home » about us » policies » information and communication technology » 

• 
• Contact Us
• FAQ's
• Accessibility
• A-Z
• Links
• Log In 

Start of main content

 Protective marking scheme

Please note that as this policy is periodically reviewed and updated, if you print it from the website, its accuracy cannot be guaranteed for more than a 24 hour period following printing.

Introduction

• This policy outlines the Hampshire Fire and Rescue Service (“HFRS”) protective marking scheme. The policy is written in line with the Cabinet Office’s Security Vetting and Protective Markings: A Guide for Emergency Responders and the BSI ISO27001 security standard and forms part of the Information and Communication Technology Policy SO/14/1
• The Information and Physical Asset Security Forum Management has the responsibility for ownership of the HFRS Service Order, policy and procedures and the responsibility for the UK government and EU protective marking schemes.
• Function Heads are responsible for ensuring that the protective marking scheme is used properly within their areas and for offering advice to staff on the marking and interpretations of the classification schemes.
• In this Service order the term “Author” means the person who is responsible for the medium in which the information is contained.

 

You shall protectively mark any current information which is in use at the time. The Protective Marking Policy which forms part of the Information and Communications Technology Policy, Service Order SO/14/1 comes into effect on 1^st April 2011.

Contents

1. What is protective marking?
2. Balancing openness with security
3. The UK government protective marking scheme
4. How protective marking affects you
5. Who can see protectively marked information?
6. What the protective markings mean?
7. Protectively marking information
8. Descriptor
9. Location of markings
10. Filing
11. Backdating
12. Instructions on handling
13. Exempt information
14. Publication
15. Reviewing
16. Handling and distribution of a protectively marked information
17. Security clearance
18. Breaches
19. HFRS Function Heads – duties and responsibilities
20. Further advice and EU Classifications
21. Legal Requirements

 

What is protective marking?

• The protective marking scheme is a common baseline for safeguarding information, particularly when it is shared with other organisations.
• A marking is applied to information to identify the standard procedures that are adopted in relation to their storage, security, distribution and destruction.
• This policy and procedure refers to all information assets such as papers,electronic documents, disks, photographs, CAD drawings etc.

   

Balancing openness with security

• HFRS is committed to openness, but recognises that some information needs to be given special protection, for example, to avoid breaching confidentiality, to assist in complying with the Data Protection Act and in some cases to protect national security.
• Under the Freedom of Information Act 2000 information is either proactively, or on request, made available to the public. Protectively marked information is not automatically exempt under the Freedom of Information Act.
• Where information is given a protective marking under this scheme, particular care must be taken when considering whether that information is disclosable under the Freedom of Information Act. Disclosure will be judged on a case by case basis. All requests under the FOI regime must be passed to the Information Compliance Officer for processing. For further detailed information on FOI and Protective Marking see SO/11/2 “Freedom of Information Act 2000"

 

The UK government protective marking scheme

• There are five protectively marked headings that may be used:
  • PROTECT
  • RESTRICTED
  • CONFIDENTIAL
  • SECRET
  • TOP SECRET
• With the exception of PROTECT the classifications are also classed as national security markings. See 'What the protective markings mean', for information about what the classifications mean.
• Material classified as PROTECT can be appropriately applied to sensitive information that needs to be protected (e.g. commercial or personal), which does not have a national security dimension and where the use of RESTRICTED classification would be excessive.

up

How protective marking affects you

• As a member of staff, or as a contractor working on behalf of HFRS you need to know what to do if you:
  • Have to handle protectively marked information
  • Need to apply a protective marking
• Most of you will need to know how to handle protectively marked information, and mark information to a level of PROTECT. It is unlikely that you will generally mark information assets above the marking of PROTECT.
• For that reason, this policy focuses on (a) PROTECT  and (b) RESTRICTED in so far as applying PROTECT and RESTRICTED markings.
• To apply markings beyond PROTECT, staff are asked to contact their respective Function Heads for further advice.

 

Who can see protectively marked information?

• To view any protectively marked information, an individual must have a ‘need to know’ – this means that you should only see information that is related to your work; and have the appropriate security clearance.
• No specific clearance is needed to handle PROTECT or RESTRICTED marked information.

 

What the protective markings mean?

PROTECT The compromise of this information or material would likely:

• Cause financial loss of earnings potential to, or facilitate improper gain or advantage for, individuals or companies.
• Prejudice the investigation or facilitate the commission of crime.
• Disadvantage HFRS in commercial or policy negotiations with others.
• Cause substantial distress to individuals.
• Breach proper undertakings to maintain the confidence of information provided by third parties.
• Breach statutory restrictions on the disclosure of information.

