Working securely with paper documents and files
To help identify formal policy statements, each is prefixed with an identifier of the form: POL.PPR.xxx, where xxx is a unique ID number.
Audience
This guidance complements the Ministry of Justice (MoJ) overall security policy.
This guidance applies to all employees, contractors, partners, and service providers, including those on co-located sites and sites owned by other public bodies. This includes employees of other organisations who are based in, or work at, MoJ occupied premises.
POL.PPR.001: Agencies and arm’s length bodies (ALBs) shall comply with this corporate framework but can establish their own arrangements tailored to operational needs and should supplement this framework with local policy or guidance for any business-specific risk.
Objective
The MoJ requires employees and contractors to get into the habit of looking after the information that they work with, whether it is on paper or stored electronically, in the same way that they would take care of their personal valuables.
Scope and Definition
This guidance helps you understand the risks involved in working with, sharing, and moving paper documents both inside and outside the office. It covers any information that relates to the business of the MoJ, its stakeholders, or partners, where the information has been printed out or written down on paper.
Note: This guidance applies also to the contents of personal information systems, such as notebooks.
This guidance outlines the basic principles of working securely with paper documents and files.
Context
All MoJ information is valuable. There is a requirement to protect everything that relates to the department’s business, including information provided by others.
Note: The protection requirement applies to all information, not just information that is covered by the Data Protection Act or classified under the government-wide security classification system.
There are different rules for managing and protecting various kinds of paper-based information. You should know how to:
- Identify the correct security level for the information you work with.
- Handle the information according to the relevant rules.
Responsibilities
All employees, contractors, partners, service providers and employees of other organisations who are on MoJ premises or co-located sites remain accountable for the security, health, and safety of themselves, colleagues, and the protection of departmental assets.
Policy statements
Identifying the correct security level
The MoJ uses the government-wide security classification system to indicate the level of security that the various types of information require. The different classifications are based upon the harm that would be caused if controls were breached.
POL.PPR.002: Within the Official classification, material does not normally need to have the classification written on it. However, particularly sensitive information should be marked with the Official-Sensitive handling caveat if it requires more robust access and handling controls to prevent more damaging consequences from disclosure.
POL.PPR.003: Information handled in the MoJ might not always have a visible classification marking. If any file contains material with a marking, then the cover of the file should be marked with the highest level of any of the contents.
To identify the right security level for information, think about:
- How sensitive that information is.
- Whether it contains personal data that could be used to identify individuals.
- What the consequences might be if the information was compromised or misused.
- Whether the information is likely to be under threat from anyone with a high intercept capability. If so, the information might require marking at a higher classification than Official. If you are working with information or documentation higher than the Official classification level, contact Security team for specific guidance.
If you are in any doubt, ask your line manager or contact Security team.
Allocating security levels and marking
POL.PPR.004: If you are generating original information, you should apply the standard rules to decide which classification to use. Do not set security levels higher than necessary. Set the classification that is appropriate at the time. Classification can be altered later if circumstances change, such as when material is no longer embargoed or has been released intentionally for consultation.
POL.PPR.005: For material at Official-Sensitive or higher classifications, the classification shall be written in capitals at the top and bottom of each page of the document. You should use the header and footer facility if creating electronically, and include page numbers by using the format Page x of y. You should only create documents at classification levels higher than Official on approved IT systems. If you are working with information or documentation higher than the Official classification level, contact Security team for specific guidance. Files and documents should be marked according to the most sensitive piece of information included.
Data Protection Act
If the information in the documents or files can be used to identify living individuals, or could identify living individuals when used in conjunction with other MoJ material, then the information is covered by the Data Protection Act (DPA). The Act covers not only information such as name, address, and date of birth, but also expressions of opinion about or intentions towards an individual.
POL.PPR.006: Paper-based information that is covered by the DPA should be managed according to the general principles of working securely with paper documents and files set out here.
Handling paper-based information in the office
Think carefully before leaving papers unattended on desks, in the same way that you would avoid leaving your own personal correspondence – or even a purse or wallet – in plain view.
The MoJ has a clear desk policy that is intended to ensure information is seen only by people who ‘need to know’ it.
This means:
- Not leaving documents or files on a desk when not being used.
- Locking documents or files in a secure cabinet when you leave the office.
Failure to follow this policy could expose files and papers to the risk of being seen during the working day by other staff, or visitors to the office and, out of hours, by guards and cleaners. Even apparently non-sensitive information should be looked after. Putting papers away also protects them from damage from fire, smoke, or water.
There are different controls regarding how the various levels of classified information are secured. Refer to the Information classification, handling and security guide for more information.
