Government security classifications e learning

Government Security Classifications

Welcome to this course on

Working with Security Classifications

This course teaches you about the new Government Security Classifications and the importance of using them correctly.


All of our information has value and we need to look after it



Information has valueInformation enables government to deliver services and protect our national interests. Just like buildings, people or money, all information has value. Take a look at these examples.

Defence Equipment and Support (DE&S) equip the UK’s armed forces, but they would be unable to do this without access to accurate and up-to-date information

Military dogs provides valuable capability to British patrols locating improvised explosive devices and saving many lives. The DE&S team scour the globe, gathering information and working with specialist companies to provide trained dogs and put support networks in place to ensure the welfare of animals and handlers in difficult conditions.

The Centre for Applied Science and Technology (CAST) provides policy makers with impartial and accurate scientific and technical advice.

Information collected and analysed by CAST has led to advances in fingerprinting and forensics technology, equipment to test drivers for illicit drugs and new tools to aid the policing of computer crimes such as hacking and fraud – all providing substantial benefits for UK law enforcement.

The Child Maintenance Options service has used key partnerships to ensure that important information is available to those that need it.

One such partnership was with the popular parenting website Netmums, where child maintenance and support information was hosted directly on the site. The impact of making this information readily available was significant. As estimated 35,000 more children benefits in the first year alone.


Looking after information is your responsibility



How would you feel?It is crucial to respect the information that we create or handle, as it can affect people in many ways. Look at the example here.

I’m Dave. I recently left some paperwork lying on my desk about a disciplinary case involving a member of my team.

I’m Victoria. I heard about Angela, it’s not very nice what other people in the office are saying about her now.

I’m Angela. I hoped no one would find out about my disciplinary. But the other day I heard people talking about it. I’m really upset and have spoken to HR.

I feel really awful that I left the details about Angel’s disciplinary on my desk. All of the team know about it and now HR want to see me.

I’m Tom. I happened to see some documents on Dave’s desk about Angela. I wasn’t looking for them they were just lying there for everyone to see.

I’m Kate. Tom told me about Angela and I’m really surprised to hear that about her.



Information and youThink about the information you use. Which of the following do you create or handle?

Whatever type of information you create or handle, you are entrusted to look after it.

Information is your responsibility.□ Information about members of the public

□ Information used by my organisation

□ Information about government policy

□ Information about public services or finances



Why we use security classifications

Sometimes, information is sensitive or highly valuable and needs to be handled with particular care. It’s then important to tell this to anyone using the information.

The proper use of security classifications is essential to good government, democracy and transparency. If we are clear about what needs protecting, we can be confident about sharing information responsibly both within and outside government.


Think about how the way we work has changed

We need new ways of protecting information to help us work securely and effectively today



BenefitsWhat do we need from the new security classifications?

We need a clearer, simpler system that enables people to quickly and with confidence decide how to mark and protect sensitive information. This will free up the information we need to share so that we can all collaborate effectively and deliver high quality public services.

Many of us are responsible for looking after personal information. This may belong to our colleagues or members of the public. It is critical that we are able to identify this information so that it can be protected appropriately.

The current system was originally designed for paper documents. While government still produces a lot of paper, we could not work without the computers that are now available to us.

We need a simpler system that allows us to get the most from modern technology and suits are new ways of working.

People expect the public sector to work in an open and transparent way. This means that we must be able to show why we have made decisions and also demonstrate that we are spending public money wisely.

It must be straightforward for us to make this type of information available to the public.

Simpler security classifications will enable us to:

•Use cheaper and more modern IT systems

•Allow us to identify different types of information in a more intuitive and meaningful way

•Make sure that sensitive information receives the protection it needs


So what will the new security classifications look like?



OFFICIAL

The vast majority of public sector information and routine government business will be OFFICIAL.

The classification OFFICIAL will cover most information that is created, stored and processed by the public sector. OFFICIAL information allows us to deliver public services, work with foreign governments and support the economy.

Information about running public sector organisations such as corporate services and administration.



Some examples of OFFICIAL information

Personal information about members of the public and people working in the public sector.

Commercial information such as contracts and procurement documentation.

Information relating to government policy.

Information about law enforcement and policy investigations.

Information about international relations.



Identifying OFFICIAL information

Not all OFFICIAL information that we work with will be marked, but we must treat it all with care.

There is a small amount of OFFICIAL information which is of a particularly sensitive nature. This includes any information that is the event of loss or inappropriate access could lead to damaging consequences or distress. It is vital that this information is identified so that others know when to take extra care when handling it.

