Data Classification Policy

In line with the Protection of Personal Information Act, 4 of 2013

    1. Purpose

    This Policy establishes a framework for classifying information based on sensitivity and risk to ensure appropriate protection of Personal Information and business data.

    2. Scope

    This Policy applies to all employees, contractors, and third parties who access or process information in any format (electronic or physical).

    3. Data Classification Levels

    All information must be classified into one of the following categories:

    • Restricted (High Risk)
      Sensitive information requiring strict protection.
      Examples: ID numbers, financial data, passwords, health information.
    • Confidential (Medium Risk)
      Internal business and operational information.
      Examples: contracts, employee records, supplier agreements.
    • Public (Low Risk)
      Information approved for public disclosure.
      Examples: marketing materials, website content.

    4. Responsibilities

    Information Officer:

    • Oversee implementation of this Policy
    • Ensure compliance with POPIA

    Data Owners:

    • Classify information appropriately
    • Review classifications regularly

    Data Custodians (IT):

    • Implement technical controls
    • Ensure secure storage and backups

    Users:

    • Handle data according to its classification
    • Report any misuse or breaches

    5. Classification Process

    Information must be classified based on:

    • Sensitivity of the data
    • Risk of unauthorised disclosure
    • Legal and regulatory requirements

    Where uncertainty exists, the higher classification level must be applied.

    6. Handling Requirements

    Restricted:

    • Encryption required
    • Strict access control
    • Secure transmission

    Confidential:

    • Access limited to authorised users
    • Protected storage

    Public:

    • No special restrictions

    7. Storage And Access

    •  Access must follow a “least privilege” principle
    • Systems must enforce access controls
    • Data must be stored securely

    8. Review

    Data classifications must be reviewed periodically and updated where necessary.

    9. Non-Compliance

    Failure to comply with this Policy may result in disciplinary action.

    Updates to this Policy

    The Company reserves the right to amend this Policy at any time to ensure ongoing compliance with applicable legislation and best practices.

     

    Updated March 2026

    Ready to transform insights into action?
    Contact Emergence Human Capital to design, deploy, and drive meaningful change through intelligent employee engagement surveys.

    Office: +27 11 026 3442

    eMail: [email protected]

    https://emergencegrowth.com/hr-reward-services/hr-surveys-data-insights/