Classified information


Classified information is confidential material that a government, corporation, or non-governmental organisation deems to be sensitive information, which must be protected from unauthorized disclosure and that requires special handling and dissemination controls. Access is restricted by law, regulation, or corporate policies to particular groups of individuals with both the necessary security clearance and a need to know.
Classified information within an organisation is typically arranged into several hierarchical levels of sensitivity, e.g. Confidential, Secret, and Top Secret. The choice of which level to assign a file is based on threat modelling, with different organisations having varying classification systems, asset management rules, and assessment frameworks. Classified information generally becomes less sensitive with the passage of time, and may eventually be reclassified or declassified and made public.
Governments often require a formal security clearance and corresponding background check to view or handle classified material. Mishandling or unlawful disclosure of confidential material can incur criminal penalties, depending on the nature of the information and the laws of a jurisdiction. Since the late twentieth century, there has been freedom of information legislation in some countries, where the public is deemed to have the right to all information that is not considered to be damaging if released. Sometimes documents are released with information still considered confidential redacted. Classified information is sometimes also intentionally leaked to the media to influence public opinion.

Governmental classification levels

Top Secret (TS)

In many jurisdictions, for example the United States and United Kingdom, Top Secret is the highest level of classified information. Prior to 1942, the United Kingdom and other members of the British Empire used Most Secret, but this was later changed to match the United States' category name of Top Secret in order to simplify Allied interoperability. The unauthorized disclosure of Top Secret information is expected to cause harm and pose a grave threat to national security.

Secret

Secret material is often regarded as material that would cause "serious damage" to national security if it were publicly available, although the harm is not as serious as in the case of the Top Secret classification.

Confidential

Confidential material is material that would cause "damage" or be prejudicial to national security if publicly available. It has been used in the US since as early as 1936. A relatively recent revision of its definition is in Executive Order 13526.

Restricted

Restricted material would cause "undesirable effects" if publicly available. Some countries do not have such a classification in public sectors, such as commercial industries. Such a level is also known as "Private Information". Such a level existed within the US Government during World War II but is no longer used.
The Official-Sensitive classification replaced the Restricted classification in April 2014 in the UK. Unlike information only marked Official, information that belongs to this class is of some interest to threat actors. Compromise is likely to cause moderate damage to the work or reputation of the organisation and/or the government.

Controlled

This class of information forms the generality of government business, public service delivery and commercial activity. Compared to the higher levels, the consequence of compromise is lower but not nonexistent.
  • In U.S. DOD classification, this class is called Controlled Unclassified Information. It is divided into five levels specifying different scopes of dissemination. It is the result of an effort to consolidate agency-specific markings such as Sensitive But Unclassified.
  • In U.K. classification, this class is called Official. It replaced the previously used Unclassified marking in 2014. Protection is required but is not as strict as the higher levels.

Unclassified

Unclassified information is low-impact, and therefore does not require any special protection.

Corporate classification

Private corporations often require written confidentiality agreements and conduct background checks on candidates for sensitive positions.
Policies dictating methods for marking and safeguarding company-sensitive information are common in companies, especially as regards information that is protected under trade secret laws. New product development teams are often sequestered and forbidden to share information about their efforts with uncleared employees. Other activities, such as mergers and financial report preparation, generally involve similar restrictions. However, corporate security generally lacks the standardised hierarchical clearance and sensitivity structures and the criminal sanctions of government classification systems.
In the U.S., the Employee Polygraph Protection Act prohibits private employers from requiring lie detector tests, but there are a few exceptions.

Trade secrets

Personally identifiable information (PII)

Protected health information (PHI)

Nonpublic personal information

Material Nonpublic Information

International classification systems

When a government agency or group shares information with an agency or group of another country's government, they will generally employ a special classification scheme that both parties have previously agreed to honour.
For example, the marking Atomal is applied to U.S. Restricted Data or Formerly Restricted Data and United Kingdom Atomic information that has been released to NATO. Atomal information is marked COSMIC Top Secret Atomal, NATO Secret Atomal, or NATO Confidential Atomal. BALK and BOHEMIA are also used.

NATO classifications

For example, sensitive information shared amongst NATO allies has four levels of security classification; from most to least classified:
  1. COSMIC Top Secret
  2. NATO Secret
  3. NATO Confidential
  4. NATO Restricted
  • ATOMAL: This designation is added to the NATO security classification when applicable. For example, COSMIC TOP SECRET ATOMAL. ATOMAL information applies to U.S. RESTRICTED DATA or FORMERLY RESTRICTED DATA or United Kingdom Atomic Information released to NATO.
A special case exists with regard to NATO Unclassified information. Documents with this marking are NATO property and must not be made public without NATO permission.
COSMIC is an acronym for "Control of Secret Material in an International Command".

International organizations

  • The European Union has four levels: EU Top Secret, EU Secret, EU Confidential, EU Restricted.
    • Très Secret UE/EU Top Secret: information and material the unauthorised disclosure of which could cause exceptionally grave prejudice to the essential interests of the European Union or of one or more of the Member States;
    • Secret UE/EU Secret: information and material the unauthorised disclosure of which could seriously harm the essential interests of the European Union or of one or more of the Member States;
    • Confidentiel UE/EU Confidential: information and material the unauthorised disclosure of which could harm the essential interests of the European Union or of one or more of the Member States;
    • Restreint UE/EU Restricted: information and material the unauthorised disclosure of which could be disadvantageous to the interests of the European Union or of one or more of the Member States.
  • Organisation for Joint Armament Cooperation, a European defence organisation, has three levels of classification: OCCAR Secret, OCCAR Confidential, and OCCAR Restricted.
  • The United Nations has two classification levels: Confidential and Strictly Confidential.

Traffic Light Protocol

The Traffic Light Protocol was developed by the Group of Eight countries to enable the sharing of sensitive information between government agencies and corporations. This protocol has now been accepted as a model for trusted information exchange by over 30 other countries. The protocol provides for four "information sharing levels" for the handling of sensitive information.

By country

Most countries employ some sort of classification system for certain government information. For example, in Canada, information that the U.S. would classify SBU is called "protected" and further subcategorised into levels A, B, and C.

Australia

On 19 July 2011, the National Security classification marking scheme and the Non-National Security classification marking scheme in Australia were unified into one structure.
As of 2018, the policy detailing how Australian government entities handle classified information is defined in the Protective Security Policy Framework (PSPF). The PSPF is published by the Attorney-General's Department and covers security governance, information security, personal security, and physical security. A security classification can be applied to the information itself or to an asset that holds information, e.g. a USB or laptop.
The Australian Government uses four security classifications: OFFICIAL: Sensitive, PROTECTED, SECRET and TOP SECRET. The relevant security classification is based on the likely damage resulting from compromise of the information's confidentiality.
All other information from business operations and services requires a routine level of protection and is treated as OFFICIAL. Information that does not form part of official duty is treated as UNOFFICIAL.
OFFICIAL and UNOFFICIAL are not security classifications and are not mandatory markings.
Caveats are a warning that the information has special protections in addition to those indicated by the security classification of PROTECTED or higher. Australia has four caveats:
  • Codewords
  • Foreign government markings
  • Special handling instructions
  • Releasability caveats
Codewords are primarily used within the national security community. Each codeword identifies a special need-to-know compartment.
Foreign government markings are applied to information created by Australian agencies from foreign source information. Foreign government marking caveats require protection at least equivalent to that required by the foreign government providing the source information.
Special handling instructions are used to indicate particular precautions for information handling. They include:
  • EXCLUSIVE FOR
  • CABINET
  • NATIONAL CABINET
A releasability caveat restricts information based on citizenship. The three in use are:
  • Australian Eyes Only
  • Australian Government Access Only
  • Releasable To.
Additionally, the PSPF outlines Information Management Markers as a way for entities to identify information that is subject to non-security related restrictions on access and use. These are: