Classified information



Classified information is material that a government body claims is sensitive information that requires protection of confidentiality, integrity, or availability. Access is restricted by law or regulation to particular groups of people, and mishandling can incur criminal penalties and loss of respect. A formal security clearance is often required to handle classified documents or access classified data. The clearance process usually requires a satisfactory background investigation. Documents and other information assets are typically marked with one of several (hierarchical) levels of sensitivity - e.g. restricted, confidential, secret and top secret. The choice of level is often based on an impact assessment; governments often have their own set of rules which include the levels, rules on determining the level for an information asset, and rules on how to protect information classified at each level. This often includes security clearances for personnel handling the information. Although "Classified information" refers to the formal categorization and marking of material by level of sensitivity, it has also developed a sense synonymous with "censored" in US English. A distinction is often made between formal security classification and privacy markings such as "commercial in confidence". Classifications can be used with additional keywords that give more detailed instructions on how data should be used or protected.

Some corporations and non-government organizations also assign sensitive information to multiple levels of protection, either from a desire to protect trade secrets, or because of laws and regulations governing various matters such as personal privacy, sealed legal proceedings and the timing of financial information releases.

Government classification
The purpose of classification is to protect information. Higher classifications protect information that might endanger national security. Classification formalises what constitutes a "state secret" and accords different levels of protection based on the expected damage the information might cause in the wrong hands.

However, classified information is frequently "leaked" to reporters by officials for political purposes. Several U.S. presidents have leaked sensitive information to get their point across to the public.

Typical classification levels
Although the classification systems vary from country to country, most have levels corresponding to the following British definitions (from the highest level to lowest)

The highest level except of classification of material on a national level. The information is further compartmented so that specific access using a code word after top secret is a legal way to hide collective and important information**. Such material would cause "exceptionally grave damage" to national security if made publicly available.

The Washington Post reports in its "Top secret America" investigation that per 2010 "An estimated 854,000 people ... hold top-secret security clearances" in the US.

Secret
Such material would cause "serious damage" to national security if it were publicly available.

In the USA, operational "Secret" information can be marked with an additional "LIMDIS", to limit readership.

Confidential
Such material would cause "damage" or be "prejudicial" to national security if publicly available.

Restricted
Such material would cause "undesirable effects" if publicly available. Some countries do not have such a classification; in public sectors, such as commercial industries, such level are also called and known as "Private Information".

Official
Such material forms the generality of government business, public service delivery and commercial activity. This includes a diverse range of information, of varying sensitivities, and with differing consequences resulting from compromise or loss. OFFICIAL information must be secured against a threat model that is broadly similar to that faced by a large private company.

The OFFICIAL classification replaces the Confidential and Restricted classifications after April 2014 in the UK.

Unclassified
Technically not a classification level; but this is a feature of some classification schemes, used for government documents that do not merit a particular classification. This is because the information is low-impact, and therefore does not require any special protection, such as vetting of personnel.

There are a plethora of pseudo-classifications under this category. Please see the articles on Sensitive but unclassified and Controlled Unclassified Information for more information.

Clearance
Depending on the level of classification there are different rules controlling the level of clearance needed to view such information, and how it must be stored, transmitted, and destroyed. Additionally, access is restricted on a "need to know" basis. Simply possessing a clearance does not automatically authorize the individual to view all material classified at that level or below that level. The individual must present a legitimate "need to know" in addition to the proper level of clearance.

Compartmented information
In addition to the general risk-based classification levels above, there may be additional compartmented constraints on access, such as (in the U.S.) Special Intelligence (SI), which protects intelligence sources and methods, No Foreign dissemination (NOFORN), which restricts dissemination to U.S. nationals, and Originator Controlled dissemination (ORCON), which ensures that the originator can track possessors of the information. Information in these compartments is usually marked with specific keywords in addition to the classification level.

Exceptionally Controlled Information (ECI) is a level above top-secret, which restricts information to very few people.

Government information about nuclear weapons such as nuclear warheads often has an additional marking to show it contains such information.

International
When a government agency or group shares information between an agency or group of other country’s government they will generally employ a special classification scheme that both parties have previously agreed to honour.

For example the marking ATOMAL, is applied to U.S. RESTRICTED DATA or FORMERLY RESTRICTED DATA and United Kingdom ATOMIC information that has been released to NATO. ATOMAL information is marked COSMIC TOP SECRET ATOMAL (CTSA), NATO SECRET ATOMAL (NSAT), or NATO CONFIDENTIAL ATOMAL (NCA).

In cases where a country wishes to share classified information bilaterally (or multilaterally) with a country that has a sharing agreement, the information is with the countries it can be shared with. Those countries would have to maintain the classification of the document at the level originally classified (TOP-SECRET, SECRET, etc.) with the appropriate caveat (USNZ, AUSGE, CANUK, etc.).

