Birmingham City Council
Information Classification and Data Storage Standard

Document Owner: Author: Version: Date of this version.draft: Policy change in this version.draft Date version approved: Classification Contact: Title Author
Jackie Woollam Head of Strategy & Governance Team, BCC
2.0
December 2015
No policy change. The storage policy has been merged and made harmonious with the classification policy.
December 2015
Mr David Thomas ICF Manager 10 Woodcock Street Birmingham B2 2YY Tel: 675 1431 Email: Information and Strategy Team M Westrop Information and Cyber Security Manager

© Birmingham City Council 2015
Information Classification & Data Storage page 1 of 12

CONTENTS
1. The purpose of this standard
2. Scope
3. Definitions
4. Information Classification
5. Information Classification, Security and Disclosure.
6. PROTECTION OF INFORMATION MANDATORY RULES
6.1 General
6.2 Lifecycle stage 1: acquisition and creation of information
6.3 Lifecycle stage 2: storage of information
6.4 Lifecycle stage 3: access to information
6.5 Lifecycle stage 4: printing, copying and transfer and the use of portable media
6.6 Lifecycle stage 6: information retention, archiving and destruction
7. PROTECTION OF INFORMATION – BEST PRACTICE
7.1 Storage of information
7.2 Access to information
7.3 Printing, copying and transfer to portable media
7.4 Summary of information transfer good practice rules
8. Who is responsible for upholding the rules for information classification and data storage?
9. Non‐conformity and breaches of this standard

1. The purpose of this standard

This Standard explains how information should be classified and describes how it should be stored and protected through all stages of its lifecycle.

2. Scope

This standard applies to all Information that is Processed by Birmingham City Council, or Processed on behalf of the council by a third party.

3. Definitions

Capitalised terms, acronyms and their origin are explained in the separate document, “BCC Basic Definitions for Information and Cyber Security Policies and Standards.” This includes IAO, ICF, Information, Information Security, Netmotion, Process, PSN, PSPG, SIRO, Staff, Two Factor Authentication.

4. Information Classification

In 2014, the Government introduced a new information security policy framework which contains a simplified classification scheme. The Council shares information with central Government and recognises the scheme.

All Information which is Processed by BCC now lies within one Government classification of OFFICIAL. A sub‐category within the OFFICIAL classification is OFFICIAL – SENSITIVE.

OFFICIAL‐SENSITIVE information requires elevated protection levels. It is information that is likely to include:
personal information relating to an identifiable individual, particularly information which is sensitive information under the Data Protection Act[1] (“DPA”),
confidential information,
security information,
commercially sensitive information,
information that, if disclosed inappropriately, could compromise the operational effectiveness, internal stability or security of the Council and anything that was formerly classified as RESTRICTED information,
information that is scheduled to be deleted,
other information requiring enhanced protection.
[1] OFFICIAL – SENSITIVE is not definitively the same as sensitive personal information under the DPA[1] but will inevitably include all the sensitive personal information under that Act which requires more protection than ordinary personal information. Sensitive personal information under the DPA concerns (a) the racial or ethnic origin of the individual, (b) his political opinions, (c) his religious beliefs, (d) whether he is a member of a trade union, (e) his health, (f) his sexual life, (g) the commission or alleged commission by him of any offence, or (h) any proceedings for any offence.

5. Information Classification, Security and Disclosure.

In addition to the Government label of OFFICIAL‐SENSITIVE, older labels such as “confidential”, “personal[2]”, “RESTRICTED”, “commercially sensitive”, &c, persist and may still be used, which under the Government scheme would all be displayed in the following format (using the example of Personal): OFFICIAL‐SENSITIVE [PERSONAL].

Whatever format is used, where there is a labelled classification, this label does not determine what can be published or disclosed. All information must be kept securely and all may need to be available for disclosure. Disclosure may be required under the Freedom of Information Act, Environmental Information Regulations, Local Government Transparency Code 2014, the rules of court proceedings and enquiries and other laws.

The FOI Act is of particular importance in local government and it sets up a presumption that public bodies must disclose their records and that the public may ask to view these records. It is possible that an exemption applies to a particular record and it can be withheld. For example, personal information protected by the Data Protection Act is often, but not always, exempt from FOI disclosure. The application of an exemption is subject to process, appeal and review.
Therefore, all Information must be kept and preserved securely with the workings of the Freedom of Information Act, Transparency Code and other disclosure requirements in mind. Some information is already released under a publication scheme, but for all other information, the issue of whether it is exempt from disclosure cannot be pre‐judged and, until a particular case is considered, the basic rules of Information Security must be applied.

