We are now using protective marking software to mark all our electronic and paper information based on its content and the level of security it needs when being shared, handled and stored.
We are using the Government Security Classification Policy (GSCP) and associated markings and you should be aware of what this means for you when information is shared with you.
Information can be visually marked in one of three main ways by adding one of the following marks:
1. OFFICIAL SENSITIVE
(plus one of four sub categories - Personal Data, Commercial, Operational, Senior Management)
- This is information regarding the business of the council or of an individual which is considered to be sensitive
2. OFFICIAL
- This is information relating to the business of the council and is not considered to be sensitive
3. NOT OFFICIAL
- This is information not about the business of the council or classed as sensitive.
What is Protective Marking?
- Protective Marking is a process by which one of the above marks, indicating the sensitivity or otherwise of a document, is visually added to the document/information being shared.
- We have adopted the Protective Marking scheme which many other public bodies also use - it is based on the Government Security Classifications Policy (GSCP).
- You should only ever receive information from us with one of the above marks.
- Protective Marking helps to make sure that the confidentiality, integrity and availability of information are maintained - this is done by highlighting its importance and sensitivity through the use of the appropriate visual mark.
- The different levels of marking are based upon the severity of impact that:
  - unauthorised access to the data
  - destruction or loss of the data
  - or loss of confidence in the reliability of the data
  would have on the council, its employees, members of the public and other organisations.
Understanding what Protective Marking means - with examples
When you encounter information carrying a Protective Mark from the council you need to understand what it means and how to handle it in line with its mark (classification).
1. OFFICIAL SENSITIVE
This mark is used where there is a clear and justifiable requirement to reinforce the 'need to know', as compromise or loss could have damaging consequences for an individual, a group of individuals, an organisation or the council generally.
This might include, but is not limited to, the following types of information:
Example of OFFICIAL-SENSITIVE: Personal Data.
- Special category personal data as defined in the General Data Protection Regulation (GDPR) such as health status, racial or ethnic origin, religious or philosophical beliefs, sex life, political opinions or genetic/biometric data.
- Criminal offence data as defined in the GDPR.
Example of OFFICIAL-SENSITIVE: Commercial.
- Commercial or market sensitive information, including that subject to statutory or regulatory obligations, that may be damaging to the organisation or to a commercial partner if improperly accessed.
Example of OFFICIAL-SENSITIVE: Commercial or OFFICIAL-SENSITIVE: Operational
- Negotiating positions where inappropriate access could have an impact and must, therefore, be limited to bounded groups.
- Marked according to what the negotiation was about.
Examples of OFFICIAL-SENSITIVE: Operational.
- The most sensitive corporate or operational information, for example, relating to organisational change planning, industrial relations negotiations, or major security or business continuity issues.
- Information about investigations and civil or criminal proceedings that could compromise public protection or enforcement activities, or prejudice court cases
- Sensitive information about security systems, building plans or emergency plans
Example of OFFICIAL-SENSITIVE: Senior Management
- Policy development and advice to senior officials on contentious and very sensitive issues
2. OFFICIAL
This mark is used for the vast majority of information that is created or processed by the council.
Although there may be some consequences if the information is lost or stolen, it is not subject to heightened risk. It could also include personal information not considered sensitive.
OFFICIAL Examples will include:
- official reports
- meeting agendas
- internal and external communication
- personal information such as staff rotas
- business advice between staff
- routine customer liaison.
3. NOT OFFICIAL
This mark is used for matters not considered official business of the council.
NOT OFFICIAL Examples include:
- incidental communication
- social news
- unsolicited marketing material
- personal use (subject to the council's Acceptable Use of ICT Facilities policy).