Data Handling Standard Operating Procedure
SOP-DH-001 · Version 3.2 · Internal
1.0 Purpose
This Standard Operating Procedure establishes the requirements for the handling, classification, storage, sharing, and disposal of data at Veridian Corp. It ensures all employees and contractors manage data consistently, securely, and in compliance with applicable regulations including HIPAA, GDPR, and SOC 2.
2.0 Scope
This SOP applies to all Veridian Corp employees, contractors, consultants, and third-party agents who access, process, store, or transmit Veridian Corp data in any format (digital or physical).
3.0 Definitions
| Term |
Definition |
| PII |
Personally Identifiable Information — any data that can identify an individual |
| PHI |
Protected Health Information — health data protected under HIPAA |
| Data Controller |
Entity that determines the purposes and means of processing personal data |
| Data Processor |
Entity that processes personal data on behalf of the data controller |
| Data Breach |
Unauthorized access, disclosure, or destruction of personal data |
| Retention Period |
The defined duration for which data must be kept before disposal |
| Data Subject |
The individual whose personal data is being processed |
| Anonymization |
Irreversible process of transforming data so individuals cannot be identified |
4.0 Responsibilities
| Role |
Responsibility |
| Data Owner |
Approves data classification, authorizes access, reviews quarterly |
| Data Steward |
Day-to-day management of data quality and access controls |
| IT Security |
Implements technical controls, monitors access logs, responds to incidents |
| Data Protection Officer |
Ensures regulatory compliance, handles subject access requests, reports breaches |
| End User |
Handles data according to classification, reports incidents immediately |
5.0 Data Classification
| Level |
Description |
Examples |
Handling Requirements |
| Confidential |
Highest sensitivity — unauthorized disclosure causes severe harm |
PHI, PII, financial records, passwords |
Encrypt at rest and in transit, need-to-know access only, cannot leave secure systems |
| Internal |
Business-sensitive — not for public release |
Internal processes, employee data, contracts |
Do not share externally without approval, use company systems only |
| Public |
Approved for external release |
Marketing materials, published policies, press releases |
No restrictions on handling |
6.0 Procedures
- Upon receiving any new dataset, the Data Steward must classify it within 1 business day using the classification levels defined in Section 5.0.
- All Confidential data must be stored in approved, encrypted systems only; a list of approved systems is maintained by IT Security.
- Access to Confidential data must be granted on a need-to-know basis with explicit approval from the Data Owner.
- All access grants to Confidential data must be logged in the Access Management System within 24 hours.
- Data must not be copied to personal devices, personal email accounts, or personal cloud storage under any circumstances.
- Before sharing data with any third party, the Data Steward must verify a current DPA is in place and the recipient is on the approved vendor list.
- Data shared externally must be transmitted via encrypted channels only; email attachments containing Confidential data must be password-protected.
- Employees must complete data handling training before being granted access to Confidential data.
- When data is no longer required for its original purpose, the Data Steward must initiate the disposal process within 30 days.
- Physical documents containing Confidential data must be stored in locked cabinets and shredded when no longer needed.
- All data handling incidents (actual or suspected) must be reported to the Data Protection Officer within 1 hour of discovery.
- The Data Steward must conduct a quarterly review of all access permissions and remove access for any individuals whose role has changed.
- Backup copies of Confidential data must be encrypted with the same standard as the primary copy and tested for restorability quarterly.
- Any new software or system that will process Confidential data must undergo a Privacy Impact Assessment before deployment.
- Annual data audits must be completed by the Data Owner to verify data accuracy, relevance, and compliance with retention schedules.
7.0 Controls
- Multi-factor authentication (MFA) is mandatory for access to all systems containing Confidential data.
- Privileged access accounts must be reviewed and revalidated every 90 days.
- All access to Confidential data must generate an audit log entry including user ID, timestamp, data accessed, and action performed.
- Audit logs must be retained for a minimum of 2 years and reviewed monthly for anomalies.
- Data loss prevention (DLP) tools must be deployed on all endpoints with access to Confidential data.
- Encryption keys must be rotated annually and stored separately from the data they protect.
- All systems processing Confidential data must be covered by the vulnerability management program and patched within defined SLAs.
- Production data must never be used in development or test environments without anonymization or pseudonymization.
- Remote access to systems containing Confidential data requires VPN and MFA without exception.
- All contractors with access to Confidential data must sign a confidentiality agreement before access is provisioned.
8.0 Non-Compliance
Violations of this SOP may result in disciplinary action up to and including termination of employment or contract, as well as potential legal liability. All suspected violations must be reported to the Data Protection Officer immediately.
9.0 Revision History
| Version |
Date |
Author |
Changes |
| 3.2 |
Jan 15, 2026 |
J. Martinez |
Added DLP control, updated retention periods |
| 3.1 |
Jul 10, 2025 |
S. Chen |
GDPR SCCs updated post-adequacy decision |
| 3.0 |
Jan 8, 2025 |
J. Martinez |
Full restructure to align with ISO 27001:2022 |
| 2.4 |
Mar 3, 2024 |
R. Patel |
Added PHI handling procedures for HIPAA alignment |