Policy is set by the Cabinet Office. The Security Policy Framework superseded the Manual of Protective Security and contains the primary internal protective security policy and guidance on security and risk management for Her Majesty's Government Departments and associated bodies. It is the source on which all localised security policies are based. The classification system was formerly included in the Manual of Protective Security which specified the impact of release and protection level required for each classification. Departments issued localised versions of the content of the MPS as appropriate to their operational needs.
Government Security Classifications Policy
The Cabinet Office issued the Government Security Classifications Policy in 2013; it came into effect in 2014. It replaced the old Government Protective Marking Scheme. Classifications must be capitalised and centrally noted at top and bottom of each document page, save at OFFICIAL where the document marking is optional. All material produced by a public body in the UK must be presumed to be OFFICIAL unless it is otherwise marked. Like the Protective Marking Scheme which it superseded, the GSCP classifications are applied only to the confidentiality of the data under classification. ;TOP SECRET: Information marked as TOP SECRET is that whose release is liable to cause considerable loss of life, international diplomatic incidents, or severely impact ongoing intelligence operations. Disclosure of such information is assumed to be above the threshold for Official Secrets Act prosecution. ;SECRET: This marking is used for information which needs protection against serious threats, and which could cause serious harm if compromised—such as threats to life, compromising major crime investigations, or harming international relations. ;OFFICIAL: All routine public sector business, operations and services is treated as OFFICIAL. Many departments and agencies operate exclusively at this level. It is often incorrectly assumed that the OFFICIAL classification replaces the GPMS markings of PROTECT, RESTRICTED and CONFIDENTIAL, however this is not the case, since the criteria on which GPMS markings were applied bear no relationship to the criteria used for GSCP classifications. It is quite possible, and not uncommon, for data within an OFFICIAL classification to have serious impacts including serious injury in the event of unauthorised disclosure. This is one of the characteristics of the GSCP which differs significantly from the Protective Marking Scheme which it replaced. At the OFFICIAL classification there is a general presumption that data may be shared across Government, however where a need to know principle is identified data may be marked as "OFFICIAL-SENSITIVE"; "OFFICIAL-SENSITIVE COMMERCIAL"; "OFFICIAL-SENSITIVE LOCSEN" or "OFFICIAL-SENSITIVE PERSONAL". All OFFICIAL-SENSITIVE data must be marked and contain handling instructions identifying why the data is deemed sensitive, how it must be held, processed and transferred.
Government Protective Marking Scheme
The older system used five levels of classification, supplemented with caveat keywords. The keyword was placed in all capital letters in the centre of the top and bottom of each page of a classified document and described the foreseeable consequence of an unauthorised release of the data. In descending order of secrecy, these are: ; TOP SECRET ; SECRET ; CONFIDENTIAL ; RESTRICTED ; PROTECT ; UNCLASSIFIED Documents classified under the Protective Marking Scheme still exist and need correct handling. After 100 years all the classifications will have run out but the procedures may still be of interest to historians.
Handling
Access to protectively marked material is defined according to a vetting level which the individual has achieved. Vetting is intended to assure the department that the individual has not been involved in espionage, terrorism, sabotage or actions intended to overthrow or undermine Parliamentary democracy by political, industrial or violent means. It also assures the department that the individual has not been a member of, or associated with, any organisation which has advocated such activities or has demonstrated a lack of reliability through dishonesty, lack of integrity or behaviour. Finally, the process assures the department that the individual will not be subject to pressure or improper influence through past behaviour or personal circumstances. Protectively marked material must be accounted for in a manner appropriate to its classification level and disposal must be in accordance with the SPF. The act of destruction or disposal is included in the accounting process.
Descriptors
Protectively marked material may also be marked with a descriptor, or privacy marking, which identifies sensitivities around distribution and handling. Examples of descriptors include, but are not restricted to:
Budget
Commercial
Honours
Management
Medical
Personal
Policy
Staff
Visits
Nationality caveat
Protectively marked material may bear a nationality :wikt:caveat|caveat, a descriptor defining which nationality groups it may be released to. By default material in the UK is not caveated by nationality, the classification being sufficient protection. Examples of nationality caveats include, but are not limited to:
AUSCANNZUKUS: Australia, New Zealand, Canada, UK and USA.
Codewords
Dissemination of already protectively marked material may be further limited only to those with a legitimate need to know using compartmentalisation by use of codewords. Examples of compartmented material would include information about nuclear warheads, fusion, and naval nuclear propulsion. In some cases, the existence of a codeworded compartment is itself classified. Examples of codewords include, but are not limited to:
LOCSEN: has local sensitivity, and may not be shown to local officials.
NATSEN: has national sensitivity.
DEDIP, DESDEN: may not be shown to certain named officials.