 

RESTRICTED The compromise of this information or material would likely:

• Adversely affect diplomatic relations.
• Make it more difficult to maintain the operational effectiveness of the security of the UK or allied forces.
• Impede the effective development or operation of government policies.
• Undermine the proper management of the public sector and its operations.
• Cause financial loss of earnings potential to, or facilitate improper gain or advantage for, individuals or companies.
• Prejudice the investigation or facilitate the commission of crime.
• Disadvantage government in commercial or policy negotiations with others.

 

CONFIDENTIAL The compromise of this information or material would likely:

• Damage diplomatic relations (i.e. cause formal protest or other sanction); to prejudice individual security or liberty.
• Cause damage to the operational effectiveness or security of the UK or allied forces, or the effectiveness of valuable security or intelligence operations.
• Work substantially against national finances or economic and commercial interests.
• Substantially undermine the financial viability of major organisations.
• Impede the investigation or facilitate the commission of serious crime.
• Impede seriously the development or operation of major government policies.
• Shut down or otherwise substantially disrupt significant national operations.

 

SECRET The compromise of this information or material would likely:

• Raise international tension.
• Damage seriously relations with friendly governments.
• Threaten life directly, or seriously prejudice public order, individual security or liberty.
• Cause serious damage to the operational effectiveness or security of the UK or allied forces, or to the continuing effectiveness of highly valuable security or intelligence operations.
• Cause substantial material damage to national finances or economic and commercial interests.

 

TOP SECRET The compromise of this information or material would likely:

• Threaten directly the internal stability of the UK or friendly countries.
• Lead directly to widespread loss of life.
• Cause exceptionally grave damage to the effectiveness or security of the UK or allied forces or to the continuing effectiveness of extremely valuable security or intelligence operations.
• Cause exceptionally grave damage to relations with friendly governments.
• Cause severe long-term damage to the UK economy.

up

Protectively marking information

It is the responsibility of the author of the material to apply the appropriate protective marking. If you are the author you should use the PROTECT bullet points in 'What the protective markings mean" above, to check whether the PROTECT marking applies or not.

The protective marking of information is applied by the author and may only be changed with the authors authority unless under exceptional circumstances.  

The author must:

• Consider to what level the information must be protected, the higher the classification of the information, the greater administrative burden on the organisation and the smaller the circulation of the information.
• If appropriate a descriptor should be suffixed to the classification, see the section on Descriptors below.
• Consider the duration of the classification, or review period, see section on Reviewing below.
• Consider constructive feedback as to the classification of information.  Authors have the responsibility of setting a classification and, if appropriate, changing the classification.
• If the author no longer holds their post, but still works for HFRS, they should be contacted if there is a requirement to change the classification of information.
• If the author no longer works for HFRS, the new post holder shall be responsible if there is a need to change the classification of information.

 

If no post holder is in place, the line manager allocated responsibility for the information shall be responsible if there is a need to change the classification of information.

In cases where it is assessed by the author that no protective marking is needed, then the information is still required to be marked with the author’s name and review date to demonstrate that the author has shown due diligence in assessing the contents of the information.

Under no circumstances should the phrase “NOT PROTECTIVELY MARKED” be used to indicate that a protective marking has not yet been made. If information has not been classified, it should not be released until a protective marking has been applied where required.

The marking to be applied should be considered on a case by case basis – you should not apply ‘blanket markings’.

If you think that a marking higher than PROTECT is needed then you should contact your respective Function Head. It should be noted that RESTRICTED has a very high threshold and will generally impact upon national security.

Once you have marked the information, recipients will know from the marking what measures are required to be applied in protecting the information. If you are sharing information with an organisation that does not use a protective marking scheme, then you should take extra precautions to make sure the information is handled appropriately. This may entail setting out handling requirements to the recipient. ie referring them to this document.

If the information has some security classified information and other information less sensitive then the marking should relate to the most sensitive information.

Output from software systems and local applications shall be Protectively Marked.

Descriptor

The large range of information that can be covered by ‘PROTECT’ means that you must also use a ‘descriptor’ to describe why the information is protected. The descriptors should follow the protective marking. For example – PROTECT- PERSONAL DATA or ‘PROTECT- LEGAL PROFESSIONAL PRIVILEGE. You should use a descriptor which will appropriately describe why the information has been marked as PROTECT and who should view it.