NATO classifications
For example, sensitive information shared amongst NATO allies has four levels of security classification; from most to least classified: A special case exists with regard to NATO UNCLASSIFIED (NU) information. Documents with this marking are NATO property (copyright) and must not be made public without NATO permission. In general documents with this classification aren't cleared for internet-transmission either, unless clearly marked with RELEASABLE FOR INTERNET TRANSMISSION. Documents that can be made public, however, should be clearly marked with NON SENSITIVE INFORMATION RELEASABLE TO THE PUBLIC.
 * 1) COSMIC TOP SECRET (CTS),
 * 2) NATO SECRET (NS),
 * 3) NATO CONFIDENTIAL (NC), and
 * 4) NATO RESTRICTED (NR).

International organisations

 * European Commission, has 5 levels, EU TOP SECRET, EU SECRET, EU CONFIDENTIAL, EU RESTRICTED, and EU COUNCIL / COMMISSION. (Note that usually the French term is used)
 * OCCAR, a European defence organisation, has three levels of classification: OCCAR SECRET, OCCAR CONFIDENTIAL, OCCAR RESTRICTED.

By country
Most countries employ some sort of classification system for certain government information. For example, in Canada, information that the U.S. would classify SBU (Sensitive but Unclassified) is called "protected" and further subcategorised into levels A, B, and C.

Australia
On 19 July 2011, the National Security (NS) classification marking scheme and the Non-National Security (NNS) classification marking scheme in Australia was unified into one structure.

The Australian Government Security Classification system now comprises TOP SECRET, SECRET, CONFIDENTIAL and PROTECTED. A new dissemination limiting markers (DLMs) scheme was also introduced for information where disclosure may be limited or prohibited by legislation, or where it may otherwise require special handling. The DLM marking scheme comprises For Official Use Only (FOUO), Sensitive, Sensitive: Personal, Sensitive: Legal, and Sensitive: Cabinet.

Documents marked Sensitive Cabinet, relating to discussions in Federal Cabinet, are treated as PROTECTED at minimum due to its higher sensitivity.

Brazil
In Brazil, a top secret (Ultra-secreto) government-issued document may be classified for a period of 25 years, which may be extended up to another 25 years. Thus, no document remains classified for more than 50 years. This is mandated by the 2011 Information Access Law (Lei de Acesso à Informação), a change from the previous rule, under which documents could have their classification time length renewed indefinitely, effectively shuttering state secrets from the public. The 2011 law applies retroactively to existing documents.

Background and hierarchy
There are 2 main type of sensitive information designation used by the Government of Canada: Classified and Designated. The access and protection of both types of information is governed by the Security of Information Act, effective December 24, 2001, replacing the Official Secrets Act 1981. To access the information, a person must have the appropriate level of clearance and a need to know.

In addition, the caveat "For Canadian Eyes Only" may be used to restrict Classified or Designated information to only Canadian citizens with the appropriate level of clearance and need to know.

Special operational information
SOI is not a classification of data per se. It is defined under the Security of Information Act, and unauthorised release of such information constitutes a higher breach of trust, with penalty of life imprisonment.

SOIs include:
 * military operations in respect of a potential, imminent or present armed conflict
 * the identity of confidential source of information, intelligence or assistance to the Government of Canada
 * tools used for information gathering or intelligence
 * the object of a covert investigation, or a covert collection of information or intelligence
 * the identity of any person who is under covert surveillance
 * encryption and cryptographic systems
 * information or intelligence to, or received from, a foreign entity or terrorist group

Classified information
Classified information can be designated Top Secret, Secret or Confidential. These classifications are only used on matters of national interest.


 * Top Secret: This applies when compromise might reasonably cause exceptionally grave injury to the national interest. The possible impact must be great, immediate and irreparable.
 * Secret: This applies when compromise might reasonably cause serious injury to the national interest.
 * Confidential: When disclosure might reasonably cause injury to the national interest.

Designated information
Designated information is not classified. Designated information pertains to any sensitive information that does not relate to national security and cannot be disclosed under the access and privacy legislation because of the possible injury to particular public or private interests.
 * Protected C (Extremely Sensitive designated information): is used to protect extremely sensitive information, which if compromised, could reasonably be expected to cause extremely grave injury outside the national interest. Examples could include bankruptcy, identities of informants in criminal investigations, etc.
 * Protected B (Particularly Sensitive designated information): is used to protect information that could cause severe injury or damage to the people or group involved if it was released. Examples include medical records, annual personnel performance reviews, etc.
 * Protected A (Low-Sensitive designated information): is applied to low sensitivity information that should not be disclosed to the public without authorisation and could reasonably be expected to cause injury or embarrassment outside the national interest. Example of Protected A information could include employee number, pay deposit banking information, etc.

