Data Classification and Governance Policy

Purpose:

To establish a framework for classifying and managing data within Pitaka, ensuring that information is handled appropriately based on its sensitivity, value, and applicable Philippine laws and regulations, such as the Data Privacy Act of 2012.

Scope:

This policy applies to all Pitaka employees, contractors, and third-party service providers who handle, process, or manage data in any form within the Pitaka ecosystem.

Policy

1. Data Classification:

Pitaka categorizes all data into distinct classifications to ensure proper handling, storage, and protection based on its sensitivity and importance. The data classifications are as follows:

a. Public Data:

Information that is intended for public access or is made available to the general public. Examples: Marketing materials, product descriptions, publicly available financial reports. Handling: No specific restrictions, but data integrity should be maintained.

b. Internal Data:

Information that is non-sensitive but intended for internal use within Pitaka. Examples: Internal emails, staff directories, non-critical operational data. Handling: Access limited to Pitaka employees and authorized personnel. Should not be shared externally without permission.

c. Confidential Data:

Sensitive information that, if disclosed, could cause harm to Pitaka or its users. Examples: Transaction histories, customer account details, financial statements, employee information. Handling: Access restricted to specific roles based on the principle of least privilege. Must be encrypted during transmission and storage.

d. Restricted Data:

Highly sensitive information that requires the highest level of protection. Examples: Personally Identifiable Information (PII), financial data, legal documents, encryption keys. Handling: Access granted only to individuals with a critical need to know. Must be encrypted at rest and in transit. Multi-factor authentication (MFA) required for access.

2. Data Ownership:

Each dataset must have a designated Data Owner responsible for its classification, protection, and governance. Data Owners are tasked with ensuring that data is classified correctly and handled in accordance with this policy and applicable laws.

3. Data Handling and Access:

Access to data will be governed by Role-Based Access Control (RBAC) to ensure that only authorized personnel can view or modify specific classifications of data. Pitaka will enforce encryption protocols, multi-factor authentication, and other security measures to protect sensitive and restricted data from unauthorized access. External access to Pitaka’s data (e.g., by third-party service providers) must be governed by data-sharing agreements that outline how the data will be protected.

4. Data Storage:

Data storage systems must be designed to ensure that each classification of data is stored securely and in compliance with applicable regulations. Confidential and restricted data must be encrypted at rest, and backups of sensitive data must also follow encryption protocols. Data retention periods will be defined based on legal requirements, operational needs, and the classification of the data.

5. Data Governance Committee:

Pitaka will establish a Data Governance Committee responsible for overseeing the data classification and governance process. The committee will periodically review data handling practices, enforce compliance with this policy, and recommend improvements based on evolving legal, operational, and technical requirements.

6. Data Breach Reporting and Management:

Any suspected data breach must be reported to the Incident Response Team (IRT) immediately. In the event of a breach involving confidential or restricted data, affected parties, as well as regulatory bodies (e.g., the National Privacy Commission), must be notified as per the Data Privacy Act of 2012. A root cause analysis will be conducted to prevent future incidents and ensure compliance with reporting regulations.

7. Data Retention and Disposal:

Data retention schedules will be determined based on the classification of the data, operational needs, and regulatory requirements. Confidential and restricted data must be securely disposed of once it is no longer needed, ensuring that no unauthorized parties can recover it. Data Owners are responsible for enforcing data retention and disposal policies within their areas of responsibility.

8. Legal and Regulatory Compliance:

This policy is aligned with the Data Privacy Act of 2012, Anti-Money Laundering Act (AMLA), and other relevant Philippine regulations. Regular audits will be conducted to ensure compliance with data classification and handling standards. The audits will also assess adherence to privacy and security guidelines.

9. Data Classification Training:

All employees and contractors with access to Pitaka’s data must undergo mandatory training on data classification, protection, and handling protocols. Training will include guidance on how to handle sensitive and restricted data, as well as the potential consequences of data breaches.

10. Policy Enforcement:

Any violations of this policy, whether intentional or accidental, will result in disciplinary action, which may include revocation of access, termination of employment, or legal action. Pitaka’s Data Governance Committee and legal team will oversee the enforcement of this policy and ensure that it remains up to date with legal and regulatory changes.

Purpose:​

Scope:​

Policy​

1. Data Classification:​

a. Public Data:​

b. Internal Data:​

c. Confidential Data:​

d. Restricted Data:​

2. Data Ownership:​

3. Data Handling and Access:​

4. Data Storage:​

5. Data Governance Committee:​

6. Data Breach Reporting and Management:​

7. Data Retention and Disposal:​

8. Legal and Regulatory Compliance:​

9. Data Classification Training:​

10. Policy Enforcement:​