Protection Data Classification
Protection data classification assigns sensitivity levels to information collected in safeguarding and humanitarian protection contexts, with handling requirements calibrated to the risk of harm that disclosure or misuse would cause to survivors, witnesses, and affected populations. This reference defines classification levels specific to protection data, distinct from general organisational data classification, and provides lookup tables for handling, marking, storage, and transmission requirements.
Classification Levels
Protection data uses five classification levels. The level assigned to any data element reflects the maximum harm that could result from unauthorised access, not the probability of such access occurring.
| Level | Name | Definition | Example Data |
|---|---|---|---|
| P0 | Unrestricted | Aggregated, anonymised data with no possible re-identification pathway and no operational sensitivity | Published programme statistics, annual report figures, sector-wide trend analyses |
| P1 | Internal | Operational data that identifies programmes or locations but not individuals; disclosure would cause reputational or operational impact | Service delivery volumes by location, staff deployment patterns, facility addresses |
| P2 | Confidential | Individual-level data where disclosure would cause distress, discrimination, or social harm to the data subject | Beneficiary registration records, vulnerability assessments, general case notes |
| P3 | Strictly Confidential | Protection case data where disclosure creates risk of violence, persecution, or severe harm to the data subject or others | GBV incident reports, child protection cases, trafficking survivor records, witness statements |
| P4 | Critical | Data where disclosure creates imminent risk to life or physical safety; includes perpetrator information and high-risk location data | Safe house addresses, witness protection details, active threat assessments, perpetrator identification linked to survivors |
The classification level applies to the entire record or document containing the highest-sensitivity element. A case file containing P3 protection incident details receives P3 classification in its entirety, regardless of whether some fields within it would independently qualify as P2 or lower.
Level Assignment Criteria
Classification decisions follow the maximum harm principle: assign the level corresponding to the worst realistic outcome from unauthorised disclosure. The assessment considers harm to the data subject, harm to third parties (family members, witnesses, other survivors), and harm to operational capacity (compromised safe houses, exposed referral pathways).
| Criterion | P0 | P1 | P2 | P3 | P4 |
|---|---|---|---|---|---|
| Individual identifiability | None possible | None | Direct or indirect | Direct or indirect | Direct |
| Harm from disclosure | None | Operational/reputational | Social harm, discrimination | Violence, persecution, severe harm | Imminent life-threatening |
| Re-identification risk with external data | None | Negligible | Low to moderate | Moderate to high | High |
| Perpetrator connection | None | None | None | Possible | Direct |
| Location sensitivity | None | General area only | Service location | Case-specific location | Safe house or hiding location |
When multiple criteria suggest different levels, assign the highest indicated level.
Special Categories
Three protection data categories carry additional handling requirements beyond their base classification level due to the nature of the harm they document and the vulnerability of affected populations.
Gender-Based Violence Data
GBV data encompasses information about sexual violence, intimate partner violence, forced marriage, female genital mutilation, and other forms of gender-based harm. GBV data receives minimum P3 classification when it identifies or could identify a survivor. No GBV incident data, however anonymised, falls below P2.
| Data Element | Minimum Classification | Rationale |
|---|---|---|
| Aggregate GBV statistics (no location below district level) | P2 | Re-identification risk in small populations |
| GBV incident type and date (no survivor details) | P2 | Pattern analysis could identify survivors |
| Survivor identity or demographic details | P3 | Direct identification risk |
| Perpetrator identity linked to survivor | P4 | Imminent risk if perpetrator aware of disclosure |
| Safe house or shelter location | P4 | Compromise endangers all residents |
| Medical-legal evidence | P3 | Stigma and legal implications |
GBV data sharing requires explicit, documented consent from the survivor except where mandatory reporting laws apply or where non-disclosure would result in serious harm to the survivor or others. Even with consent, GBV data never transfers to organisations without demonstrated secure handling capacity.
Child Protection Data
Child protection data covers information about children at risk of or affected by abuse, neglect, exploitation, or violence. The minimum classification for any identifiable child protection data is P3. Where a person's age cannot be verified, they are treated as a child for classification purposes.
| Data Element | Minimum Classification | Rationale |
|---|---|---|
| Aggregate child protection caseload | P1 | No individual identification |
| Unaccompanied minor registration | P3 | Child vulnerability plus family tracing sensitivity |
| Child abuse or exploitation details | P3 | Severe harm potential, stigma |
| Perpetrator identity (intra-family) | P4 | Family reunification risks, retaliation |
| Child’s undisclosed location (hiding from family member) | P4 | Life safety |
| Best interest assessment | P3 | Contains sensitive personal and family details |
Child protection data requires best interest determination before any sharing decision. The child’s views, appropriately weighted for age and maturity, inform but do not solely determine classification and handling decisions.
Counter-Trafficking Data
Counter-trafficking data includes information about victims of human trafficking, smuggling routes, trafficker networks, and exploitation venues. Minimum classification for identifiable trafficking victim data is P3. Network and route information receives P3 or P4 based on operational sensitivity.
| Data Element | Minimum Classification | Rationale |
|---|---|---|
| Trafficking trend statistics | P1 | No individual or route identification |
| Trafficking victim case record | P3 | Re-trafficking risk, stigma, legal status |
| Trafficker or network identification | P4 | Retaliation risk if linked to victim |
| Exploitation venue location (active) | P4 | Operational security for law enforcement |
| Smuggling route details | P3 | Route compromise could endanger persons in transit |
| Victim nationality and transit route combined | P3 | Re-identification of individuals in transit |
Counter-trafficking data sharing with law enforcement requires survivor consent except where mandatory reporting applies or imminent risk exists to others. Protection organisations maintain primacy of survivor safety over prosecution objectives.
Marking and Labelling
Every protection data record, document, and file carries visible classification marking. Marking enables handling decisions by anyone who encounters the data, including during incident response or emergency evacuation.
Document Marking Format
Protection classification marks appear in document headers and footers using the format:
PROTECTION DATA - [LEVEL NAME] (P[0-4])
Example markings:
PROTECTION DATA - STRICTLY CONFIDENTIAL (P3)
PROTECTION DATA - CRITICAL (P4)
PROTECTION DATA - INTERNAL (P1)
For documents containing GBV, child protection, or counter-trafficking data, append the category:
PROTECTION DATA - STRICTLY CONFIDENTIAL (P3) - GBV
PROTECTION DATA - CRITICAL (P4) - CHILD PROTECTION
PROTECTION DATA - STRICTLY CONFIDENTIAL (P3) - TRAFFICKING
Electronic File Marking
Electronic files use both filename conventions and metadata properties.
Filename prefix convention:
| Classification | Prefix |
|---|---|
| P0 | No prefix required |
| P1 | P1_ |
| P2 | P2_CONF_ |
| P3 | P3_STRICT_ |
| P4 | P4_CRIT_ |
Example: P3_STRICT_GBV_CaseNotes_2024-11-15.docx
Metadata requirements:
| Property | Value Format |
|---|---|
| Classification | P0 through P4 |
| Category | GBV, CP, CT, or GENERAL |
| Handling caveat | NOFORWARD, NOPRINT, ENCRYPT as applicable |
| Review date | ISO 8601 date for classification review |
Case management systems embed classification as a required field with no default value, forcing explicit classification at record creation.
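As an added illustration, not part of this reference, the following Python applies the rules above: the maximum-harm principle (a record takes its highest element level), the special-category minimums for GBV, child protection and counter-trafficking data, the header marking format, and the filename prefix convention. The Element fields, the three category codes, and the handling of a record that mixes categories (each category appended in turn) are assumptions.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import List, Optional, Tuple


class Level(IntEnum):
    P0 = 0
    P1 = 1
    P2 = 2
    P3 = 3
    P4 = 4


LEVEL_NAMES = {Level.P0: "UNRESTRICTED", Level.P1: "INTERNAL", Level.P2: "CONFIDENTIAL",
               Level.P3: "STRICTLY CONFIDENTIAL", Level.P4: "CRITICAL"}
FILENAME_PREFIX = {Level.P0: "", Level.P1: "P1_", Level.P2: "P2_CONF_",
                   Level.P3: "P3_STRICT_", Level.P4: "P4_CRIT_"}
CATEGORY_MARK = {"GBV": "GBV", "CP": "CHILD PROTECTION", "CT": "TRAFFICKING"}


@dataclass
class Element:
    name: str
    level: Level                      # level the element earns on its own from the criteria table
    category: Optional[str] = None    # "GBV", "CP", "CT" or None for general protection data
    identifies_subject: bool = False  # direct or indirect identifiability of a person


def element_level(e: Element) -> Level:
    """Raise an element to the special-category minimum where one applies."""
    floor = Level.P0
    if e.category == "GBV":
        floor = Level.P3 if e.identifies_subject else Level.P2  # no GBV data falls below P2
    elif e.category in ("CP", "CT") and e.identifies_subject:
        floor = Level.P3  # identifiable child protection or trafficking victim data
    return max(e.level, floor)


def classify_record(elements: List[Element]) -> Tuple[Level, List[str]]:
    """Maximum-harm principle: the whole record carries its highest element level."""
    level = max((element_level(e) for e in elements), default=Level.P0)
    categories = sorted({e.category for e in elements if e.category})
    return level, categories


def marking(level: Level, categories: List[str]) -> str:
    """Header/footer mark; a category suffix is appended for special-category data."""
    mark = f"PROTECTION DATA - {LEVEL_NAMES[level]} ({level.name})"
    return mark + "".join(f" - {CATEGORY_MARK[c]}" for c in categories)


def filename(level: Level, categories: List[str], stem: str, created_iso: str, ext: str = "docx") -> str:
    """Prefix convention: <level prefix><category_>...<stem>_<ISO date>.<ext>."""
    return f"{FILENAME_PREFIX[level]}{''.join(c + '_' for c in categories)}{stem}_{created_iso}.{ext}"


# Constructed sample: a GBV case-note file whose fields differ in sensitivity.
CASE_NOTES = [
    Element("survivor name and age", Level.P3, "GBV", identifies_subject=True),
    Element("incident type and date", Level.P2, "GBV"),
    Element("service delivery location", Level.P1),
]
```

Running `classify_record(CASE_NOTES)` yields P3 with category GBV, so the file is marked PROTECTION DATA - STRICTLY CONFIDENTIAL (P3) - GBV and named P3_STRICT_GBV_CaseNotes_2024-11-15.docx, matching the page's example.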
Physical Document Marking
Paper documents display classification marks:
- Top and bottom centre of each page
- Minimum 12-point bold font
- Red text for P3 and P4 classifications
- Cover sheet required for P3 and P4 when documents leave secure storage
Physical folders containing protection data display the highest classification of any contained document on the folder exterior and spine.
Storage Requirements
Storage requirements escalate with classification level. Higher classifications require additional technical controls, physical protections, and access restrictions.
| Requirement | P0 | P1 | P2 | P3 | P4 |
|---|---|---|---|---|---|
| Encryption at rest | Not required | Recommended | Required (AES-256) | Required (AES-256) | Required (AES-256) |
| Access control | None | Role-based | Role-based, named users | Named users only, case-specific | Individual authorisation per access |
| Access logging | Not required | Recommended | Required | Required, tamper-evident | Required, real-time alerting |
| Backup encryption | Not required | Required | Required | Required, separate keys | Required, offline storage |
| Physical storage | Standard | Locked office | Locked cabinet | Safe or vault | Vault, dual-key access |
| Cloud storage permitted | Yes | Yes | Yes, approved providers | Restricted providers, approved jurisdictions | Generally prohibited |
| Offline copies permitted | Yes | Yes | Controlled | Prohibited except emergency kit | Prohibited |
| Personal device storage | Yes | Managed devices | Managed devices, encrypted | Prohibited | Prohibited |
| Retention location | Standard repositories | Standard repositories | Protected repositories | Dedicated protection systems | Air-gapped or isolated systems |
Storage Location Requirements
P2 and below may reside on general organisational systems meeting baseline security standards: current operating system patches, endpoint protection, encrypted storage, access logging.
P3 data requires storage in dedicated protection case management systems or segregated repositories with enhanced access controls. Approved systems include purpose-built protection platforms (Primero, CPIMS+) and appropriately configured general platforms with protection-specific access compartments. The system must support case-level access control, not merely role-based access to all cases of a given type.
P4 data requires storage on systems with no direct internet connectivity or on air-gapped systems for the most sensitive elements. Where operational requirements necessitate connected storage, the system must employ real-time monitoring with immediate alerting on access attempts and automated lockout after anomalous access patterns.
Cloud Storage Jurisdictional Constraints
Cloud storage of P3 and P4 data is subject to jurisdictional restrictions based on where the data subjects are located and where the cloud provider is incorporated.
| Data Subject Location | Prohibited Provider Jurisdictions | Required Provider Certifications |
|---|---|---|
| EU/EEA residents | None (adequate GDPR safeguards required) | ISO 27001, SOC 2 Type II |
| Persons in active conflict zones | Provider home country parties to conflict | ISO 27001, humanitarian sector attestation |
| Refugees/asylum seekers | Country of origin, transit countries with return agreements | ISO 27001, no government data access history |
| Trafficking survivors | Provider jurisdictions with weak trafficking laws | ISO 27001, explicit trafficking data handling policy |
For P4 data involving persons at risk from state actors, cloud storage with providers subject to national security data demands (US CLOUD Act, UK IPA, similar legislation) requires explicit risk acceptance documented at director level.
Transmission Requirements
Transmission of protection data requires security measures proportionate to classification level. The transmission medium, encryption, and recipient verification requirements vary by level.
| Requirement | P0 | P1 | P2 | P3 | P4 |
|---|---|---|---|---|---|
| Email transmission | Permitted | Permitted | Encrypted (TLS 1.2+) | End-to-end encrypted only | Prohibited |
| Messaging apps | Any | Business accounts | Approved apps (TLS) | End-to-end encrypted apps only | Prohibited |
| File transfer | Any | Organisational platforms | Encrypted platforms | Dedicated secure transfer | Encrypted physical media only |
| Voice discussion | Any | Standard calls | Verified participants | Secure voice only | In-person only |
| Recipient verification | None | Organisational address | Known recipient, verified address | Pre-arranged recipient, secondary verification | In-person identity confirmation |
| Transmission logging | Not required | Recommended | Required | Required, both ends | Required, chain of custody |
Email Transmission
P2 data may be transmitted via email only when the email system enforces TLS 1.2 or higher for transmission and the recipient address is verified. Password-protected attachments add a layer of protection but do not substitute for transport encryption.
P3 data requires end-to-end encryption (S/MIME, PGP, or platform-native E2EE such as ProtonMail) with recipient verification before transmission. The recipient must confirm receipt and secure storage within 48 hours; absent confirmation, the sender must invoke data recall procedures.
P4 data is never transmitted via email. No email encryption provides adequate protection for critical protection data. Physical transfer with chain of custody documentation is required.
Messaging and Communication
Approved messaging platforms for P2 data: Microsoft Teams (organisational tenants), Google Chat (Workspace), Slack Enterprise Grid.
Approved messaging platforms for P3 data: Signal, Wire, WhatsApp (E2EE enabled, business accounts), Wickr. Platforms must provide end-to-end encryption with forward secrecy and must not retain message content on servers after delivery confirmation.
For voice discussions of P3 data, approved options include Signal voice calls, Wire calls, and SRTP-encrypted VoIP. Standard mobile or landline calls are prohibited for P3 discussions.
P4 data discussions occur only in person in swept or verified-secure locations. Where an in-person meeting is impossible, pre-arranged secure voice (Signal) with a verification protocol is the only permitted alternative.
File Transfer
P2 file transfer uses organisational file sharing platforms (SharePoint, Google Drive, Nextcloud) with link expiry and access logging.
P3 file transfer requires dedicated secure transfer platforms or encrypted archive transmission (AES-256 encrypted ZIP with password shared via separate channel). Approved platforms include UNHCR’s secure file exchange, organisation-operated SFTP with certificate authentication, and dedicated secure transfer services with end-to-end encryption.
P4 file transfer uses encrypted physical media (hardware-encrypted USB drives, encrypted optical media) with documented chain of custody. Media remains in personal possession throughout transport and uses tamper-evident packaging for any handover.
Declassification and Reclassification
Classification levels are not permanent. Data may be declassified as risk decreases over time or reclassified upward if circumstances change.
Declassification Triggers
| From Level | To Level | Permitted Trigger |
|---|---|---|
| P4 | P3 | Imminent threat resolved, perpetrator no longer active, safe house decommissioned |
| P3 | P2 | Case closed for 5+ years, survivor deceased (natural causes), explicit survivor request with informed consent |
| P2 | P1 | Individual identifiers removed, re-identification analysis confirms no pathway |
| P1 | P0 | Aggregation at population level, no operational sensitivity remaining |
Declassification requires documented approval from the protection lead or designated data controller. For P4 to P3 transitions, approval requires two authorised reviewers.
Reclassification Triggers
| From Level | To Level | Required Trigger |
|---|---|---|
| P3 | P4 | New threat information, perpetrator release, compromise of related case |
| P2 | P3 | Re-identification pathway discovered, survivor enters new protection programme |
| P1 | P2 | Data linked to identifiable individuals through combination with other sources |
Reclassification upward is mandatory upon discovery of the triggering condition. The individual identifying the trigger is responsible for immediate reclassification pending formal review.
Review Schedule
| Classification | Review Frequency |
|---|---|
| P4 | Every 6 months or upon case status change |
| P3 | Annually or upon case closure |
| P2 | Every 2 years |
| P1 | Every 5 years |
| P0 | No scheduled review |
Review dates are embedded in document metadata. Case management systems generate automated review reminders.