TL;DR
- OFFICIAL is the baseline classification under the 2018 Government Security Classifications policy, covering the routine business of government.
- OFFICIAL-SENSITIVE is a handling caveat — not a separate classification tier — applied to data within OFFICIAL that needs tighter access controls.
- Cloud services meeting the NCSC Cloud Security Principles are accepted for OFFICIAL data; there is no separate certification regime.
- SECRET and TOP SECRET are higher tiers with their own accreditation routes and are not handled in the same way.
The Classification Tiers
The UK Government Security Classifications policy, refreshed in 2018, defines three tiers: OFFICIAL, SECRET and TOP SECRET. The previous five-tier system (PROTECT / RESTRICTED / CONFIDENTIAL / SECRET / TOP SECRET) was retired to align with the way modern government actually handles information.
OFFICIAL is by far the largest bucket. It covers the day-to-day work of government — internal correspondence, project management, most policy work, the vast majority of citizen-facing services. It is the default assumption: if data has not been explicitly classified higher, it is OFFICIAL.
| Tier | What it covers | Cloud-eligible? |
|---|---|---|
| OFFICIAL | Routine government business; the default tier for almost all departments. | Yes — any cloud meeting NCSC principles. |
| SECRET | Data whose compromise would cause serious damage to UK interests. | Only on accredited platforms (PSN-CS, MODCloud, etc.). |
| TOP SECRET | Data whose compromise would cause exceptionally grave damage. | Air-gapped or specialist sovereign infrastructure only. |
What OFFICIAL-SENSITIVE Means
OFFICIAL-SENSITIVE is not a fourth tier. It is a handling caveat applied to data within OFFICIAL that requires additional care because of who could be harmed if it leaked, the sensitivity of the source, or political/commercial impact.
Examples include personal data of vulnerable individuals, draft commercial bids, draft policy with high political sensitivity, or operational data from law-enforcement agencies. The underlying classification remains OFFICIAL — the same legal and contractual rules apply — but the dataholder marks it -SENSITIVE so that downstream consumers apply tighter access controls.
How This Affects Cloud Choice
Because OFFICIAL-SENSITIVE is still OFFICIAL, the same cloud platforms are eligible. Buyers do, however, typically press harder on a small number of NCSC principles when the data carries the caveat:
- Principle 3 (separation between customers) — tenant-isolation evidence is scrutinised more aggressively, sometimes pushing buyers towards single-tenant or sovereign-region deployments.
- Principle 6 (personnel security) — staff with privileged access may need BPSS or SC clearance rather than baseline checks.
- Principle 13 (audit information) — buyers expect richer, customer-readable audit logs and faster incident-notification timelines.
- Principle 2 (asset protection) — data residency is treated as non-negotiable, almost always UK-only.
Handling Rules in Practice
Beyond the cloud-platform choice, the policy imposes a number of operational rules. These are the supplier's responsibility under the shared-responsibility model — the cloud service alone cannot satisfy them.
- Need-to-know access — even cleared staff should not see OFFICIAL-SENSITIVE data without business justification.
- Encryption at rest, in transit, and where practical in memory.
- Print restrictions and watermarking where data flows outside controlled environments.
- Incident response with notification to the data owner within hours, not days.
- Data destruction on contract exit, certified.
Warning: OFFICIAL-SENSITIVE is sometimes used loosely as a synonym for 'a bit secret'. It is not. The official policy is clear: it is OFFICIAL data with additional handling rules. Suppliers asked to host OFFICIAL-SENSITIVE workloads on an unaccredited platform should accept — provided they meet the NCSC principles and the specific caveat handling rules in the contract.
Where Yobitel Sits
Yobitel's UK estate is designed to host OFFICIAL and OFFICIAL-SENSITIVE workloads. Personnel with privileged access undergo BPSS minimum (SC where the contract requires), data residency is UK-only by default, and the audit stack provides customer-readable logs with sub-hour incident notification timelines.
SECRET-tier workloads are not handled on the standard Yobitel platform — they are routed via Yobitel Professional Services to accredited sovereign partners.
References
- Government Security Classifications policy · Cabinet Office
- Handling guidance for OFFICIAL data · GOV.UK
- NCSC Cloud Security Principles · NCSC