Data Protection Policy Template
Data Protection
Policy #: IS-XX
Version: 1.X
Effective Date: 20XX-XX-XX
Contact: [Name]
Email: [Contact E-mail Address]
Phone: (xxx) xxx-xxxx
Table of Contents
1.0 PURPOSE
1.1 SCOPE
1.2 POLICY
1.2.1 Data Protection
1.2.2 Confidential Data
1.3 PROCEDURES
1.3.1 Responsibility for Data Privacy
1.3.2 Data Storage/Encryption
1.3.3 Consent for Disclosure
1.3.4 Mailing of Confidential Information
1.3.4 Data Transmission/Transfer
1.3.5 Third Party Vendors/Service Providers
1.3.6 Changes to Confidentiality Policy
1.4 VIOLATIONS
1.5 REFERENCES
1.6 RELATED DOCUMENTS
1.7 APPROVAL AND OWNERSHIP
1.8 REVISION HISTORY
1.9 SOC 2 MAPPING
DATA DISCLOSURE LOG
1.0 PURPOSE
To provide guidance pertaining to the protection of confidential data including, but not limited to, storage,
transmission, and encryption.
1.1 SCOPE
This policy applies to all [Company] computer systems and facilities, with a target audience of [Company]
Information Technology employees and partners.
1.2 POLICY
Responsibility – [Company] Management shall formally appoint a person who is responsible for
establishing and maintaining the privacy of confidential information.
Management Consent – Certain types of confidential information require express consent from
Management, a Supervisor, or the Security Officer prior to disclosure to an outside entity. Consent must be
received prior to emailing, faxing, communicating via telephone, or using any other transmission method.
Confidential Data Protection – Any confidential data being stored by [Company] shall be protected from
threats to confidentiality and integrity using an encryption method appropriate to the storage medium. If
Management opts to store confidential data un-encrypted, a business justification shall be documented,
approved, and maintained by the Security Officer or their designee.
Transmission of Confidential Data – Confidential data being transmitted across public networks to any
outside entity must be securely protected during transfer. The Security Officer shall ensure that methods
are in place for secure transfer of data to outside entities lawfully collecting data.
Removal of Confidential Data – Documents and media containing confidential information shall not be
removed from [Company] premises without express permission from a supervisor or the Security Officer
or their designee. Confidential information requiring transport shall be packaged securely and tracked to
help protect against the unauthorized use or disclosure of the documents or media being sent.
Management shall maintain a listing of where confidential information can be stored.
1.3 PROCEDURES
Management has appointed XX, [TITLE] as the workforce member responsible for the privacy of
confidential data in the [Company] environment.
Any data stored, while at rest, shall be stored using an encryption method appropriate for the medium of
storage. The following encryption methods are in place for stored confidential data:
Consent must be obtained from Management, a Supervisor, or Security Officer prior to the disclosure of
the following types of confidential information via email, telephone, fax, or other communication method:
[List the types of confidential data required to have consent for disclosure here.]
Disclosures of information shall be logged on the [Company] Disclosure Log.
Confidential information being removed from facilities requires express permission from a supervisor or
Security Officer or their designee.
Documents or media being mailed shall be packed in secure envelopes or other secure packaging
material so that no covered information is readable or obtainable by unauthorized parties.
Documents or media being mailed should be sent via certified US Postal Service (USPS) mail and a
tracking mechanism should be obtained to ensure delivery to the correct party.
Any data being transferred to an outside entity must be securely protected during transfer. A secure email
service is provided to all employees and is enabled by default for each user’s Exchange mailbox.
Additional encrypted file transfer methods, such as SFTP, can be put in place with approval from the
Security Officer or their designee.
[Company] shall obtain confidentiality agreements from vendors and other third-party service providers
whose products and services are part of [Company]’s systems. Compliance with [Company]’s
confidentiality commitments will be assessed on a periodic and as-needed basis, with corrective actions
taken as determined necessary.
1.4 VIOLATIONS
Any violation of this policy may result in disciplinary action, up to and including termination of
employment. [Company] reserves the right to notify the appropriate law enforcement authorities of any
unlawful activity and to cooperate in any investigation of such activity. [Company] does not consider
conduct in violation of this policy to be within an employee’s or partner’s course and scope of
employment, or the direct consequence of the discharge of the employee’s or partner’s duties.
Accordingly, to the extent permitted by law, [Company] reserves the right not to defend or pay any
damages awarded against employees or partners that result from violation of this policy.
Any employee or partner who is requested to undertake an activity which he or she believes is in violation
of this policy must provide a written or verbal complaint to his or her manager, any other manager, or the
Human Resources Department as soon as possible.
1.5 REFERENCES
1.8 REVISION HISTORY
Version | Description | Revision Date | Review Date | Reviewer/Approver Name
1.0 | Initial Version | | |
1.9 SOC 2 MAPPING
CC6.1 | The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives. | Logical access controls covering the following: Identify and manage inventory of information assets; Restricts logical access to info assets, software, mobile devices, and offline systems; Identifies and authenticates users; Considers network segmentation; Manages Points of Access; Manages credentials for infrastructure and software; Uses encryption to protect data (at-rest, and other); Protects encryption keys (generation, storage, use, and destruction)
CC6.3 | The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity’s objectives. | The entity authorizes, modifies, or revokes logical access to protected information assets based on a role-based access control
CC6.5 | The entity discontinues logical and physical protections over physical assets only after the ability to read or recover data and software from those assets has been diminished and is no longer required to meet the entity’s objectives. | Data disposal policies and procedures are in place for information assets and physical assets.
CC6.7 | The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity’s objectives. | Restricts the transmission, movement, and removal of information and protects during transmission, movement, and removal.
C1.1 | The entity identifies and maintains confidential information to meet the entity’s objectives related to confidentiality. | Procedures are in place to identify confidential information. Standards are set to define the retention period for confidential information. Procedures are in place to protect confidential information from destruction or erasure.
P4.2 | The entity retains personal information consistent with the entity’s objectives related to privacy. | Retention of personal information is defined, and policies and procedures are in place to protect against erasure or destruction of personal information within the retention timeframe.
P5.1 | The entity grants identified and authenticated data subjects the ability to access their stored personal information for review and, upon request, provides physical or electronic copies of that information to data subjects to meet the entity’s objectives related to privacy. If access is denied, data subjects are informed of the denial and reason for such denial, as required, to meet the entity’s objectives related to privacy. | A data subject's access request to their personal information requires authentication prior to granting access to information and is provided in a timely manner. Denied access requests are informed to the requestor with a reason for denial.
DATA DISCLOSURE LOG
2/28/19 | John Doe | Personal accounting of data. | Name, DOB, SSN, and address. | 3/4/19 | Encrypted email | Jane Doe