At the end of June 2023, the Cabinet Office published Procurement Policy Note (PPN) 07/23: Government Security Classifications Policy 2023.
The PPN highlights some recent changes made to the Government Security Classifications Policy (GSCP), and the need for contracting authorities to incorporate its new guidance for new and existing contracts.
What changes have been introduced, and what does it mean for your contracting authority?
In this quick-fire blog, we've summarised the key changes made to the GSCP, and how this might affect your procurement going forward.
But first, a recap:
The GSCP is a Cabinet Office-issued policy document that defines how different levels of HM Government-related information and data can be shared.
The GSCP defines three classification tiers of information: Official, Secret and Top Secret. A piece of information's classification tier "indicates its sensitivity ("in terms of the likely impact resulting from compromise, loss or misuse)".
All HM Government information should be designated into one of these tiers.
The policy enforces a minimum level of security for the handling of HM Government information, used across the public sector; public bodies are free to add additional security controls on top of it.
To read the policy in full, please refer here.
In June 2023, the Cabinet Office introduced a number of changes to the policy. These changes are highlighted in PPN 07/23, as a reminder for contracting authorities to take note of them during procurement.
The key changes include:
Updated definitions of the 3 classification tiers, namely:
Official: represents the majority of information created and shared within the public sector; information that could cause "no more than moderate damage if compromised"
Secret: "sensitive" information that could "threaten life" or damage the UK's security if compromised, requiring the use of "secure networks" and "boundary security controls" to control how and when it is shared.
Top Secret: "exceptionally sensitive" information that "directly supports or informs the national security of the UK", requiring the highest level of security controls and infrastructure.
New guidance on when the '-sensitive' marking is applied to 'Official' information (information which is "likely to cause moderate damage to the work or reputation" of the relevant organisation)
New guidance on when 'additional markings' for handling and describing information (e.g. 'Recipients Only', 'For Public Release', 'Legal', etc.) should be used
Updated principles on how HMG information should be handled
New guidance on how to handle sensitive information while remote working
The full GSCP document can be found here.
PPN 07/23 makes clear that those across commercial, procurement and/or contract management roles need to be aware of the changes made to the GSCP.
Specifically, the PPN applies only to those within Central Government, their Executive Agencies, Non-Departmental Public Bodies and NHS bodies. That being said, the GSCP still applies to any public sector body that handles HM Government information.
The GSCP's Guidance 1.6 for Contractors and Contracting Authorities specifies that:
You need to be fully implementing the GSCP's updated guidance by June 29th 2024
You should notify existing contractors that the GSCP has been updated. If applicable, you also need to notify of any changes to the level of security classification accorded to information handled as part of any ongoing contracts, in line with the updated definitions.
You need to notify existing contractors if you introduce "any new additional markings" outside the GSCP's standard, and how this applies to ongoing contracts. These additional markings should also be made clear to prospective suppliers at the bidding stage of new tenders.
If appropriate, instructions should also be issued between your contractors and their sub-contractors.
To help contracting authorities to implement these changes, a new e-learning module on the Government Campus has been introduced, and departmental Security Advisors should also have received new education and awareness material.
*
PPN 07/23 brings attention to some important changes to how your contracting authority should handle sensitive information. It's vital you're up-to-speed on the changes introduced to the GSCP, and train your team ahead of the June 2024 implementation deadline.
To access the fully updated GSCP document, click here.
To get more of these summaries sent straight to you, consider signing up to our biweekly newsletter for public sector professionals.
We've summarised lots of past PPNs. Click below to view our summaries on: