Skip to main content

Classify information

Questions 3 to 9 — classify the information accurately, so you can properly assess its value and risks.

Questions 3 to 9 — information classification

Table 1 lists who is responsible for answering each question.

Context and help for questions 3 to 9

Record your answers to these questions in either:

Questions to answer

  1. What is the security classification of the information based on the NZ government guidelines for protection of official information?
  2. Are there any specific concerns related to the confidentiality of the information that will be stored or processed by the public cloud service?
  3. Does the data include any personal information?
  4. Who are the users of the information?
  5. What permissions to the information do the users need?
    • For example — do they require permissions to read, write, modify, delete or a combination of these?
  6. What legislation applies to the information — for example, the Privacy Act 2020, Official Information Act 1982, Public Records Act 2005 or a combination of these or others?
  7. What contractual obligations apply to the information?

Table 1: Who answers each question

Entity Questions to answer
Government organisation 3, 4, 5, 6, 7, 8, 9
Service provider None

Context and help for questions 3 to 9

The following guidance gives you context and help for answering questions about information classification.

Why government organisations must classify information

If you do not classify data that will be stored, processed and sent in a public cloud service, there may be a mismatch between the information’s classification level and a public cloud service’s:

  • security controls
  • cost
  • availability to help in achieving your organisation’s business objectives.

Work out the classification level for the information

To do a risk assessment, the business owner and stakeholders need to classify the information they’re planning to use with a public cloud service.

Classify information

How to avoid mistakes in classifying information

The business owner leads the classification of the information and should make sure to:

  • consult the right stakeholders
  • use 2-way communication to learn the details needed for classifying the information.

Setting up a successful risk assessment

Classification levels that can use public cloud services

Government organisations are encouraged, with appropriate security controls, to use public cloud services for information that is:

  • unclassified
  • in-confidence
  • sensitive
  • restricted.

Classification levels that cannot use public cloud services

Government organisations, as decided by Cabinet, cannot use public cloud services for information that is:

  • confidential
  • secret
  • top-secret.

Cabinet minutes for public cloud services

Under-classifying information

If you wrongly classify information at a lower level than it is in reality, the public cloud service might:

  • not have the needed security controls
  • be used insecurely — the proper security controls exists, but you do not set them up because you think the information has less value and risk than it does in reality.

Be careful — confidential, secret and top-secret

Information with these levels of classification should never be used in public cloud services, regardless of the security controls in place.

If under-classifying information that’s actually confidential, secret or top-secret, you might end up using a public cloud service when it’s inappropriate to do so.

Example of under-classifying information

The business owner assesses information as being ‘RESTRICTED’, but it’s actually ‘CONFIDENTIAL’ in reality.

Over-classifying information

If you wrongly classify information at a higher level than it is in reality, the public cloud service might:

  • have unnecessary security controls, increasing its cost for no reason
  • be rejected.

Be careful — unclassified, in-confidence, sensitive and restricted

If over-classifying information that’s actually unclassified, in-confidence, sensitive or restricted, you might end up turning down public cloud services that could actually help your organisation to achieve its business objectives.

Example of over-classifying information

The business owner assesses information as being ‘SECRET’, but it’s actually ‘RESTRICTED’ in reality.

Utility links and page information

Was this page helpful?
Thanks, do you want to tell us more?

Do not enter personal information. All fields are optional.

Last updated