Federal Cabinet (Queen's Privy Council for Canada) papers are either designated (i.e. overhead slides prepared to make presentations to Cabinet) or classified (draft legislations, certain memos).

People's Republic of China
The Criminal Law of the People's Republic of China (which is not operative in the Special Administrative Regions of Hong Kong and Macao) makes it a crime to release a state secret. Regulation and enforcement is carried out by the National Administration for the Protection of State Secrets.

Under the 1989 "Law on Guarding State Secrets," state secrets are defined as those that concern:


 * 1) Major policy decisions on state affairs;
 * 2) The building of national defence and in the activities of the armed forces;
 * 3) Diplomatic activities and in activities related to foreign countries and those to be maintained as commitments to foreign countries;
 * 4) National economic and social development;
 * 5) Science and technology;
 * 6) Activities for preserving state security and the investigation of criminal offences; and
 * 7) Any other matters classified as "state secrets" by the national State Secrets Bureau.

Secrets can be classified into one of three categories:
 * Top secret (绝密): Defined as "vital state secrets whose disclosure would cause extremely serious harm to state security and national interests";
 * Highly secret (机密): Defined as "important state secrets whose disclosure would cause serious harm to state security and national interests"; and
 * Secret (秘密): Defined as "ordinary state secrets whose disclosure would cause harm to state security and national interests".

France
In France, classified information is defined by article 413-9 of the Penal Code. The three levels of military classification are
 * Très Secret Défense (Very Secret Defence): Information deemed extremely harmful to national defence, and relative to governmental priorities in national defence. No service or organisation can elaborate, process, stock, transfer, display or destroy information or protected supports classified at this level without authorisation from the Prime Minister or the national secretary for National Defence. Partial or exhaustive reproduction is strictly forbidden.
 * Secret Défense (Secret Defence): Information deemed very harmful to national defence. Such information cannot be reproduced without authorisation from the emitting authority, except in exceptional emergencies.
 * Confidentiel Défense (Confidential Defence): Information deemed potentially harmful to national defence, or that could lead to uncovering an information classified at a higher level of security.

Less sensitive information is "protected". The levels are
 * Confidentiel personnels Officiers ("Confidential officers")
 * Confidentiel personnels Sous-Officiers ("Confidential non-commissioned officers")
 * Diffusion restreinte ("restricted information")
 * Diffusion restreinte administrateur ("administrative restricted information")
 * Non Protégé (unprotected)

A further caveat, "spécial France" (reserved France) restricts the document to French citizens (in its entirety or by extracts). This is not a classification level.

Declassification of documents can be done by the Commission consultative du secret de la défense nationale (CCSDN), an independent authority. Transfer of classified information is done with double envelopes, the outer layer being plastified and numbered, and the inner in strong paper. Reception of the document involves examination of the physical integrity of the container and registration of the document. In foreign countries, the document must be transferred through specialised military mail or diplomatic bag. Transport is done by an authorised convoyer or habilitated person for mail under 20 kg. The letter must bear a seal mentioning "PAR VALISE ACCOMPAGNEE-SACOCHE". Once a year, ministers have an inventory of classified information and supports by competent authorities.

Once their usage period is expired, documents are transferred to archives, where they are either destroyed (by incineration, crushing or electrical overtension), or stored.

In case of unauthorized release of classified information, competent authorities are the Ministry of Interior, the Haut fonctionnaire de défense et de sécurité ("high civil servant for defence and security") of the relevant ministry, and the General secretary for National Defence. Violation of such secrets is an offence punishable with 7 years of imprisonment and a 100 000 Euro fine; if the offence is committed by imprudence or negligence, the penalties are 3 years of imprisonment and a 45 000 Euro fine.

Hong Kong
The Security Bureau is responsible for developing policies in regards to the protection and handling of confidential government information. In general, the system used in Hong Kong is very similar to the UK system, developed from the Colonial Hong Kong era.

Four classifications exists in Hong Kong, from highest to lowest in sensitivity:
 * Top Secret (高度機密)
 * Secret (機密)
 * Confidential (保密)
 * Temporary Confidential (臨時保密)
 * Restricted (限閱文件/內部文件)
 * Restricted (staff) (限閱文件(人事))
 * Restricted (tender) (限閱文件 (投標))
 * Restricted (administration) (限閱文件 (行政))

Restricted documents are not classified per se, but only those who have a need to know will have access to such information, in accordance with the Personal Data (Privacy) Ordinance.

