Stemming the flow: An urgent look at tackling a culture of leaks Contents

3The Classification and Sharing of Information

15.Sir Simon McDonald told us “Every communication these days is electronic, and every machine has a forward button.”18 Although it is not possible to forward material outside of secure networks, his point that communications can readily be forwarded is a major concern in the secure management of sensitive information.

16.The number of people who receive a communication will depend on the type of communication and its level of classification. Whilst diptels may be received widely, ‘in many cases all round the world’,19 the most sensitive letters have a distribution of as few as 5–10 people.20 The ability of officials to be able to share information with a wide range of colleagues is what Sir Ivan Rogers described as ‘a massive strength’21 of the British diplomatic system and one that adds value to work across government for those who have access to it. But such wide distribution lists are also a potential vulnerability: it only takes one person to leak. The benefits of shared knowledge therefore must be offset against the vulnerabilities to the system that wide distribution of sensitive communication introduces.

17.The Government’s Security Classifications policy, May 2018, sets out how the Government classifies information assets and how,

Everyone who works with government has a duty to respect the confidentiality and integrity of any HMG information and data that they access, and is personally accountable for safeguarding assets in line with this policy.22

18.This policy defines three levels of classification which indicate the sensitivity of information: official, secret and top secret. The higher the classification the greater the protective measures used to defend against accidental or deliberate compromise.23 The current policy on classification was launched in 2014 and as a part of that process the classification of Confidential was removed.24 Both Sir Adam Thomson and Sir Peter Westmacott referred to the gap the removal of Confidential created in the classification system. The Committee believes this gap, whether perceived or actual, may be indicative of a lapse in confidence in the classification system which suggests that the system is not working as effectively as it could, or indeed has in the past.

19.Sir Adam Thomson told us that the more robust secure systems (for documents classified higher than official) within the Foreign Office are ‘clunkier’25 and Sir Peter Westmacott described it as a ‘bit of a clog dance to get access to it.’26 If a secure system is impractical for the users then it may inadvertently have deterred users from utilising the system. Sir Simon McDonald confirmed that a new secure communication system Rosa had been rolled out already and that this system “is critically important to what happens next.”27

20.The Government should review its classification and distribution policy and assess whether it is fit for purpose. As part of that review it should consider whether additional levels of classification would be useful to help further demarcate the level of sensitivity of communications, if more explicit guidance on distribution and onwards dissemination should be produced, and whether a ‘no forward’ function should be applied as standard to any sensitive communications going out and the ability to forward to be removeable on the new Rosa system. Instead if a recipient wanted to pass the email on they would have to go back to the originator to request that they forward it instead. Whilst the Committee acknowledges the importance and advantages of sharing information, the Government must make sure that the risks do not outweigh the benefits.

21.In the Government’s response to this report the Committee would like to know how the effectiveness of the new Rosa system will be assessed, what steps are being taken to make sure it is as user friendly as possible, who is the Senior Responsible Owner, how regularly will the system be reviewed and what contingency plans are in place if the system fails.

22 The Cabinet Office, Government Security Classifications, May 2018, p3

23 The Cabinet Office, Government Security Classifications, May 2018, p4

Published: 25 July 2019