Classification of information

All information is deemed INSIDE information unless specifically classified as EXTERNAL or TOPSECRET.

TOPSECRET information is defined as information which, if compromised, would be likely to cause damage to the interests of the Plan, including financial, legal, strategic, operational and reputational damage. TOPSECRET information may only be accessed by manager or accountant level employees and non-employees/organizations which have signed non-disclosure agreements. This type of information includes (but is not restricted to):

• Customer data
• Personal data
• Financial data
• Technical information (e.g. admin passwords and network architecture diagrams).

Note: Personal data means data that relates to a living individual who can be identified from that data or a combination of that data and other information which is in the possession of Plan. It also includes any expression of opinion about the individual. Personal data includes sponsor information.

INSIDE (Not TOPSECRET)

INSIDE information is defined as Plan information that, if compromised by disclosure to third parties, may adversely affect the organization. This information is generally available to employees, contractors and third parties in the normal course of business but must be kept within the control of the Plan and not be disclosed to the public without appropriate authorization. This type of information includes (but is not restricted to):

• INSIDE policies, procedures, reports etc.
• Draft papers and schedules;
• INSIDE emails and INSIDE electronic communications.

External

EXTERNAL information is defined as Plan proprietary information that has been approved by the Chief Information Security Officer for external publication. This type of information includes (but is not restricted to):

• Information that is in the public domain or about to be put into the public domain;
• Published documents e.g. annual reports.

Where possible, documents must be marked on the cover and in the header of each page with the chosen classification. Spreadsheets, databases etc. must show the classification on the first page or sheet, as appropriate. If information is deemed unclassified, no action or marking is required on it.

Extra care must be taken in assigning the appropriate classification. “Over-classifying” will result in superfluous precautions being applied to information that is not sensitive, but “under-classifying” can lead to sensitive information being released to the public. Staff should consult with their line managers if there are any potential issues regarding classification or if they are not sure which classification to use. Managers may consult with the Chief Information Security Officer if they require assistance assigning the correct classification level.