security-handbook

How do I classify data correctly?

“Definitions for OFFICIAL, SECRET and TOP SECRET” as found in the Government Security Classification policy.

“The majority of information that is created, processed, sent or received in the public sector and by partner organisations, which could cause no more than moderate damage if compromised and must be defended against a broad range of threat actors with differing capabilities using nuanced protective controls”

“In most cases there are limited to no negative consequences if OFFICIAL information is compromised. However, in some circumstances when OFFICIAL information contains sensitive information and is marked -SENSITIVE, its unintended disclosure or compromise can lead to moderate damage (including to the UK’s longer-term strategic/economic position) and in exceptional circumstances it could lead to a threat to life.” - GSC

Can someone else classify the data for me?

It is the responsibility of the Data Owner to classify the data.

How do I know who the data owner is?

Data owners are stakeholders within an organization or company accountable for the data quality and governance of one or more data assets.

Within government, the Data Owner might be an individual or a group who is ultimately accountable for your data. In practical terms, however, they are often too far removed from the day-to-day processing of the data to make effective decisions about its classification.

Often, it is the person or team asking the question who is responsible; for example, you or your team might be the Data Owner if you create a new dataset through processes and systems you have built.

An example of this could be a report you have created which is being extracted, transformed and loaded into a reporting tool you manage. In this example you have created a new dataset derived from another and you have control of the data. It is therefore your responsibility to classify this new dataset and make risk based decisions about how to appropriately handle this data.

In other instances your role as either a Data Controller or Processor might have been agreed with the Data Owner and therefore you are empowered to make decisions about the handling of the data.

So, once again, the role of classifying the data falls to the team creating, handling and processing it, as they are best placed to make those decisions.

It is then sensible to notify the Data Owner of your decision and the reasoning behind it; this is another good reason to keep decision records within your team.

Further Guidance

GDS states that:

“Data owners (also known as data custodians) are accountable for taking decisions relating to the data e.g. defining policies relating to the use of the data. They assess the sensitivity of the data they own and classify the data according to the various data protection categories supported by the architecture.

One option is for each team involved with processing data to conduct self-assessments against agreed data principles and standards. The principles and standards would be defined and agreed by the data architecture function, and informed by the need to comply with legislation (e.g. relating to data privacy) and ethical standards (relating to the use of data).”

If the data does look like OFFICIAL, and you are satisfied that the impact of a breach or loss matches the descriptions above, then that classification is likely correct.