Info sharing with partners v0.1
unrestricted
Contents
Key Messages 2
Policy 2
Definition 2
Restrict 2
Protect 3
Unrestricted 3
Private 4
Annex 1: interpretation of Restricted and Protect 5
Annex 2: Application of the policy 9
Key Messages
· Every document should be marked according to its sensitivity as Restrict, Protect, or unrestricted
· Incoming documents marked as Restrict or Protect must be managed accordingly
· Private documents may be marked as private
· Security appropriate to the marking must be applied when the document is stored, removed, accessed, transmitted by post or email, or used or processed
· “confidential” is not defined and should not be used
Policy
This document states the Security Marking policy for City of York Council in order for documents and records to have appropriate security measures applied to them.
This policy aims to ensure that documents and records are security marked in order to:
· alert users to restrictions on use or disclosure
· assist in the correct application of secure email and internet use in accordance with the Government Connect Code of Connection (CoCo)
· help fulfil the seventh principle of the Data Protection Act 1998
· Prohibit the disclosure of information as may be necessary by law.
Definition
The following markings may be used:
· Restrict
· Protect
· Unrestricted
· Private
Restrict
This is the lowest level of national security markings. It is unlikely the council would create or retain any in higher categories[1]. However if any should be received, the service involved must, under this policy, apply Cabinet Office Guidelines and the restrictions it requires.
Restrict is defined in the Cabinet Office Guidelines and repeated at Annex 1.
Protect
This is the principal level of security marking, below those appropriate to national security, but relevant to any data that requires some form of protection. See Annex 1 for the cabinet Office definition.
Advice from DCLG indicates that personal or commercial data may feature heavily in this category. As a matter of policy, any data requiring any degree of security protection short of that required for “restrict” documents should carry the label “protect”.
It is likely to be the biggest of the four categories and is therefore divided into an upper and lower sub-division.
Unrestricted
There are no adverse implications for disclosure to any person. It may be advantageous for such material to be made available as widely as possible. Some is included in the publication scheme and is expected to be published. No special security is required, and
· disclosure or transmission can be made freely within CYC (ie if using internal email or phone, security is adequate, and proper re-use can be assumed).
· disclosure can be made freely within formal partnerships and to statutory bodies
· minimal consultation is required in the event of an FoI request although a warning may be given if another party would be affected
Private
Some data or documents may relate to a person’s private life. This is separate from that person’s professional life – eg as an employee. Private records may be stored or transmitted using the council’s systems in accordance with the email policy. Examples include an employee’s:
· appraisal notes
· communications with his or her trade union
· notes and documents relating to his or her own disciplinary or grievance cases
· letters or emails relating to non-work-related matters such as family or business
The owner of a “private” record may assume that it will not be read other than in accordance with CYC policy, including the email policy. The marking “private and confidential” should not be used. “Confidential” is not defined in this policy and is not approved as a security marking within the council because of the risk of confusion with its use as a national security classification.
Any of the other security markings above may be combined with “private” if applicable.
V 0.1 / 9 February 2011 / R Beane / Page 1 of 9Info sharing with partners v0.1
unrestricted
Annex 1: interpretation of Restricted and Protect
Consider the effect that loss or compromise of the data would have, and how serious it would be.
Cabinet office criterion / Restricted / Protect 2 / Protect 1§ Distress to one or more individuals / “Substantial distress” / Simple “distress”
Professional counselling would be appropriate.
Unreasonable or unlawful action by others (eg vigilantism) may be provoked / The experience of distress ranges from annoyance to loss of rationality, and the degree experienced depends on the individual as well as external, objective events. This is unlikely to be a useful criterion for determining which protect band is appropriate to entire classes of information.
Instead take account of social norms of privacy, including reasonable expectations of a public authority in protecting personal privacy
suspicion of serious criminal activity by someone already in public eye, or when public emotions are already highly aroused. / suspicion of serious criminal activity / suspicion of minor criminal activity or civil breach
Personal identifiers that would enable impersonation leading to serious mischief / Personal identifiers that would enable impersonation, or those of a child or vulnerable person / basic personal identifiers.
