This is the second of seven Security Policies within the HMG Security Policy Framework (SPF), outlining the mandatory security requirements and management arrangements to which all Departments and Agencies (defined as including all bodies directly responsible to them) must adhere. This policy deals with:
The Protective Marking System (often referred to as the Government Protective Marking System/Scheme or GPMS) is the Government's administrative system to ensure that access to information and other assets is correctly managed and safeguarded to an agreed and proportionate level throughout their lifecycle, including creation, storage, transmission and destruction. The system is designed to support HMG business, and meet the requirements of relevant legislation, international standards and international agreements.
Departments and Agencies must apply the Protective Marking System and the necessary controls and technical measures as outlined in this framework.
The Official Secrets Acts 1911 to 1989 (OSAs) and the Data Protection Act 1998 (DPA) impose statutory obligations regarding the protection and handling of official information and of personal data respectively. In contrast, the Freedom of Information Act 2000 (FOIA) establishes a statutory regime for the release of information held by public authorities to any person requesting it. Both FOIA and DPA are subject to a number of important exemptions, which apply, for example, to material which may prejudice law enforcement or damage national security if disclosed. All staff who handle government material must have an understanding of this legislation and how it specifically relates to their role. The Protective Marking System is an administrative system designed to protect information (and other assets) from accidental or deliberate compromise, which may lead to damage and/or be a criminal offence, and must therefore be viewed against this legal background.
Departments and Agencies must provide all staff with guidance on the Official Secrets Acts, Data Protection Act and Freedom of Information Act. Staff handling protectively marked information must be given guidance on how this legislation relates to their role.
Sections 1 to 6 of the Official Secrets Act 1989 (OSA 1989) contain a range of offences concerning damaging disclosures of information, documents or other articles. These criminal prohibitions are aimed primarily at those in Government service, although they are equally applicable to anyone else in receipt of official information (whether or not as a result of an unauthorised disclosure). The OSA 1989 makes no reference to the Protective Marking System, but does specify the categories of interests to which damage must, or must potentially, be caused by the unauthorised disclosure. These are:
Members of the security and intelligence services, by virtue of Section 1(1) of the OSA 1989, are subject to an absolute prohibition against unauthorised disclosure of information, or other assets, relating to security or intelligence, regardless of whether or not it is a damaging disclosure. Similarly, any persons who are ‘notified’ under Section 1(1) of the OSA (because, for example, they have regular access to information relating to security or intelligence) are subject to the same prohibition. It should also be noted that it is an offence to disclose information or assets which it would be reasonable to expect might be used to obtain access to information protected under the Act (e.g. access codes, passwords, keys, etc.).
Departments and Agencies must ensure that those who are notifiable under Section 1(1) of the Official Secrets Act 1989 are notified in writing. Any organisation responsible for notified employees or individuals must:
Compliance with data protection legislation requires appropriate management structure and control. Proper application of the Protective Marking System will also ensure that protectively marked personal information is appropriately safeguarded and that requirements of the DPA are met. Section 7 of the DPA entitles an individual to be informed whether their personal data is being processed by the data controller, and to be given access to that personal data (a subject access request). This right is subject to exemptions for specified categories of information as defined by the Act. Whilst the DPA makes no reference to the Protective Marking System, protective markings may be a helpful indicator that an exemption applies. The presence, or absence, of a protective marking is not in itself a deciding factor as to whether or not information should be released in response to a subject access request, but it may nevertheless provide some initial guidance as to whether and which exemption applies.
Departments and Agencies must follow the minimum standards and procedures for handling and protecting citizen or personal data, as outlined in HMG IA Standard No.6 – Protecting Personal Data and Managing Information Risk.
The Freedom of Information Act 2000 (FOIA) gives any person the right to request and be provided with information held by public authorities, although exemptions apply to specific information as defined by the Act. Whilst FOIA makes no reference to the Protective Marking System, protective markings may be a helpful indicator that an exemption applies. However, the presence, or absence, of a protective marking is not the deciding factor as to whether information should be released or not under FOIA. It should also be noted that the protective marking may no longer be current, and, while it reflects the highest classification of the information contained in a document, the file may also contain information that is not sensitive and may be subject to disclosure in a redacted form.
Under FOIA the holder of the information is responsible for answering a request for information; however, if the holder is proposing to disclose protectively marked information, the originator, or specified owner of the information must be consulted before disclosure. When a classified document has been released under FOIA it should be marked accordingly, for example, ‘Released under FOI in full on [date]’.
Foreign FOI legislation, where it exists, can differ from that of the UK; therefore the ‘UK’ prefix must be used when sending protectively marked material abroad. The onus is on those sending the material to seek to ensure that any UK protectively marked material is not subject to release under foreign FOI legislation unless by prior agreement.
