Government Security Classifications


Government Security Classifications
May 2018

Version 1.1 – May 2018
Page 1 of 37

Version History

SPF Version: 11.0
Document Version: 1.0
Date Published: Oct 13
Summary Of Changes: N/A – This document will replace the current ‘Government Protective Marking Scheme’ document on 2 April 2014.

SPF Version: 11.0
Document Version: 1.1
Date Published: May 18
Summary Of Changes: This document will replace Document Version 1.0 for the purpose of making reference to Data Protection legislation as outlined as follows: Overview of Key Principles, paragraph 1, page 4; Official - Definition, page 7; Disclosure, page 27. Including referencing the exemptions to some or all of the data protection principles as outlined as follows: Legal Framework, paragraph b, page 15. The EU-US Privacy Shield replaces the Safe Harbor Agreement, which was held to be invalid in October 2015 by the Court of Justice of the European Union. These changes have been reflected at the Annex, under Part Three, Technical Controls Summary, paragraph 53.

Government Security Classifications

Executive Summary

This policy describes how HM Government classifies information assets to: ensure they are appropriately protected; support Public Sector business and the effective exploitation of information; and meet the requirements of relevant legislation and international / bilateral agreements and obligations. It applies to all information that government collects, stores, processes, generates or shares to deliver services and conduct business, including information received from or exchanged with external partners.

Everyone who works with government has a duty to respect the confidentiality and integrity of any HMG information and data that they access, and is personally accountable for safeguarding assets in line with this policy.

HMG information assets may be classified into three types: OFFICIAL, SECRET and TOP SECRET. Each attracts a baseline set of security controls providing appropriate protection against typical threats. Additionally, ICT systems and services may require enhanced controls to manage the associated risks to aggregated data or to manage integrity and availability concerns.

Government Departments and Agencies should apply this policy and ensure that consistent controls are implemented throughout their public sector delivery partners (i.e. NDPBs and Arms Length Bodies) and wider supply chain.

The Government Security Classifications will come into force on 2 April 2014 – until then existing policy remains extant.

Cabinet Office
December 2012

Overview of Key Principles

1. This policy describes HM Government’s administrative system for the secure, timely and efficient sharing of information. It is not a statutory scheme but operates within the framework of domestic law, including the requirements of the Official Secrets Acts (1911 and 1989), the Freedom of Information Act (2000) and Data Protection legislation.

Principle One:
ALL information that HMG needs to collect, store, process, generate or share to deliver services and conduct government business has intrinsic value and requires an appropriate degree of protection.

2. Security classifications indicate the sensitivity of information (in terms of the likely impact resulting from compromise, loss or misuse) and the need to defend against a broad profile of applicable threats. There are three levels of classification:

OFFICIAL: The majority of information that is created or processed by the public sector. This includes routine business operations and services, some of which could have damaging consequences if lost, stolen or published in the media, but are not subject to a heightened threat profile.

SECRET: Very sensitive information that justifies heightened protective measures to defend against determined and highly capable threat actors. For example, where compromise could seriously damage military capabilities, international relations or the investigation of serious organised crime.

TOP SECRET: HMG’s most sensitive information requiring the highest levels of protection from the most serious threats. For example, where compromise could cause widespread loss of life or else threaten the security or economic wellbeing of the country or friendly nations.

3. Each classification provides for a baseline set of personnel, physical and information security controls that offer an appropriate level of protection against a typical threat profile. A top level controls framework is provided as an annex to this policy. As a minimum, all HMG information must be handled with care to comply with legal and regulatory obligations and reduce the risk of loss or inappropriate access. There is no requirement to mark routine OFFICIAL information.

4. Organisations may need to apply controls above (or below) the baseline on a risk managed basis appropriate to local circumstances and in line with HMG risk appetite tolerances. The Government SIRO will moderate such instances that entail any pan-government risk.

5. The classification scheme applies to information (or other specific assets). Major ICT infrastructure (e.g. large aggregated data sets, payments systems, etc.) may require enhanced controls to effectively manage associated confidentiality, integrity and availability risks – determined on a case by case basis following a robust risk assessment.

Principle Two:
EVERYONE who works with government (including staff, contractors and service providers) has a duty of confidentiality and a responsibility to safeguard any HMG information or data that they access, irrespective of whether it is marked or not, and must be provided with appropriate training.

6. Accidental or deliberate compromise, loss or misuse of HMG information may lead to damage and can constitute a criminal offence. Individuals are personally responsible for protecting any HMG information or other assets in their care, and must be provided with guidance about security requirements and how legislation relates to their role, including the potential sanctions (criminal or disciplinary) that may result from inappropriate behaviours. A summary of the relevant legal and regulatory context is set out on page 13.

7. Organisations must have a breach management system in place to aid the detection and reporting of inappropriate behaviours, enable disciplinary procedures to be enforced and assist with any criminal proceedings.

Principle Three:
Access to sensitive information must ONLY be granted on the basis of a genuine ‘need to know’ and an appropriate personnel security control.

8. Information needs to be trusted and available to the right people at the right time. The failure to share and exploit information can impede effective government business and can have severe consequences (e.g. medical records or case management files). The principles of openness, transparency, Open Data and information reuse require individuals to consider the proactive publishing of public sector information and data sets. However, this must always be a reasoned judgement, taking data protection and confidentiality into account.

9. The compromise, loss or misuse of sensitive information may have a significant impact on an individual, an organisation, or on government business more generally. Access to sensitive information must be no wider than necessary for the efficient conduct of an organisation’s business and limited to those with a business need and the appropriate personnel security control. This ‘need to know’ principle applies wherever sensitive information is collected, stored, processed or shared within government and when dealing with external public and private sector organisations, and international partners.

10. The more sensitive the material, the more important it is to fully understand (and ensure compliance with) the relevant security requirements. In extremis, there may be a need to share sensitive material to those without the necessary personnel security control, for example when immediate action is required to protect life or to stop a serious crime. In such circumstances a common sense approach should be adopted - if time permits, alternatives should be considered and steps taken to protect the source of information. If there is any doubt about providing access to sensitive assets, individuals should consult their managers or security staff before doing so and when time permits record the reasons for their actions.

Principle Four:
Assets received from or exchanged with external partners MUST be protected in accordance with any relevant legislative or regulatory requirements, including any international agreements and obligations.

11. The policy applies equally to assets entrusted to HMG by others, such as foreign governments, international organisations, NGOs and private individuals.

12. Where specific reciprocal security agreements / arrangements are in place with foreign governments or international organisations, equivalent protections and markings must be recognised and any information received must be handled with AT LEAST the same degree of protection as if it were UK information of equivalent classification. Detailed information about international and bilateral security agreements and the controls for managing foreign-originated information is set out in the ‘International Protective Security Policy’ supplement to the SPF.

13. Where no relevant security agreements / arrangements are in place, information or other assets received from a foreign country, international organisation or a UK NGO must at a minimum be protected to an equivalent standard as that afforded to HMG OFFICIAL assets, although higher classifications may be appropriate. Refer to the ‘International Protective Security Policy’ supplement for more detail.

14. The need to know principle must be strictly enforced for access to international partners’ information.

Security Classification Definitions

15. The three security classifications (OFFICIAL, SECRET and TOP SECRET) indicate the increasing sensitivity of information AND the baseline personnel, physical and information security controls necessary to defend against a broad profile of applicable threats:

• The typical threat profile for the OFFICIAL classification is broadly similar to that faced by a large UK private company with valuable information and services. It anticipates the need to defend UK Government data or services against compromise by attackers with bounded capabilities and resources. This may include (but is not limited to) hacktivists, single-issue pressure groups, investigative journalists, competent individual hackers and the majority of criminal individuals and groups.

• The threat profile for SECRET anticipates the need to defend against a higher level of capability than would be typical for the OFFICIAL level. This includes sophisticated, well resourced and determined threat actors, such as some highly capable serious organised crime groups and some state actors. Reasonable steps will be taken to protect information and services from compromise by these actors, including from targeted and bespoke attacks.

• The threat profile for TOP SECRET reflects the highest level of capability deployed against the nation’s most sensitive information and services. It is assumed that advanced state actors will prioritise compromising this category of information or service, using significant technical, financial and human resources over extended periods of time. Highly bespoke and targeted attacks may be deployed, blending human sources and actions with technical attack. Very little information risk can be tolerated.

OFFICIAL

Definition:
ALL routine public sector business, operations and services should be treated as OFFICIAL – many departments and agencies will operate exclusively at this level.

This includes a wide range of information, of differing value and sensitivity, which needs to be defended against the threat profile described in paragraph 15 above, and to comply with legal, regulatory and international obligations. This includes:

• The day to day business of government, service delivery and public finances.
• Routine international relations and diplomatic activities.
• Public safety, criminal justice and enforcement activities.
• Many aspects of defence, security and resilience.
• Commercial interests, including information provided in confidence and intellectual property.
• Personal information that is required to be protected under Data Protection legislation or other legislation (e.g. health records).

Baseline Security Outcomes:

• ALL HMG information must be handled with care to prevent loss or inappropriate access, and deter deliberate compromise or opportunist attack.
• Staff must be trained to understand that they are personally responsible for securely handling any information that is entrusted to them in line with local business processes.
• Baseline security controls reflect commercial good practice (described in the Annex).

Marking:
There is no requirement to explicitly mark routine OFFICIAL information. Baseline security measures should be enforced through local business processes.

A limited subset of OFFICIAL information could have more damaging consequences (for individuals, an organisation or government generally) if it were lost, stolen or published in the media. This subset of information should still be managed within the ‘OFFICIAL’ classification tier, but may attract additional measures (generally procedural or personnel) to reinforce the ‘need to know’. In such cases where there is a clear and justifiable requirement to reinforce the ‘need to know’, assets should be conspicuously marked: ‘OFFICIAL–SENSITIVE’

16. Data Owners are responsible for identifying any sensitive information within this category and for putting in place appropriate business processes to ensure that it is securely handled, reflecting the potential impact from compromise or loss and in line with any specific
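The access rule of Principle Three (personnel security control AND need to know), the foreign-origin handling of paragraphs 12 to 14, and the OFFICIAL-SENSITIVE caveat described under Marking, modelled together as a small policy-as-code check. This is an added example, not Cabinet Office code or any department's implementation; the Tier, Asset and Person names and the partner equivalence table are assumptions, and the partner markings are constructed placeholders.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional

# Added example (not Cabinet Office code): the three-tier scheme as policy-as-code.
# All names below are hypothetical; the equivalence table is a constructed placeholder.

class Tier(IntEnum):
    OFFICIAL = 1
    SECRET = 2
    TOP_SECRET = 3

@dataclass(frozen=True)
class Asset:
    tier: Tier
    sensitive: bool = False                    # OFFICIAL-SENSITIVE caveat: same tier, reinforced need to know
    need_to_know_group: Optional[str] = None   # business group with a genuine need for this asset

@dataclass(frozen=True)
class Person:
    clearance: Tier                            # personnel security control held
    groups: frozenset = frozenset()            # business groups the person belongs to

def marking(asset: Asset) -> str:
    """Routine OFFICIAL carries no mark; the caveat is a mark inside the OFFICIAL tier, not a fourth tier."""
    if asset.tier == Tier.OFFICIAL:
        return "OFFICIAL-SENSITIVE" if asset.sensitive else ""
    return asset.tier.name.replace("_", " ")

def need_to_know_applies(asset: Asset) -> bool:
    """Paragraph 9: need to know is enforced for anything beyond routine OFFICIAL."""
    return asset.sensitive or asset.tier > Tier.OFFICIAL

def may_access(person: Person, asset: Asset) -> bool:
    """Principle Three: BOTH the personnel control for the tier AND a genuine need to know."""
    if person.clearance < asset.tier:
        return False                           # clearance is necessary but never sufficient
    if not need_to_know_applies(asset):
        return True
    return asset.need_to_know_group is not None and asset.need_to_know_group in person.groups

# Constructed placeholder for a reciprocal agreement (paragraph 12); real equivalences
# come from the International Protective Security Policy supplement, not from this table.
AGREED_EQUIVALENCE = {("PARTNER-A", "A-SECRET"): Tier.SECRET}

def classify_foreign(origin: str, partner_marking: str) -> Asset:
    """Paragraphs 12-14: recognise an agreed equivalent, otherwise floor at OFFICIAL;
    partner information always has need to know strictly enforced."""
    tier = AGREED_EQUIVALENCE.get((origin, partner_marking), Tier.OFFICIAL)
    return Asset(tier=tier, sensitive=True, need_to_know_group=f"partner:{origin}")
```

The check deliberately rejects a TOP SECRET-cleared person without the relevant group: under this policy a higher clearance never substitutes for need to know.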
