Information handling and classification policy

Aims of the policy

Information is a valuable asset and aids a local authority to carry out its legal and statutory functions. The information that the London Borough of Enfield (LBE) processes can be highly confidential and very personal and therefore the council has a legal duty to take care of it. Like any other strategic asset, information must be protected appropriately depending on the level of sensitivity of the information.

The purpose of this document is to define the policies and standards that will be applied to maintain the confidentiality, integrity and availability of the information systems supporting the business functions of the council.

This policy provides direction and support for the implementation of information security and is designed to help council employees carry out the business of the council in a secure manner. By complying with this policy, the risks facing the council are minimised.

Anyone who uses the council’s systems should be made aware of and be expected to comply with this policy and need to understand that the council has a responsibility to ensure that staff must be cleared and trained to handle protectively-marked information.

The policy is not designed to be obstructive. If you believe that any element of this policy hinders or prevents you from carrying out your duties, please contact the council’s Digital Service (DS) Service Desk.

Scope and definitions

This policy applies to all employees, contractors, agents and representatives and temporary staff working for or on behalf of the council.

The Policy is also applicable to Members who create records in their capacity as representative of the council. When Members create records when acting as representatives of a resident in their ward they are recommended to apply the policy, but officers should consider whether it has been correctly applied on receipt of a member’s’ enquiry. It does not apply to those records Members create when acting as a representative of a political party.

The above groups will be referred to as 'users' for the remainder of this document.

Persons whose information is being used are referred to as 'data subjects'. A user can also be a data subject.

Partner organisations / third parties who access the council’s information systems should also be aware of this policy and adhere to it when accessing council information systems.

This policy applies to all information created or held by the council, in whatever format (for example, paper, electronic, email, microfiche, film) and however it is stored, (for example DS system/database, network drive folders, email, filing cabinet, shelving and personal filing drawers) as well as that communicated verbally. These will be referred to in this document as Information Assets. The persons responsible for managing, using or creating these will be designated as Information Asset Owners. All information assets must have an owner.

Other considerations and references

The retention and disposal of information assets is in many instances a legal requirement, but we must also remember those that follow after us and decide what records must be kept for historians. This does not mean that all information must be retained forever, since the majority will not be looked at and we do not have the capacity to store it.

Responsibilities must therefore also be assigned to ensure that information assets are stored on a suitable medium and retained or destroyed in accordance with the council’s Corporate Retention Schedule.

The following documents should be read in conjunction with this policy:

Many of the above documents are available online on the council intranet.

Responsibilities under this policy

All users are responsible for:

All managers are responsible for:

Data owners and authors are responsible for:

System administrators are responsible for:

Digital Services Security team are responsible for:

Accountability for assets

All information and information assets will be identified and an owner assigned. Data owners may delegate their security authority (power to act) to individual user managers or service providers, but they remain ultimately accountable for ensuring that adequate security protection for the information assets s maintained.

Data owner must be identified for each information asset used within the council. Accountability to an identified owner helps to ensure appropriate protection is maintained. The owner may delegate responsibility for the implementation of controls, however, accountability for the implementation of controls and their enforcement will stay with the owner at all times.

Legislation

All employees who use council information systems must comply with all UK information legislation and in particular the council’s Data Protection Policy and be aware of any legislation pertinent to their own service area.

Confidentiality agreements

All users will be required to sign that they have read and understood the council’s Code of Conduct or a confidentiality / non-disclosure agreement prior to commencement of work with the council, dependent on status. These agreements identify the requirement for confidentiality whilst employed with the council, and include:

Acceptable use

To ensure that all information is protected, an Acceptable Use Policy has been established. All staff are required to comply with this policy.

Documents and records management

Documents and records are another term for Information Assets.

There is a separate Documents and Records management policy giving high-level strategic goals which this policy implements.

Transmitting and receiving information asset

Resources may be used to exchange information with customers and other third parties provided that:

Employees must comply with relevant legislation and data sharing agreements when transmitting information. Where necessary, employees must:

Security of information assets off premises

Information assets which are held for home or mobile working or are transported away from normal work location must be carefully protected.

Home working controls should be determined by a risk assessment and suitable controls applied as appropriate. Adequate insurance cover should be in place to protect equipment off site. See also the council’s Acceptable Use and BYOD Policies.

All reasonable precautions must be taken to safeguard council equipment and paper when outside the office.

Laptops and tablet devices are vulnerable to theft, loss or unauthorised access when travelling. They should be provided with an appropriate form of access protection to prevent unauthorised access to their contents.

If it should become necessary to leave an information asset in an unattended vehicle, lock the asset securely in the boot of the vehicle.

Paper files must be carried in a way that does not allow others to read them, and should never be left unattended. If kept at home, this must be in a secure locked cabinet to which only council officers has access.

