
SECURITY GUIDANCE FOR 3RD PARTIES
April 2011

Handling of Sellafield Ltd information


1. Purpose of Brief

To ensure that information which has been deemed as commercially sensitive to Sellafield Ltd and / or government Protectively Marked, and which has been entrusted to its Customers, Partners and Contractors is controlled in a manner appropriate to the sensitivity of that information and in accordance with the applicable statutory requirements.

2. Scope of Brief

To provide guidelines for Customers (e.g. NDA), Partners and Contractors with regard to the minimum controls that should be applied to the handling, storage and disposal of marked information that has been transmitted to the Customer, Partner or Contractor. Contractual Terms and Conditions may already have been laid down prior to the issue of such information to a third party, and these guidelines should be read in conjunction with those terms and conditions. Once those conditions are accepted, documents should be handled in accordance with the details below.

Should the Customer, Partner or Contractor feel that there are conflicting requirements between this document and the agreed Contractual Terms and Conditions, they should contact their nominated contact before accepting ownership of Sellafield Ltd information. Until the conflicting requirements have been resolved, the more stringent of the controls should be applied.

A series of markings is applied to information in the nuclear industry. This is a requirement of the civil nuclear security regulations and standards, enforced within the industry by ONR (Office for Nuclear Regulation) Security Division.

Information type | Applicable markings
--- | ---
Company/Commercially Sensitive; Personal, Medical etc | PROTECT
Sensitive Nuclear Information (as defined by ONR Classification Policy) | RESTRICTED, CONFIDENTIAL, SECRET, TOP SECRET

The markings are listed in ascending order of sensitivity, from Low (PROTECT) to High (TOP SECRET).

No information with any of the above markings should be released into the public domain but, subject to certain controls being met, may be distributed for official use* subject to the approval of Sellafield Ltd. This brief concentrates on information with the PROTECT and RESTRICTED markings, which constitute the bulk of marked information issued to 3rd parties.

*Official Use relates to any information distributed under the terms of an existing contract. Where no contract exists a formal Confidentiality Agreement must be in place prior to distribution.

As a minimum all information is to be treated on a ‘Need to Know’ principle, in other words, no more information should be provided than needed to carry out work in a safe, secure and efficient manner.

With regard to contracts, failure to meet the minimum security requirements for RESTRICTED and above may result in:

• Instructions to take certain actions to secure SNI.
• Retrieval of SNI from contractor’s premises.
• Removal of persons from the contract.
• Suspension of all or part of the contract.

3. Commercially Sensitive and Personal Information

Commercially sensitive and personal information may previously have been issued with the marking ‘Commercial’, ‘Authorised Distribution’ or ‘Listed Readers Only’. With effect from May 2011 Sellafield Ltd has adopted the PROTECT marking to cover these types of information. Any information received historically should still be protected in accordance with these guidelines.

3.1 Definition of ‘PROTECT’

The PROTECT marking is to be used for information that requires a level of protection on account of its sensitivity, but is not sensitive to national security. This may mean information about contracts with other companies, personal information of individuals or any other information that could impede the commercial activities of Sellafield Ltd or the Nuclear Decommissioning Authority (NDA).

Details on how to manage PROTECT information can be found at Appendix 1 of this document.

4. Sensitive Nuclear Information (SNI)

4.1 Definition of Sensitive Nuclear Information

“Information relating to activities carried out on or in relation to nuclear sites or other nuclear premises which appear to the Secretary of State to be information which needs to be protected in the interest of national security.” (Extract from the Anti-terrorism, Crime and Security Act 2001, as amended.)

4.2 Regulations

All companies and individuals employed by, contracted to or working in partnership with your organisation with responsibility for any protectively marked aspects will be bound by Section 79 (and Section 80 if applicable) of the Anti-terrorism, Crime and Security Act 2001 and Regulation 22 of the Nuclear Industries Security Regulations 2003.

Anti-terrorism, Crime and Security Act 2001:

• This applies to individuals in the UK and to UK nationals abroad.

• All persons in the UK and UK citizens abroad are bound by Section 79 of the above Act, entitled ‘Prohibition of Disclosures Relating to Nuclear Security’.

