Information Classification Policy
Purpose and Scope
Chorley Council and South Ribble Borough Council (Council) is committed to GDPR and data security. We recognise that information is a vital asset to any organisation and take our responsibilities under the GDPR seriously. All of our activities create information assets . This Information Classification Policy supports the management of our information assets.
The purpose of this Data Classification Policy is to ensure:
- Availability, integrity and confidentiality are provided at the necessary levels for all identified data assets.
- Return on investment by implementing controls where they are needed the most.
- Map data protection levels with organisational needs and the need to protect personal data.
- Mitigate threats of unauthorised access and disclosure.
- Comply with legal and regulation requirements.
Principles
Information asset classification ensures that individuals who have a legitimate right to access information can do so, whilst ensuring that assets are protected from those who have no right to access them.
This policy ensures that correct classification and handling methods are applied and managed accordingly. This policy is based on the requirement that:
- All information assets must be handled and managed in accordance with their classification.
- Information assets should be made available to all who have a legitimate need to access them.
- The integrity of information must be maintained; information must also be accurate, complete, timely and consistent with other related information and events.
- All individuals who have access to information assets, have a responsibility to handle them in accordance with their classification.
Objectives of this Policy
To define the responsibilities of individuals for safeguarding information assets.
To provide a rigorous and consistent classification system which ensures that information assets are appropriately protected and managed in accordance with UK legal requirements.
To minimise the damage to the organisation, its customers and partners as a result of sensitive information assets being intercepted or exposed.
To ensure that information assets which are lost, stolen, damaged or intercepted are sufficiently protected and unreadable so that unwarranted action cannot be taken against the organisation.
Action Implementation
Procedures will be put in place to ensure that this policy is effective. These procedures include:
- Information users being appropriately identified and having access to information for which they have a legitimate need.
- Information assets being appropriately managed and controlled in line with the requirements of this policy.
- Information assets being identified and sufficiently protected in line with the correct categorisation and handling methods.
- Ensuring that adequate control mechanisms are in place for protecting information assets.
- Ensuring that information access control mechanisms are in place and that these mechanisms are reviewed regularly.
- Ensuring that asset owners define the required physical security of computer rooms, networks, personal computers and procedures for computer maintenance.
- Ensuring the safe disposal of all information assets and equipment.
Data Protection Act 2018 (DPA) and the UK GDPR
The GDPR and DPA requires the organisation to ensure appropriate technical and organisational measures are taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of or damage to, personal data.
Asset Classification and Handling
Information assets that are sensitive or have value must be protected at all times. Consideration must be given to day to day activities and protection outside normal working hours.
All information must be classified into one of the following categories by those who own or are responsible for the information:
- Public
- Open
- Confidential
- Strictly Confidential
- Secret
A lot of information will fall into the Publicor Opencategories, but for good reason, such as personal privacy or protection of the Council's interests, some information assets may be categorised as "Confidential"or "Strictly Confidential".
In exceptional circumstances information may be classified as "Secret". In the event of uncertainty or disagreement as to the classification of the information asset, it is advised that the default category and handling methods should be Confidential or Strictly Confidential.
Asset Classification Categories, Type and Handling Methods
Category | Type | Asset Handling Methods |
Public Definition: May be viewed by anyone, anywhere in the world. | Public information assets may include but are not limited to:
| N.B some contacts are associated with specific job roles and responsibilities only and should not be released to the general public without consent. |
Open Definition: Access is available to all. | Open information assets may include but are not limited to:
| Secure handling may include but is not limited to: Information should be formatted to enable basic security e.g. word documents converted into PDF to avoid tampering and disrepute. These include documents such as but not limited to:
|
Confidential Definition: Access is limited to specified people with appropriate authorisation or on a need to know basis. | Confidential information assets may include but are not limited to:
| Secure handling may include but is not limited to: Paper Documents (In Transit/Rest)
Electronic Information assets (In transit/rest)
|
Strictly Confidential Definition: Access is controlled and restricted to a small number of named individuals/ authorities | Strictly Confidential information assets may include but are not limited to:
| Secure handling may include but is not limited to: Paper documents (In transit/rest)
Electronic Information assets (In transit/rest)
|
Secret Definition: Access is subject to or obtained under the Official Secrets Act. | Special circumstances may require differing controls above/or below) local circumstances. Each requirement will be reviewed on a case by case basis in line with HMG controls. HMG advice and guidance is subject to regular change. |
Classification Guidelines (Paper/Electronic Copy)
Classification markings must be clearly visible on all information assets containing a category of classification information. The appropriate markings are to appear clearly either at the top, in the centre or at the bottom of each page.
Re-classification of Information Assets
Some information assets may be reclassified from one category to another based on the content and intent of the asset. There must be sound reasoning for the reclassification. If there is any doubt over the classification of an asset, contact the Information Security Officer.
Sensitive Information Assets
Responsibility for definition and the appropriate protection of an information asset remains with the originator or owner.
A higher level of protection must be provided for sensitive information assets which includes 'personal data' and 'personal identifiable information', which is defined as data relating to ethnic or racial origin, religious beliefs, physical or mental health, sexual life, political opinions, trade union membership or the commission or alleged commission of criminal offences.
Identifying sensitive information is a matter for assessment in each individual case. Broadly speaking, information will be confidential if it is of limited public availability; is confidential in its very nature; has been provided on the understanding that it is confidential; and/or its loss or unauthorised disclosure could have one or more of the following consequences:
- Financial loss e.g. the withdrawal of a research grant or donation, a fine by the ICO or a legal claim for breach of confidence.
- Reputational damage e.g. adverse publicity, demonstrations, complaints about breaches of privacy; and/or
- An adverse effect on the safety or well-being of staff of the organisation or those associated with it e.g. increased threats to staff engaged in sensitive work, embarrassment or damage to participants, benefactors and suppliers.
Storage and Backup
It is the responsibility of each person to ensure sensitive data is stored, secured and backed up as per the required schedule. All sensitive data must be stored and secured via the approved and provided electronic/physical storage locations.
Data Anonymisation
All appropriate steps must be taken prior to disclosing, sharing or transferring information to ensure the anonymity of a data subject is undertaken and maintained in accordance with legislation.
Omitting/Redacting
Omitting or deleting specific personal identifiers is the most basic privacy method whereby sharing or releasing information removes personal data from any documents/records including omitting and redacting sensitive data.
Audio Visual/Verbal Exchange
Audio visual data and/or participant information can be difficult to anonymise due to the nature and format of the recordings. Audio visual and verbally exchanged recordings, where required, should be masked, edited and/or dubbed.
Secure Disposal
Information assets that are considered sensitive (i.e. Secret, Strictly Confidential or Confidential) and are no longer needed or are deemed to have reached "end of life" must be securely disposed of. There are several ways to dispose of information assets and equipment. For example: secure shredding (cross cut shredders).
Information Security Incident Response
In the event that an information asset is damaged or lost, this must be reported immediately to the appropriate manager and to the Head of ICT.