Classification
The are generally four levels of security classification. These are:
- Unrestricted (formerly Unclassified)
- Restricted
- Confidential
- Most Confidential
| Classification | Definition | Dissemination | Level of protection | Volume | Typical Examples |
|---|---|---|---|---|---|
| Unrestricted | Information that may be shared without restrictions because it is unlikely to result in any harm if disclosed to outside parties. | No restrictions, but Public Affairs must be consulted before external publication. | Requires no specific protection against unauthorised access. | Around 10-20% of generated information | Routine emails about non-sensitive issues. Notice board material. Information received from partners or government that is freely available in the public domain. |
| Restricted | Information that may be freely shared with staff in Shell and Associated Companies* but not with third parties. | May be freely shared with other staff and Group companies, but not with third parties. | Should only be shared with staff or contractors who have a need-to-know. | Around 80-90% of generated information | Company directories. Best practices. Internal technical publications. Unclassified material that (1) was received from business partners or governments and (2) is not in the public domain. |
| Confidential | Information that should be shared with selected staff only, because it could harm the interests of a Group company or individual if disclosed to unauthorised persons. | Apply controls based on due diligence to prevent access by third parties. | Apply security measures that are strong enough to deter attempts to gain unauthorised access. | Around 5-10% of generated information | Information that, if disclosed, could affect the share price. Competitor assessments. Customer information. Information that, if disclosed, might cause significant loss (e.g. USD 5 million). Diaries and travel arrangements of senior executives. Government material marked RESTRICTED. |
| Most Confidential | Information that should be made available on a strict need-to-know basis only, because it could cause very serious damage to the interests of a Group company or individual if disclosed to unauthorised persons. | Less than 1% of generated information | Must be strictly controlled and limited to a minimal list of named individuals. | Apply the highest level of protection available within the business environment. | Information about negotiating positions. Details of a major acquisition, divestment or merger. Items of high political or legal sensitivity. High-level business plans. Personal or personnel related information (e.g. medical, performance). Travel arrangements of senior executives to high-threat countries. Information that involves a major reorganisation or has a high staff impact. Information or data that, if disclosed, might cause very high loss (e.g. USD 50 million). Government material marked CONFIDENTIAL. |
* "Company staff" includes all staff, contractor staff with a personal
contract, and designated staff if such access is required for the
business. Additionally access must be authorised by a line manager and
a confidentiality agreement has been signed.
"Associated Companies" are those where a business rationale for access
to Restricted information has been approved for selected categories
of staff by the responsible regional business adviser.