Sensitive OFFICIAL Information must always be clearly marked as:

OFFICIAL – SENSITIVE

Your organisation or line manager will be able to help you to understand where you need to use this classification, but it is your responsibility to use it correctly.

Loss or compromise of SECRET information could directly threaten the life of an individual, cause serious harm to this effectiveness of military operations or damage our relations with foreign governments.

SECRET information must always be clearly marked.

Highly sensitive defence information relating to ongoing operations and sensitive military capabilities.

Highly sensitive diplomatic information. High sensitive information relating to the investigation and prosecution of serious organised crime.



SECRETVery sensitive information which requires a high level of protection and care.



TOP SECRET

The most sensitive information that government holds.

Compromise of TOP SECRET information could directly threaten the national security of the UK, cause long-term damage to our economy or lead to widespread loss of life.

TOP SECRET information must always be clearly marked.


It is vital that security classifications are used correctly and clearly


More detail can be found in these leaflets

Please read this guidance carefully and speak to your line manager if you have any questions



Scenario 1 – Getting it rightTake a look at why it is important to use security classifications.

John’s team is responsible for conducting a survey of the public in the local area. The data his team collects is anonymous and does not contain any sensitive information.

It is treated as OFFICIAL.

John’s team shares the survey data with a research team in another part of his organisation. Sarah manages the research team. They will use the survey data to create information that will feed into policy and decision making.

Sarah’s team collates the survey data with information that had been previously collected. The resulting documents now contain a great deal of information about people in the local community, including details about residents that are vulnerable or from at-risk groups.

Sarah decides that this data now needs to be clearly identified so that people using it will take extra care. She tells her team to mark it OFFICIAL – SENSITIVE.

Karen in Sarah’s manager. She’s pleased that Sarah has taken responsibility for marking the information as OFFICIAL – SENSITIVE.

If the information had been lost or accidentally made available, it could have caused distress to many people. The reputational damage would severely disrupt the ability of the organisation to carry out vital work in the future.



Consider the outcomesIt’s important to take responsibility for the information that you create or handle, as it can affect people in many ways. Look at the example here.

I’m John. My team did the right thing by not using the OFFICIAL – SENSITIVE classification because, at that stage, the survey data was not sensitive and di not require it.

I’m Karen. If this research data became available it would have had a big impact on the reputation of the organisation.

I’m Gavin, the Head of the Department. As the information now has the correct security classification it can be used to help further research and to develop policy, but will only be accessed by those who need to see it.

I’m Sarah. When the survey data was combined with existing data, I noticed it became particularly sensitive. It was important that my team used the correct security classifications so that this information would be properly handled and protected.



Scenario 2 – Getting it wrongWhat can happen if security classifications are not used correctly? Take a look at this example.

Andy circulates the minutes of a meeting to the attendees, including those that weren’t able to attend. He fails to add a security classification to the document or to the covering email.

Dhruv couldn’t come to the meeting but is sent the email and minutes. Without first reading it himself, he forwards it to everyone in his team.

Unfortunately, some of the information is about a restructuring that affects Dhruv’s team. People are angry and upset that they heard about it this way.

Dhruv’s team forward the email to friends and colleagues. Soon there are multiple copies of this email across and outside the organisation.



Consider the consequences

I’m Dhruv. This is a real mess. I should have read the minutes before sending it on but I was busy and I like to keep my team in the loop. There was nothing to indicate that the contents were sensitive.

It’s me again, Dhruv. This is going to take a long time to sort out. My team’s confidence in the organisation has been damaged. That makes it much more difficult to work effectively.

I’m Alice, the CEO. The redundancy rumours are ongoing – not least because the email has been sent on to so many people.. We are a good employer but this incident has led to a general lack of trust from our staff.

I’m Ingrid, one of Dhruv’s team members. I’m furious about the redundancies I’ve heard about and so are my colleagues.

I’m Andy Everyone thinks there are redundancies looming, but that just isn’t the case. Dhruv should have explained this properly to his team. I guess that if I’d used the right security classification on the email, then Dhruv would have understood the need to handle the contexts with particular care.


It is your responsibility to mark information correctlyCheck your organisation’s policiesIf in doubt, ask



Summary

Let’s recap the key points:

•All information that we collect, store and work with has value and should be cared for

•Everyone who works within government and the public sector has a responsibility to safeguard information

•Access to sensitive information should only be provided to those that need it

•Most OFFICIAL information will be unmarked but OFFICIAL – SENSITIVE information should always be clearly marked

•Using security classifications properly is your responsibility

Education

Government security classifications e learning