• In basic terms: All those employed by or contracted to your organisation must not disclose, without appropriate authority, any information, whether or not it bears or attracts a protective marking, that may be counter to the interests of the United Kingdom or of Sellafield Ltd.

• To do so, either intentionally or recklessly, may constitute a breach of section 79, which may result in prosecution.

Nuclear Industries Security Regulations 2003 (as amended):

• Specifically, Regulation 22 of the NISR 2003 is relevant where many Customers, Partners and Contractors are concerned. It details the duties of persons with sensitive nuclear information outside of a nuclear licensed site.


4.3 RESTRICTED SNI

RESTRICTED SNI is classified as such in line with the ONR Classification Policy document, which is issued to Contracting Authorities (such as Sellafield Ltd) for use – the document is marked PROTECT-REGULATORY. Copies of this are available on request.

Prior to receiving information marked as RESTRICTED, each supplier will be asked to sign a Security Aspects Letter (SAL). A SAL is issued for each separate scope of work, so where multiple classified contracts are held by a single supplier, multiple SALs should be in place.

Details on how to manage RESTRICTED information can be found at Appendix 2 of this document.

4.4 CONFIDENTIAL SNI

4.4.1 General Information

Suppliers should note that CONFIDENTIAL SNI requires a significantly higher standard of security in order to protect it than that required for RESTRICTED SNI.

As such, the release of this level of information from Sellafield Ltd to the supply chain will be limited. Approval for releasing CONFIDENTIAL SNI is sought from the civil nuclear regulator, ONR (Office for Nuclear Regulation) Security Division, via the Sellafield Ltd Contract Security department.

Should you have a requirement to hold CONFIDENTIAL SNI for Sellafield Ltd contracts at your own premises, please contact the Contract Security team.

5. Security Contact Details

Email: contract.security@sellafieldsites.com

Tel:
019467 71534 (Sellafield)
01925 832054 (Risley)

Appendix 1 - Handling PROTECT marked information (or existing COMMERCIAL information)

Each entry below gives the Action followed by its Handling Instruction.

General

Creation: In hard copy/handwritten or on IT systems. No accreditation is required for the IT system.
Creation (audio recording): Yes. The media the recording is stored on should then be protected in line with this practice.
NB: Recordings may attract a higher marking than the written word due to the number of contributors to a conversation.
Identification (paper): Header and footer to bear the word PROTECT in bold capital letters, with any Descriptors to follow in the same manner.
Identification (Exchangeable Media): CD/DVD/USB devices should be marked with PROTECT and the Descriptor where possible.
Identification (Email): Emails and their attachments should be marked. The word PROTECT and the Descriptor should appear in the ‘Subject’ and within the text at the start of the email.
Storage (on a network/computer): On the Sellafield Ltd IT network or any other machine.
Storage (paper and Exchangeable media): Must be locked away when not in use. Keys should be stored away from the lock which they open, i.e. in a controlled key press or removed from the building. Standard office furniture will suffice. Ideally 2 physical barriers overnight (i.e. cabinet/drawer and room, both locked and the keys removed and secured).
Printing: On networked printers. Remove from the printer immediately.
Registration: Not required.
Audit: Not required.
Copying: Keep to a minimum. Spare copies should be reviewed regularly for destruction. Remove from the copier immediately.
Home Working: Yes. Must be authorised by the SL line manager or S.O; if a property pass is required this should reference the materials taken home. Protect information in line with this practice. No processing of company information should be undertaken on personal computing equipment unless using the Sellafield Sites Secure Portal. Do not leave in the home unattended for long periods of time (e.g. holidays).
Personnel Security Clearance: No formal requirement, but basic employment checks should have been completed.
Caveat: PROTECT is not recognised in other countries. If sending overseas, information must be re-marked with the caveat “Handle as UK RESTRICTED” before it is sent to foreign governments or international organisations, e.g. PROTECT – Handle as UK RESTRICTED, together with the text: “This information has been communicated in confidence to [the receiving government] and should not be released without the agreement of the British Government”. Do not issue outside the UK without prior approval from the Sellafield Ltd Security Department.
Information lost or compromised: Report to the Sellafield Ltd Security Department.

