Classified information

In many jurisdictions, for example, the United States and United Kingdom, Top Secret (TS) is the highest level of classified information.^[4] Prior to 1942, the United Kingdom and other members of the British Empire used Most Secret, but this was later changed to match the United States' category name of Top Secret in order to simplify Allied interoperability. The unauthorized disclosure of Top Secret information is expected to cause harm and be of grave threat to national security.^[5][6]

Secret material is often regarded as causative of "serious damage" to national security if it were publicly available,^[9] although not as serious harm as in the case of Top Secret classification.

Confidential material is material that would cause "damage" or be prejudicial to national security if publicly available. It is used in the US since as early as 1936.^[10] A relatively recent revision of its definition is in Executive Order 13526.

Restricted material would cause "undesirable effects" if publicly available. Some countries do not have such a classification in public sectors, such as commercial industries. Such a level is also known as "Private Information". Such a level existed within the US Government during World War II but is no longer used.

The Official-Sensitive classification replaced the Restricted' classification in April 2014 in the UK. Unlike information only marked Official, information that belong to this class is of some interest to threat actors. Compromise is likely to cause moderate damage to the work or reputation of the organisation and/or the government.^[11]

This class of information forms the generality of government business, public service delivery and commercial activity. Compared to the higher levels, the consequence of compromise is lower but not nonexistent.

• In U.S. DOD classification, this class is called Controlled Unclassified Information (CUI). It is divided into five levels specifying different scopes of dissemination. It is the result of an effort to consolidate agency-specific markings such as Sensitive But Unclassified.
• In U.K. classification, this class is called Official. It replaced the previously used Unclassified marking in 2014. Protection is required but is not as strict as the higher levels.^[11]

Unclassified information is low-impact, and therefore does not require any special protection.

Private corporations often require written confidentiality agreements and conduct background checks on candidates for sensitive positions.^[12]

Policies dictating methods for marking and safeguarding company-sensitive information are common in companies, especially as regards information that is protected under trade secret laws. New product development teams are often sequestered and forbidden to share information about their efforts with un-cleared employees. Other activities, such as mergers and financial report preparation generally involve similar restrictions. However, corporate security generally lacks the standardised hierarchical clearance and sensitivity structures and the criminal sanctions of government classification systems.

In the U.S., the Employee Polygraph Protection Act prohibits private employers from requiring lie detector tests, but there are a few exceptions.

When a government agency or group shares information between an agency or group of other country's government they will generally employ a special classification scheme that both parties have previously agreed to honour.

For example, the marking Atomal, is applied to U.S. Restricted Data or Formerly Restricted Data and United Kingdom Atomic information that has been released to NATO. Atomal information is marked COSMIC Top Secret Atomal (CTSA), NATO Secret Atomal (NSAT), or NATO Confidential Atomal (NCA). BALK and BOHEMIA are also used.

For example, sensitive information shared amongst NATO allies has four levels of security classification; from most to least classified:^[13][14]

1. COSMIC Top Secret (CTS)
2. NATO Secret (NS)
3. NATO Confidential (NC)
4. NATO Restricted (NR)

• ATOMAL: This designation is added to the NATO security classification when applicable. For example, COSMIC TOP SECRET ATOMAL (CTS-A). ATOMAL information applies to U.S. RESTRICTED DATA or FORMERLY RESTRICTED DATA or United Kingdom Atomic Information released to NATO.^[15]

A special case exists with regard to NATO Unclassified (NU) information. Documents with this marking are NATO property (copyright) and must not be made public without NATO permission.