Therefore OFFICIAL and OFFICIAL‐SENSITIVE information held by the council must be protected and access must be restricted as described in this standard, so that it is available for disclosure.

[2] Relating to personal information about an identifiable individual

6. PROTECTION OF INFORMATION MANDATORY RULES

6.1 General

1. All Staff must handle Information with care and are personally responsible for following the Information Security rules:
All Staff must act to avoid the loss or inappropriate disclosure of Information;
All Staff must keep Information securely and its accuracy must be maintained;
All Staff must make Information available for authorised use or disclosure when required;
All Staff must comply with legal and regulatory duties as directed by management.
These rules apply regardless of whether or not the Information is labelled with a security classification.
2. Information must be protected throughout its lifecycle from creation to its authorised disposal.

6.2 Lifecycle stage 1: acquisition and creation of information

1. Management must consider how Information should be classified and labelled (see Classification, above) from the outset, when it is acquired or created.
2. All Staff must comply with the Data Protection Act, the payment card industry rules and the laws against copyright theft when acquiring new information.

6.3 Lifecycle stage 2: storage of information

1. Staff must store Information securely in order to prevent unauthorised access. Where the council provides shared, audited and backed‐up repositories for storing particular types of information, Staff must always use these[3].
2. Staff must never store payment card information except in systems designed to be fully compliant with the Payment Card Industry Rules[4] which will automatically delete permanently particular parts of that information.
3. Employees of the council who Process Information on laptops or mobile devices must do so on Council‐owned devices[5] which have encryption software activated.
4. Personal use of council storage is forbidden.
5. Staff must use storage space provided by the council for the business purposes of the council and for no other purpose. Staff are forbidden from making personal use of council storage. If there is any doubt whether something forms part of the council’s business, Staff must obtain written management approval in order to store information on council equipment or in council‐owned facilities[6]. For instance, audio and video files and digital images may be stored only when required and legitimately acquired for work: for example, training, publicity or translation services.
6. Staff may only store Information properly in possession of the council on council equipment or in council‐owned facilities. If there is any doubt about whether information is rightfully in possession of the council or whether it actually should be returned to a third party, Staff must obtain written management clarification.

[3] See notes advising against use of the C drive in the practical good practice guide below.
[4] PCI advice available from [email protected]
[5] Telephone the Service Birmingham Service Desk for technical help with encryption security 4‐4444

7. Staff may not use storage facilities provided by third parties, such as cloud providers, or Youtube.
Exceptional use of third party storage can be allowed by management permission only after thorough examination of security risk, after due diligence to particular cloud security and legal concerns and only after written management approval.

6.4 Lifecycle stage 3: access to information

Any member of the public may ask to view Information under the laws about disclosure, irrespective of classification. However, before information is disclosed under those laws, access is strictly controlled.

1. Staff and management must limit access to Information in the digital systems or in their care only to those authorised to view it. Access must be granted only to those who require it in order to perform their jobs as set out in the BCC Access Control Standard.
2. Management must follow particular procedures to authorize Staff to access PSN information[7]. PSN information must be accessed only from equipment which is owned by the Council. Staff who connect remotely to PSN information must do so on council owned equipment using Netmotion connections and Two Factor Authentication[8].

[6] This does not apply to automatic storage such as Word backups or cached internet information where the decision to store is not made by individual Staff but by technical configuration settings.
[7] PSN enrolment procedures and requirements are available from the ICF.
[8] For more information on Netmotion and Two Factor Authentication, see Definitions, or contact [email protected]. Staff are not permitted to connect to PSN information using Citrix connections.

