Summary

The information treatment policy defines the information classification levels and sets out rules for how information must be treated.

The policy is applicable to all internal and external personnel.

Principles

Our organization distinguishes the following levels of information classification:

Classification: Public
Description: Information of this kind can be freely distributed to anyone.
Examples:
• Information on the OHMX.bio public web site
• Brochures and leaflets
Treatment: No special measures need to be taken to protect this information.

Classification: Internal
Description: Information of this kind is meant to be kept internally, but no harm would be done if it fell into the wrong hands. This information can be shared with all Stakeholders when deemed necessary.
Examples:
• Policies and Procedures
• Assets
• Statement of Applicability
Treatment: No special measures need to be taken to protect this information.

Classification: Confidential
Description: The loss of confidential information can pose a threat to the organization.
Examples:
• Personally Identifiable Information
• Information and results with respect to projects (e.g. final reports and raw data)
• Financial information
• Audit reports
• Risk assessment
• Assurance statement
Treatment:
• Information can only be shared or distributed with permission from the owner, and when an NDA is in place
• Transmission or storage should be encrypted

Classification: Sensitive
Description: The loss of sensitive information can pose a threat to the persons involved. Theft or loss should be reported to the authorities.
Examples: Special categories of personal information ("bijzondere persoonsgegevens"), such as
• Racial or ethnic origin
• Political opinions
• Religious or philosophical beliefs
• Trade union membership
• Personal health data
• Biometric data
• Sex life or sexual orientation
Treatment:
• Information can only be shared or distributed with permission from the owner
• Transmission or storage must be encrypted
• Two-factor authentication (2FA)
• No read access by own/maintenance personnel
• Access to this kind of information must be logged and audited

Version approved 21/04/2022