Some example descriptors are: -

• PROTECT- PERSONAL DATA
• PROTECT- LEGAL PROFESSIONAL PRIVILEGE
• PROTECT- IS SECURITY
• PROTECT- MEDICAL- PERSONAL DATA
• PROTECT- HR- PERSONAL DATA

 

At the present time it is the decision of the author as to the appropriate descriptor for the information. There are no current guidelines in place which define descriptors, so the author may decide upon the appropriate descriptor for the information concerned.

up

Location of marking

• The following numbered paragraphs contain the requirements which apply to the marking of different types of information within the different formats in which the information may be provided.
  • The protective security marking should be indicated in capital letters at the top and bottom of a document (within header and footer)

 

Word Documents

• Assessed by the author to require No Protective Marking using the Corporate Word template marked with Author and Review Date in header.
• Information may be shared with the public.

 

Word Documents Protectively Marked

• Assessed by the author to require a Protective Marking using the Corporate word template. Also located at I:\Corporate Templates\Classification.
• Information may NOT be shared with the Public unless declassified by the Author.

 

up

PowerPoint Document

• Assessed by the Author to require No Protective Marking using the Corporate PowerPoint template, click edit slides. Also located at I:\Corporate Templates\Classification and marked with Author and date due for review. The Author and date due for review does not appear during the presentation.

 

PowerPoint Document Protectively Marked

• Assessed by the Author to require a Protective Marking using the Corporate PowerPoint template click edit slides. Also located at I:\Corporate Templates\Classification. PROTECT appears on all slides but the Author and date of next review does not appear during the slide show.
• Information may not be shared with the Public unless declassified by the Author.

 

up

Excel Document

• Assessed by the Author to require No Protective Marking using the Corporate Excel template
• Also located at I:\Corporate Templates\Classification, delete Protective Marking then marked with Author and date due for review.

Excel Document Protectively Marked

• Assessed by the Author to require a Protective Marking using the Corporate Excel template. Also located at I:\Corporate Templates\Classification. PROTECT appears on the front page of the spreadsheet but is not visible on the following sheets until printed.
• Information may not be shared with the public unless declassified by the author.

 

Excel Document Print Preview

up

When saving an electronic document, the author must put in the title of the saved document the designated marking. For example:

• NO PROTECTIVE MARKING Required- IS Security Meeting- Minutes.doc
• PROTECTIVE MARKING Required- PROTECT- IS SECURITY- IS Security Forum- Minutes 09-11-10.doc

The marking of a ring binder folder and other types of folders

• Use either labels ordered from Central Services at HQ or the template located at- I:\Corporate Templates\Classification\PROTECT.doc
• For small sized folders place the label on the front of the folder.
• For folders that cannot have a label attached insert the same protective markings on the folder as the labels, by using a permanent marker pen, available form Central Services, in a conspicuous place on the outside of the folder.

 

up

The marking of CDs and DVDs

This should be marked as follows:-

Permanent marker pens available via e-mail request or visit, to Central Services HQ.

HFRS approved labels may also be used on CDs and DVDs.

The marking of photographs

• Photographs digitally printed onto standard paper shall be marked using the Corporate Word template.
• Photographs printed on to photographic paper shall not be marked on the photograph.
• Electronic copies (digital images) shall not be protectively marked on the image but shall be saved it the title with their protective marking.
• Where large numbers of photographs are stored on a CD, the CD shall be protectively marked but the individual digital images are not required to be protectively marked providing the distribution list for the CD is limited.

up

Filing

You should indicate the protective marking on the file (whether hard copy or electronic), for example, on the front cover of the file (or other appropriate place which is conspicuous).

Backdating

It is not mandatory to backdate markings on old information. However, if as the author you are updating old information then you shall consider protective marking at that time and apply appropriately.

Instructions on handling

If there are any special instructions on handling, such as instructing recipients not to make copies, then you should state this on the information.

Exempt information

Where information has been considered exempt under the Local Government Act (eg taken as business in ‘part 2’ (closed session) of a committee meeting) or under the Freedom of Information Act then the information should more than likely be protectively marked as PROTECT with the relevant descriptor.

Publication

Where a protective marking has been applied to a working draft which is later published the information should be reviewed before it is published to ensure it is protected in accordance with this Service Order and is appropriate for publication.