Devices in use in public spaces should have precautions to avoid information leakage via people reading over shoulders or via interception of WiFi.

Any loss or theft of equipment or paper must be reported to the DS Service Desk (see front page) as soon as possible and in any case within 24 hours. Additionally, any theft should be report to the police and a crime reference number obtained.

Classification of information

Introduction to classification

Asset classification and control is an essential requirement, which will ensure the Confidentiality, Integrity and Availability of information used by the council. An information classification system is used to define appropriate protection levels and to communicate the need for special handling measures. Each information asset is classified to indicate its sensitivity and to identify the controls required to protect it.

The Government Security Classification Policy (GCSP) came into effect 2 April 2014.

The intention of the classification policy to provide a more straightforward, proportionate and risk managed approach to the way that the public sector classifies and protects information, with more onus on staff taking individual responsibility for the information they manage.

The council has adopted the government’s information classification policy.

The Government’s classification scheme is widely used by government, local authorities and statutory agencies so that there is a common understanding across organisations as to how information needs to be protected.

Classification guidelines

All information that the council needs to collect, store, process, generate or share to deliver services and conduct council business has intrinsic value and requires an appropriate degree of protection, whether in transit, at rest or whilst being processed.

Information classification or protective marking of information assets are used to:

Classification and protective information controls are established to meet with the council’s need for sharing or restricting information. Information classification and their protective controls will be suited to the business need for sharing or restricting information and the business impact associated with such a need.

Classified data will be reviewed on a regular basis to assess if the security control is appropriate. The level of criticality of information assets will change due to changes in circumstances and / or expiry of legal retention periods.

The council’s classification scheme

The government classification scheme has three levels of classification. These are TOP SECRET, SECRET and OFFICIAL.

The council will only be using the OFFICIAL classification. However, the OFFICIAL classification also includes a handling caveat of OFFICIAL-SENSITIVE in order to identify information that should only be available on a strictly need to know basis and may need additional measures of protection. These classifications should be applied to all information including emails, paper documents, electronic documents, systems.

All council information will be classified as OFFICIAL unless there are specific handling requirements.

For OFFICIAL - SENSITIVE data common sense handling is required, extra care must be taken with storage and sharing. As this is a broad category and there will be variety of handling instructions associated with this information, the council is introducing sub-categories that give clear guidance on access arrangements for the information.

The complete list of protective markings and handling requirements for use is given below:

Classification markingUses
OFFICIAL Not covered under other categories and no special handling needed
OFFICIAL - SENSITIVE Common sense handling required, extra care must be taken with storage and sharing. Encryption will be automatically applied externally on email.
OFFICIAL - SENSITIVE [PERSONAL] As Official - Sensitive, contains information relating to individuals.
OFFICIAL - SENSITIVE [COMMERCIAL] As Official - Sensitive, contains information with commercial implications.
OFFICIAL - SENSITIVE [MEMBERS] As Official - Sensitive, contains information for Members and involved officers only. Cannot be sent externally.
OFFICIAL - SENSITIVE [LEGAL] As Official - Sensitive, contains information with sensitive legal advice.

Any information that is not marked will be assumed to be OFFICIAL.

The OFFICIAL-SENSITIVE caveat should be used at the discretion of staff depending on the subject area, context and any statutory or regulatory requirements where it is particularly important to enforce the need to know rules.

However, the caveat should be used by exception in limited circumstances where there is a clear and justifiable requirement to reinforce the ‘need to know’ as compromise or loss could have severe and damaging consequences for an individual (or group of individuals), another organisation or the council more generally. This might include, but is not limited to the following types of information:

OFFICIAL-SENSITIVE data cannot be shared externally except through an approved secure email system / secure network or appropriate data encryption and password protection and should be accompanied by a defined distribution list. Data sharing with external organisations must be in line with corporate data sharing agreements or contract terms.

Where large volumes of OFFICIAL-SENSITIVE information about particular topics are regularly shared between organisations, the respective information asset owners will need to agree specific handling arrangements and transfer protocols in line with the policy.

A classification of OFFICIAL-SENSITIVE does not necessarily exempt the information from a Freedom of Information Act request but it should prompt you to consider if an exemption applies.

On creation, all information assets must be assessed and classified by the owner according to their content. All information assets must be classified and labelled in accordance with this policy.

Information labelling and handling procedure

A set of procedures is defined for information labelling and handling in accordance with the classification scheme adopted by the council. All documents must be issued under version control with the file name and revision number and number of pages displayed in the footer. Where appropriate, the document will also contain its security classification and distribution list.

Key principles for all protectively marked material

The key principles for protectively marked material are as follows:

Enforcement monitoring

Monitoring of the policies is the responsibility of all managers as part of their management role. Internal and External Audit may undertake reviews on a planned and ad-hoc basis as part of the audit plan as agreed by the Information Governance Board.

