
Document Classification for South African Organisations

Document Management · 6 min read · Published 2025-06-05

Document classification is the process of assigning a formal sensitivity or confidentiality label to every document in your organisation based on its content and the risk its exposure would create. Classification is not an optional sophistication — it is the foundation on which all other information governance controls are built.

Why Classification Is the Foundation

Without classification, every other governance decision becomes a judgment call. Should this file be shared externally? Should it be encrypted? Who should have access? How long should it be retained? Classification provides a systematic answer to all of these questions by reference to the label, not the individual's judgment.

The Standard Four-Tier Framework

Most South African organisations benefit from a four-tier classification framework:

Public

Information specifically intended for public release. May be freely shared, published, or disclosed. Examples: marketing materials, published annual reports, press releases, job advertisements.

Internal

Information intended for internal use only. Not intended for public release but not sensitive enough to require heightened controls. Examples: internal procedures, operational guidelines, general staff communications, meeting agendas. May not be shared externally without authorisation.

Confidential

Information that could cause harm to the organisation or individuals if disclosed without authorisation. Requires active protection. Examples: client personal information, financial data, contracts, employee records, business strategies. Access restricted to those with a specific need. Must not be uploaded to consumer AI tools. Encrypted in transit and at rest.

Restricted

The most sensitive information. Disclosure could cause severe harm. Examples: ID documents, bank account details, medical records, legal advice, board documents, merger information, audit findings. Access limited to specifically named individuals. Additional controls required for sharing, printing and storage.

How to Implement Classification

  1. Define your taxonomy: Agree on the four tiers and write clear definitions with examples specific to your organisation and sector.
  2. Train all staff: Everyone who creates, receives or handles documents must understand the classification system. Include specific examples from their role.
  3. Apply classification at creation: The best time to classify is when the document is created. A naming convention that incorporates classification markers helps.
  4. Use technology where possible: Microsoft 365 Purview and Google Workspace both support sensitivity labels. These labels follow the document and can trigger automatic controls (encryption, sharing restrictions).
  5. Audit periodically: Run a classification coverage check quarterly. What percentage of new files have been classified? Which departments have the lowest compliance rates?
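A sketch of the quarterly coverage check from steps 3 and 5, added here as an illustration and not taken from any tool the article names. It assumes a bracketed tier marker in the file name (for example `[CONFIDENTIAL]`) and an inventory of (department, file name, creation date) rows; the function names and sample data are constructed.

```python
import re
from collections import defaultdict
from datetime import date

# Assumed convention (not from the article): a bracketed tier marker
# anywhere in the file name, e.g. "2025-Q2 payroll [RESTRICTED].xlsx".
TIERS = ("PUBLIC", "INTERNAL", "CONFIDENTIAL", "RESTRICTED")
MARKER = re.compile(r"\[(%s)\]" % "|".join(TIERS), re.IGNORECASE)

def tier_of(filename):
    """Return the tier named in the file name, or None if unlabelled or ambiguous."""
    found = {m.upper() for m in MARKER.findall(filename)}
    return found.pop() if len(found) == 1 else None

def coverage_report(inventory, quarter_start, quarter_end):
    """Per-department classification coverage for files created in the quarter.

    inventory: iterable of (department, filename, created_date).
    Returns (department, classified, total, percent) rows, lowest coverage first.
    """
    counts = defaultdict(lambda: [0, 0])  # department -> [classified, total]
    for dept, name, created in inventory:
        if not (quarter_start <= created <= quarter_end):
            continue  # only new files count towards this quarter's figure
        counts[dept][1] += 1
        if tier_of(name) is not None:
            counts[dept][0] += 1
    rows = [(d, c, t, round(100.0 * c / t, 1)) for d, (c, t) in counts.items()]
    return sorted(rows, key=lambda r: (r[3], r[0]))

# Constructed sample inventory (department, file name, creation date).
SAMPLE = [
    ("Finance", "2025-04 supplier contract [CONFIDENTIAL].pdf", date(2025, 4, 3)),
    ("Finance", "bank details [Restricted].xlsx", date(2025, 5, 12)),
    ("Finance", "budget draft.xlsx", date(2025, 6, 1)),
    ("HR", "job advert [PUBLIC].docx", date(2025, 4, 20)),
    ("HR", "leave policy [INTERNAL][PUBLIC].docx", date(2025, 5, 2)),  # ambiguous
    ("HR", "employee record.pdf", date(2025, 6, 15)),
    ("HR", "old handbook [INTERNAL].pdf", date(2024, 11, 1)),  # outside quarter
    ("Marketing", "press release [PUBLIC].docx", date(2025, 4, 9)),
]

if __name__ == "__main__":
    for dept, done, total, pct in coverage_report(SAMPLE, date(2025, 4, 1), date(2025, 6, 30)):
        print(f"{dept:<10} {done}/{total} classified ({pct}%)")
```

Files carrying two different markers are counted as unclassified, so conflicting labels surface in the audit instead of being silently resolved.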

Classification and POPIA

POPIA requires organisations to implement security safeguards appropriate to the nature of the personal information processed. Classification enables proportionate protection — the level of security applied to a document is determined by its classification label. This means Restricted documents get encryption and tight access controls, while Public documents need no special protection. Without classification, organisations either over-protect everything (operationally burdensome) or under-protect sensitive information (a compliance risk).

Common Classification Mistakes
