Company Name:
Effective Date:
Policy Owner:
Approved By:
Chief Information Officer:
1.1 This policy establishes a comprehensive framework for the management, classification, storage, retention, and disposal of all organizational data assets throughout their lifecycle. The policy ensures that data is treated as a strategic corporate asset and is managed consistently, securely, and in compliance with applicable data protection legislation, industry standards including ISO 27001, and contractual obligations. All employees, contractors, and third-party processors who create, access, store, or transmit organizational data are bound by the provisions of this policy regardless of the medium or format in which the data resides.
1.2 This policy applies to all structured and unstructured data created, received, maintained, or transmitted by the Organization across all business functions and geographic locations. Coverage extends to electronic records, physical documents, databases, data warehouses, cloud-hosted repositories, backup media, and any data processed by third-party service providers on behalf of the Organization. The policy encompasses personal data, financial data, intellectual property, operational data, and any other information that has value to the Organization or is subject to regulatory protection. Where local data protection laws impose requirements that exceed those set forth in this policy, the more stringent standard shall prevail.
1.3 The Chief Information Officer, or such senior technology leader as may be designated by the Chief Executive Officer, shall serve as the executive sponsor for data governance and shall bear ultimate accountability for the implementation, enforcement, and periodic review of this policy. Day-to-day oversight shall be delegated to the Data Governance Office, which shall maintain the data classification framework, coordinate with data owners across business units, and report on compliance metrics to the executive leadership team on a quarterly basis. Each department shall designate a Data Steward responsible for ensuring compliance with this policy within their functional area.
2.1 All organizational data shall be classified into one of four categories based on its sensitivity and the potential impact of unauthorised disclosure: Public, Internal, Confidential, or Restricted. Public data is approved for external release and carries no confidentiality requirements. Internal data is intended for general use within the Organization and shall not be disclosed externally without authorisation. Confidential data includes business-sensitive information such as financial projections, strategic plans, and employee personal data, and requires encryption in transit and at rest. Restricted data encompasses highly sensitive information such as trade secrets, regulated personal data, and payment card data, and requires the highest level of security controls including encryption, access logging, and multi-factor authentication for access.
2.2 Data owners, defined as the business unit leaders or functional heads with accountability for specific data domains, shall be responsible for assigning the appropriate classification level to all data assets within their domain at the point of creation or acquisition. Classifications shall be reviewed at least annually or whenever the nature, sensitivity, or regulatory status of the data changes materially. Data owners shall ensure that classification labels are applied to documents, databases, and file repositories in a manner that is visible to authorised users and that facilitates automated enforcement of handling rules by the Organization's information security systems. The Data Governance Office shall maintain a central register of all classified data assets and shall audit classification accuracy on a semi-annual basis.
2.3 Confidential and Restricted data shall be encrypted using AES-256 or equivalent encryption standards approved by the Information Security team during storage at rest and transmission across any network, whether internal or external. Access to Confidential and Restricted data shall be restricted to authorised personnel on a strict need-to-know basis, enforced through role-based access controls and reviewed quarterly by the Data Governance Office. All access to Restricted data shall be logged and monitored, with anomalous access patterns investigated within 24 hours. Data handling procedures for each classification level shall be documented in the Data Handling Standards Guide maintained by the Information Security team and made available to all employees through the Organization's intranet.
2.4 The Organization shall maintain a comprehensive data inventory, also referred to as a data register or data catalogue, that catalogues all significant data assets across the Organization. The inventory shall record, at a minimum, the data asset name and description, classification level, storage location and format, designated data owner and data steward, applicable retention period, legal basis for processing where personal data is involved, and any cross-border transfer mechanisms in use. The Data Governance Office shall ensure the inventory is updated within 30 days of any material change to the Organization's data landscape, including new system implementations, data migrations, or changes in regulatory requirements. The inventory shall be reviewed in its entirety at least annually and shall serve as the authoritative reference for data protection impact assessments, audit activities, and incident response procedures.
3.1 Data shall be retained only for as long as it is required to fulfil the business purpose for which it was collected, to comply with applicable legal, regulatory, or contractual retention obligations, or to support the Organization's legitimate interests including the defence of legal claims. Retention periods for each data category shall be defined in the Data Retention Schedule, which shall be maintained by the Data Governance Office in consultation with Legal Counsel, the Finance department, and relevant business unit leaders. The Data Retention Schedule shall be reviewed and updated at least annually to reflect changes in legal requirements, business needs, and industry best practices. Data that has exceeded its retention period and is no longer subject to a legal hold shall be identified for disposal through the Organization's automated or manual retention management processes.
3.2 Disposal of data that has reached the end of its retention period shall be carried out using methods appropriate to the data classification level, in accordance with NIST SP 800-88 Guidelines for Media Sanitization or equivalent standards. Electronic data classified as Public or Internal may be deleted using standard deletion methods. Electronic data classified as Confidential or Restricted shall be permanently destroyed using approved sanitisation methods including cryptographic erasure, secure overwriting, or physical destruction of storage media. Cryptographic erasure is acceptable only where the data was encrypted for the whole of its time on the media and all copies of the key material, including escrowed and backup copies, are verifiably destroyed. Physical records containing Confidential or Restricted data shall be cross-cut shredded to a particle size of no greater than 2mm x 15mm or incinerated by an approved destruction service provider. Certificates of destruction shall be obtained and retained for all disposal activities involving Confidential or Restricted data, and filed with the Data Governance Office for a minimum of 7 years.
3.3 Legal holds, also known as litigation holds, shall take precedence over standard retention schedules and automated disposal processes. When Legal Counsel issues a legal hold notice, all data within the defined scope of the hold shall be preserved in its current state, regardless of whether the applicable retention period has expired, until the hold is formally released in writing by Legal Counsel. The Data Governance Office shall coordinate with the IT department to implement technical measures that suspend automated deletion for data subject to a legal hold. Employees who receive a legal hold notice shall comply immediately and shall not alter, delete, or destroy any data within the scope of the hold. Failure to comply with a legal hold constitutes a serious disciplinary offence and may expose the Organization to adverse legal consequences including sanctions and spoliation inferences.
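The retention and disposal logic of sections 3.1 to 3.3 can be automated. The following is an added worked example, not part of the policy template: a small Python retention-enforcement routine that evaluates each register entry against its retention period, lets a legal hold override an expired period, and maps the classification to the disposal method and certificate requirement of section 3.2. The class and function names, the classification-to-method mapping, and the sample register are this example's own assumptions.

```python
"""Retention-schedule enforcement with legal-hold precedence.

Added illustration; not part of the policy template. The names used here
and the sample register below are constructed for the example.
"""
from dataclasses import dataclass, replace
from datetime import date, timedelta
from enum import Enum
from typing import Dict, FrozenSet, List, Optional


class Classification(str, Enum):
    PUBLIC = "Public"
    INTERNAL = "Internal"
    CONFIDENTIAL = "Confidential"
    RESTRICTED = "Restricted"


# Disposal method per classification, following section 3.2 of the policy:
# Public/Internal may use standard deletion (NIST SP 800-88 "Clear");
# Confidential/Restricted need sanitisation ("Purge" or "Destroy") and a
# certificate of destruction. The mapping itself is this example's assumption.
DISPOSAL_METHOD: Dict[Classification, str] = {
    Classification.PUBLIC: "standard deletion (Clear)",
    Classification.INTERNAL: "standard deletion (Clear)",
    Classification.CONFIDENTIAL: "cryptographic erase, overwrite, or destroy (Purge/Destroy)",
    Classification.RESTRICTED: "cryptographic erase, overwrite, or destroy (Purge/Destroy)",
}
CERTIFICATE_REQUIRED = {Classification.CONFIDENTIAL, Classification.RESTRICTED}


@dataclass(frozen=True)
class DataAsset:
    name: str
    classification: Classification
    created: date
    retention_days: int                        # taken from the Data Retention Schedule
    legal_holds: FrozenSet[str] = frozenset()  # hold notice IDs issued by Legal Counsel

    @property
    def retention_expiry(self) -> date:
        return self.created + timedelta(days=self.retention_days)


@dataclass(frozen=True)
class Decision:
    asset: str
    action: str                  # "hold", "retain", or "dispose"
    reason: str
    method: Optional[str] = None
    certificate_required: bool = False


def evaluate(asset: DataAsset, today: date) -> Decision:
    """Decide what the retention process may do with one asset today.

    The legal hold is checked first so that it overrides an expired
    retention period, which is the precedence section 3.3 requires."""
    if asset.legal_holds:
        return Decision(asset.name, "hold",
                        "preserved under legal hold(s): " + ", ".join(sorted(asset.legal_holds)))
    if today < asset.retention_expiry:
        days_left = (asset.retention_expiry - today).days
        return Decision(asset.name, "retain", f"{days_left} days of retention remaining")
    return Decision(asset.name, "dispose",
                    f"retention expired on {asset.retention_expiry.isoformat()}",
                    method=DISPOSAL_METHOD[asset.classification],
                    certificate_required=asset.classification in CERTIFICATE_REQUIRED)


def release_hold(asset: DataAsset, hold_id: str) -> DataAsset:
    """Apply a written release from Legal Counsel for one hold notice."""
    if hold_id not in asset.legal_holds:
        raise KeyError(f"{asset.name} is not subject to hold {hold_id}")
    return replace(asset, legal_holds=asset.legal_holds - {hold_id})


def disposal_run(assets: List[DataAsset], today: date) -> Dict[str, Decision]:
    """Evaluate a whole register; the caller acts only on 'dispose' results."""
    return {a.name: evaluate(a, today) for a in assets}


# Constructed sample register (not real data), evaluated as of a fixed date.
AS_OF = date(2024, 6, 30)
SAMPLE_REGISTER = [
    DataAsset("newsletter-archive-2019", Classification.PUBLIC, date(2019, 1, 1), 365),
    DataAsset("payroll-ledger-2016", Classification.CONFIDENTIAL, date(2016, 4, 1), 7 * 365),
    DataAsset("cardholder-export-2020", Classification.RESTRICTED, date(2020, 1, 1), 3 * 365,
              frozenset({"LH-2024-003"})),
    DataAsset("strategy-plan-2024", Classification.CONFIDENTIAL, date(2024, 1, 1), 10 * 365),
]


if __name__ == "__main__":
    for d in disposal_run(SAMPLE_REGISTER, AS_OF).values():
        suffix = f" -> {d.method}" if d.method else ""
        if d.certificate_required:
            suffix += "; certificate of destruction required"
        print(f"{d.asset:26} {d.action:8} {d.reason}{suffix}")
```

In the sample register the expired Restricted export is reported as "hold" rather than "dispose" despite its retention period having lapsed, and only after `release_hold` is applied with the matching hold ID does it become a disposal candidate, with the certificate requirement carried along. A production implementation would additionally record each decision in the disposal log that section 3.2 requires.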
4.1 The Organization shall establish data quality standards aligned with industry best practices to ensure that organizational data is accurate, complete, consistent, timely, and fit for its intended purpose. The Data Governance Office shall define data quality metrics for each critical data domain, including accuracy rates, completeness rates, duplication rates, and timeliness thresholds. These metrics shall be measured through automated data quality profiling tools and manual validation processes, and reported to data owners and the executive leadership team on a quarterly basis. Data quality issues shall be logged in a central issue register, triaged by severity, and assigned to the responsible data steward for remediation within defined service level agreements.
4.2 Data owners, in collaboration with the IT department, shall implement validation controls at the point of data entry and at key integration points between systems to prevent the introduction of inaccurate, incomplete, or duplicate data into the Organization's systems and databases. Validation controls shall include mandatory field checks, format validation, referential integrity constraints, and automated duplicate detection rules. Where data is received from external sources, including third-party providers, partners, and customers, the receiving business unit shall define acceptance criteria and perform quality checks before the data is loaded into production systems. The Data Governance Office shall maintain a catalogue of approved data validation rules and shall audit the effectiveness of these controls on an annual basis.
4.3 The IT department shall implement backup and recovery procedures that protect organizational data against accidental loss, corruption, hardware failure, or malicious destruction. Backup schedules shall be defined based on the criticality and classification of the data, with Restricted and Confidential data backed up at least daily and all other data backed up at least weekly. Backups shall be stored in geographically separate locations and encrypted to the same standard as the source data. The IT department shall conduct recovery tests on a quarterly basis to verify that backed-up data can be restored within the Organization's defined Recovery Time Objectives and Recovery Point Objectives. Test results shall be documented and reported to the Chief Information Officer, and any failures shall be escalated for immediate remediation.
5.1 The Data Governance Office, in coordination with the Internal Audit function, shall conduct comprehensive audits of data management practices across all departments and business units at least annually. Audits shall assess compliance with this policy's data classification, handling, retention, disposal, and quality requirements. The audit scope shall include a review of the data inventory accuracy, access control effectiveness, encryption compliance, retention schedule adherence, and disposal documentation. Findings, including compliance rates, identified deficiencies, and recommended corrective actions, shall be compiled into a formal audit report and presented to the Chief Information Officer and the executive leadership team within 30 days of audit completion.
5.2 All employees, contractors, and third-party personnel who access organizational data shall complete mandatory data management awareness training within 30 days of commencing their engagement and annually thereafter. The training program shall cover the Organization's data classification framework, data handling procedures for each classification level, retention and disposal requirements, data quality responsibilities, privacy and data protection obligations, and incident reporting procedures. Role-specific training shall be provided to data owners, data stewards, and IT personnel who have elevated data management responsibilities. The Learning and Development team shall maintain records of training completion, and the Data Governance Office shall not grant access to Confidential or Restricted data systems to individuals whose training is not current.
5.3 This policy shall be reviewed comprehensively at least once every 12 months by the Chief Information Officer, in consultation with Legal Counsel, the Data Governance Office, the Information Security team, and relevant business stakeholders. In addition to the scheduled annual review, an interim review shall be triggered by material changes in data protection legislation, significant data breaches or audit findings, organizational restructuring, or the adoption of new data processing technologies. Proposed amendments shall be reviewed by Legal Counsel for regulatory compliance, approved by the Chief Executive Officer, and communicated to all affected employees and stakeholders at least 14 calendar days before the effective date. A complete version history shall be maintained as an appendix to this policy.
A data management policy is a formal document that defines how an organization classifies, stores, retains, protects, and disposes of its data assets throughout their lifecycle. It establishes standardised procedures for data governance, ensuring that information is treated as a strategic resource and managed consistently across all departments and systems.
Effective data management is foundational to information security and regulatory compliance. ISO 27001 identifies data classification and handling as core controls within an information security management system, and frameworks such as the NIST Cybersecurity Framework and COBIT emphasise the importance of documented data governance policies. Without a formal data management policy, organizations risk data inconsistency, regulatory non-compliance, and increased vulnerability to data breaches.
The scope of a data management policy typically covers all data types — structured and unstructured, electronic and physical — across all business functions. It defines roles including data owners, data stewards, and data custodians, and establishes the classification scheme, handling procedures, retention schedules, and disposal methods that apply to each category of data.
A formal data management policy reduces the risk of data breaches, ensures compliance with data protection regulations, and improves the quality and reliability of data used for business decision-making. Without one, data handling defaults to individual practices, creating inconsistency, security gaps, and regulatory exposure.
Data protection regulations including GDPR, CCPA, and sector-specific requirements such as HIPAA and PCI DSS mandate that organizations implement appropriate technical and organizational measures to protect personal and sensitive data. A documented data management policy is the primary mechanism through which organizations demonstrate compliance with these obligations. Regulatory fines for non-compliance can be substantial: GDPR penalties can reach the higher of €20 million or 4% of annual global turnover.
Beyond compliance, a data management policy drives operational efficiency. Research from Gartner indicates that organizations with mature data governance programs achieve 40% faster time-to-insight from analytics initiatives and experience significantly fewer data quality incidents. When data classification, access controls, and retention rules are standardised, employees spend less time searching for, validating, and securing information.
A data management policy also supports business continuity. By defining backup requirements, recovery objectives, and disposal procedures, the policy ensures that critical data is protected against loss and that obsolete data is securely eliminated, reducing storage costs and litigation risk.
An effective data management policy contains five core components that together create a comprehensive governance framework for all organizational data.
The first component is Data Classification. This section defines the classification scheme — typically Public, Internal, Confidential, and Restricted — and specifies the criteria for assigning each level. Classification drives all subsequent handling, access, and protection requirements.
The second component is Data Handling Standards. This maps out the security controls required for each classification level, including encryption requirements, access restrictions, transmission protocols, and labelling conventions. It ensures that data is protected proportionately to its sensitivity.
The third component is Data Retention and Disposal. This defines how long each category of data must be retained, the legal and business bases for retention, and the approved methods for secure disposal when data reaches end-of-life.
The fourth component is Data Quality and Integrity. This establishes standards for data accuracy, completeness, and consistency, and defines the validation controls, quality metrics, and remediation processes that maintain data fitness for use.
The fifth component is Governance and Compliance. This defines the roles and responsibilities of data owners, stewards, and custodians, establishes the audit and monitoring program, and specifies training requirements and policy review cycles.
Implementing this data management policy is a structured process that takes your organization from template to operational governance framework.
Step one: customize the classification scheme. Review the four-tier classification model and adjust the definitions and examples to reflect your organization's data landscape, industry requirements, and risk appetite. Ensure that every data type your organization handles maps clearly to one of the defined levels.
Step two: assign data ownership. Identify data owners for each major data domain — typically business unit leaders or functional heads — and data stewards for each department. Document these assignments in the data inventory and communicate responsibilities through formal role descriptions.
Step three: build the data retention schedule. Work with Legal Counsel, Finance, and business unit leaders to define retention periods for each data category, referencing applicable legal requirements, contractual obligations, and business needs. Implement technical controls to automate retention and flag data approaching end-of-life.
Step four: deploy technical controls. Configure encryption, access controls, data loss prevention rules, and backup systems in alignment with the handling standards defined for each classification level. Ensure that all systems containing Confidential or Restricted data meet the encryption and access control requirements.
Step five: train and communicate. Conduct data management awareness training for all employees within 30 days of policy adoption. Distribute the policy through the organization's intranet and include it in the onboarding program for new hires. Schedule annual refresher training and quarterly compliance audits.