Policies and Procedures
Government Security Classification (GSC) Procedure
Force Information Security Policy
1.1 Security controls are necessary to maintain the confidentiality, integrity, and availability of police information and systems. A key aspect of these controls is the correct classification of material so that it can be stored, handled, and shared appropriately.
1.2 HM Government sets out the way that all government information is classified and subsequently marked. This is designed to make security controls more appropriate, give more responsibility to individual authors, and to make sharing between partners easier.
1.3 HM Government classifies information as OFFICIAL, SECRET, and TOP SECRET. Advice on SECRET and TOP SECRET is available from the Information Security Team. All other information is classified as OFFICIAL; the label ‘Not Protectively Marked’ should not be applied to new documents.
2. Points of Note
2.1 All information that Police need to collect, store, process, generate or share to deliver services and conduct policing activities has intrinsic value and requires an appropriate degree of protection.
2.2 Security classifications help manage risk by indicating the sensitivity of information. Each classification has associated control measures to help protect it against a broad range of likely threat profiles.
2.3 Everyone who works with Police (including staff, contractors and service providers) has a duty of confidentiality and a responsibility to safeguard any police information or data that they access, irrespective of whether it is marked or not, and must be provided with appropriate training.
2.4 Accidental or deliberate compromise, loss, or misuse of police information may lead to damage and can constitute a criminal offence; deliberate misuse is expressly prohibited by force policy and procedure. If you suspect a breach of any kind, you should notify Information Security and your Data Protection Officer.
2.5 Access to sensitive information must only be granted on the basis of a genuine ‘need to know’ and an appropriate personnel security control.
2.6 Information should be available to the right people at the right time, and failure to do this may jeopardise operations, make us less effective, and put people at risk of harm. The principles of openness and transparency should be balanced by reasoned judgement against the requirements for data protection and confidentiality. The Information Management Team can help in this decision-making process.
2.7 The compromise, loss, or misuse of sensitive information may have a significant impact on individuals or whole organisations; sensitive information must be handled accordingly.
2.8 Assets received from or exchanged with external partners must be protected in accordance with any relevant legislative or regulatory requirements, including any international agreements and obligations.
3. Information classified as OFFICIAL
3.1 All information that is not classified as SECRET or TOP SECRET is by default classified as OFFICIAL.
3.2 The typical threat profile for information classified as OFFICIAL is similar to that of a large UK private company with valuable information and services. Likely attackers are hacktivists, pressure groups, investigative journalists, competent hackers, and the majority of criminals and organised criminal groups.
3.3 Information classified as OFFICIAL includes:
- The day to day business of policing, including crime records and intelligence
- The majority of public safety, criminal justice, and law enforcement activities
- Many aspects of defence, security, and resilience
- Any commercial interests, including information provided in confidence and intellectual property
- Personal information that is required to be protected under the Data Protection Act (1998) or other legislation
3.4 The minimum controls that must be applied for information classified as OFFICIAL are available from Information Management.
3.5 Some information may be particularly sensitive, and should have the following descriptor applied: OFFICIAL – SENSITIVE
4. Information Classified as OFFICIAL – SENSITIVE
4.1 This caveat should be applied to all information which is considered by the originator to have a clear and justifiable reason to reinforce the need to protect it. It can be managed on OFFICIAL systems / networks with additional safeguards in place.
4.2 OFFICIAL – SENSITIVE should only be used by exception, and it should not replace a previous protective marking by default, i.e. everything that was previously ‘CONFIDENTIAL’ under the Government Protective Marking Scheme (GPMS) is not automatically OFFICIAL – SENSITIVE.
4.3 Examples of information that may be considered to be OFFICIAL – SENSITIVE are:
- The most sensitive corporate or operational information, e.g. relating to organisational change planning, contentious negotiations, or major security or business continuity issues
- Commercial or market sensitive information, including that subject to statutory or regulatory obligations, that may be damaging to the Forces or to a commercial partner if improperly accessed
- Personal information where compromise would directly threaten someone’s safety
- Information about investigations and civil or criminal proceedings that could compromise public protection or enforcement activities, or prejudice court cases
- More sensitive information about operations or covert assets or equipment that could damage capabilities or effectiveness, but does not require SECRET-level protections
- Very sensitive personal data, where it is not considered necessary to manage this information in the SECRET tier e.g., information about victims of human trafficking or Occupational Health forms
4.4 The minimum controls that must be applied for information classified as OFFICIAL – SENSITIVE are available from Information Management.
5. Marking Information
5.1 There is no requirement to routinely mark OFFICIAL information - all police information is considered to be OFFICIAL by default. If you think it is necessary to mark information as OFFICIAL, you must state why you have done so, and consider adding handling instructions.
5.2 You may wish to mark a document if you are sending it to someone who does not routinely handle police information and you want to reinforce certain principles like “need to know”, or if you want the recipient to do something specific with the document, like “Do not further disseminate”. You may also want to mark a document if it contains information that is more sensitive than normal, but is not sensitive enough to require the OFFICIAL – SENSITIVE caveat.
5.3 OFFICIAL – SENSITIVE information must be marked:
- With the marking written in capital letters
- Clearly at the top and bottom of each page
- If in email form, by placing the marking at the beginning of the subject line and the top of the email text
- With the filename beginning with the marking
- You must use the Who (can see it), What (can and can’t be done with it), How (it must be treated and disposed of) principles
5.4 For example:
OFFICIAL – SENSITIVE
Police eyes only, do not disclose to partners, dispose of securely
OFFICIAL – SENSITIVE
This document is for Occupational Health eyes only, not to be disseminated outside of Human Resources, file on OHU file only
OFFICIAL – SENSITIVE
This document is for Reigate Intelligence Unit staff only, not to be disseminated outside of the Intelligence unit, it must be attached to ‘Operation Name’ for filing
6. Handling Information Classified under GPMS
There is no need to actively search out and reclassify historic data that has been protectively marked under older schemes. However, as information is naturally amended, incorporated into new material, or recirculated, it must be classified using this procedure.
7. Sharing Information with Partners
7.1 All information needs to be protected according to its sensitivity, but equally it can and should be shared where this is appropriate and helps deliver a policing purpose.
7.2 A marking of OFFICIAL – SENSITIVE does not automatically prevent the release of that information under the Freedom of Information Act, the Data Protection Act, or any other information sharing request.
7.3 Please refer to the Information sharing procedure, or contact the Information Management Team for further advice and guidance.