Security classification exists to identify official information that needs special management to avoid risks that would arise if it was freely accessible. The system protects such information by controlling access to it, through a combination of protective markings, associated rules and procedures (eg handling requirements and rules restricting access to security cleared personnel) and physical or technical barriers (eg locked storage, encryption).
The primary classifications are categories of information, defined according to the level of risk of harm that might arise from open access to the information. Each classification is accompanied by rules about the security required around the information when it is stored and transmitted. Information is assigned a classification according to its risk and labelled (usually) with the corresponding protective marking.
Although “classification” in its broadest sense identifies the system for controlling access to official information, it has a more specific meaning within the system. A classification is a specific type of protective marking, identifying the level of sensitivity attaching to information. In the New Zealand system, TOP SECRET, SECRET, CONFIDENTIAL, RESTRICTED, SENSITIVE and IN CONFIDENCE are classifications.
Other markings used with classifications to indicate specific controls on access, the sensitivity of a source, or the nature of the information are not themselves classifications. When used with a classification, however, they add to its meaning. The ‘classification’ of that information will usually then be understood as encompassing the full set of controls applying to it, arising from its actual classification plus other markings.
Security clearance rules define classes of people who may have access to the information in each classification category. Whether they actually do have access generally depends on whether those who can establish and enforce controls on access are satisfied that those seeking access have a ‘need to know’.
A classification system exists to preserve the value of official information so that the public interest in retaining and using it can be realised. At the lower end of security, this might mean protecting personal information that agencies have been allowed to collect for the purpose of providing public services. At the higher end it might mean protecting intelligence that gives an advantage to national decision-makers. At every level the purpose is to protect information so it can be used to the best effect. Classification must limit access to the extent necessary for protection, but enable access to the extent necessary to realise its value and justify the effort and intrusion involved in acquiring it. Secrecy has no value for its own sake: its only purpose is to ensure that information is used as it should be.