Sarah Higgins
Principal Associate
Non-solicitor
Article
6
On 30 June 2023, the Cabinet Office published Procurement Policy Note (PPN) 07/23: Government Security Classifications Policy to implement updates to the Government Security Classifications Policy (GSCP). These updates are designed to address gaps in the previous policy and reflect changes to Government working practices since the last major update in 2013 – like working from home.
The GSCP is a Cabinet Office policy that sets out an administrative system to be used by Government to protect any information or data that has been created, processed, stored or managed as part of His Majesty's Government's work – including as a result of Government contracts – from prevalent threats through the use of 'classification tiers'.
Each 'classification tier' sets out baseline behaviours and protective controls proportionate to the threat profile and potential impact of data compromise, loss or incorrect disclosure of information.
Unless more stringent requirements are required by Government (for example, as set out in a Government contract), the GSCP is the baseline requirement.
Want to know more but short on time? Read the Government Security Classifications Policy Quick Read.
Otherwise, you can read the full GSCP for more details.
If your organisation is a supplier to Government, then "yes".
If your organisation is an NHS body, a Central Government Department, or an Executive Agency, or Non-Departmental Public Body of a Central Government Department ("In-Scope Organisations"), then "yes".
If your organisation is a public sector contracting authority but is not an In-Scope Organisation, the PPN states that you "may wish to" implement the PPN – whilst it is not mandated for your organisation to do so, we recommend you do to ensure alignment with public policy and robust security measures to protect Government data are in place.
The majority of the updates are minor.
Here are the top seven changes that you need to know:
Whilst the updated GSCP came into force on 30 June 2023, an implementation window of 12 months has been given. All In-Scope Organisations must ensure that appropriate protective security controls compliant with the updated GSCP are established for all contracts with suppliers – that means existing and new contracts - by 29 June 2024.
Full implementation might seem a long time away, but time flies. There will be operational implications to these changes and if you are procuring new goods, works or services you will want to ensure your draft contracts reflect the changes.
So use the 12 month implementation period wisely and use our checklists below now to make sure you comply.
If you are in a commercial, procurement and/or contract management role, your checklist is below to make sure you comply:
Don't be. Contact us so we can:
Sign up here to receive more essential public sector insights from our Government Sector team, or read our other public sector updates.
CECI NE CONSTITUE PAS UN AVIS JURIDIQUE. L'information qui est présentée dans le site Web sous quelque forme que ce soit est fournie à titre informatif uniquement. Elle ne constitue pas un avis juridique et ne devrait pas être interprétée comme tel. Aucun utilisateur ne devrait prendre ou négliger de prendre des décisions en se fiant uniquement à ces renseignements, ni ignorer les conseils juridiques d'un professionnel ou tarder à consulter un professionnel sur la base de ce qu'il a lu dans ce site Web. Les professionnels de Gowling WLG seront heureux de discuter avec l'utilisateur des différentes options possibles concernant certaines questions juridiques précises.