New Zealand
New Zealand uses the Restricted classification, which is lower than Confidential. People may be given access to Restricted information on the strength of an authorisation by their Head of Department, without being subjected to the background vetting associated with Confidential, Secret and Top Secret clearances. New Zealand's security classifications and the national-harm requirements associated with their use are roughly similar to those of the United States.

In addition to national security classifications there are two additional security classifications, In Confidence and Sensitive, which are used to protect information of a policy and privacy nature. There are also a number of information markings used within ministries and departments of the government, to indicate, for example, that information should not be released outside the originating ministry.

Because of strict privacy requirements around personal information, personnel files are controlled in all parts of the public and private sectors. Information relating to the security vetting of an individual is usually classified at the In Confidence level.

Romania
In Romania, classified information is referred to as "state secrets" (secrete de stat) and is defined by the Penal Code as "documents and data that manifestly appear to have this status or have been declared or qualified as such by decision of Government". There are three levels of classification—Secret, Top Secret, and Top Secret of Particular Importance. The levels are set by the Romanian Intelligence Service and must be aligned with NATO regulations—in case of conflicting regulations, the latter are applied with priority. Dissemination of classified information to foreign agents or powers is punishable by up to life imprisonment, if such dissemination threatens Romania's national security.



Russian Federation
In the Russian Federation, a state secret (Государственная тайна) is information protected by the state on its military, foreign policy, economic, intelligence, counterintelligence, operational and investigative and other activities, dissemination of which could harm state security.

Sweden
The Swedish classification has been updated due to increased NATO/PfP cooperation. All classified defence documents will now have both a Swedish classification (Kvalificerat hemlig or Hemlig), and an English classification (Top Secret, Secret, Confidential, or Restricted).. The term skyddad identitet, "protected identity", is used in the case of protection of a threatened person, basically implying "secret identity", accessible only to certain members of the police force and explicitly authorised officials.

United Kingdom


Until 2013, the United Kingdom used five levels of classification—from lowest to highest, they were: PROTECT, RESTRICTED, CONFIDENTIAL, SECRET and TOP SECRET (formerly MOST SECRET). The Cabinet Office provides guidance on how to protect information, including the security clearances required for personnel. Staff may be required to sign to confirm their understanding and acceptance of the Official Secrets Acts 1911 to 1989, although the Act applies regardless of signature. PROTECT is not in itself a security protective marking level (such as RESTRICTED or greater), but is used to indicate information which should not be disclosed because, for instance, the document contains tax, national insurance, or other personal information.

Government documents without a classification may be marked as UNCLASSIFIED or NOT PROTECTIVELY MARKED.

This system is being replaced by the Government Security Classifications Policy, which has a simpler model: TOP SECRET, SECRET, and OFFICIAL from April 2014.

United States
The U.S. classification system is currently established under Executive Order 13292 and has three levels of classification—Confidential, Secret, and Top Secret. The U.S. had a Restricted level during World War II but no longer does. U.S. regulations state that information received from other countries at the Restricted level should be handled as Confidential. A variety of markings are used for material that is not classified, but whose distribution is limited administratively or by other laws, e.g., For Official Use Only (FOUO), or Sensitive but Unclassified (SBU). The Atomic Energy Act of 1954 provides for the protection of information related to the design of nuclear weapons. The term "Restricted Data" is used to denote certain nuclear technology. Information about the storage, use or handling of nuclear material or weapons is marked "Formerly Restricted Data". These designations are used in addition to level markings (Confidential, Secret and Top Secret). Information protected by the Atomic Energy Act is protected by law and information classified under the Executive Order is protected by Executive privilege.

Table of equivalent classification markings in various countries
Original source: NISPOM Appendix B  ¹ In addition, Finland uses label Salassa pidettävä, "to be kept secret" for information that is not classified but must not be revealed on some other basis than national security. (E.g. privacy, trade secrets etc.)

Corporate classification
Private corporations often require written confidentiality agreements and conduct background checks on candidates for sensitive positions. In the U.S. the Employee Polygraph Protection Act prohibits private employers from requiring lie detector tests, but there are a few exceptions. Policies dictating methods for marking and safeguarding company-sensitive information (e.g. "IBM Confidential") are common and some companies have more than one level. Such information is protected under trade secret laws. New product development teams are often sequestered and forbidden to share information about their efforts with un-cleared fellow employees, the original Apple Macintosh project being a famous example. Other activities, such as mergers and financial report preparation generally involve similar restrictions. However, corporate security generally lacks the elaborate hierarchical clearance and sensitivity structures and the harsh criminal sanctions that give government classification systems their particular tone.

Traffic Light Protocol
The Traffic Light Protocol was developed by the G8 countries to enable the sharing of sensitive information between government agencies and corporations. This protocol has now been accepted as a model for trusted information exchange by over 30 other countries. The protocol provides for four "information sharing levels" for the handling of sensitive information.