26th October 2022
Data security classification improves information security
Work on the data security classification of the state has now been completed. The purpose of the work is to guide institutions and ensure the security of information of individuals and companies which the state is obliged to keep.
Development and preparation of data security classification are based on the following principles, which guide users of the classification in case of doubt regarding the correct treatment and classification.
All data has value for the government, the individual, the legal entity or society as a whole.
Appropriate and transparent treatment and appropriate security of data must be provided, in accordance with their value and purpose.
Data shall be open and accessible to all, except when otherwise required by the interests of governments, legal entities, natural persons, the public or international cooperation.
Access controls invoked in order to safeguard data shall be based on minimisation of rights, i.e. only those requiring access have it.
All persons handling data in the custody of government entities, staff, third parties, and service providers shall have appropriate knowledge of data storage, administration, and security.
The main priorities in describing the approach and giving guidance on the design and use of the classification system shall be worked out.
Data shall be open unless otherwise decided.
Data security is ensured in an appropriate manner.
The classification of data shall be systematic and consistent.
The consequences of classification must be clear and defined.
Government entities are instructed to use four categories of data and to use them in their activities. It is understood that classification will be compulsory when rules on the handling of classified information are established. Data shall be classified according to the level of security required by their value:
Open data
Non-personally identifiable data or data open and accessible for use and re-use. Examples of such documents are names, domiciles, and real estate registers.
Protected Data
All data other than open data that is part of the day-to-day operations of a government entity. Examples of such data are the criminal records of individuals, wage data of government employees, and bills in progress.
Specific Data
Data that, due to a sensitive time or content situation, can cause extensive and long-term damage to groups of natural or legal persons or state entities. Examples of such documents are matters in the investigation phase of the police and government minutes.
Limited data
Data that is sensitive to society as a whole or to the international situation of the nation.
The security classification of data directly affects how cloud services are used and thus where, for example, data from government bodies may be saved.
Next steps are to prepare more detailed guidelines, handy tools and more detailed information for state parties.
Work on drafting the data security classification began in November 2021 with the appointment of a working group. The group was composed of representatives of the Prime Minister's Office, the Ministry of Finance and Economic Affairs, the Ministry of Health and the Ministry of Justice. In addition, the group included a representative from the private company GRID. The working group presented its work to government ministries and consulted extensively with agencies that produce, store, process and publish data.
For further information see (only Icelandic):