2.9.7 Information Classification Policy

Effective date: June 30, 2014
Responsibility: Vice-President, Legal Services, General Counsel and Corporate Secretary

Application

This policy applies to all CBC/Radio-Canada employees.

Responsibility

This policy is the responsibility of the Corporate Secretary. All questions pertaining to its interpretation or application should be referred to the Corporate Secretariat.

Statement of Policy

All CBC/Radio-Canada employees must properly classify information (i.e., documents and records) they create, regardless of its format (i.e., written, electronic, analog, or digital), to ensure that the information is appropriately protected, stored or handled. Employees are also responsible for handling information they receive, access, use, store and dispose of in a manner that is consistent with its assigned classification. Any use of, or access to, CBC/Radio-Canada information constitutes a consent to the terms and conditions of this policy.

NOTE: An assigned classification does not automatically shield information from release under the Access to Information Act. Information, regardless of its assigned classification, will continue to be reviewed by the ATIP Office to ensure that the provisions of the Access to Information Act are appropriately applied.

Classification Levels

The following information classification levels are in effect at CBC/Radio-Canada:

Unrestricted information does not contain any sensitive information and, if made public, would have insignificant operational, financial, legal or reputational impact on the Corporation. It can be accessed or copied without restriction and can be shared without approval from its authors or owners.

Information that is intended to be used solely within CBC/Radio-Canada or by its designated partners on a “need to know” basis is classified as For Internal Use, Confidential, or Restricted use depending on its level of sensitivity, the risk and extent of potential operational, financial, legal or reputational impact on the Corporation and its employees if the information is compromised (i.e., is lost, corrupted, or made public without proper authorization).

  • The For Internal Use classification is assigned to information that is sensitive which, if compromised, would likely have minor operational, financial, legal or reputational impact on the Corporation. (See Appendix for general thresholds from Risk Management Policy.)

  • The Confidential classification is assigned to information that is very sensitive which, if compromised, would likely have moderate operational, financial, legal or reputational impact on the Corporation. (See Appendix for general thresholds from Risk Management Policy.)

  • The Restricted classification is assigned to information that is highly confidential and sensitive which would be accessed by a very limited and controlled number of employees and which, if compromised, would likely have major or severe operational, financial, legal or reputational impact on the Corporation. (See Appendix for general thresholds from Risk Management Policy.)

Other Applicable Policies:

  • Records and Information Management Policy
  • Personal Information and Privacy Protection Policy
  • Access to Information Policy
  • Email Management Policy
  • Risk Management Policy

Information Classification Rules and Procedures

  1. For Internal Use Records
    • For Internal Use records are stored in E-Archives, kept in CBC/Radio-Canada premises or at a designated offsite storage facility and disposed of using local secure shredding facilities.
    • If it is operationally necessary to transmit a For Internal Use record to a third party, to carry it outside CBC/Radio-Canada premises, or to store it on a mobile device, employees must ensure that it is done with care.
  2. Confidential Records
    • Confidential records must be visibly identified as being “CONFIDENTIAL”.
    • Confidential records are stored in E-Archives, kept in CBC/Radio-Canada premises or at a designated offsite storage facility and disposed of using local secure shredding facilities.
    • Confidential records are accessible by, or shared with, employees or groups of employees who require access to such information to perform their specific duties.
    • If it is operationally necessary to transmit a Confidential record to a third party, to carry it outside CBC/Radio-Canada premises, or to store it on a mobile device, employees must ensure that it is done in a secure manner.
  3. Restricted Records
    • Restricted records must be visibly and fully identified as being “RESTRICTED”.
    • Restricted records must be stored in E-Archives, kept in CBC/Radio-Canada premises under lock and key and disposed of using local secure shredding facilities.
    • Access to, and distribution of, Restricted records must be controlled, very secure, and limited to only a few explicitly identified employees.
    • If it is operationally necessary to transmit a Restricted record to a third party, to carry it outside CBC/Radio-Canada premises, or to store it on a mobile device, employees must ensure that it is done in a controlled and secure manner.
  4. Records containing personal information
    • Records containing personal information must, at a minimum, be classified as Confidential. (See Appendix for Personal Information and Privacy Protection Policy.)

  • Business records that are not classified as either Confidential or Restricted or that are not public should be generally handled as if they were classified For Internal Use.

  • While it is not necessary to affix a “FOR INTERNAL USE” label on all documents classified as For Internal Use, those that are clearly not meant to be circulated externally even though they are distributed widely within the corporation should be clearly labelled “FOR INTERNAL USE”.

  • Records created prior to the coming into force of this policy should be handled as if they were appropriately classified.

  • A record may be declassified or reclassified to a different level by its author or the person subsequently occupying the author’s position, the manager to whom the author or author’s position reports, or any person authorized to do so by the Component’s vice-president.

Tools and Resources

APPENDIX

Risk Management Policy – Risk Assessment Definitions / Impact Definitions:

  • Severe: Multiple deaths and/or significant asset loss with extreme consequences and/or total service cessation for a day or more and/or severe revenue or cost impact and/or severe impact on the Corporation’s reputation.
  • Major: Single death and/or multiple injuries and/or loss of asset(s) with high consequences and/or total service cessation for the number of hours and/or serious revenue impact or cost and/or major impact on the Corporation’s reputation.
  • Moderate: Individual injury and/or loss of asset(s) with medium consequences and/or partial service cessation and/or significant revenue or cost impact and/or moderate impact on the Corporation’s reputation.
  • Minor: First aid and/or loss of asset(s) with minimal consequences and/or minor service interruption and/or small revenue or cost impact and/or minor impact to the Corporation’s reputation.
  • Insignificant: No injuries and/or minor loss of asset(s) and/or negligible revenue or cost impact and/or insignificant impact on the Corporation’s reputation.