COSMIC is an acronym for "Control of Secret Material in an International Command".^[16]

• The European Union has four levels: EU Top Secret, EU Secret, EU Confidential, EU Restricted.^[17] (Note that usually the French terms are used.^[18])
  • Très Secret UE/EU Top Secret: information and material the unauthorised disclosure of which could cause exceptionally grave prejudice to the essential interests of the European Union or of one or more of the Member States;
  • Secret UE/EU Secret: information and material the unauthorised disclosure of which could seriously harm the essential interests of the European Union or of one or more of the Member States;
  • Confidentiel UE/EU Confidential: information and material the unauthorised disclosure of which could harm the essential interests of the European Union or of one or more of the Member States;
  • Restreint UE/EU Restricted: information and material the unauthorised disclosure of which could be disadvantageous to the interests of the European Union or of one or more of the Member States.
• Organisation for Joint Armament Cooperation, a European defence organisation, has three levels of classification: OCCAR Secret, OCCAR Confidential, and OCCAR Restricted.^[19]
• The United Nations has two classification levels: Confidential and Strictly Confidential.^[20]

The Traffic Light Protocol^[21][22] was developed by the Group of Eight countries to enable the sharing of sensitive information between government agencies and corporations. This protocol has now been accepted as a model for trusted information exchange by over 30 other countries. The protocol provides for four "information sharing levels" for the handling of sensitive information.

Most countries employ some sort of classification system for certain government information. For example, in Canada, information that the U.S. would classify SBU (Sensitive but Unclassified) is called "protected" and further subcategorised into levels A, B, and C.

On 19 July 2011, the National Security (NS) classification marking scheme and the Non-National Security (NNS) classification marking scheme in Australia was unified into one structure.

As of 2018, the policy detailing how Australian government entities handle classified information is defined in the Protective Security Policy Framework (PSPF). The PSPF is published by the Attorney-General's Department and covers security governance, information security, personal security, and physical security. A security classification can be applied to the information itself or an asset that holds information e.g., a USB or laptop.^[23]

The Australian Government uses four security classifications: OFFICIAL: Sensitive, PROTECTED, SECRET and TOP SECRET. The relevant security classification is based on the likely damage resulting from compromise of the information's confidentiality.

All other information from business operations and services requires a routine level of protection and is treated as OFFICIAL. Information that does not form part of official duty is treated as UNOFFICIAL.

OFFICIAL and UNOFFICIAL are not security classifications and are not mandatory markings.

Caveats are a warning that the information has special protections in addition to those indicated by the security classification of PROTECTED or higher (or in the case of the NATIONAL CABINET caveat, OFFICIAL: Sensitive or higher). Australia has four caveats:

• Codewords (sensitive compartmented information)
• Foreign government markings
• Special handling instructions
• Releasability caveats

Codewords are primarily used within the national security community. Each codeword identifies a special need-to-know compartment.

Foreign government markings are applied to information created by Australian agencies from foreign source information. Foreign government marking caveats require protection at least equivalent to that required by the foreign government providing the source information.

Special handling instructions are used to indicate particular precautions for information handling. They include:

• EXCLUSIVE FOR (named person)
• CABINET
• NATIONAL CABINET

A releasability caveat restricts information based on citizenship. The three in use are:

• Australian Eyes Only (AUSTEO)
• Australian Government Access Only (AGAO)
• Releasable To (REL).^[23]

Additionally, the PSPF outlines Information Management Markers (IMM) as a way for entities to identify information that is subject to non-security related restrictions on access and use. These are:

• Legal privilege
• Legislative secret
• Personal privacy^[23]

There are three levels of document classification under Brazilian Law No. 12.527, the Access to Information Act:^[24] ultrassecreto (top secret), secreto (secret) and reservado (restricted).

A top secret (ultrassecreto) government-issued document may be classified for a period of 25 years, which may be extended up to another 25 years.^[25] Thus, no document remains classified for more than 50 years. This is mandated by the 2011 Information Access Law (Lei de Acesso à Informação), a change from the previous rule, under which documents could have their classification time length renewed indefinitely, effectively shuttering state secrets from the public. The 2011 law applies retroactively to existing documents.

The government of Canada employs two main types of sensitive information designation: Classified and Protected. The access and protection of both types of information is governed by the Security of Information Act, effective 24 December 2001, replacing the Official Secrets Act 1981.^[26] To access the information, a person must have the appropriate security clearance and the need to know.

