Policy
Corporate Governance Framework
Our corporate governance framework sets out the necessary responsibilities and procedures that guarantee we operate properly.
Information security
32. You must comply with public sector guidance around the classification and handling of information. The majority of information the Commission handles is classified as ‘Official’, which means it should be handled with routine security.
33. Some information, however, is particularly sensitive. This means that loss or insecure handling could lead to damaging consequences for the organisation or for individuals, or might lead to action by third parties if release of this information has impacts on them.
34. To highlight these risks, we use the classification ‘Official Sensitive’ in email headers and on documents. This means that the information should be handled with particular care, such as not forwarding an email inappropriately or reading a document where it can easily be seen by others.
35. In addition, there are restrictions on the use of private email accounts and devices. Where information is stored in private email accounts, it is on servers that are outside of our control. We do not know where or how it is kept, or who has access to it. Commercial cloud storage services and private email accounts are prone to attack by cyber criminals and others. Commission email accounts and equipment have layers of security and active monitoring which may not be present in other services.
36. All documents, email messages, social media posts and texts can be subject to Data Protection and Freedom of Information legislation where they relate to Commission business and fall in scope of a request. Full details of these legislative requirements can be provided by the Information Security Team.
Last updated: 27 February 2023
Formatting changes.