Data classification · 4 tiers
Data classification policy
4 sensitivity tiers (Public/Internal/Confidential/Restricted) · 8 handling rules per-tier · classification process automated + audited · 6 special cases documented · 6 compliance mappings GDPR/AEPD/NIS2/AI Act/Ley 41/2002.
4 tiers · examples + handling
| Tier | Examples | Handling |
|---|---|---|
| Tier 4 · Restricted (highest) | Patient medical history · diagnoses · medications · conversation message content · biometric data · genetic data | AES-256 + pgsodium per-tenant + Postgres RLS + audit log every access + MFA mandatory + decryption logged + retention legally bound (Ley 41/2002 healthcare 5+ years) |
| Tier 3 · Confidential (high) | Patient PII (name + phone + email) · payment methods · staff salaries · clinic financial data · vendor contracts · API keys · secrets | AES-256 at rest + TLS 1.3 in transit + RLS per-tenant + need-to-know access + audit log + MFA mandatory in production · retention per-data-type |
| Tier 2 · Internal (medium) | Operational metrics (response time · uptime stats) · aggregated analytics · internal documentation · staff schedules · vendor communications | TLS in transit + access control via RBAC + audit log access · retention 3 years default · NOT shared externally without approval |
| Tier 1 · Public (low) | Marketing materials · blog content · landing pages · API docs · changelog · vendor names · pricing tiers · case studies (post-consent) | No special handling · published freely · cached + CDN distributed · NO PII allowed · founder review pre-publish |
8 handling rules · matrix per-tier
| Rule | T4 Restricted | T3 Confidential | T2 Internal | T1 Public |
|---|---|---|---|---|
| Storage encryption | AES-256-GCM + pgsodium per-tenant | AES-256-GCM at rest | Standard DB encryption | No special requirement |
| Transit encryption | TLS 1.3 mandatory | TLS 1.3 preferred · TLS 1.2 minimum | TLS 1.2+ | HTTPS standard |
| Access control | MFA + need-to-know + audit every access | MFA + role-based + audit log | RBAC standard | Public access OK |
| Logging access | Every read/write logged immutable | Every read/write logged | Aggregate logging | Optional analytics only |
| Retention | Legal minimum healthcare (5+ years) | Per-type 1-7 years | 3 years default | Indefinite acceptable |
| Deletion | Cryptographic erase keys · audit | Secure delete + audit | Standard delete | Standard delete |
| External sharing | NEVER · only via secure portal with consent + audit | Per-contract + DPA · audit | Approved partners only | Public OK |
| Backup encryption | Backup key separated · Shamir 3-of-5 | Backup encrypted standard | Standard backup | Standard backup |
Classification process · 6 phases
- T+0 · Data creation/ingestion · classifier auto-applies tier based on source + content type · default Tier 3 if uncertain
- T+0 · Metadata tag attached · tier_level column in DB · sensitivity_tag header on API responses
- Continuous · Access requests validated against tier · MFA challenge if Tier 3+ · denied if insufficient permissions
- Quarterly · Classification audit · sample 100 records per-tier · validate correct tier · re-classify drift
- Triggered · Re-classification event-based · if data context changes (anonymization, aggregation) · tier may downgrade
- Annually · Tier definitions reviewed · GDPR + AEPD guidance updates incorporated · ADR if changes
Special cases · 6 scenarios
- Anonymized aggregated data (k≥5) · downgraded Tier 2/1 · NO individual identification · benchmarks public OK
- Pseudonymized data · still Tier 3/4 · key separation but reversible · NOT same as anonymous · stricter handling
- Encrypted backups offsite · maintain origin tier · backup encryption protects · audit at restore
- Logs containing PII (avoidable) · scrubbed pre-storage · if unavoidable then Tier 3 handling
- Sample data testing · synthetic ONLY · NEVER real PII in dev/staging · Tier 1 synthetic data
- External vendor data sharing · DPA mandatory · tier respected vendor side · audit cross-border
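The T+0 classifier, the continuous access gate and the anonymized/pseudonymized/synthetic special cases above, as an added Python example (not the product's own code). Tier numbers, the Tier 3 default, MFA at Tier 3+, the k≥5 rule and the tier_level / sensitivity_tag names come from the policy; the content-type strings, the source values and the return messages are assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

RESTRICTED, CONFIDENTIAL, INTERNAL, PUBLIC = 4, 3, 2, 1

# Assumed content-type names, grouped by the tier the examples table gives them.
TIER_BY_TYPE = {
    "medical_history": RESTRICTED, "diagnosis": RESTRICTED, "medication": RESTRICTED,
    "conversation_message": RESTRICTED, "biometric": RESTRICTED, "genetic": RESTRICTED,
    "patient_pii": CONFIDENTIAL, "payment_method": CONFIDENTIAL, "api_key": CONFIDENTIAL,
    "uptime_stats": INTERNAL, "internal_doc": INTERNAL,
    "marketing": PUBLIC, "api_docs": PUBLIC,
}

@dataclass
class Record:
    content_type: str
    source: str                         # e.g. "ehr", "upload", "synthetic" (assumed values)
    pseudonymized: bool = False
    anonymized_k: Optional[int] = None  # k of the aggregate; None when not aggregated
    tier_level: int = CONFIDENTIAL      # metadata tag; column name taken from the policy

def classify(rec: Record) -> int:
    """T+0: tier from source + content type, Tier 3 if uncertain, then special cases."""
    if rec.source == "synthetic":                  # dev/staging test data is Tier 1
        tier = PUBLIC
    else:
        tier = TIER_BY_TYPE.get(rec.content_type, CONFIDENTIAL)  # unknown -> Tier 3
        if rec.anonymized_k is not None and rec.anonymized_k >= 5:
            tier = min(tier, INTERNAL)             # k>=5 aggregate downgrades to Tier 2
        elif rec.pseudonymized:
            tier = max(tier, CONFIDENTIAL)         # pseudonymized never drops below Tier 3
    rec.tier_level = tier
    return tier

def sensitivity_header(rec: Record) -> dict:
    """Header attached to API responses carrying this record."""
    return {"sensitivity_tag": f"tier-{rec.tier_level}"}

def authorize(rec: Record, has_permission: bool, mfa_passed: bool) -> Tuple[bool, str]:
    """Continuous step: deny on missing permission; MFA challenge for Tier 3+."""
    if not has_permission:
        return False, "denied: insufficient permissions"
    if rec.tier_level >= CONFIDENTIAL and not mfa_passed:
        return False, "mfa_required"
    return True, "allowed"
```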
Compliance mapping · 6 frameworks
- GDPR Art 9 (special categories) → Tier 4 always · explicit consent + safeguards mandatory
- GDPR Art 32 (security of processing) → Tier 3+ encryption + pseudonymization required
- AEPD Guía Cifrado 2024 → Tier 4 minimum AES-256 · Tier 3 standard encryption
- NIS2 Directive → Tier 3+ logging mandatory · incident notification 24h breaches
- AI Act Art 10 (data governance) → Tier 4 training data restrictions · transparency
- Ley 41/2002 clinical records → Tier 4 retention 5 years minimum after last care episode
Does your compliance team need a classification deep-dive?
For Enterprise procurement · detailed classification matrix · sample data flow diagrams · vendor data flow audit · DPA templates available under NDA.