Security classification policy

Policy overview

This policy sets out the standard by which we apply security classifications to information. 

It will:

  • support proportionate controls appropriate to the sensitivity of information
  • assist us to meet legal and regulatory requirements
  • promote responsible sharing and discretion
  • assist in identifying where our sensitive information is held
  • inform data leakage prevention controls which can reduce the risk of compromise and loss of information

Scope

This policy applies to all information that we collect, store, create or share to deliver council services.

It applies to all council information regardless of format or location.

General principles

All information that we collect, store, create, share or otherwise use:

  • has value
  • requires an appropriate degree of protection

Everyone who works with council information has a:

  • duty of confidentiality
  • responsibility to safeguard any information or data that they access

Everyone who works with council information must be provided with appropriate training.

Access to information must only be granted on a genuine ‘need-to-know’ basis. The more sensitive the information, the more robustly the ‘need-to-know’ principle applies.

‘Need-to-know’ means only allowing individuals access to information when it is deemed necessary for them to carry out a business task effectively.

Information received from or exchanged with external partners must be protected in accordance with any relevant legislative or regulatory requirements.

Security controls must always be:

  • proportionate
  • informed by the business requirement