Security classification policy

Security classification

We will adopt the security classifications described in the Government Classification Scheme. This is a common classification scheme used within the public sector.

The classification scheme has three levels of classification. These are:

  • top secret
  • secret
  • official

The nature of council business means we will only use a single classification of ‘official’.

Official

The default for all council information is ‘official’.

Official information includes all routine business operations and services, some of which could have damaging consequences if:

  • lost
  • stolen
  • published into the public domain

'Official' includes personal data requiring protection under data protection legislation.

Information that is official does not need to be marked. Therefore all unmarked information will be deemed to be official.

The controls to protect official information will be:

  • understood
  • achievable
  • based on commercial good practice

The controls will support the delivery of services in a multi-agency environment.

The controls will provide protection against those who intend to compromise our information.

You must:

  • consider the nature and context of the information you are working with
  • exercise good judgement to ensure that you always process official information appropriately

Our information assurance policies set out how official information should be protected.

Official-sensitive

The classification of 'official' can be supplemented by an additional marking, known as a handling caveat, which indicates when extra care is needed.

We will use the handling caveat of ‘sensitive’ when it is particularly important to enforce the need-to-know principle. For example, 'official-sensitive'.

It must be used at the discretion of the originator and be informed by:

  • the subject area
  • context
  • any statutory or regulatory requirements

You must therefore apply an 'official-sensitive' marking to a document, file or email, where compromise or loss could have particularly damaging consequences for an individual (or group of individuals), or an organisation.

'Official-sensitive' is a subset of information that:

  • must still be managed as official
  • attracts additional organisational measures to reinforce the need to know

'Official-sensitive' includes special categories of personal data and other information whose compromise, amendment, or loss of availability would have a greater negative impact than that of routine information.

Official-sensitive marking will:

  • provide instant information about a document’s sensitivity
  • encourage everyone to think about how they handle the information

Where system limitations do not allow you to apply a handling caveat, the information should be marked as soon as possible, for example when it is amended within M365 applications such as Word, Outlook, or Excel.

There is no mandatory requirement to retrospectively mark historic information with a handling caveat, unless the document is being amended. However, if the opportunity to apply the official-sensitive marking arises and it is reasonable to do so, you should apply it.

Working with official-sensitive information

When it is necessary to reinforce the need-to-know principle, additional controls may be required to protect official-sensitive information.

Examples include:

  • well communicated and understood handling instructions
  • well defined and limited circulation
  • more granular access controls within document stores or databases
  • increased monitoring and compliance auditing

The protective marking must be applied by the originator.

Recipients of official-sensitive information should not change the marking unless authorised to do so by the originator.

‘Official-sensitive’ must be clearly indicated in capital letters.

Easy-to-use tools within M365 will be made available to help apply a classification:

  • on documents, the marking should appear at the top and bottom of each page
  • emails with official-sensitive attachments must also make this obvious in the subject line and the email content
  • filenames should include the classification where possible

Examples where 'official-sensitive' may be used:

  • the most sensitive corporate or operational information, for example, relating to:
    • organisational change planning
    • contentious negotiations
    • major security or business continuity issues
  • policy development and advice to members or senior managers on contentious or very sensitive issues
  • commercial or market sensitive information, including that subject to statutory or regulatory obligations, that may be damaging to the council or to a commercial partner if improperly accessed
  • information about investigations and civil or criminal proceedings that could:
    • compromise public protection or enforcement activities
    • prejudice court cases
  • more sensitive information about security assets or equipment that could damage capabilities or effectiveness
  • special categories of personal data that would be damaging to an individual if lost or compromised, for example, data relating to:
    • health
    • ethnicity
    • sexual orientation or sex life
    • biometric data
    • racial or ethnic origin
    • political opinions
    • religious or philosophical beliefs
  • sensitive information relating to children or adults
  • information from other organisations where they have defined it as official-sensitive and insist on strict sharing protocols