In addition, the caveat "Canadian Eyes Only" is used to restrict access to Classified or Protected information only to Canadian citizens with the appropriate security clearance and need to know.^[27]

SOI is not a classification of data per se. It is defined under the Security of Information Act, and unauthorised release of such information constitutes a higher breach of trust, with a penalty of up to life imprisonment if the information is shared with a foreign entity or terrorist group.

SOIs include:

• military operations in respect of a potential, imminent or present armed conflict
• the identity of confidential source of information, intelligence or assistance to the Government of Canada
• tools used for information gathering or intelligence
• the object of a covert investigation, or a covert collection of information or intelligence
• the identity of any person who is under covert surveillance
• encryption and cryptographic systems
• information or intelligence to, or received from, a foreign entity or terrorist group

In February 2025, the Department of National Defence announced a new category of Persons Permanently Bound to Security (PPBS). The protection would apply to some units, sections or elements, and select positions (both current and former), with access to sensitive Special Operational Information (SOI) for national defense and intelligence work. If a unit or organization routinely handles SOI, all members of that unit will be automatically bound to secrecy. If an individual has direct access to SOI, deemed to be integral to national security, that person may be recommended for PPBS designation. The designation is for life, punishable by imprisonment.^[28]

Classified information can be designated Top Secret, Secret or Confidential. These classifications are only used on matters of national interest.

• Top Secret: applies when compromise might reasonably cause exceptionally grave injury to the national interest. The possible impact must be great, immediate and irreparable.
• Secret: applies when compromise might reasonably cause serious injury to the national interest.
• Confidential: disclosure might reasonably cause injury to the national interest.

Protected information is not classified. It pertains to any sensitive information that does not relate to national security and cannot be disclosed under the access and privacy legislation because of the potential injury to particular public or private interests.^[29][30]

• Protected C (Extremely Sensitive protected information): designates extremely sensitive information, which if compromised, could reasonably be expected to cause extremely grave injury outside the national interest. Examples include bankruptcy, identities of informants in criminal investigations, etc.
• Protected B (Particularly Sensitive protected information): designates information that could cause severe injury or damage to the people or group involved if it was released. Examples include medical records, annual personnel performance reviews, income tax returns, etc.
• Protected A (Low-Sensitive protected information): designates low sensitivity information that should not be disclosed to the public without authorization and could reasonably be expected to cause injury or embarrassment outside the national interest. Example of Protected A information include employee identification number, pay deposit banking information, etc.

Federal Cabinet (King's Privy Council for Canada) papers are either protected (e.g., overhead slides prepared to make presentations to Cabinet) or classified (e.g., draft legislation, certain memos).^[31]

The Criminal Law of the People's Republic of China (which is not operative in the special administrative regions of Hong Kong and Macau) makes it a crime to release a state secret. Regulation and enforcement is carried out by the National Administration for the Protection of State Secrets.

Under the 2024 revision of the "Law on Guarding State Secrets",^[32] state secrets are defined as those that concern:

1. Major policy decisions on state affairs
2. The building of national defence and in the activities of the armed forces
3. Diplomatic activities and in activities related to foreign countries and those to be maintained as commitments to foreign countries
4. National economic and social development
5. Science and technology
6. Activities for preserving state security and the investigation of criminal offences
7. Any other matters classified as "state secrets" by the national State Secrets Bureau^[33]

Secrets can be classified into three categories:

• Top Secret (Chinese: 绝密; pinyin: Juémì), defined as "vital state secrets whose disclosure would cause extremely serious harm to state security and national interests"
• Highly Secret (Chinese: 机密; pinyin: Jīmì), defined as "important state secrets whose disclosure would cause serious harm to state security and national interests"
• Secret (Chinese: 秘密; pinyin: Mìmì), defined as "ordinary state secrets whose disclosure would cause harm to state security and national interests"^[33]

In France, classified information is defined by article 413-9 of the Penal Code.^[34] The three levels of military classification are

• Très Secret Défense (Very Secret Defence): Information deemed extremely harmful to national defence,^{[citation needed]} and relative to governmental priorities in national defence. No service or organisation can elaborate, process, stock, transfer, display or destroy information or protected supports classified at this level without authorization from the Prime Minister or the national secretary for National Defence. Partial or exhaustive reproduction is strictly forbidden.
• Secret Défense (Secret Defence): Information deemed very harmful to national defence. Such information cannot be reproduced without authorisation from the emitting authority, except in exceptional emergencies.
• Confidentiel Défense (Confidential Defence) - in effect until 2021:^[35] Information deemed potentially harmful to national defence, or that could lead to uncovering some information classified at a higher level of security.

