The first step in establishing safeguards that are required for a particular type of data is to determine the level of sensitivity applicable to such data. Data classification is a method of assigning such levels.
The purpose of this document is to establish a framework for classifying company data based on its level of sensitivity, value, and criticality to Health Note as required by Health Note’s ongoing Information Security practices & Compliance efforts. This document will establish a baseline for determining what security controls are appropriate for safeguarding that data.
This policy applies to all employees of Health Note as well as any other parties authorized to access Health Note data.
Classification | Definition | Risk | Examples |
---|---|---|---|
Proprietary | Health Note created/owned software & processes, Personal Health Information, Personally Identifiable Information | Extreme (could put Health Note at financial or legal risk) | User PHI, Health Note source code, intellectual property |
Private | Internal employee data, company finances, confidential information of clients and organizational partners | Serious (negative impact on internal operations) | Employee SSN, Salary information, Client contact lists, confidential corporate and/or operations information provided by clients or partners of Health Note about their organizations |
Sensitive | Not for public release, or data not yet classified | Moderate (could damage Health Note mission) | Org charts, revenue reports, pilot projects or commercialized deals in production or development |
Public | Already available, publicly online | None | Marketing materials, Pricing lists, work history or bios of staff (via LinkedIn and/or company website or other company-related webpages) |

Revision Date | Revision Description | Notes |
---|---|---|
5/27/2021 | Initial | No changes |
2/24/2022 | Reviewed | No changes |
4/10/2023 | Reviewed | No changes |
5/1/2024 | Reviewed | No changes |