Cont…
A complaint would be likely to lead to enforcement action against CYC by an appropriate regulator / Complaint would be likely to generate bad publicity / Complaint would be dealt with internally
§ Financial loss or loss of earning potential / CYC would have to make substantial service reductions, including numerous redundancies / Budget variance requiring report to members / Budget variance requiring report internally
A business or individual would be threatened with bankruptcy, with likely recovery action against CYC / A business or individual would no longer do business with CYC (including possible immediate termination of contract) / Compensation would be required
§ Facilitate improper gain or advantage for individuals or companies / Criminal charges resulting would lead to at least 5 years imprisonment / “Improper” crosses threshold of criminality / “Improper” poses a risk to CYC reputation
Values involved so big that they would, if they fell to CYC, lead to service reductions as above / Values involved so big that they would, if they fell to CYC, lead to public reports, as above / Values involved big enough, if they fell to CYC, to lead to reports as above
§ Prejudice the investigation or facilitate the commission of crime / Successful prosecution (if the crime were to be committed) would lead to at least 5 years imprisonment for at least one person / Crime sufficiently serious that prosecution by police or CPS would be likely (if evidence available) / Crime insufficiently serious, or evidence insufficiently strong, for actual prosecution to be likely
Cabinet office criterion / Restricted / Protect 2 / Protect 1
§ Breach proper undertakings to maintain the confidence of information provided by third parties / Other party would cease contact and cooperation altogether with CYC / Other party would require CYC to change procedures or personnel before normal relations can resume / Retaliatory action unlikely
Court action would lead to substantial damages with reportable budgetary consequences for CYC / Court action would lead to minor damages without reportable budgetary consequences for CYC / Court action unlikely
§ Impede the effective development or operation of government policies / Publicity or similar action would cause failure to prepare new policy or gain formal approval for it. Basically a political protection only applicable at the highest level / Not included on the Protect list. However controversy might threaten the success of a policy; publicity may require management and therefore disclosures must be controlled
§ To breach statutory restrictions on disclosure of information / Court action (if taken) would lead to substantial damages with reportable budgetary consequences for CYC / Court action would lead to minor damages without reportable budgetary consequences for CYC / Court action unlikely
§ Disadvantage the council in commercial or policy negotiations with others / Values involved so big that they would, if they fell to CYC, lead to service reductions as above / Values involved so big that they would, if they fell to CYC, lead to public reports, as above / Values involved big enough, if they fell to CYC, to lead to reports as above
§ Undermine the proper management of the public sector and its operations / Would be exempt under S36 of FoI - that is, Monitoring Officer would be willing to sign a non-disclosure certificate for this reason / Not included on the Protect list. However controversy might threaten the success of a policy; publicity may require management and therefore disclosures must be controlled
Security management: both classes must be stored on a secure IT system, or in a locked and secure cupboard if in hard copy.
Restricted material can only be sent electronically via a secure IT system such as the Government Secure Intranet (GSI – the Government Connect system of “.gscx” email addresses). It cannot be sent over the internet. However, Protect material can be sent over the internet if it is encrypted before sending (using WinZip or similar). However, the recipient will need to be advised in advance of receipt.
Officers must assure themselves that the recipient is sufficiently aware of handling procedures to be entrusted with the material. Where an information sharing agreement is in place, it may be used to specify handling procedures; for an ad-hoc disclosure a judgement may have to be made. Setting conditions is unlikely to be effective. Within CYC, this policy and the related data security policies apply.
V 0.1 / 9 February 2011 / R Beane / Page 1 of 9Info sharing with partners v0.1
unrestricted
Annex 2: Application of the policy
Application
A security classification should be applied by the officer who creates a record. Existing records should be classified as soon as possible The progress of the eDRMS project will be a suitable opportunity for many. Where appropriate, Information Asset Owners (IAOs) may devise criteria suitable for that service to assist their colleagues.
Records and documents received from outside the council should be classified by the receiving officer, taking account of any marking already carried and of local policy for similar documents set by the IAO. Information sharing agreements should include a clause on the treatment of security marked material, including consistent security management and possible reclassification.
A classification may be amended (perhaps after a challenge) by the IAO. Decisions of IAOs may be set aside by the Senior Information Risk Owner (SIRO) who may also delegate this power to other suitably qualified and senior officers.
Interpretation
The formal descriptions of what should be Restrict and protect are very similar in many respects. Protect needs less security but ranging from anything short of what is required by “Restrict” down to the lightest-touch security. Remember that Restrict is a national security classification so applicable only to the most serious risks.
The Annex sets out a table comparing how the two classifications might be used.
Freedom of Information
Records and documents bearing security markings are likely to be exempt. But the marking is not definitive, as the passage of time may have reduced the risk even though the marking has not been reviewed or amended.
In any case the relevant exemption may be subject to the Public Interest Test, and the information fall to be disclosed even though the risk still exists. These considerations must be applied in accordance with the FoI policy in the event of such a record being the subject of a request.
Appropriate level
The classification applied to a document must be neither too low nor too high. The definitions above describe the possible consequences if too low a level is applied and the information is actually compromised. However too high a level will impose an overhead with consequences of cost, time, or efficiency.
This may mean that it is more efficient to store documents in accordance with their protective markings rather than their content – by (for instance) having a separate cabinet in an office for all its “protect” records; or by having a separate network folder for such records and accessible to a more limited group of people.
Documents, records, information, data
A classification should be applied at a reasonable level of detail. A multi-page document will have an overall classification – it should not be applied to each page, or each item of data. However “restrict” or “protected” markings may appear on each individual page in case they get separated (perhaps in a header or footer).
If a document is included in a folder along with other documents, the folder should be classed at the level of the highest document within it. Removal of a document may mean the folder can be reclassified lower.
Incident Management
In the event of a data security incident the classification of the data involved will help determine the action to be taken. An incident may involve theft or misplacement of documents in any format, including the loss or theft of a file, or lap-top or memory stick. “Compromise” of information means that there is a risk of information being improperly re-used, or deleted[2]
V 0.1 / 9 February 2011 / R Beane / Page 1 of 9[1] Emergency Planning is the service most likely to receive higher-classified data, especially in an actual emergency
[2] ie it is the original that is lost, with no back-up copy. “Loss” of copy data may lead to compromise through improper re-use