6.5 Lifecycle stage 4: printing, copying and transfer and the use of portable media

1. Staff must label appropriately to make sure that Information that is protectively marked keeps its protective marking when it is printed, copied or transferred to portable media.
2. Staff must protect all OFFICIAL‐SENSITIVE confidential information in portable form; they must not leave it unattended without protection.
3. It is the IAO’s overall responsibility to decide whether specific restrictions need to be placed on printing, copying or the transfer of a particular information asset onto portable media. Staff must protect OFFICIAL‐SENSITIVE Information with two layers of security when they:
a) transfer it out of, or into, the corporate network electronically, or
b) access the information on equipment that can be taken outside council premises.
4. One layer of security must be encryption if this is available (see BCC Email and Messaging Policy and Good Practice rules for secure email) because this provides good security. A second layer of security may be the requirement for a user name and password to gain access. Additional security measures which can provide one layer include the use of password protected files, personal identification numbers or security tokens (see Two Factor Authentication). See the good practice guide below for secure file transfer advice. (See also, mobile devices, above).
5. Staff must never send Information contained within a password‐protected file or an encrypted file by the same communications channel as the encryption key. For example:
if Staff send information in a password‐protected file by email, they must communicate the password otherwise: for instance, by telephone or by text message;
if Staff send an encrypted CD by registered post, they must send the encryption key separately to the recipient, for example, by email.
6. Staff must keep an audit log to track the use of OFFICIAL–SENSITIVE information on portable media. This should include signed receipts for any information handed to third parties.
7. Staff must not transfer or exchange OFFICIAL‐SENSITIVE information with other organisations or third parties unless this is authorised in writing by the IAO or their deputised single point of contact with that third party[9].
8. Staff must keep the amount of information transferred to the minimum necessary to meet the needs of the business and must obfuscate or redact personal information where this exists in the record but is not absolutely required for the purposes of a transfer.
9. Staff must take great care if they transfer Information from within the PSN onto any equipment or network owned or managed by third parties outside the PSN. This should only take place when there is:
a) a clear business requirement for the transfer;
b) explicit consent for the transfer by the data controller;
c) a written receipt for the transfer;
d) two layers of security where this is appropriate for the classification (see 4. above);
e) clear labelling of the classification for the Information transferred.
10. Mobile connectivity to PSN information kept within the Council is permitted only through Netmotion and Two Factor Authentication provided by the council on council‐owned equipment.

[9] Single point of contact information is available from the ICF or from BCC_Security@birmingham.gov.uk

6.6 Lifecycle stage 6: information retention, archiving and destruction[10]

1. When information processing equipment is due to be de‐commissioned, the person responsible for the de‐commissioning of those devices must follow the Disposal of Information Processing Equipment Standard. Information should be destroyed in a way that makes reconstitution unlikely.
2. Information which is due to be destroyed is always classified as OFFICIAL–SENSITIVE and must be clearly and obviously marked with its classification.
3. The council may delete any Information stored on council equipment or within the council without reference to the person who put it there.

[10] The City Council’s Records Management Policy, Records Management Standard, Records Management Manual and Corporate Retention Schedule deal with the management of records and provide guidance on retention, archiving and destruction.

7. PROTECTION OF INFORMATION – BEST PRACTICE[11]

7.1 Storage of information

1. Try to hold Information, as far as is practical, in a structured and organised way, so that it is available for authorised use when required.
2. Where practical, lock rooms and cupboards that contain Information classified as OFFICIAL–SENSITIVE or OFFICIAL, or that contain equipment used to process such Information.
3. Avoid using your C drive and use your shared drives instead. Information held on the shared drives is automatically backed up but your local hard drive is not backed up and is vulnerable to loss if your system crashes. You should also consider using shared drives for storage in preference to email systems or peripheral devices (such as memory sticks) where a managed and shared resource is available.
4. With regard to mandatory rules prohibiting personal use of storage space, you should also note that:
a. A process is followed when individuals leave the organisation[12] and items stored in their individually‐allocated shared‐drive space, called the home drive, are removed to a designated area for three months, after which they are deleted.
b. The council reserves the right to delete any Information stored on council equipment or within the council network without reference to individuals or third parties who put it there.
c. The Council reserves the right to monitor and investigate any information stored on its systems (see also the BCC Monitoring Standard).
d. Note that managers can get Emergency Access to individual email accounts to retrieve business information if the person holding that account is unavailable.
5. Be mindful to use storage space, which is expensive, efficiently. If space available is filled up, this could prevent further information from being Processed. If in doubt, ask your manager. It is directorate management’s responsibility to determine the storage requirement or rationalise the way it is organised.
6. Note that the amount of storage procured by the council is a monitored expense. The Service Birmingham service delivery manager’s monthly report, which includes a breakdown by directorate, is brought to the notice of each of the BCC directorates, noting when the storage used is approaching full capacity. A Service Birmingham client services manager will liaise with a directorate representative where storage is nearly filled; BCC directorates then either reduce their storage requirement and/or buy extra space.
7. There are no automatic cleansing processes.
8. Third parties working with the council buy storage directly from Service Birmingham, when required.