Less sensitive information is "protected". The levels are

• Confidentiel personnels Officiers ("Confidential officers")
• Confidentiel personnels Sous-Officiers ("Confidential non-commissioned officers")
• Diffusion restreinte ("restricted information")
• Diffusion restreinte administrateur ("administrative restricted information")
• Non Protégé (unprotected)

A further caveat, spécial France (reserved France) restricts the document to French citizens (in its entirety or by extracts). This is not a classification level.

Declassification of documents can be done by the Commission consultative du secret de la défense nationale (CCSDN), an independent authority. Transfer of classified information is done with double envelopes, the outer layer being plastified and numbered, and the inner in strong paper. Reception of the document involves examination of the physical integrity of the container and registration of the document. In foreign countries, the document must be transferred through specialised military mail or diplomatic bag. Transport is done by an authorised conveyor or habilitated person for mail under 20 kg. The letter must bear a seal mentioning "Par Valise Accompagnee-Sacoche". Once a year, ministers have an inventory of classified information and supports by competent authorities.

Once their usage period is expired, documents are transferred to archives, where they are either destroyed (by incineration, crushing, or overvoltage), or stored.

In case of unauthorized release of classified information, competent authorities are the Ministry of Interior, the 'Haut fonctionnaire de défense et de sécurité ("high civil servant for defence and security") of the relevant ministry, and the General secretary for National Defence. Violation of such secrets is an offence punishable with seven years of imprisonment and a 100,000-euro fine; if the offence is committed by imprudence or negligence, the penalties are three years of imprisonment and a 45,000-euro fine.

The Security Bureau is responsible for developing policies in regards to the protection and handling of confidential government information. In general, the system used in Hong Kong is very similar to the UK system, developed from the colonial era of Hong Kong.

Four classifications exists in Hong Kong, from highest to lowest in sensitivity:^[36]

• Top Secret (絕對機密)
• Secret (高度機密)
• Confidential (機密)
  • Temporary Confidential (臨時保密)
• Restricted (限閱文件/內部文件)
  • Restricted (staff) (限閱文件(人事))
  • Restricted (tender) (限閱文件 (投標))
  • Restricted (administration) (限閱文件 (行政))

Restricted documents are not classified per se, but only those who have a need to know will have access to such information, in accordance with the Personal Data (Privacy) Ordinance.^[37]

New Zealand uses the Restricted classification, which is lower than Confidential. People may be given access to Restricted information on the strength of an authorisation by their Head of department, without being subjected to the background vetting associated with Confidential, Secret and Top Secret clearances. New Zealand's security classifications and the national-harm requirements associated with their use are roughly similar to those of the United States.

In addition to national security classifications there are two additional security classifications, In Confidence and Sensitive, which are used to protect information of a policy and privacy nature. There are also a number of information markings used within ministries and departments of the government, to indicate, for example, that information should not be released outside the originating ministry.

Because of strict privacy requirements around personal information, personnel files are controlled in all parts of the public and private sectors. Information relating to the security vetting of an individual is usually classified at the In Confidence level.

In Romania, classified information is referred to as "state secrets" (secrete de stat) and is defined by the Penal Code as "documents and data that manifestly appear to have this status or have been declared or qualified as such by decision of Government".^[38] There are three levels of classification: "Secret" (Secret/S), "Top Secret" (Strict Secret/SS), and "Top Secret of Particular Importance" (Strict secret de interes deosebit/SSID).^[39] The levels are set by the Romanian Intelligence Service and must be aligned with NATO regulations—in case of conflicting regulations, the latter are applied with priority. Dissemination of classified information to foreign agents or powers is punishable by up to life imprisonment, if such dissemination threatens Romania's national security.^[40]

In the Russian Federation, a state secret (Государственная тайна) is information protected by the state on its military, foreign policy, economic, intelligence, counterintelligence, operational and investigative and other activities, dissemination of which could harm state security.

