ARCHIVED – Chapter 5: Handling and safeguarding of classified and protected information and assets

Archived information

This information has been archived and replaced by the Contract Security Manual.

Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived.

On this page

500. General

  1. The Government of Canada is responsible for stipulating and applying the required level of security for its information and assets. These levels are Protected A, B, or C and as well as Confidential, Secret and Top Secret.

    When an organization is awarded a contract that calls for safeguarding at any of these security levels, the company security officer (CSO) is responsible for consulting the appropriate government department regarding the level of security to be applied for any in-house documentation created by the organization in support of the contract. The creator of the documentation must then ensure that it is appropriately marked and safeguarded.

  2. The improper handling and safeguarding of protected and classified information and assets is the leading cause of difficulties that result in the suspension or revocation of an organization's designated organization screening (DOS) or facility security clearance (FSC). The application of the procedures, detailed throughout this chapter, will help to reduce the risk of a security infraction or breach.

  3. Access to information and assets must be limited to persons who have the appropriate reliability screening or security clearance and who have a need-to-know. Precautions must be taken to ensure that persons who are not cleared and who may be in the proximity of information and assets do not gain access to this information and assets.

  4. Particular attention should be paid to the requirements for control and registration of information and assets and to the proper procedures for their packaging and transmittal predicated on the Policy on Government Security.

  5. Additional requirements exist for the handling of communications security (COMSEC) information and assets, over and above those safeguards outlined in this chapter.

Refer to the COMSEC Support to the Private Sector—Project Managers' Quick Reference Guide. Contact the Contract Security Program to request a copy of this guide.

501. Security warning for contractor produced publications

  1. Unless otherwise specified in the contract, where a contractor is producing a publication on behalf of the Government of Canada that contains protected information, the following warning must be printed on both the front cover and title page:

    "This publication contains PROTECTED information, which must be safeguarded under the provisions of Canada's Policy on Government Security. It has been produced by (contractor's name) under the provisions of (contract number or other authorization) on behalf of (the Government of Canada the department, as applicable). Release of this publication or of any information contained herein to any person not authorized by the originating agency to receive it is prohibited."

  2. All classified publications, pamphlets, handbooks or brochures which are produced by a contractor on behalf of the Government of Canada must have, in addition to the regular security classification markings as prescribed in this chapter, the following security warning on both the front cover and the title page:

    "This publication contains CLASSIFIED information affecting the national interest of Canada. It has been produced by (contractor's name) under the provisions of (contract number or other authorization) on behalf of (the Government of Canada or the department, as applicable) and is to be safeguarded, handled and transported in accordance with the Policy on Government Security. Release of this publication, or of any CLASSIFIED information contained herein, to any person not authorized to receive it is prohibited by the Security of Information Act."

  3. Where a contractor produces classified publications on behalf of a foreign government department or agency, any warning must be worded as stipulated in the contractual documentation.

You may contact international contract security to obtain further advice and assistance.

For more information, refer to the Security of Information Act.

502. Marking protected and classified information

General

Protected and classified information must be marked, as a minimum, according to the standards detailed in this manual.

Marking

Organizations are required to implement the following procedures for marking information:

  1. for protected information, mark the word "PROTECTED" in the upper right corner of the face of the document and where required, with the letter "A", "B" or "C" to indicate the level of safeguarding
  2. for Confidential information, mark the word "CONFIDENTIAL" in the upper right corner of the face of the document
  3. for Secret information, mark the word "SECRET" in the upper right corner of each document page
  4. for Top Secret information, mark the words "TOP SECRET" in the upper right corner of each document page and show the total number of pages on each page of the document (for example, "Page 2 of 10")
  5. mark covering or transmittal letters or forms or circulation slips to show the highest level of classification or protection of the attachments
  6. mark all materials used in preparing protected and classified information (such material includes notes, drafts, carbon copies and photocopies)
  7. the letters used in marking should be larger than those used in the text of the document
  8. printed forms that only become protected and classified when completed should be so marked, for example:

    a. "CONFIDENTIAL"
    (when completed)

  9. in addition to marking individual pages as stipulated above, documents must be appropriately marked on the outside of both the front and back covers
  10. loose documents must be marked on every sheet
  11. images such as charts, maps and drawings must be prominently marked near the margin or title block in such manner that the marking is clearly visible when the document is folded
  12. security markings should include the applicable protection or classification and the date or event at which declassification or downgrading is to occur, if it is possible to determine this at the time the information is created or collected

Marking copies

Organizations are required to implement the following procedures for controlling copies of classified information:

  1. control copies of Confidential documents as for secret when warranted by a threat and risk assessment
  2. for secret information, number each copy, show the copy number on the face of each copy and maintain a distribution list
  3. for top secret information, assign a unique whole number to each copy, marking the copy number on each page and maintain a distribution list. Recipients of top secret information must not copy it without specific authorization of Public Services and Procurement Canada (PSPC)

Marking microforms

  1. Microform is a generic term for any storage medium that contains micro-images
  2. Organizations are required to implement the following procedures for the marking of microforms:
    1. assign a protection or security classification at the highest protection or classification of the information contained on the microform
    2. mark microforms containing protected information "PROTECTED" in eye-readable form, with the microform number and the total number of microforms
    3. mark microforms containing classified information with the proper classification in eye-readable form, with the microform number and the total number of microforms

Marking electronic storage material

  1. Electronic material on which is stored protected and classified information is to be assigned a protection and security classification at the highest protection or classification of the information it contains
  2. Where possible, the security marking should be in both eye-readable and machine-readable form. Where this is not possible, as with certain types of hard disks, the security marking should be machine-readable
  3. Electronic storage material includes flexible disks, hard disks (both removable and permanent), storage cartridges, printed output from computers, video display units, magnetic tapes, magnetic cassettes, punched cards and punched paper tapes
  4. Removable storage material should bear standard labels. Where bypass label processing is allowed, procedures are needed to ensure that the proper item is loaded into the computer.

    Refer to ARCHIVED - Chapter 8: Information Technology Security of this manual.

  5. Specific advice on how to mark various forms of electronic storage material may be obtained from PSPC's Contract Security Program (CSP)

International documentation

Marking must be in accordance with international industrial security memoranda of understanding, agreements or other international standards and guidelines.

You may contact international contract security to obtain further advice and assistance.

503. Records management

General

Organizations must maintain records and establish adequate facilities, such as a records office, for receiving, distributing and storing protected and classified information and assets.

Recording of protected information and assets

Unless specifically identified in a contract, there is no requirement to keep records of protected information and assets, except for Protected C, which must be recorded in the same manner as classified information and assets. Persons receiving or granted access to protected information and assets must be briefed on their responsibilities for its safeguarding.

Recording of classified information and assets

A record must be kept of the dates, names and transactions of all classified information and assets indicating:

  1. receipt by the facility
  2. distribution within the facility
  3. creation within the facility
  4. reproduction within the facility
  5. destruction within the facility
  6. transmittal outside the facility
    • Transmittal of information and assets outside the facility must be performed as detailed in section 506. Packaging and transmittal of classified and protected information and assets of this chapter. Records of distribution, circulation and return within the facility must include receipt by signature, of the persons involved. Persons who have access to classified information and assets must be briefed on their responsibilities for its protection, and any special restrictions concerning its use or further dissemination
  7. All records of classified information and assets and all classified information and assets must be made available for inspection by field industrial security officers of PSPC's CSP

Records office security

Management of records offices, or parts thereof, where protected and classified information is stored or processed must ensure the following procedures are followed:

  1. as a minimum, these offices must be managed as a security zone
  2. records office staff who have access to protected and classified information must hold a reliability status or personnel security clearance to the highest level required
  3. protected and classified information must be filed and circulated in marked file jackets that clearly indicate they contain protected and classified information
  4. a file must be marked according to the highest level of sensitivity retained in the file
  5. areas where mail is opened must be managed according to mailroom security standards. Refer to the section on Mailroom security below
  6. release of protected files from records offices must be limited to employees with reliability status with a need-to-know
  7. release of confidential files from records offices must be limited to security-cleared employees with a need-to-know
  8. release of top secret and secret files from records offices must be limited to appropriately security-cleared employees with a need-to-know. Those personnel authorized access must be identified on an access list approved by the responsible manager (such as the project manager)
  9. classified information of foreign origin must be accorded the same protection as Canadian information of equivalent classification. If in doubt, contact international contract security to obtain further advice and assistance
  10. special precautions are necessary to prevent unauthorized disclosure or access to classified information and assets to non-Canadian citizens:
    • such persons must not be given access to information that bears restrictive markings such as "FOR CANADIAN EYES ONLY" without prior approval of PSPC's CSP
    • further restrictions may apply to bilateral and multinational contracts, programs or projects. If in doubt, contact PSPC's CSP

Mailroom security

Areas where mail is opened must be managed as a security zone or high-security zone. Mail that is marked "to be opened only by the addressee" must be delivered to the intended recipient directly. Classified mail must only be opened by the appointed authority within the facility responsible for ensuring its registration.

