Access Alert | Introducing Iraq’s Draft Data Classification Policy

Access Alert | Introducing Iraq’s Draft Data Classification Policy

On 20 June 2022, Iraq’s regulator, the Communications and Media Commission (CMC), announced the public consultation on the Draft Data Classification Policy. The policy aims to create a secure environment for the storing of data, ensure confidentiality of sensitive information, regulate access to data, process data in proportion to data classification levels, and protect data from loss or leakage.

Scope of application

The policy applies to both public and private sector stakeholders. More specifically, the scope applies to data that is stored, processed, modified, or transferred through a computer or smart device, created, collected, or maintained for the purpose of business functions or providing public services.

Different levels of data classification

In Article 1, the policy provides definitions of data, personal data, data owners, classification of data, encryption, and data breach. “Data” is defined as information that is edited, modified, printed, or stored on a computer in the form of files, text, audio, image, computer programs (or digital information in a language understood by a computer). Personal data is defined as any information through which it is possible to infer directly or indirectly the identity of the individual.

According to Article 5, data owners, such as government agencies and private companies, although excluding security or military entities, should classify data into at least four different levels. For data classified in level three and four of this policy, the data owner must encrypt all data classified in accordance with the third and fourth levels if the data is to be transferred from one entity to another.

The four different data classification levels are:

  • General data and information available to the public.
  • Non-sensitive personal data such as, but not limited to, a person’s names, gender age, and job title.
  • Sensitive personal data such as, but not limited to, criminal records, court decisions, and contact information.
  • Highly sensitive data such as, but not limited to, political documents or sensitive information from military or security entities.

According to provision 5.4 on “Duties and Responsibilities”, all public and private entities must take the above data classification levels into consideration. For senior management of the entity, this means disseminating this policy to all employees to ensure its implementation, adopt measures to address and correct any data breach, ensure compliance with this policy, and establish a data classification team headed by senior management, which will prepare quarterly reports about the implementation of this policy.

The Draft Data Classification Policy represent a significant development in Iraq’s regulatory ecosystem, which still is rather nascent, with little to no specific data protection regulations in place. With this policy, however, it is clear that the Iraqi regulator is currently working to expand its regulatory framework to keep pace with digital transformation development.

If you are interested in learning more about Iraq’s Draft Data Classification Policy, require support with submitting comments to the public consultation or engage the CMC, please contact Hussein Abul-Enein at hussein.abul-enein@accesspartnership.com, or Anja Engen at anja.engen@accesspartnership.com.

Related Articles

Python vs MATLAB vs Visualyse for satellite modelling

Python vs MATLAB vs Visualyse for satellite modelling

The satellite industry has evolved significantly in recent years. Even though launching and operation costs have steadily decreased, it is...

6 Dec 2022 Opinion
Impact of Hyperscale Cloud on the UAE’s SMEs and Start-ups

Impact of Hyperscale Cloud on the UAE’s SMEs and Start-ups

The United Arab Emirates (UAE) is making significant progress on its growth path towards economic diversification, with non-oil sectors contributing...

29 Nov 2022 Opinion
Access Alert | Brazilian telecom regulator approves Strategic Plan for 2023-2027; Peruvian government begins reorganisation of 800 MHz band

Access Alert | Brazilian telecom regulator approves Strategic Plan for 2023-2027; Peruvian government begins reorganisation of 800 MHz band

Two key Latin American countries have demonstrated a strong interest in expanding broadband coverage, fostering investment, and maintaining industry dynamism....

25 Nov 2022 Opinion
Access Alert | Colombia allocates the entire 6 GHz band for unlicensed use

Access Alert | Colombia allocates the entire 6 GHz band for unlicensed use

On 18 November, Colombia’s National Spectrum Agency (ANE) published Resolution 737, officially adding the 1.200 MHz that comprise the 6...

22 Nov 2022 Opinion