Data Management & Database Policies

Document Version & Control

  • Version: 1.2
  • Last Review Date: 6 Jan 2025
  • Next Review Date: [12 months from last review or upon significant changes]
  • Approver: CTO (technical accuracy), DPO (security alignment), Legal & Compliance Officer (regulatory adherence)

Purpose & Scope
These policies govern the management of client and applicant data stored within our systems hosted on AWS and Digital Ocean. They ensure that data is properly segregated, documented, retained, archived, and ultimately destroyed in accordance with business, security, and regulatory requirements. These policies apply to all production environments and any environments containing real client data.

Compliance & References

  • Industry Standards: ISO 27001: A.8 (Asset management), A.9 (Access control), A.12 (Operations security); SOC 2 (Security, Availability, Confidentiality); NIST SP 800-53 (Data Protection)
  • Regulations & Legal Requirements: GDPR (if applicable), Personal Data Protection Act (PDPA - Singapore), and other applicable privacy regulations.
  • Related Internal Documents:
    • Information Security Policy
    • Encryption & Key Management Policy
    • Business Continuity Plan
    • Incident Response & Breach Notification Policy
    • Change Management & Release Management Policy

Roles & Responsibilities

  • CTO: Overall responsibility for data architecture and ensuring technical compliance.
  • DPO: Oversees data security, ensuring alignment with compliance and regulatory requirements.
  • Head of Data Management / Database Administrator Lead: Executes data schema changes, retention, archival, and destruction procedures.
  • DevOps & Infrastructure Team: Ensures proper deployment, backup configurations, environment isolation, and adherence to retention/deletion timelines.
  • Legal & Compliance Officer: Provides guidance on regulatory requirements for data retention and destruction.
  • Internal Audit or Compliance Team: Conducts periodic reviews for adherence to these policies.

1. Data Segregation & Multi-Tenancy Policy

Policy Statement:
All client data must be logically segregated in our multi-tenant platform to prevent unauthorized access, data leakage, or accidental cross-client exposure.

Key Requirements:

  1. Logical Segregation:
    • Tenant data is separated at the database or schema level.
    • Physical segregation (separate servers) is not required based on current client contracts.
    • User-level access controls must prevent cross-tenant data queries or actions.
  2. Dedicated Environments (If Requested):
    • Clients may request dedicated environments.
    • Such requests are fulfilled according to the client’s contract and internal approval.
  3. Monitoring & Auditing:
    • Implement logging and alerts to detect any cross-tenant data access attempts.
    • Conduct regular audits to verify the effectiveness of segregation controls (refer to Logging & Audit Trail Policy).

2. Data Dictionary & Schema Documentation

Policy Statement:
A comprehensive, current, and internally accessible data dictionary and schema documentation must be maintained to enable clear understanding of data structures and relationships.

Key Requirements:

  1. Documentation Platform:
    • Maintain all schema documentation and data dictionaries in a secure GitHub Pages repository, accessible only by authorized personnel.
    • Documentation is internal-only and not client-facing.
  2. Data Dictionary Maintenance:
    • Include all tables, fields, data types, keys, relationships, and descriptions.
    • Update the documentation after each schema change following the Change Management Policy.
  3. Version Control & Review:
    • Version control all documentation changes.
    • Conduct quarterly reviews to ensure accuracy and completeness.

3. Data Retention & Archival Policy

Policy Statement:
All client and applicant data will be retained for 30 days. After this retention period, data must either be archived (if required) or securely destroyed. If a client relationship has ended, the client may request adjustments to retention durations (longer or shorter), subject to regulatory and contractual constraints.

Key Requirements:

  1. Standard Retention Period:
    • Retain client data, including applicant CVs and associated metadata, for 30 days unless otherwise required by law or contract.
  2. Client-Requested Adjustments Post-Contract:
    • After the client relationship ends, clients may request different retention durations.
    • Legal & Compliance must review these requests to ensure no regulatory violations.
  3. Archival Procedures:
    • At the end of the 30-day retention period, data may be transferred to secure archival storage if needed for audit or legal purposes.
    • Archival storage must adhere to the Encryption & Key Management Policy.
    • Maintain metadata to locate archived data if needed.
  4. Review & Audit:
    • Review retention practices annually or upon regulatory changes.
    • Internal audits ensure retention and archival compliance.

4. Data Destruction Policy

Policy Statement:
When data surpasses the defined retention period or when requested by a client post-contract, it must be securely destroyed or deleted within 60 days, including from backups, following industry best practices and standards.

Key Requirements:

  1. Destruction Methods:
    • Use NIST SP 800-88 compliant data sanitization methods for all environments.
    • For cloud storage, use cryptographic erasure or secure deletion tools.
  2. Destruction Timelines & Requests:
    • Complete destruction requests within 60 days, including backup data.
    • Log all destruction events (request date, method used, completion date, responsible personnel).
  3. Compliance Considerations:
    • Although the company is based in Singapore, follow international best practices for secure deletion.
    • Update processes if future regulations impose stricter requirements.
  4. Documentation & Verification:
    • Maintain logs of all destruction activities for audit and verification.
    • Periodically test destruction procedures to ensure compliance and effectiveness.

Interdependencies with Other Policies

  • Information Security Policy: Provides overarching security controls.
  • Encryption & Key Management Policy: Defines encryption standards for archival and active data.
  • Incident Response & Breach Notification Policy: Guides the response when data handling must change after an incident.
  • Change Management & Release Management Policies: Govern schema or tool changes affecting retention, archival, or destruction.

Next Steps & Approval

  • CTO: Confirm technical feasibility of retention, archival, and destruction procedures.
  • DPO: Verify alignment with security and compliance standards.
  • Legal & Compliance Officer: Confirm that the retention period and practices meet all regulatory and contractual obligations.

Version Updates & Tracking

  • Document changes in a version-controlled repository.
  • Review policies annually or after major regulatory, business, or technical changes.

Copyright © 2024. All Rights Reserved by TechKnowledgey Pte Ltd.