TL;DR
- OFFICIAL is the baseline classification under the 2018 Government Security Classifications policy, covering the routine business of government.
- OFFICIAL-SENSITIVE is a handling caveat — not a separate classification tier — applied to data within OFFICIAL that needs tighter access controls.
- Cloud services meeting the NCSC Cloud Security Principles are accepted for OFFICIAL data; there is no separate certification regime.
- SECRET and TOP SECRET are higher tiers with their own accreditation routes and are not handled in the same way.
The Classification Tiers#
The UK Government Security Classifications policy, refreshed in 2018, defines three tiers: OFFICIAL, SECRET and TOP SECRET. The previous five-tier system (PROTECT / RESTRICTED / CONFIDENTIAL / SECRET / TOP SECRET) was retired to align with the way modern government actually handles information.
OFFICIAL is by far the largest bucket. It covers the day-to-day work of government — internal correspondence, project management, most policy work, the vast majority of citizen-facing services. It is the default assumption: if data has not been explicitly classified higher, it is OFFICIAL.
| Tier | What it covers | Cloud-eligible? |
|---|---|---|
| OFFICIAL | Routine government business; the default tier for almost all departments. | Yes — any cloud meeting NCSC principles. |
| SECRET | Data whose compromise would cause serious damage to UK interests. | Only on accredited platforms (PSN-CS, MODCloud, etc.). |
| TOP SECRET | Data whose compromise would cause exceptionally grave damage. | Air-gapped or specialist sovereign infrastructure only. |
What OFFICIAL-SENSITIVE Means#
OFFICIAL-SENSITIVE is not a fourth tier. It is a handling caveat applied to data within OFFICIAL that requires additional care because of who could be harmed if it leaked, the sensitivity of the source, or political/commercial impact.
Examples include personal data of vulnerable individuals, draft commercial bids, draft policy with high political sensitivity, or operational data from law-enforcement agencies. The underlying classification remains OFFICIAL — the same legal and contractual rules apply — but the dataholder marks it -SENSITIVE so that downstream consumers apply tighter access controls.
How This Affects Cloud Choice#
Because OFFICIAL-SENSITIVE is still OFFICIAL, the same cloud platforms are eligible. Buyers do, however, typically press harder on a small number of NCSC principles when the data carries the caveat:
- Principle 3 (separation between customers) — tenant-isolation evidence is scrutinised more aggressively, sometimes pushing buyers towards single-tenant or sovereign-region deployments.
- Principle 6 (personnel security) — staff with privileged access may need BPSS or SC clearance rather than baseline checks.
- Principle 13 (audit information) — buyers expect richer, customer-readable audit logs and faster incident-notification timelines.
- Principle 2 (asset protection) — data residency is treated as non-negotiable, almost always UK-only.
Handling Rules in Practice#
Beyond the cloud-platform choice, the policy imposes a number of operational rules. These are the supplier's responsibility under the shared-responsibility model — the cloud service alone cannot satisfy them.
- Need-to-know access — even cleared staff should not see OFFICIAL-SENSITIVE data without business justification.
- Encryption at rest, in transit, and where practical in memory.
- Print restrictions and watermarking where data flows outside controlled environments.
- Incident response with notification to the data owner within hours, not days.
- Data destruction on contract exit, certified.
OFFICIAL-SENSITIVE is sometimes used loosely as a synonym for 'a bit secret'. It is not. The official policy is clear: it is OFFICIAL data with additional handling rules. Suppliers asked to host OFFICIAL-SENSITIVE workloads on an unaccredited platform should accept — provided they meet the NCSC principles and the specific caveat handling rules in the contract.
Where Yobitel Sits#
Yobitel's UK estate is designed to host OFFICIAL and OFFICIAL-SENSITIVE workloads. Personnel with privileged access undergo BPSS minimum (SC where the contract requires), data residency is UK-only by default, and the audit stack provides customer-readable logs with sub-hour incident notification timelines.
SECRET-tier workloads are not handled on the standard Yobitel platform — they are routed via Yobitel Professional Services to accredited sovereign partners.
References
- Government Security Classifications policy · Cabinet Office
- Handling guidance for OFFICIAL data · GOV.UK
- NCSC Cloud Security Principles · NCSC