Transmission

Security Aspects Letter required prior to transmission?: No.
Sending by internal Email: Yes. Must be marked.
Sending by external Email (over the Internet): Yes. Must be marked. The benefit to the business must outweigh the risk of loss or compromise of the information. Use the Caveat (above) if emailing overseas. Prior approval required.
Sharing in E-rooms: Yes. Must be marked. The benefit to the business must outweigh the risk of loss or compromise of the information.
Sending by Fax (UK): Yes. Make sure the recipient is available to receive the fax before sending and do not send to unoccupied premises.
Sending by Fax (Overseas): Yes. Use the Caveat (above). Prior approval required. The benefit to the business must outweigh the risk of loss or compromise of the information. Make sure the recipient is available to receive the fax before sending and do not send to unoccupied premises.
Sending by Post (Internal Mail): Yes. A single envelope is acceptable. Addressed to a specific person. Do not mark the envelope with the word PROTECT or the Descriptor.
Sending by Post (UK): Yes. A single envelope is acceptable. Addressed to a specific person. Do not mark the envelope with the word PROTECT or the Descriptor.
Sending by Post (overseas): Yes. Use the Caveat (above). Prior approval required. The benefit to the business must outweigh the risk of loss or compromise of the information. Send in a sealed cover or secured container by post, courier or messenger service, preferably by guaranteed next day delivery against a signature, or by commercial courier. Addressed to a specific person. Do not mark the envelope with the word PROTECT or the Descriptor.
Discussion over a landline telephone: Yes.
Discussion over a mobile telephone: Yes.
Discussion over video conferencing: Yes.
Removal from premises/travelling: Avoid if possible. Where required, use a briefcase, box or pouch which must remain with the carrier at all times.
Travelling within a site: Yes. Where required, use a briefcase, box or pouch which must remain with the carrier at all times.

Audience/Distribution

All recipients: The ‘Need to Know’ principle is to be applied at all times – if a person does not NEED to know the information, they should not be given it, nor should there be any way that they can access it.
External organisations – paper (Supply chain/contractors): Yes.
External organisations – electronic media (Supply chain/contractors): Yes.
External organisations – paper (non-contracted bodies): No. Contact the Sellafield Ltd Security Department if this requirement arises.
External organisations – electronic Exchangeable media (non-contracted bodies): No. Contact the Sellafield Ltd Security Department if this requirement arises.

Publication

Can it be released into the public domain?: No.
Can it be used in presentations internally?: Yes – the Need to Know principle must be adhered to.
Can it be used in presentations externally?: No. Contact the Sellafield Ltd Security Department if this requirement arises.

Destruction & Disposal

General: Should be destroyed by the originator, their successor or a duly authorised individual.
Destruction of paper: Must be shredded at source.
Destruction of Exchangeable media: Magnetic and optical media to be wiped of all data before re-use. CD ROMs should be cut into four or more pieces and disposed of with Non Protectively Marked waste.
Destruction of hard drives from PCs and laptops: Hard drives from PCs and laptops to be wiped using an approved HMG secure erasure package. They can then be re-used or destroyed via the local IT department.

Appendix 2 – Handling RESTRICTED marked information

Each entry below gives the Action followed by its Handling Instruction.

