential and restricted data in physical form should be treated with extra care and given further physical protection. Where possible, add safeguards such as a locked filing cabinet with separate keys, and ensure access is tightly controlled. This data should not be left unattended, and should be returned to secure storage as soon as possible.

Confidential and restricted documents must be destroyed with a cross-cutting shredder when no longer needed. Single-use disks or drives should be securely destroyed following industry practices.

Exceptions

In some cases, we may need exceptions to this policy. The leadership team may override this policy, taking into consideration appropriate controls and mitigating factors. We’ll record those exceptions and review them on a regular basis.

In all cases, the law overrides any policy we have.

Data Leakage Prevention

All data we control must be classified, so that we can control it and prevent leaking sensitive data. Anyone with access to data must have the appropriate security awareness training for handling categorised data.

Any tools and services which send data outside the service (like email or external publication) must ensure that the data classification remains clear, for example by explicitly labelling the data.

Regular access reviews for these tools must be performed to verify only those who should have access to data do so; see our Tools and Services policy for more about that.

If something goes wrong

If something goes wrong, email security@humanmade.com with as much detail as you can about what seems to have happened. This will contact everyone who needs to know, including Joe Hoyle, our CTO and security officer.

If confidential or restricted data relating to people is leaked, we may have legal obligations to fulfil under the GDPR or other local laws. This may include contacting the ICO to inform them of a data breach.

If confidential data about or from our customers is leaked, we have an obligation to inform any affected customers as soon as we know. We may also have additional legal obligations, such as contacting the ICO to inform them of a data breach.

The data breach playbook [link tbd] covers how we handle breached confidential or restricted data in more detail.


This page is reviewed every 1 year. It was last reviewed on October 25, 2024 and will expire on October 24, 2025.