The Swedish classification has been updated due to increased NATO/PfP cooperation. All classified defence documents will now have both a Swedish classification (Kvalificerat hemlig, Hemlig, Konfidentiell or Begränsat Hemlig), and an English classification (Top Secret, Secret, Confidential, or Restricted).^{[citation needed]} The term skyddad identitet, "protected identity", is used in the case of protection of a threatened person, basically implying "secret identity", accessible only to certain members of the police force and explicitly authorised officials.

At the federal level, classified information in Switzerland is assigned one of three levels, which are from lowest to highest: Internal, Confidential, Secret.^[41] Respectively, these are, in German, Intern, Vertraulich, Geheim; in French, Interne, Confidentiel, Secret; in Italian, Ad Uso Interno, Confidenziale, Segreto. As in other countries, the choice of classification depends on the potential impact that the unauthorised release of the classified document would have on Switzerland, the federal authorities or the authorities of a foreign government.

According to the Ordinance on the Protection of Federal Information, information is classified as Internal if its "disclosure to unauthorised persons may be disadvantageous to national interests."^[41] Information classified as Confidential could, if disclosed, compromise "the free formation of opinions and decision-making of the Federal Assembly or the Federal Council," jeopardise national monetary/economic policy, put the population at risk or adversely affect the operations of the Swiss Armed Forces. Finally, the unauthorised release of Secret information could seriously compromise the ability of either the Federal Assembly or the Federal Council to function or impede the ability of the Federal Government or the Armed Forces to act.

According to the related regulations in Turkey, there are four levels of document classification:^[42] çok gizli (top secret), gizli (secret), özel (confidential) and hizmete özel (restricted). The fifth is tasnif dışı, which means unclassified.

Until 2013, the United Kingdom used five levels of classification—from lowest to highest, they were: Protect, Restricted, Confidential, Secret and Top Secret (formerly Most Secret). The Cabinet Office provides guidance on how to protect information, including the security clearances required for personnel. Staff may be required to sign to confirm their understanding and acceptance of the Official Secrets Acts 1911 to 1989, although the Act applies regardless of signature. Protect is not in itself a security protective marking level (such as Restricted or greater), but is used to indicate information which should not be disclosed because, for instance, the document contains tax, national insurance, or other personal information.

Government documents without a classification may be marked as Unclassified or Not Protectively Marked.^[43]

This system was replaced by the Government Security Classifications Policy, which has a simpler model: Top Secret, Secret, and Official from April 2014.^[11] Official Sensitive is a security marking which may be followed by one of three authorised descriptors: Commercial, LocSen (location sensitive) or Personal. Secret and Top Secret may include a caveat such as UK Eyes Only.

Also useful is that scientific discoveries may be classified via the D-Notice system if they are deemed to have applications relevant to national security. These may later emerge when technology improves so for example the specialised processors and routing engines used in graphics cards are loosely based on top secret military chips designed for code breaking and image processing. They may or may not have safeguards built in to generate errors when specific tasks are attempted and this is invariably independent of the card's operating system.^{[citation needed]}

The U.S. classification system is currently established under Executive Order 13526 and has three levels of classification—Confidential, Secret, and Top Secret. The U.S. had a Restricted level during World War II but no longer does. U.S. regulations state that information received from other countries at the Restricted level should be handled as Confidential. A variety of markings are used for material that is not classified, but whose distribution is limited administratively or by other laws, e.g., For Official Use Only (FOUO), or sensitive but unclassified (SBU). The Atomic Energy Act of 1954 provides for the protection of information related to the design of nuclear weapons. The term "Restricted Data" is used to denote certain nuclear technology. Information about the storage, use or handling of nuclear material or weapons is marked "Formerly Restricted Data". These designations are used in addition to level markings (Confidential, Secret and Top Secret). Information protected by the Atomic Energy Act is protected by law and information classified under the Executive Order is protected by Executive privilege.

