Attorney General's guidelines on information security and government work
Guidelines for civil panel counsel, revised to include the new government security classifications.
Introduction and the application of these guidelines
1) These guidelines were originally produced following the response of various government departments and agencies to the Information Security and Assurance requirements of the HMG Security Policy Framework issued by the Cabinet Office in December 2008. These guidelines deal only with the steps which barristers should take to meet the particular requirements of prosecution and other United Kingdom government agencies. They have been prepared by the relevant government departments in conjunction with the Bar Council. Although they do not apply to information provided to barristers by other clients, you are requested to have these guidelines in mind when dealing with information which may have originated from government departments and agencies.
They have been revised to take into account the changes to the government’s Security Classification System in April 2014. The previous six levels of information classification (Unclassified, Protect, Restricted, Confidential, Secret, Top Secret) are replaced from 1 April 2014 by a three tier system:
- Official
- Secret
- Top Secret
In addition there is a limited subset of Official information that could have more damaging consequences (for individuals, an organisation or government generally) if it were lost, stolen or published. This subset of information is still managed within the Official classification tier, but may attract additional security measures (generally procedural or personnel) to reinforce that only those who ‘need to know’ should have access. In such cases where there is a need to reinforce the ‘need to know’, these documents are marked: Official – Sensitive.
The previous guidance note still applies to documents marked in the old way.
Categories of information
2) Material supplied to counsel falls into different categories of sensitivity.
(a) Documents routinely supplied to counsel acting for prosecution or other government agencies fall into the new Official category. They will include material the accidental release of which may cause substantial distress to individuals, breach proper undertakings to maintain the confidence of information provided by third parties, or prejudice the investigation of or facilitate the commission of crime. Examples could include personal data such as copies of bank statements, and the personal, medical or financial details of defendants, victims or witnesses. The data may also provide information concerning current investigations.
(b) Government agencies use the designations Secret and Top Secret to refer to more sensitive material. The nature of such material varies greatly, and encompasses material covered by Public Interest Immunity, family and child abuse documents, as well as information dealing with national security issues of varying degrees of complexity and sensitivity.
3) Except where stated otherwise, these guidelines do not apply to material which should be regarded as being more sensitive than Official. The identification, treatment and handling of this more sensitive material, i.e. Official – Sensitive, Secret and Top Secret, will be determined by the instructing solicitor, prosecution agency or relevant government department. The security requirements for such more sensitive material will vary according to the nature of each case and the type of material held and, where appropriate, may be a matter for discussion with counsel. Some government departments provide counsel with safes, secure dedicated laptops, photocopiers and printers, and physical escorts for the transfer of such material to courts or tribunals. Other forms of more sensitive material may require less stringent security measures.
4) Information received by barristers within a brief or back sheet from a prosecution or other government agency for professional purposes should be assumed to be Official and treated as such. In the absence of specific instructions from instructing solicitors, these guidelines apply to all such material received by barristers from prosecution or other government agencies for professional purposes and which barristers are required to treat as subject to a confidentiality obligation. Such information is referred to in these guidelines as Official material whether or not it is actually so marked. The guidelines also apply to documents which counsel creates.
5) These guidelines are concerned only with Official material and focus upon:
- the receipt and handling of physical material
- the storage and handling of electronic material
- electronic communications
- the reporting of loss of data
- the disposal and/or return of physical or electronic material
- material taken outside the UK.
General duties and obligations
1) Barristers are reminded that it is the individual responsibility of barristers to preserve the confidentiality of the client’s affairs, and not without the prior consent of the client or as permitted by law to lend or reveal the contents of the papers in any instructions to or communicate to any third person (other than another barrister - including, in the case of a registered European lawyer, the person with whom he is acting in conjunction for the purposes of paragraph 5(3) of the registered European Lawyers Rules: Rule 702 of the Code of Conduct (2009) - a pupil, or any other person who needs to know it for the performance of their duties) information which has been entrusted to them in confidence or use such information to the client’s detriment or to their own or another client’s advantage (paragraph 702 of the Code of Conduct).
2) You or chambers should have an information risk policy setting out how to safeguard information in chambers. You may adopt or adapt these guidelines, or create your own policy. You or chambers may be required to disclose the policy for the purposes of an annual audit.
The receipt and handling of physical material
3) Official material should never be left freely available in the clerks’ room or in any other common area in chambers where it may be read by other members of chambers or visitors.
4) Official material should not be left in a position where it might be read inadvertently by another person entering the room.
5) Official material should never be read or worked on in public where it can be overlooked by members of the public.
6) Official material should be stored in chambers or any other secure place to which the barrister instructed has regular access. A barrister may work on Official material at home provided that the material is put away when not in use.
7) Official material should be moved securely. On public transport Official material should not be left unattended. If travelling by private car, where practicable, keep it out of sight and stored as inconspicuously as possible. Official material should not be left in a car unattended except where leaving it is less of a risk than taking it with you. It should never be left in a car overnight.
The storage, use and handling of electronic material
8) Great care should be taken to ensure that laptops, removable devices and removable storage media containing Official material are not lost or stolen. In particular:
(a) such laptops and other removable devices should never be left unattended in public places or left in a car overnight (although they may be left unattended in a locked court during adjournments);
(b) the material on any laptop or other removable device should be kept to the minimum necessary to enable work to be carried out efficiently.
9) The electronic storage of Official material requires certain minimum levels of security.
All computers used by counsel for work must be protected by up-to-date anti-virus and anti-spyware software, subjected to regular virus scans and protected by a firewall appropriate to the computer used. The operating system software should be checked regularly to ensure that the latest security updates are installed. Access to all computers must be password protected.
Particular care should be taken to avoid potential infection by malware, e.g. from software downloaded from anything other than trusted sources.
Work in progress should be regularly backed up, and back-up media used for Official material should be locked away if possible.
Computers used for working on Official material at home should be protected from unauthorised and unrestricted access by third parties. Where practicable, the ideal is a computer linked to chambers used only for counsel’s work.
Wherever practicable, Official material stored on removable devices or removable storage media (such as memory sticks, CD-ROMs, removable hard disk drives and PDAs) and laptop computers must be encrypted to FIPS 140-2 or CCTM (CESG Claims Tested Mark) standards or to such other standards as may be approved by the professional client. Whole disc rather than folder encryption is required.
Where the client provides its own removable devices or removable storage media, those should be used in preference to your own.
A decryption device or code created by counsel for the emergency recovery of encrypted material should be stored in a secure locked place such as a safe.
10) Reasonable steps should be taken to ensure the reliability of staff that have access to chambers’ IT systems (including identity checks and references), and encryption of particularly sensitive documents may be necessary to prevent technical staff accessing them. Staff in chambers must have annual training on the importance of information security.
11) Chambers should make arrangements to create and maintain a log of all computers used by counsel for storing or working on Official material. The log should record the type, model and serial number of each computer used by counsel, together with the details and currency of any anti-virus, anti-spyware, encryption or other security software maintained on each machine. Dedicated thin-client terminals, or similar workstations provided by chambers, need not be logged (a dedicated thin-client terminal sends keyboard and mouse input to the server and receives screen output in return: it only processes the user interface (UI) and does not process any data, which is stored on chambers’ server).
12) Chambers should have procedures in place for the reporting of any loss of electronic Official material, computers, removable devices or removable storage media on which such material is or might be stored.
13) Wherever possible computers should not be placed so that their screens can be overlooked, especially when working in public places. It is recognised that this may not be possible in court.
14) Passwords used to access computers or encrypted data should be at least 9 characters in length and should contain at least 3 of the 4 character types available on a keyboard (upper case letters, lower case letters, numbers and symbols). Access by a fingerprint scanner is an acceptable alternative.
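As an added illustration (not part of the guidelines themselves), the following Python check applies the paragraph 14 rule as stated: a minimum of 9 characters and at least 3 of the 4 character types. Treating any character that is not a letter or a digit as a "symbol" is an assumption made here.

```python
"""Check a candidate password against the chambers rule in paragraph 14:
at least 9 characters, drawing on at least 3 of the 4 character types
(upper case, lower case, numbers, symbols)."""

MIN_LENGTH = 9   # minimum length required by paragraph 14
MIN_TYPES = 3    # at least 3 of the 4 character types must be present


def character_types(password: str) -> set:
    """Return the set of character types present in the password.

    Assumption: anything that is not a letter or a digit (including
    spaces and punctuation) counts as a keyboard symbol.
    """
    types = set()
    for ch in password:
        if ch.isupper():
            types.add("upper")
        elif ch.islower():
            types.add("lower")
        elif ch.isdigit():
            types.add("digit")
        else:
            types.add("symbol")
    return types


def check_password(password: str) -> list:
    """Return a list of rule failures; an empty list means the password complies."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(
            f"length {len(password)} is below the minimum of {MIN_LENGTH}")
    present = character_types(password)
    if len(present) < MIN_TYPES:
        failures.append(
            f"only {len(present)} of 4 character types used ({MIN_TYPES} required)")
    return failures


def is_compliant(password: str) -> bool:
    """True when the password meets both parts of the paragraph 14 rule."""
    return not check_password(password)


if __name__ == "__main__":
    # Constructed sample values, not real passwords.
    for candidate in ["Upperlower99", "alllowercase9", "Short1!"]:
        print(candidate, check_password(candidate) or "compliant")
```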
15) Counsel should use CJSM to send and receive Official material by email.
16) Unless otherwise stated, counsel must assume that any government department or agency which sends emails under the CJSM system wishes to preserve the security of the material thus communicated. Accordingly, such emails cannot be forwarded, either manually or automatically, to other email addresses without the consent of the sender or the providers of the service. Such emails may be safely retrieved from other computers over the internet through Virtual Private Networks (VPNs).
17) Attachments containing Official material may be sent unencrypted via CJSM emails. Such attachments may only be sent by other email systems if the material is encrypted to FIPS 140-2 standards or to such other standards as may be approved by the relevant department or agency.
18) Passwords required to decrypt an email attachment must never be sent in the same email as the encrypted attachment.
Reporting of loss of data and minimising consequential risks
19) Accidents happen and thefts occur. Where Official material is lost, the professional client, chambers and, where appropriate, the police must be informed as soon as possible. Outside working hours, contact the GLD duty officer on 07909 895922. If there is no response within 20 minutes, please call the No 10 switchboard on 020 732 0905.
The disposal of physical or electronic material
20) Official material should not be retained in electronic form when it is no longer required. For the avoidance of doubt, counsel may retain anonymised precedents, pleadings and advices and any documents which have been deployed publicly in open court.
21) All chambers should have systems in place for the secure disposal of Official material, i.e. cross-cut shredding of papers and CD-ROMs.
22) Any Official material disposed of by counsel must be disposed of by using a secure method of disposal.
23) Counsel who wish to dispose of any computer, hard drive, removable drive or other removable media on which Official material has been stored, including computers used at home, must ensure that the relevant media are effectively destroyed or wiped before disposal using a recognised method that puts the information beyond recovery. Mere file deletion, single pass overwriting or reformatting is insufficient. Physical destruction or the use of specialist deletion and overwriting software is required.
24) Departments may require confirmation that Official material has been returned or destroyed securely.
Material taken outside the UK
25) No hard copy Official material may be taken outside the UK without prior permission from the instructing government department or agency concerned.
Subject to the paragraph below, no encrypted Official data may be taken outside the UK on any memory stick, USB stick, CD, DVD or any other small portable storage device without prior permission from the instructing government department or agency concerned.
Encrypted Official data that does not relate to cases involving national security and does not originate from the National Crime Agency may be taken outside the UK on an encrypted laptop, provided regard is had to paragraph 8(b) (keeping material to the minimum necessary to enable work to be carried out efficiently). This sub-paragraph does not apply to Official – Sensitive material, which may not be removed from the UK without prior permission from the instructing government department or agency concerned.
Counsel are reminded that no material which falls within any higher security classification than Official (e.g. Secret, Top Secret) may be removed from the UK in any circumstances without the express permission of the government department or agency concerned. Such material should not, of course, be kept on counsel’s laptops or other portable storage devices in any event.