504. Safeguarding of information and assets

Storage

  1. As a minimum, protected information and assets must be stored in a locked container. Protected C information and assets and all classified information must be stored in an approved security container in accordance with the Royal Canadian Mounted Police (RCMP) Technical Security Branch Security Equipment Guide (G1-001). Protected or classified information and assets may be stored on open shelving in a secure room, only after inspection and approval by PSPC's CSP and only to the level approved by PSPC's CSP
  2. Protected and classified information and assets must not be stored in the same container as negotiable or attractive assets
  3. Organizations required to store protected and classified information and assets are permitted to purchase approved security equipment through PSPC's CSP. In consultation with the field industrial security officer (FISO), the CSO or alternate company security officer (ACSO) should determine the equipment to meet the specific requirement, and submit the ARCHIVED - Annex 5-A: Registering a document for equipment purchase form in this chapter. After endorsement by the FISO, PSPC's CSP will process the request, although the invoicing and delivery for the equipment is between the purchaser (the CSO) and the supplier. Examples of equipment available through this procedure are listed in ARCHIVED - Annex 5-B: Approved equipment available for purchase by organizations

Keys for containers

  1. Keys (devices such as instruments, cards, combinations and code numbers used to open and close containers) must be safeguarded at the highest level of sensitivity of the information or assets to which they provide access. This also applies to recorded information that would allow a key to be produced
  2. When a key is issued, the recipient must sign for the key. The number of the key, the location of the container it opens, and the name of the recipient must be recorded and kept by the CSO
  3. The organization's security office must maintain a record of the dates of, and reasons for, all key changes
  4. Assigned keys should be changed:
    • at least every 12 months
    • when those with access to the container are transferred, released or no longer require access

    The key must be changed immediately when a container has been or may have been compromised.

Precautions during use

Special care must be taken to safeguard against disclosure or unauthorized access when protected and classified information and assets are removed from approved storage containers. Specific points to observe are:

  1. do not leave protected and classified information and assets unattended
  2. ensure that protected and classified information and assets cannot be viewed, or discussion of it overheard, by persons not possessing reliability screening or the appropriate level of clearance or without a need-to-know

505. Use of laptop computers

1. If laptop computers are utilized for protected or classified information, they must not be removed from the organization that holds the facility security clearance (FSC) or designated organization screening (DOS). If such laptops need to be transported, written permission must be obtained from the CSO or an ACSO by completing the ARCHIVED - Annex 5-D: Appendix A-1—Courier certificate/itinerary form.

2. Storage of laptop computers used to handle protected or classified information must be in accordance with security procedures established by the organization for the level of sensitivity of the information.

506. Packaging and transmittal of classified and protected information and assets

1. The security of protected and classified information and assets during transmission depends on:

  1. proper packaging
  2. record while in transit
  3. record of delivery
  4. transmission by an approved postal service or security-cleared courier. Contact international contract security regarding approved postal services and security-cleared couriers

2. Protected and classified information and assets must be packaged and transmitted in accordance with the standards outlined in ARCHIVED - Annex 5-C: Standard for the transmittal of classified and protected information and assets.

3. In addition, specific procedures for the hand carriage of and/or bulk shipment of specific protected and classified information and assets are necessary. These procedures are detailed in the following annexes and appendices:

507. Temporary removal of classified and protected information and assets

1. Protected and classified information and assets cannot be removed from an organization, for transportation or use outside of Canada, without the prior approval of PSPC's CSP.

2. In Canada, with the exception of Top Secret, Protected C and COMSEC material, protected and classified information and assets may be taken temporarily from an organization. Written permission must be obtained from the CSO or an authorized ACSO by completing the ARCHIVED - Annex 5-D: Appendix A-1—Courier certificate/itinerary form.

3. The CSO or ACSO must record, and obtain a receipt for the information and assets to be removed.

4. If protected and classified information and asset removal is authorized for overnight use, the employee must be informed that this does not constitute continued retention authority and the information and assets are to remain in the possession of the employee at all times.

5. The CSO or ACSO must account for and record the material upon its return, and give the employee a receipt for the returned material.

508. Reproduction

1. Reproductions of protected information must be marked in the same manner as the originals. Reproduction of classified information must only be done with the authorization of the CSO, or an authorized ACSO. Reproductions must be marked, registered and accounted for, in the same manner as for the originals.

2. Some classified information bears a caveat prohibiting or restricting reproduction. In such cases, authorization of the originator is required before reproduction. Protected C, Top Secret, and COMSEC information must never be reproduced without written authorization from PSPC.

