Government of Canada Records Management Metadata Standard - securityClearance
[To be actioned by Treasury Board of Canada, Secretariat before publication]
The level of security clearance held by an individual.
To provide details about the security level of the individual who took an action on a specific record or file.
To support audit of records management processes.
To enhance the security and control of records by limiting access based on security levels of individuals.
"The regulatory environment, in which the organization operates, establishes broad principles on access rights, conditions or restrictions that should be incorporated into the operation of records systems…Records may contain personal, commercial or operationally sensitive information. In some cases, access to the records, or information about them, should not be permitted…. Ensuring appropriate access controls is done by assigning access status to both records and individuals." ISO International Standard 15489-1, s. 9.7
"Managing the access process involves ensuring that:…
b) records are only released to those who are authorized to see them,
d) records processes and transactions are only undertaken by those authorized to perform them…" ISO International Standard 15489-1, s. 9.7
"Security metadata should …ensure that records can only be accessed by authorized personnel…" ISO Technical Specification 23081-1, s. 184.108.40.206
Enumerated strings of text representing security clearances.
Government Security Policy (GSP)
Access Rights; Agent Individual Identifier; Agent Individual Name; Sensitivity
Conditions of Application - Record
Pre Record Declared Locked
Pre Record Declared Locked
Conditions of Application - File
Comments and Guidance
a) Explanation of Definition/Usage
This element defines the security level held by an individual, thereby determining the individual's right to perform an action on a record or file on a need-to-know basis.
This element has a different function than other elements in that it applies only to the individual, not to the file or record. In the above table, the constraint for these levels is "Not applicable". While this element is not applied to the record or file in any way, it is still important for the security and integrity of the record or file. The security level of the individual will be matched against the Sensitivity level of the record or file to determine the individual's right to perform an action on a record or file on a need-to-know basis.
b) Best Practices
This element will not play a part in determining access to internally sensitive records and files such as budgets, memos, etc. Institution-specific business rules and policies will determine which internally sensitive files an individual is allowed access to.
Recommended best practice is to select a value from the Government Security Policy. The list of available security levels is dictated by the Government Security Policy.
Just as with the Agent elements, the Security Clearance of an individual must be maintained for audit and evidentiary purposes and will therefore be part of the management and event history log.
It is up to the institution to determine how to implement the management and event history log. Each time an individual performs an action on a record or file, the Security Clearance of the individual may be written to the log of the record or file, or alternatively, only one element (e.g. Agent Individual Identifier) may be written to the log of the record or file yet permit linkage to a separate Security Clearance table within the database containing the Security Clearance of the individual. If this table is maintained in a way that results in a separate entry in the table for each change to an individual's security clearance, a "snapshot" of an agent's status can always be retrieved for evidentiary purposes.
In this scenario, when records and files are moved out of the institution, the information about the individual's security clearance must also be moved in order to properly maintain the integrity of the management and event history log of the records and files.
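The linked-table option described above, as an added example that is not part of the standard: the event log stores only the Agent Individual Identifier, and a clearance history table with one row per change supplies the "snapshot" in force when each action occurred. Table names, column names, identifiers and the clearance labels LEVEL-1/LEVEL-2 are constructed assumptions; real values would come from the Government Security Policy list.

```python
import sqlite3

def build_db():
    """In-memory database with constructed sample rows (not real data)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE clearance_history (      -- one row per clearance change
            agent_id TEXT NOT NULL, clearance TEXT NOT NULL,
            effective_from TEXT NOT NULL,     -- ISO 8601 UTC, sorts as text
            PRIMARY KEY (agent_id, effective_from));
        CREATE TABLE event_log (              -- holds the identifier only
            event_id INTEGER PRIMARY KEY, record_id TEXT NOT NULL,
            agent_id TEXT NOT NULL, action TEXT NOT NULL,
            occurred_at TEXT NOT NULL);
    """)
    db.executemany("INSERT INTO clearance_history VALUES (?,?,?)", [
        ("A-1001", "LEVEL-1", "2020-01-15T00:00:00Z"),
        ("A-1001", "LEVEL-2", "2022-06-01T00:00:00Z")])
    db.executemany(
        "INSERT INTO event_log (record_id, agent_id, action, occurred_at) "
        "VALUES (?,?,?,?)", [
        ("R-77", "A-1001", "view", "2021-03-10T09:30:00Z"),
        ("R-77", "A-1001", "modify", "2023-02-02T14:00:00Z"),
        ("R-77", "A-2002", "view", "2023-02-03T08:00:00Z")])  # no history row
    return db

def clearance_at(db, agent_id, when):
    """Clearance in force at `when`; None means the snapshot is missing."""
    row = db.execute(
        "SELECT clearance FROM clearance_history "
        "WHERE agent_id = ? AND effective_from <= ? "
        "ORDER BY effective_from DESC LIMIT 1", (agent_id, when)).fetchone()
    return row[0] if row else None

def audit_trail(db, record_id):
    """Each logged event paired with the agent's clearance at that moment."""
    events = db.execute(
        "SELECT agent_id, action, occurred_at FROM event_log "
        "WHERE record_id = ? ORDER BY occurred_at", (record_id,)).fetchall()
    return [(a, act, t, clearance_at(db, a, t)) for a, act, t in events]

def export_clearances(db, record_id):
    """History rows that must accompany the record when it is transferred."""
    return db.execute(
        "SELECT agent_id, clearance, effective_from FROM clearance_history "
        "WHERE agent_id IN (SELECT agent_id FROM event_log WHERE record_id = ?) "
        "ORDER BY agent_id, effective_from", (record_id,)).fetchall()
```

A `None` clearance in the audit trail marks an event whose agent has no history row, which is the integrity gap that appears when a record is moved without its clearance data.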
Only an authorized official may modify the value for this element in an individual's profile.
This element is mandatory in order to ensure access is granted at the correct level.
d) Default Values/Auto-populate
The value will be auto-populated according to the profile of the person.
This element is linked to the agent elements, Sensitivity and Access Rights. It is a combination of these three concepts that determines an individual's access to records.