Departments must consult the Ministry of Justice FOI Clearing House (clearinghouse@justice.gsi.gov.uk; 020 3334 3891) for guidance about any FOI requests that concern information supplied by or relating to bodies dealing with security matters (section 23), National Security (section 24), or any other triggers for automatic referral (see MoJ guidance). This includes any requests concerning protectively marked information originating from an overseas government or international organisation (or commercial entity). Where possible, the originator or specific UK departmental owner must also be consulted when considering the request.
Departments and Agencies must ensure that any protectively marked material that is to be released under the Freedom of Information Act is de-classified first and is marked as such. The originator, or specified owner, must be consulted before protectively marked material can be de-classified.
The effective use (including the sharing and protection) of information is a key priority for Government. Access to sensitive information or assets will be required for the efficient management of HMG business. However, access must only be granted to those who have a business need and the appropriate personnel security control (BPSS or National Security Vetting). This ‘need to know’ principle is fundamental to the security of all protectively marked Government assets: casual access to protectively marked assets is never acceptable. If there is any doubt about giving access to sensitive assets, individuals should consult their managers or security staff before doing so.
Departments and Agencies must ensure that access to protectively marked assets is only granted on the basis of the ‘need to know’ principle. All employees must be made fully aware of their personal responsibility in applying this principle.
The Government Protective Marking System is designed to meet the principles of the international standard on Information Security Management Systems (ISO/IEC 27000 series). This standard represents good practice to which this framework is aligned. More details are to be found in Security Policy No.4: Information Security and Assurance, and a copy of ISO/IEC 27001 is reproduced as a supplement to this framework.
HMG is party to a range of multilateral and bilateral international agreements governing the use, handling and protection of material. It should be noted that the PROTECT marking is a non-National Security marking and is not covered by international agreements.
Departments and Agencies must ensure they adhere to any UK obligations in regard to international markings, as set out in this framework and governed by multilateral and bilateral international security agreements.
Outside HMG there is no agreed UK system for marking sensitive material, although terms such as PRIVATE and CONFIDENTIAL are in common use, particularly in relation to personal information. Any material originating outside of government that is not covered by a recognisable protective marking, international agreement, contract or other arrangement, but is marked in such a way as to indicate sensitivity, must, when handled by HMG, be protected to at least the level offered by the PROTECT marking, and a higher marking should be considered.
Departments and Agencies must ensure that non-HMG material which is marked to indicate sensitivity is handled at the equivalent level within the Protective Marking System, or where there is no equivalence, to the level offered by PROTECT as a minimum.
The Protective Marking System comprises five markings. In descending order of sensitivity they are:
Unmarked material is considered ‘unclassified’. The term ‘UNCLASSIFIED’, ‘NON’ or ‘NOT PROTECTIVELY MARKED’ may be used to indicate positively that a protective marking is not needed. These markings can be applied to any government assets, although they are most commonly applied to information held electronically or in paper documents. The methodology used to assess these principles within information systems is expressed in Business Impact Levels; please see Security Policy No.4: Information Security and Assurance for details.
There are a number of specified technical controls for each level of protective marking. The controls below apply to all protectively marked information.
Departments and Agencies must apply the following baseline controls to all protectively marked material:
The originator or nominated owner of information, or an asset, is responsible for applying the correct protective marking. When protectively marking a document, it is recommended that a damage or ‘harm test’ is conducted to consider the likely impact if the asset were to be compromised and to help determine the correct level of marking required. The ‘harm test’ should be done by assessing the asset against the criteria for each protective marking.
If applied correctly, the Protective Marking System will ensure that only genuinely sensitive material is safeguarded. The following points should be considered when applying a protective marking:
The criteria below provide a broad indication of the type of material at each level of protective marking. Detailed requirements, including specific details on definitions, protection, handling and disclosure instructions are contained in supplementary material within the framework.
Criteria for assessing TOP SECRET assets:

Criteria for assessing SECRET assets:

Criteria for assessing CONFIDENTIAL assets:

Criteria for assessing RESTRICTED assets:

Criteria for assessing PROTECT (sub-national security marking) assets:
Supplementary markings may be applied to protectively marked material to indicate additional information about its contents, sensitivity and handling requirements. These markings can include national caveats (e.g. UK EYES ONLY), descriptors, codewords or compartmented handling regimes. In most cases, special handling requirements are only applied to highly sensitive material (e.g. intelligence material or material marked CONFIDENTIAL and above).
MANDATORY REQUIREMENT 20
Departments and Agencies must meet special handling arrangements where they apply and ensure that all staff handling such information understand these arrangements.
Departments and Agencies must present their staff with a clear indication of the incremental penalties for breaching the rules regarding protectively marked material and the other mandatory requirements as laid out in this framework. This must include recourse to disciplinary and, where applicable, criminal proceedings.
MANDATORY REQUIREMENT 21
Departments and Agencies must have a breach system and give clear guidance to all staff that deliberate or accidental compromise of protectively marked material may lead to disciplinary and/or criminal proceedings.