Reviewing

Authors should review protective markings on information to make sure that they are still appropriate and whether or not they may be removed. The review period will depend on the nature of the information. Generally, one year is an appropriate review time. If a review date is not applicable then insert N/A after “Date due for review.”

up

Handling and distribution of protectively marked information

• When information is sent to others there is the need to ensure that it is dispatched in a manner which is compatible with its marking. Each marking denotes different handling procedures to ensure that the information is treated in accordance with its designated marking.
• Use the section below to show the handling method (the way the information is sent to others) and the controls that must be implemented and followed to ensure its security:

 

Email

• Where an e-mail is assessed by the author to require No Protective Marking then a normal standard e-mail template shall be used.
• Where an e-mail is assessed by the author to require a Protective Marking then a protectively marked  e-mail template shall be used.

 

• Further information on how to add a Protectively marked e-mail template can be found at :I\Corporate Templates\Email signature
• Further information on how to add a Protectively marked e-mail template to Hants OWA can be found at http://www.hfrs.net/is-owa-signature

• PROTECT marked information may be transmitted on email. However, note that if you are transmitting a high volume of sensitive personal data or material marked PROTECT-PERSONAL DATA then the data shall be commercially encrypted using WinZip. Contact the IS Service Desk for further information.
• Alternatively, you could send the information in a de-personalised way (ie by deleting the personal data).
• RESTRICTED may only be emailed between two systems which contain the following: XXX@organisation.gsi.gov.uk  or XXX@organisation.pnn.police.uk. If only one party has the .gsi.gov.uk or .pnn.police.uk then up to PROTECT only may be sent (subject to the caveat above regarding sensitive personal data)
• CONFIDENTIAL may be sent between two systems which contain XXX@organisation.x.gsi.gov.uk.
• HFRS is not, at this time, able to share information over email systems above PROTECT as it does not have GSI or PNN email addresses.

up

Websites

• Material classified as RESTRICTED and above shall not be made available via a website.

 

Blackberries and iPhones

• Blackberries are the only CESG approved device to send and receive protected data up to and including RESTRICTED.
• iPhones, SMS and MSS shall not be used for sending or receiving any category of Protectively Marked Data

 

Telephone

When dealing with information which is RESTRICTED or above you shall not: -

• Talk about that information over a non-secure telephone/mobile line.
• Send it over a non-secure fax line.
• Send it to a pager.
• Leave information protected by this Service Order on an answering machine.

 

For operationally urgent messages you should assess the operational urgency and risk of not passing the information against the possible risk of a security breach. If you decide transmission is essential then you should keep messages to the absolute minimum.

Post Internal and External

• A return address shall always be included when sending protectively marked information by post.
• Do not include the classification on the envelope.
• Address the envelope clearly stating ‘name, job title and addressee only’.
• For RESTRICTED and above markings, address the envelope as above, mark CONFIDENTIAL and then place the envelope in a second outer envelope. Do NOT put the protective marking on the outer envelope.

 

Hard copy and electronic information

• Protectively marked information on computer disk, memory stick or other electronic   media must be marked with the security classification (of the most highly classified data stored on the device).
• Protectively marked information held on laptops, memory stick or other electronic media must be encrypted.
• Do not store protectively marked information on a Palm or other similar storage devices.
• Do not leave protectively marked information unattended during working hours when you are away from your desk and are unable to lock the office/ room.
• Protectively marked information must not be taken out of the office unless appropriate security measures are in place.
• Furniture to hold protectively marked information depends on the marking.
  • PROTECT or RESTRICTED – lockable furniture
  • CONFIDENTIAL and SECRET – combination lock or security Mersey and Butterfly key.
  • TOP SECRET - combination lock or security Mersey and Butterfly key and further to be in a lockable room with a limited number of people with permitted access to the room keys.

 

Destruction

• PROTECT and RESTRICTED documents, shred the information or put in a secure waste sack. Do not print protected documents unless strictly necessary.
• External Hard drives, USB sticks, Blackberries, iPhones etc pass to the Service Desk at HQ http://www.hantsfire.gov.uk/isopolicy-equipdisposal.htm
• CDs, DVDs and Dynotapes containing personal, sensitive or protectively marked data shall be disposed of by use of the internal post, by enclosing in an internal envelope, marked with the name of the sender and Station number or address. Do not include the classification on the envelope and mark it for the attention of the IS Service Desk only. For RESTRICTED and above markings, address the envelope as above, mark CONFIDENTIAL and then place the envelope in a second outer envelope. Do not put the protective marking on the outer envelope.
• CONFIDENTIAL and SECRET documents, shred at right angles to the print. The width of the shredded paper should be no more than 4mm wide or show more than two characters side by side. For SECRET information – a record must be made of the destruction (the information, date of destruction and who authorised the destruction). This record must be kept for five years.
• TOP SECRET – As for SECRET above, except that two people must witness the shredding and sign the record that they witnessed the destruction.