Information security incidents

The council has a responsibility to monitor all incidents that occur within the organisation that may breach the security and/or the confidentiality of its information. All incidents need to be identified, reported, investigated and monitored. It is only by adopting this approach that Enfield Council can learn from its mistakes and prevent losses re-occurring.

The council has developed and implemented a Security Incident Response Policy, you should ensure that you read and understand both the policy and your responsibilities under the reporting process. In all cases you should follow the Security Incident Reporting Procedure.

The council also needs to take action where potential incidents are identified. Where ‘near misses’ occur, these should be reported to your line manager and a local decision taken as to whether the cause of the ‘near miss’ is one which could involve the enhancement of the policy or the process. In all cases you should follow the Security Incident Reporting Procedure.

Confidential waste

Summary of handling requirements

Any electronic devices no longer required or faulty must be returned to the DS Service desk.

OFFICIAL-SENSITIVE paper material must be disposed of in confidential waste bins if available.

Paper copies of OFFICIAL-SENSITIVE material to be disposed of through standard paper waste must be shredded using a cross-cut (dicing) shredder or placed in the confidential waste bins provided. Shredders must cut to a maximum size of 5mm wide and 42mm long.

Staff working from home or at a place where confidential paper waste facilities are not available, should retain their paper waste and bring back to office and dispose in the confidential waste bins.

Document Management shall store the documents securely and dispose of them with a registered waste carrier with secure destruction guarantees.

Paper waste handling

All paper documents including MFD (Multi Function Device) jams of blank paper, out of date letterheads, printed forms, can be placed in the recycle waste, on condition they are torn up, ensuring that they cannot later be removed and used inappropriately.

Paper confidential waste must be placed in either locked confidential waste bins, or shredded and placed in paper recycling. Prior to placing in confidential waste bins the paper must have all staples, paper clips and binders removed.

The use of shredders is permitted. Any shredders purchased should be ‘cross cut’, with a maximum shred size of 5mm x 42mm. Shredded paper should be placed in paper waste sacks for recycling disposal.

IT waste handling

Removable media (floppy disks, CD’s, DVD’s, videos, cassettes) - Removable Media requiring disposal should be passed to the DS Helpdesk. Staff must raise a call to arrange disposal.

Other IT equipment - The disposal of all other IT equipment, for example, PC’s, printers is to be dealt with by the DS department. Staff must raise a call to arrange disposal.

Erasure procedure for disposal of IT waste - As there is no current UK standard for erasure following the deprecation of HMG Infosec standard 5, Media which is to be reused rather than destroyed should be erased following SP 800-88 (PDF).

Note that older methods as specified by Infosec Standard 5 using multiple overwrites, are no longer applicable to modern technologies, especially solid state drives where wear levelling and relocation prevent complete erasure. This may present challenges with third parties using out of date policies, who may insist on inappropriate methods.

Data that is regarded as OFFICIAL - SENSITIVE and not subject to other controls should be erased via CLEAR procedures. This should cover most data on Enfield’s systems. Where data shared with Enfield is subject to higher security requirements, general PURGE is sufficient.

Whilst reference needs to be made to the latest destruction requirements in FIPS SP 800-88, at the time of writing:

Note: LBE uses Microsoft BitLocker as a trustworthy technology (Latest status of NIST validation can be checked here - Cryptographic Module Validation Program).

For all completed cases of Clear, Purge or Destroy, appropriate evidence will be kept by LBE Functional Tower involved.

For any device or media type not mentioned above the minimum recommended sanitization techniques to Clear, Purge, or Destroy will follow the recommendation in Appendix A of SP 800-88.

Information sharing protocols

Before information is shared with other organisations, an information sharing protocol/exchange agreements between the council and the other organisation(s) should be in place. These agreements must include IT staff in their creation and be recorded in the Register of Information Sharing Protocols.

The council has adopted a three tier protocol model. The following security controls should be considered within the operational instructions section of any protocol:

Email

All email sent to external organisations or individuals shall have a standard council disclaimer automatically attached to it. The disclaimer shall state that the information enclosed in the email and any attachment(s) is for the designated recipient only and that access, reproduction, dissemination or use of the information by another other person is not permitted.

User access management

Individuals employed by or under contract to the council are granted access to all systems and resources that they require to fulfil their role. Employees not specifically granted access to council systems or resources are prohibited from using such systems or resources.

Access to data, systems or networks will only be granted to employees that have formally agreed to comply with the council’s information security policies. Only a system administrator may grant logical access to council systems and systems resources.

Access will be granted only when a ‘new user request’ is completed using the LBE Service Desk available on staff intranet.

Periodically, all access rights must be reviewed and line managers will be required to formally check and amend the access rights of their employees.

Password use

Employees must keep passwords confidential and:

The sharing of User IDs and passwords is not permitted.

More detail on password management is provided in the Access Control Policy.