[11] For the difference between Policy Rules and Good Practice see the BCC Basic Definitions for Information and Cyber Security Policies and Standards.
[12] The SLAM or Starters, Leavers and Movers process

7.2 Access to information

1. Take care to avoid being overlooked, particularly if you work in an environment that is accessible to the public. Consider using a privacy screen that makes it difficult for a casual observer to see what is displayed.
2. If you leave your desk, even for a short period of time, lock your workstation so that others cannot access anything on your computer.

7.3 Printing, copying and transfer to portable media

1. To apply a classification label, use the file name.
For example, a file might be labelled by naming it “OFFICIAL–SENSITIVE [Confidential] Reference 12345”. Use the subject line in emails, or an indelible pen for CDs, etc.
2. If you wish to transfer files or exchange protectively marked information over the Internet, you should use a secure file transfer protocol (SFTP) facility; this can be set up by a request to the Service Birmingham Service Desk. You should insist on written confirmation that the receiving party has in fact received the information.
3. See the table below for more advice about Information transfer.
4. Remove documents from printers immediately. The private print option[13] should be used for sensitive information where this option is available on the printer.
5. Lock away sensitive information which must not be left unattended on desks or in parked vehicles.

[13] See your printer manual or ask Service Birmingham security team for advice.

7.4 Summary of some transfer rules and good practice advice

[Table: method of transfer (hand delivery; post or courier: internal post, standard external post, registered post or dedicated courier; e‐mail: internal e‐mail, external e‐mail; electronic file transfer; other electronic methods: telephone, answering machines, fax transmission) against type of information (OFFICIAL; OFFICIAL–SENSITIVE, RESTRICTED OR CONFIDENTIAL). The cells refer to the numbered precautions below.]

Precautions
1 The recipient should acknowledge receipt in writing, or provide a receipt electronically by automatic process.
2 There must be a named recipient, the envelope should be opaque and the classification should not be marked on the outside of the envelope.
3 The subject line should begin with the classification in emails; the classification should be signified in other cases – for example in the file name.
4 This must not be used for sending information between secure PSN email accounts and non‐PSN accounts.
5 There must be at least two layers of security – see explanation above 6.5 point 4 and Secure Email in the Email and Messaging Policy.
6 The password or encryption key must be sent by a separate route from the information that is being transferred.
7 Avoid being overheard in a public place and make the classification of the information discussed clear.
8 The recipient must be available and waiting at the machine to receive the transmission.

8. Who is responsible for upholding the rules for information classification and data storage?

All Staff who handle or use Birmingham City Council’s Information, whether employed by the Council or not, are personally accountable for following the rules in this standard. The Information must be protected against all types of Information Security incident. Individuals are personally responsible for protecting any Information or other assets in their care and for following the standard.
Additionally, council management within the directorates are responsible in their own areas for:
1) The security of information assets relating to their areas of business;
2) The assignment of appropriate classification labels to information;
3) The assignment of appropriate access restrictions to information (it is the responsibility of the IAO to regulate access to Information);
4) Governance, training and regulation of Staff, including third parties who are granted access to information (management must make sure that both Staff who are employees and those who are not employees understand the basic security rules set out here);
5) Compliance with the PSN code of connection;
6) Setting retention periods in that area as required by the council’s Records Management Policy;
7) Compliance with the council’s legal and regulatory obligations, particularly conditions set by the payment card industry and those required by an IAO and the SIRO;
8) Determination of storage requirements and organisation and management of the storage.

Technical responsibility for managing the council’s data storage lies with the infrastructure, service delivery and the cyber security team within Service Birmingham and their business aims are determined by the council’s contract with Service Birmingham and actions agreed with an IAO and the SIRO and BCC’s ICF.

9. Non‐conformity and breaches of this standard

Any employee who disobeys this standard may be investigated under the council’s disciplinary procedure and, where appropriate, legal action will be taken. Anyone, whether they are an employee or not, who disobeys this standard may forfeit access to Information or equipment.

End