 

Filing

• You should indicate the protective marking on the files (see section on 'marking of folders'), with the highest marking relevant to the information, and on filing lists.

 

You should seek advice from your Function Head if you are not sure about handling procedures that need to be applied or, for example, where you believe you need to share information but cannot comply with the handling requirements.

Information created outside of HFRS

• Information received by HFRS which already has a protective marking recognised by this policy should be respected and held and processed in line with that protective marking.
• Information that originates from outside of HFRS may not be protectively marked. If it is received then HFRS shall mark the information on receipt in line with this protective marking scheme.
• Information that is marked with a marking that is not recognised by this Service Order shall be assessed and regard must be had to the required protected marking for the information. For example information may be received that is marked “private and confidential”. It is advisable that such information should be assessed in accordance with the nature of the information. Consideration should be given whether such information should be marked “PROTECT” by default.

up

Security clearance

• No specific clearance is required to handle PROTECT or RESTRICTED information.
• Those who are cleared to Baseline Standard (previously known as basic check) may have access to CONFIDENTIAL and occasional controlled access to SECRET material.
• Those who are cleared to Security Check level may have long term, frequent and uncontrolled access to SECRET information assets; and occasional controlled access to TOP SECRET material.
• If you think you need to be security cleared then contact your Function Head.

 

Breaches

• You must report any breaches or possible breaches of this Service Order to the HFRS IS Service Desk at HQ immediately.
• Any breach will require an investigation.
• A breach of this Service Order could result in disciplinary proceedings against the individual or possibly a criminal investigation, depending on the nature of the breach.

 

HFRS Function Heads – duties and responsibilities

HFRS Function Heads shall:

• Advise staff on the handling and marking of protectively marked information   (RESTRICTED and above).
• Assess requests for applications for higher security clearance of Security Check.
• Report security breaches relating to the handling of protectively marked information and reported breaches to the IS Service Desk for investigation by the ICT Security Manager.
• Liaise with other agencies regarding any further specialist advice relating to protective security.

 

Further advice

• The Information and Physical Asset Security Forum Board is responsible for the HFRS protective marking scheme in terms of this Service Order and procedures – i.e. PROTECT information.
• Function Heads are the HFRS experts on the government protective marking scheme and the EU Classifications.
• Further Information on the EU Classifications, Markings and Security of documents marked TRÈS SECRET UE/EUTOP SECRETTOP SECRET: SECRETUE: CONFIDENTIEL UE: RESTREINT UE:. can be found here-  Adopting the Council's security regulations (2001)
• For advice on sending, receiving or storing electronic information and for the investigation of security breaches, contact the ICT Security Manager.
• For advice relating to data protection and freedom of information contact the Information Compliance Officer.

 

Legal Requirements

• Data Protection Act
• Access to Medical Reports Act (1988)
• Official Secrets Act
• Human Rights Act

 

The application of this policy has the potential to engage the following articles of the Human Rights Act 1998:

• Article 3    The prohibition of torture, degrading and inhuman treatment or punishment
• Article 5    The right to liberty and security of person
• Article 8    The right to privacy, family life, home and correspondence
• Article 9    Freedom of thought, conscience and religion
• Article 10  Freedom of expression
• Article 11  Freedom of assembly and association

 

• news
• keeping safe
• business fire safety
• kidzone
• careers & training
• about us
• for staff
• Go to Animal Rescue :: Operations Audit Commission and Other External Assessments and Reports - The Service Budget, Accounts and Regulations Business Education Community Response Corporate Planning Current Vacancies :: Careers and Training Environment Equality and Diversity Events Diary Fire Control Fire Safety Regulations Fire Stations Fire and Rescue Authority Freedom Of Information Act 2000 (FOI) Hampshire Fire and Rescue Service Plan History of HFRS Home Safety IPDS Incident Types News Releases Past Members Planning for Emergencies Policies Recent Incidents Service News Service orders Station Admin Manual Top 10 Fire Safety Tips Vehicles and Appliances