Unattended user equipment

Employees are required to lock their devices (Windows key + L on Windows machines, commonly power button on mobile devices) when they move away from their desk or are not using a device. This will require them to re-enter their password on return.

Legislative requirements

Under no circumstances are employees allowed to engage in any activity that is illegal under local, national or international law while utilising council resources.

Clear desk and clear screen policy

Information must be protected at all times, unattended information assets must be secured. See the Clear Desk and Clear Screen Policy.

Third party access

Third parties requiring access to systems for any purpose are subject to additional controls. Please see the Third Party Management Policy.

Logging into/accessing council systems

Each authorised user shall have a single unique user account that consists of:

Only the assigned user may use that user ID to access council systems. Only users who have authenticated themselves to a council system may use that system.

All council systems where technically possible will display a security message to all people attempting to log-in to that system, that:

Reporting an information security weakness, threat, event or incident

The following example might be used to describe the difference between a weakness, threat, event or incident:

It is vital that all such weaknesses, threats, events and incidents are reported immediately to the DS Service Desk, even if there is no adverse effect. Any observed or suspected security threats or weaknesses in systems or services should also be reported. If we do not know about them, they cannot be corrected.

Do not be afraid of reporting security issues - these are investigated with an appropriate degree of confidentiality. Staff who report near misses or incidents are also protected by the Whistle Blowing Policy.

Employees should not, in any circumstances, attempt to prove or validate a suspected information security weakness or threat, with the exception of Information Security staff.

Intellectual property

The council owns all data, information and software design or code produced by or on behalf of the council, regardless of format, unless otherwise specified by a valid third party agreement.

All information or software developed by or on behalf of the council will remain the property of the council and must in no way be sold, copied or used without the express permission of the council or authorised designate.

All contracts with third parties, including contracts for agency employees, must define the ownership of software and information.

Software licencing

Users are not generally permitted to install software on to the corporate network or council PCs, laptops or tablet devices. A range of software is permitted to be installed in Software Centre, other software must be regarded as not permitted. This includes web and cloud-based services.

For the purposes of definition, software includes but is not limited to any operating system, utility, programme, web service, cloud service, add-in or mobile application.

The Digital Services team will maintain a register of the entire council’s software and its location and must keep a library of software licenses.

Periodic software audits will be carried out by or on behalf of the council to ensure that all software loaded on to council information systems is appropriately licensed.

Commercial software may be installed or used on council computers only if a valid licence for that software has been purchased, and the DS department has recorded the use. Digital Services is the only department allowed to purchase software.

Mobile computing and communications

It is the responsibility of employees to take reasonable precautions to safeguard the security of all mobile equipment assigned to them and the information contained upon them. Detailed security compliance is provided in the Acceptable Use Policy.

Remote working

Remote Working (working at a site other than the usual place of work, for example, another office location, home) is available to most staff at manager’s discretion. Staff must follow the Acceptable Usage Policy.

Reporting of malfunctions

If your system develops any software or hardware faults do not attempt to rectify it. You must report the malfunction to the DS Service Desk.

Removal of property

Council property shall not be removed from the premises without prior approval. Laptop and tablet device users are by default, allowed to remove their DS equipment from the premises.

Removal/disposal of assets – permanent

Employees may not remove any commercial property or asset that is destined for destruction or disposal from council facilities, unless all the following conditions have been satisfied prior to removal of the property:

Removal/disposal of assets – temporary

Employees may not remove any commercial property or asset, on a temporary basis (to assist working from another location) from council facilities unless all the following conditions have been satisfied prior to removal of the property:

The above does not, of course, affect the accepted personal removal of issued laptops, tablets mobile telephones, pagers, paper files or the like for callout, home working or remote working purposes.

Loss, theft or destruction of assets

The loss, theft or destruction of any council asset must be reported to the relevant Head of Service, and the DS Security team as soon as is reasonably possible.

Policy compliance

The council expects that all employees will achieve compliance to the directives presented within this policy. This policy will be included within the Information Security Internal Audit Programme, and compliance checks will take place to review the effectiveness of its implementation.

Exceptions

In the following exceptional cases compliance with some parts of the policy may be relaxed. The parts that may be relaxed will depend on the particular circumstances of the incident in question:

The council will not take disciplinary action in relation to known, authorised exceptions to the information security management system.

Penalties

Non-compliance is defined as any one or more of the following:


Policy details

Author – Information Governance Manager
Owner – Information and Data Governance Board
Version – 1.8
Reviewer – Information Governance Manager
Classification – Official – Public
Issue status – Issued
Date of first issue – 21.10.2017
Date of latest re-issue – 30.05.2024
Date approved by IGB – 19.05.2024
Date of next review – 30.04.2025

Council news directly to you

The latest news in your inbox every week. Council news, community updates, local events and more.

Sign up Sign up