The U.S. government insists it is "not appropriate" for a court to question whether any document is legally classified.^[44] In the 1973 trial of Daniel Ellsberg for releasing the Pentagon Papers, the judge did not allow any testimony from Ellsberg, claiming it was "irrelevant", because the assigned classification could not be challenged. The charges against Ellsberg were ultimately dismissed after it was revealed that the government had broken the law in secretly breaking into the office of Ellsberg's psychiatrist and in tapping his telephone without a warrant. Ellsberg insists that the legal situation in the U.S. in 2014 is worse than it was in 1973, and Edward Snowden could not get a fair trial.^[45] The State Secrets Protection Act of 2008 might have given judges the authority to review such questions in camera, but the bill was not passed.^[44]

When a government agency acquires classified information through covert means, or designates a program as classified, the agency asserts "ownership" of that information and considers any public availability of it to be a violation of their ownership—even if the same information was acquired independently through "parallel reporting" by the press or others. For example, although the CIA drone program has been widely discussed in public since the early 2000s, and reporters personally observed and reported on drone missile strikes, the CIA still considers the very existence of the program to be classified in its entirety, and any public discussion of it technically constitutes exposure of classified information. "Parallel reporting" was an issue in determining what constitutes "classified" information during the Hillary Clinton email controversy when Assistant Secretary of State for Legislative Affairs Julia Frifield noted, "When policy officials obtain information from open sources, 'think tanks,' experts, foreign government officials, or others, the fact that some of the information may also have been available through intelligence channels does not mean that the information is necessarily classified."^[46][47][48]

Former government intelligence officials are usually able to retain their security clearance, but it is a privilege not a right, with the President being the grantor.^[49] The Washington Post reported in an investigation entitled "Top Secret America" that, as of 2010, "An estimated 854,000 people ... hold top-secret security clearances" in the United States.^[50]

Clearance is a general classification, that comprises a variety of rules controlling the level of permission required to view some classified information, and how it must be stored, transmitted, and destroyed. Additionally, access is restricted on a "need to know" basis. Simply possessing a clearance does not automatically authorize the individual to view all material classified at that level or below that level. The individual must present a legitimate "need to know" in addition to the proper level of clearance.

The classification markings NOFORN (NF) is information may not be disseminated to any foreign government, foreign national, foreigners, international organizations or any individuals that are not citizens of the United States of America.

The document designation classification Federal Employees Only (FED ONLY) is a limited dissemination control established by the Controlled Unclassified Information (CUI) executive. FED ONLY dissemination controls are authorized only to U.S. Government official employees, executive branch agencies, or United States armed forces of the U.S. Active Guard Reserve.

Federal Employees and Contractors Only (FEDCON) is a limited dissemination control for authorized individuals or employees who enter a contract with the United States to perform a specific job.

The document designation marking indicator for Sensitive But Unclassified (SBU) is information that requires special handling and limited dissemination controls that falls under category of the CUI Policy.

Controlled Unclassified Information (CUI) is information that falls within a law, regulation, and government-wide policy that require safeguarding to be protected from unauthorized disclosure. No individual may have access to CUI information unless he or she has been granted an authorization.

In addition to the general risk-based classification levels, additional compartmented constraints on access exist, such as (in the U.S.) Special Intelligence (SI), which protects intelligence sources and methods, No Foreign dissemination (NoForn), which restricts dissemination to U.S. nationals, and Originator Controlled dissemination (OrCon), which ensures that the originator can track possessors of the information. Information in these compartments is usually marked with specific keywords in addition to the classification level.

Government information about nuclear weapons often has an additional marking to show it contains such information (CNWDI).

For originally classified documents, the date of the original classification is scheduled for an automatic declassification of 10 years or 25 years, from the date of original classification. "50X1-HUM" is information that reveals the identity of a confidential human source or a human intelligence source which is exempt from scheduled automatic declassification.^[51] "50X2-WMD" is classified information exempt from automatic declassification at 10 years and 25 years that reveal information that reveals key elements and design of weapons of mass destruction assembly, production and deployment.