Taking documents and files out of the office
Occasionally, you might need to take MoJ information outside MoJ premises. Examples might be when you are working from home, or moving between MoJ buildings. At such times, it is likely that you’ll be carrying valuable information within documents, paper files and personal notebooks.
POL.PPR.007: Always check first whether it is really necessary to take documents out of the office. If it is essential to do so, you shall get permission from your line management, especially if the information includes:
- Personal information, including anything that relates to an identifiable individual or individuals, such as MoJ staff, stakeholders, partners, or customers.
- Material marked Official-Sensitive.
POL.PPR.008: You shall get permission from a head of division, or from a member of the Senior Civil Service (SCS) if the information is marked at a level higher than Official-Sensitive. Removal or relocation of information marked at a level higher than Official-Sensitive shall be noted and recorded on a register, and a record kept of when the material is logged back in.
POL.PPR.009: If you are carrying papers out of the office, you shall protect them against accidental loss, such as an accident or distraction causing you to drop or misplace them.
POL.PPR.010: Ideally, carry papers in an unmarked case. For papers marked Official-Sensitive or higher, or when using public transport, you shall use a lockable case.
POL.PPR.011: For short journeys, such as on foot, and where you are not stopping or using public transport, it is acceptable to carry Official papers in a plain envelope, marked only with your name and office address.
POL.PPR.012: If carrying papers to a meeting at a different location, you shall not allow sensitive details to be visible. The reason is that they could be photographed by a journalist.
POL.PPR.012.001: Papers should be stapled together or otherwise secured in a package. This is to limit dispersal if the carrying case or envelope becomes damaged or opened.
POL.PPR.013: Cases or envelopes should have the minimum details necessary on the outside to assure safe return of the item, if lost, without having to be opened to reveal the contents.
POL.PPR.014: Documents shall not be left unattended in public places or in an unattended car. Care should be taken if you are reading protectively marked information in public places where you might be overlooked, such as a train, or where it might be difficult to retrieve a document if you lost hold of it, for example if you dropped it, or it was blown away.
If you are taking papers home, ensure that they are not readily accessible to other members of your household. Take precautions to minimise their loss. If the papers would normally be locked away in the office, try to do the same at home.
Sending documents
Options for sending documents are covered in the Sending Information guidance note.
Disposing of paper information
MoJ offices have bins or bags that are specifically intended for secure waste disposal of documents or files, including:
- Personal information that relates to an identifiable individual or individuals.
- Sensitive information that should not be disclosed.
- Any material bearing a visible classification marking.
POL.PPR.015: You should read and follow the secure waste disposal guidance on the MoJ Intranet before disposing of any document or files.
POL.PPR.016: Before disposing of information, you should check whether it should be retained on a file, and whether it is covered by a ‘retention schedule’. The Records and Retention team can advise on this.
Long-term storage
The MoJ has arrangements for the secure long-term storage of paper documents and files. If you want to keep paper-based information, but no longer need regular access to it, refer to the information on the MoJ Intranet regarding keeping, deleting, and disclosing information. The Records and Retention team can provide additional guidance.
What to do if you think there has been a security breach
POL.PPR.017: If you suspect that the security of the information you work with has been compromised in any way, you shall report it immediately.
Note: A security breach does not have to involve the actual loss of information. The potential loss of information also counts. For example, if a security cabinet has been left unsecured, there may be no evidence that any information has been lost or interfered with, but there is a clear potential for loss or damage.
Compliance
POL.PPR.018: The level of risk and potential impact to MoJ assets, and, most importantly, physical harm to our people and the public, determines the controls to be applied and the degree of assurance required. The MoJ shall ensure a baseline of physical security measures is in place at each site, and receive annual assurance that measures are in place to provide appropriate protection to all occupants and assets, and that these measures can be strengthened when required, such as in response to a security incident or change in the Government Response Level.
POL.PPR.019: The implementation of all security measures shall be able to provide evidence that the selection has been made in accordance with the appropriate information security standards ISO27001/27002, Physical Security advice taken from the Centre for the Protection of National Infrastructure (CPNI), and Government Functional Standard - GovS 007: Security.
The constantly changing security landscape has necessarily dictated that Physical Security measures be constantly re-evaluated and tested to meet new threats and other emerging vulnerabilities. This policy and subsequent supporting standards are subject to annual review or more frequently if warranted.
Physical security advice
Physical security advice can be obtained by contacting Security team.
Contact details
For any further questions or advice relating to security, contact: security@justice.gov.uk.
Feedback
If you have any questions or comments about this guidance, such as suggestions for improvements, please contact: itpolicycontent@digital.justice.gov.uk.