General

Creation: Hard copy/handwritten, or on the Accredited Sellafield Ltd IT Network or Accredited Standalone IT Systems. Contact the Security Department to enquire about Accreditation.
Creation (audio recording): Yes. The media the recording is stored on should then be protected in line with this practice.
NB: Recordings may attract a higher marking than the written word due to the number of contributors to a conversation.
Identification (paper): Header and footer to bear the word RESTRICTED in bold capital letters, with any Descriptors to follow in the same manner.
Identification (Exchangeable Media): CD/DVD/USB devices should be marked with RESTRICTED and the Descriptor where possible.
Identification (Email): Emails and their attachments should be marked. The word RESTRICTED and the Descriptor should appear in the ‘Subject’ and within the text at the start of the email.
Storage (on a network/computer): On an Accredited IT network or an Accredited IT Standalone system. The Sellafield Ltd IT network is Accredited up to RESTRICTED level.
Storage (paper and Exchangeable media): Must be locked away when not in use. Keys should be stored away from the lock which they open, i.e. in a controlled key press or removed from the building. Standard office furniture will suffice. Ideally 2 physical barriers overnight (i.e. cabinet/drawer and room, both locked and the keys removed and secured).
Printing: Printers linked to Accredited systems only. Remove from the printer immediately.
Registration: Not required.
Audit: Not required.
Copying: Keep to a minimum. Spare copies should be reviewed regularly for destruction. Remove from the copier immediately.
Home Working: Yes. Must be authorised by the SL line manager or S.O; if a property pass is required this should reference the materials taken home. Protect information in line with this practice. No processing of company information or RESTRICTED information should be undertaken on personal computing equipment. Do not leave in the home unattended for long periods of time (e.g. holidays).
Personnel Security Clearance: For regular access, the requirements of the Baseline Personnel Security Standard (BPSS) should be met.
Caveat: Do not issue outside the UK without prior approval from the Sellafield Ltd Security Department. If sending overseas, the letters ‘UK’ should be added before the marking, and the following text added: “This information has been communicated in confidence to [the receiving government] and should not be released without the agreement of the British Government”.
Information lost or compromised: Must be reported to ONR via the Information Security Department as soon as a breach or loss is discovered, and no later than 24 hours after discovery of the event. May result in disciplinary action.

Transmission

Security Aspects Letter required prior to transmission?: Yes, if sending externally to any other party – contact the Sellafield Ltd Security Department in all cases for prior approval.
Sending by internal Email: Only on formally Accredited IT systems.
Sending by external Email (over the Internet): No.
Sharing in E-rooms: No, as the E-room is on the wider internet.
Sending by Fax (UK): Yes. Make sure the recipient is available to receive the fax before sending and do not send to unoccupied premises.
Sending by Fax (Overseas): No.
Sending by Post (Internal Mail): Yes. A single envelope is acceptable. Addressed to a specific person. Do not mark the envelope with the word RESTRICTED or the Descriptor.
Sending by Post (UK): Yes. A single envelope is acceptable. Addressed to a specific person. Do not mark the envelope with the word RESTRICTED or the Descriptor. The envelope must bear a return address.
Sending by Post (overseas): Yes, only with approval from ONR via the Sellafield Ltd Security Department. Use the Caveat (above). Send in a sealed cover or secured container by post, courier or messenger service, preferably by guaranteed next day delivery against a signature, or by commercial courier. Addressed to a specific person. Do not mark the envelope with the word RESTRICTED or the Descriptor. Consideration should be given as to whether an export licence is required – refer to the Safeguards department.
Discussion over a landline telephone: Yes – only for information that is not defence related or nuclear proliferation sensitive.
Discussion over a mobile telephone: No.
Discussion over video conferencing: Not over public networks.
Removal from premises/travelling: Avoid if possible. Where required, use a briefcase, box or pouch which must remain with the carrier at all times.
Travelling within a site: Yes. Where required, use a briefcase, box or pouch which must remain with the carrier at all times.

Audience/Distribution

All recipients: The ‘Need to Know’ principle is to be applied at all times – if a person does not NEED to know the information, they should not be given it, nor should there be any way that they can access it.
External organisations – paper (Supply chain/contractors): Yes. The Security Department is to be contacted prior to sending information, to authorise and issue a Security Aspects Letter.
External organisations – electronic media (Supply chain/contractors): Yes, on an Accredited computer or IT system. The Security Department is to be contacted prior to sending information, to authorise and issue a Security Aspects Letter.
External organisations – paper (non-contracted bodies): No. Contact the Security Department if this requirement arises.
External organisations – electronic Exchangeable media (non-contracted bodies): No. Contact the Security Department if this requirement arises.

Publication

Can it be released into the public domain?: No.
Can it be used in presentations internally?: Yes – the Need to Know principle must be adhered to.
Can it be used in presentations externally?: No.

Destruction & Disposal

General: Should be destroyed by the originator, their successor or a duly authorised individual.
Destruction of paper: Must be shredded at source.
Destruction of Exchangeable media: Magnetic or optical media wiped using an approved HMG secure erasure package. May then be destroyed or re-used. CD ROMs should be cut into four or more pieces and disposed of with Non Protectively Marked waste.
Destruction of hard drives from PCs and laptops: As per the IT system accreditation documentation agreed with the Sellafield Ltd Security Department.