Data Handling Standard Operating Procedure

SOP-DH-001 · Version 3.2 · Internal

Document ID: SOP-DH-001
Version: 3.2
Effective Date: January 15, 2026
Owner: Data Governance Team
Approved By: Chief Data Officer
Review Cycle: Annual
Classification: Internal

1.0 Purpose

This Standard Operating Procedure establishes the requirements for the handling, classification, storage, sharing, and disposal of data at Veridian Corp. It ensures all employees and contractors manage data consistently, securely, and in compliance with applicable regulations including HIPAA, GDPR, and SOC 2.

2.0 Scope

This SOP applies to all Veridian Corp employees, contractors, consultants, and third-party agents who access, process, store, or transmit Veridian Corp data in any format (digital or physical).

3.0 Definitions

Term Definition
PII Personally Identifiable Information — any data that can identify an individual
PHI Protected Health Information — health data protected under HIPAA
Data Controller Entity that determines the purposes and means of processing personal data
Data Processor Entity that processes personal data on behalf of the data controller
Data Breach Unauthorized access, disclosure, or destruction of personal data
Retention Period The defined duration for which data must be kept before disposal
Data Subject The individual whose personal data is being processed
Anonymization Irreversible process of transforming data so individuals cannot be identified

4.0 Responsibilities

Role Responsibility
Data Owner Approves data classification, authorizes access, reviews quarterly
Data Steward Day-to-day management of data quality and access controls
IT Security Implements technical controls, monitors access logs, responds to incidents
Data Protection Officer Ensures regulatory compliance, handles subject access requests, reports breaches
End User Handles data according to classification, reports incidents immediately

5.0 Data Classification

Level Description Examples Handling Requirements
Confidential Highest sensitivity — unauthorized disclosure causes severe harm PHI, PII, financial records, passwords Encrypt at rest and in transit, need-to-know access only, cannot leave secure systems
Internal Business-sensitive — not for public release Internal processes, employee data, contracts Do not share externally without approval, use company systems only
Public Approved for external release Marketing materials, published policies, press releases No restrictions on handling

6.0 Procedures

  1. Upon receiving any new dataset, the Data Steward must classify it within 1 business day using the classification levels defined in Section 5.0.
  2. All Confidential data must be stored in approved, encrypted systems only; a list of approved systems is maintained by IT Security.
  3. Access to Confidential data must be granted on a need-to-know basis with explicit approval from the Data Owner.
  4. All access grants to Confidential data must be logged in the Access Management System within 24 hours.
  5. Data must not be copied to personal devices, personal email accounts, or personal cloud storage under any circumstances.
  6. Before sharing data with any third party, the Data Steward must verify a current DPA is in place and the recipient is on the approved vendor list.
  7. Data shared externally must be transmitted via encrypted channels only; email attachments containing Confidential data must be password-protected.
  8. Employees must complete data handling training before being granted access to Confidential data.
  9. When data is no longer required for its original purpose, the Data Steward must initiate the disposal process within 30 days.
  10. Physical documents containing Confidential data must be stored in locked cabinets and shredded when no longer needed.
  11. All data handling incidents (actual or suspected) must be reported to the Data Protection Officer within 1 hour of discovery.
  12. The Data Steward must conduct a quarterly review of all access permissions and remove access for any individuals whose role has changed.
  13. Backup copies of Confidential data must be encrypted with the same standard as the primary copy and tested for restorability quarterly.
  14. Any new software or system that will process Confidential data must undergo a Privacy Impact Assessment before deployment.
  15. Annual data audits must be completed by the Data Owner to verify data accuracy, relevance, and compliance with retention schedules.

7.0 Controls

8.0 Non-Compliance

Violations of this SOP may result in disciplinary action up to and including termination of employment or contract, as well as potential legal liability. All suspected violations must be reported to the Data Protection Officer immediately.

9.0 Revision History

Version Date Author Changes
3.2 Jan 15, 2026 J. Martinez Added DLP control, updated retention periods
3.1 Jul 10, 2025 S. Chen GDPR SCCs updated post-adequacy decision
3.0 Jan 8, 2025 J. Martinez Full restructure to align with ISO 27001:2022
2.4 Mar 3, 2024 R. Patel Added PHI handling procedures for HIPAA alignment