3. Special precautions must be taken with the use of photocopy machines. Notices concerning the proper procedures for reproduction of information must be placed in an obvious place close to each machine. Care should be taken to ensure that original documents are not left in the machine, and all copies, including waste, are removed.

4. Contracts for printing and microfiching of protected and classified documents must only be awarded to commercial firms that have the appropriate level of DOS or FSC.

509. Reclassification and declassification

1. Documents whose classification markings include a schedule for downgrading or declassification may be downgraded or declassified in accordance with the schedule, unless in receipt of notification to the contrary. Documentation that does not contain such provisions may only be downgraded or declassified upon receipt of written authorization from the originator through PSPC's CSP.

2. When an organization considers that foreign or North Atlantic Treaty Organization (NATO) classified information should be downgraded or declassified, it must submit a written request to international contract security with full details, including justification.

3. When official notification is received from PSPC's CSP authorizing the reclassification of a document, all copies must be re-marked with the new classification as follows:

Declassified
or
Downgraded to (insert new classification)
or
Upgraded to (insert new classification)
by authority of Public Services and Procurement Canada letter dated (insert date)
or
by authority of Security Requirements Checklist dated (insert date)
or
by authority of contract dated (insert date)

510. Retention

1. When a bid is not accepted, or upon completion or termination of the contract, protected and classified material and assets must be returned to PSPC's CSP for disposal or, with the written concurrence of PSPC, be destroyed by the organization or returned to the originator. Upon request, organizations may be authorized to retain such material when approved by the originator through PSPC's CSP.

2. Requests for retention authority must identify:

If the organization has been authorized to retain protected and classified information for a specific period after contract completion, details of this authorization must be included with the retention request.

3. Unless the retention authority is received in writing, disposal of protected and classified information must be made in accordance with the provisions of this manual and instructions from PSPC's CSP.

511. Destruction

1. Unless otherwise specified, Protected C, Top Secret, COMSEC and foreign classified information and assets must be returned to PSPC's CSP for disposal.

2. Unless otherwise specified, Protected A and B, Secret and Confidential information and assets, of Canadian origin, may be destroyed by the organization with the approval of PSPC.

Note: Destruction of classified information and assets must be recorded on a certificate of destruction form, a copy of which must be forwarded to PSPC's CSP Document Control Unit (DCU) at tpsgc.dgsssiprojetintl-dobissintlproject.pwgsc@tpsgc-pwgsc.gc.ca.

3. Protected and classified information and assets that have been authorized for destruction must be disposed of in accordance with the following:

  1. it must be destroyed only by approved destruction equipment, or at a facility authorized by PSPC
  2. information awaiting destruction or in transit to destruction must be safeguarded in the manner prescribed for the most highly protected and classified information asset involved
  3. protected and classified information and assets awaiting destruction must be kept separate from other information and assets awaiting destruction
  4. an employee with a reliability status or with a proper security clearance, as applicable, must be present to monitor the destruction of protected and classified information respectively
  5. surplus copies and waste that could reveal protected and classified and information must be protected to the appropriate level and should be promptly destroyed

512. Security violations, breaches, and compromises

1. Organizations must establish a procedure to ensure that suspected or actual violations of security, breaches and compromises are recorded and immediately reported to the CSO. Records should be kept by the organization for a period of 2 years following the incident and are subject to inspection by the field industrial security officer.

2. Upon receipt of such a report, the CSO must immediately conduct a preliminary inquiry into the incident to determine all of the circumstances, including:

  1. What, where and when did the incident occur?
  2. Who reported it, to whom, and when?
  3. What information or asset was involved (in detail)?
  4. What was the security marking and description of the information or asset involved?
  5. Who originated the information or asset?
  6. When, for how long, and under what circumstances was the information or asset vulnerable to unauthorized disclosure, and to whom?
  7. What actions were taken to secure the information or asset and limit the damage?
  8. Is any information or asset lost or unaccounted for?

3. When the results of the preliminary inquiry indicate a suspected or actual breach or compromise of information and assets, PSPC's CSP is to be immediately notified by the CSO. A full report covering the preliminary inquiry and any subsequent investigative results are to be forwarded to PSPC's CSP as soon as possible.

513. Verbal and message communication

1. Unprotected telephones or facsimiles are not to be used to communicate classified or sensitive information. Requirements for secure telephones or facsimiles must be coordinated through the Communications Security Establishment (CSE).

2. Any conference rooms used for discussion of classified matters should be:

  1. a sensitive discussion area located in a security zone or high-security zone
  2. safeguarded against acoustic or electronic eavesdropping and should not contain items such as:
    1. telephones
    2. intercoms
    3. radios
    4. tape recorders

Annexes

Date modified: