An official training service of the State of the Kaharagians
CIS 201 Digital Security and Cyber Hygiene
Lesson 5 of 10 · CIS 201

Safe Data Handling and Communication

Lesson Overview

Most of what the Royal Kaharagian Army holds is not weapons or stores but information: the personal details of the nationals it serves, the identities and contact details of its own members, the records of its work, and the keys and certificates that prove who is who. A non-territorial Principality runs on that information, and the harm done by losing it, leaking it, or corrupting it can be as real as any physical loss. The previous lessons taught you to lock down accounts and devices. This lesson teaches the discipline of the information itself: how to decide what is sensitive, how much to hold, who may see it, by what channel it may travel, and how long it should be kept.

The thread running through this lesson is two of the three sides of the CIA triad you met in Lesson 01: confidentiality, meaning only the right people can see information, and integrity, meaning the information is accurate and has not been altered. Good data handling is mostly the daily practice of protecting those two things, by people who never touch a security tool. It rests on a few plain ideas: hold and share only what is needed, treat different information with the care it deserves, send it to the right people by the right channel, and let go of it when its job is done. None of this is technical wizardry. It is judgement and habit, and it is everyone's job.

This is the knowledge layer. The hands-on parts, configuring an encrypted bearer, sharing a file through the approved service, running a retention clear-out, or reporting a suspected disclosure, are practised and signed off in person where supervision allows. Here you learn the reasoning that makes those drills make sense, so that when you meet a situation no checklist covered you can still decide well. By the end you will be able to:

  • explain why information is a thing the Army protects and how the confidentiality and integrity sides of the CIA triad apply to handling it;
  • apply data minimisation to what you collect, hold, and pass on;
  • sort everyday information into a simple public, internal, or sensitive classification and handle each correctly;
  • share information with the right people, by the right channel, with sensitive material on an encrypted bearer;
  • apply communications discipline in line with SIG 220 so that sensitive detail never goes out in clear on an open bearer; and
  • keep information only as long as it is needed.

Key Terms

  • Data: any recorded information, from a single name and phone number to a register of nationals or a member's appointment record; the thing this lesson protects.
  • Confidentiality: the principle that information is seen only by the people entitled to see it; the side of the CIA triad most threatened by leaks, loose talk, and over-sharing.
  • Integrity: the principle that information stays accurate and complete and is not altered, by accident or on purpose, without authority; a corrupted record can be more dangerous than a lost one.
  • Data minimisation: collecting, holding, and sharing only the information actually needed for the task, and no more, because what you do not hold cannot be leaked or misused.
  • Data classification: sorting information by how sensitive it is, so that the level of care matches the level of risk; in this course, the simple three tiers public, internal, and sensitive.
  • Personal data: information that identifies a living person, such as a national's name, address, contact details, or circumstances; it deserves particular care because the harm of disclosure falls on a real person.
  • Sensitive information: the highest everyday tier; information whose disclosure or alteration could harm a person, the force, or its work, including nationals' personal data and members' identities.
  • Need to know: the rule that a person is given access to a piece of information only if their task genuinely requires it, regardless of their rank or clearance.
  • Bearer: the means by which a message or file travels, for example an app, an email, a radio net, a phone call, or a removable drive; bearers differ greatly in how well they protect what they carry.
  • Encryption: the scrambling of information so that only the intended recipient can read it; an encrypted bearer protects a message in transit even if someone intercepts it.
  • In clear: sent without encryption, readable by anyone who intercepts it; the opposite of encrypted.
  • Retention: the period for which information is deliberately kept; good practice keeps it only as long as the task or a lawful obligation requires, then disposes of it safely.

Why information is something we protect

It is easy to think of security as guarding things you can touch, and harder to feel the same way about a list of names in a file. Yet for a Principality that has no territory, information is the substance of the state. The register of the nationals it serves, the record of who holds which appointment, the identities of members who may not wish them widely known, the certificates and keys that let a person prove who they are: lose control of these and you have not lost an object, you have exposed people and weakened the force. A leaked list of nationals can put real people at risk of fraud or harassment. A member's identity in the wrong hands can endanger that member. A record quietly altered, so that the wrong person appears to hold an appointment, can do damage that no one notices until too late.

This is why two sides of the CIA triad carry most of the weight in data handling. Confidentiality is the promise that information is seen only by those entitled to see it; nearly every data-handling habit in this lesson exists to keep that promise. Integrity is the promise that information is accurate and unaltered; a corrupted record can mislead a decision in a way a merely lost one cannot. The third side, availability, that information is there when needed, is mostly the subject of the backup and continuity work in other lessons and in HCR 220. Here we concentrate on the first two, because they are the ones an ordinary member protects or breaks by the way they handle a file, a message, or a conversation. Protecting them is rarely about technology. It is about judgement: deciding what to collect, who should see it, how it should travel, and when to let it go. Those decisions are the body of this lesson.

Data minimisation: hold and share only what is needed

The simplest and most powerful data-handling habit is to hold less. Information you never collected cannot leak. Information you have already disposed of cannot be stolen. A field you left blank cannot be exposed. Data minimisation is the discipline of collecting, holding, and sharing only what the task in front of you genuinely needs, and it works at three moments.

The first moment is collection. Before you write something down or type it into a form, ask whether the task truly needs it. If you are recording that a national has been helped, you may need their name and a way to reach them; you very probably do not need their date of birth, their health details, or the names of their family. Every extra field is a small future liability that someone must protect, and most of them earn nothing. Collect the minimum that does the job.

The second moment is holding. Information already gathered should not be copied and scattered. Every spare copy on a personal device, in a downloads folder, in a chat thread, or on a memory stick is another place that can be lost or read by the wrong person. Keep information in the approved place, the system built to protect it, and resist the easy habit of pulling copies out to work on. The fewer copies exist, the fewer there are to go wrong.

The third moment is sharing. When you pass information on, send only the part the recipient needs. If a colleague needs to know that a national requires a follow-up visit, they may need the name and the address; they do not need the whole record. Trimming what you share is minimisation in motion, and it is the single most common place where well-meaning members over-expose data, by forwarding the entire thing because it was easier than extracting the relevant line.

   DATA MINIMISATION: THREE QUESTIONS, THREE MOMENTS

   COLLECTING  ->  "Does this task actually need this field?"
                   Leave out what earns nothing. A blank field
                   cannot leak.

   HOLDING     ->  "Is this the only copy, in the approved place?"
                   Kill spare copies. Each one is another thing
                   to protect.

   SHARING     ->  "Does the recipient need the whole thing,
                    or just one line?"
                   Send the part, not the file.

   The rule: what you do not hold cannot be lost,
             and what you do not send cannot be over-shared.

A simple data classification

Not all information carries the same risk, and treating everything as top secret is as unworkable as treating everything as public. The answer is classification: sorting information into a few tiers so that the care you take matches the harm a mistake would cause. A small force does not need an elaborate scheme. Three tiers are enough for everyday work.

Public information is material that is already meant for everyone, or that would do no harm if everyone saw it: a published notice, a public web page, a recruiting leaflet, the contents of a gazette. It still must be accurate (integrity matters even for public data), but it needs no protection of confidentiality, because disclosure is the point.

Internal information is the routine working material of the force that is not secret but is not for the public either: ordinary correspondence, draft documents, timings and locations for a routine activity, internal notices. Disclosure would be untidy and unprofessional rather than harmful. Internal information should stay within the force and travel by force channels, but it does not demand the strongest protections.

Sensitive information is the tier that needs real care, because its disclosure or alteration could harm a person, the force, or its work. This is where the personal data of nationals lives: names tied to circumstances, addresses, contact details, anything that could be used to find, defraud, or harm someone. It is also where the identities of members live, since a member may have good reason not to want their service widely known, and where keys, certificates, credentials, and security details belong. Sensitive information must travel only to the right people, by the right and encrypted channels, and must never be left in clear on an open bearer or in an unprotected copy.

When you are unsure which tier something belongs to, treat it as the higher one until you can check. The cost of over-protecting a piece of internal information is a little inconvenience; the cost of under-protecting a piece of sensitive information is a person harmed. The table below sets out the handling rule for each tier.

   THREE TIERS AND THEIR HANDLING RULES

   TIER       EXAMPLES                       HANDLING RULE
   --------   ---------------------------    -----------------------------
   PUBLIC     published notices, web         No confidentiality needed.
              pages, recruiting material     Keep it ACCURATE (integrity
                                             still matters). Share freely.

   INTERNAL   routine correspondence,        Keep within the force, by
              drafts, ordinary timings       force channels. Do not post
              and internal notices           publicly. Modest care.

   SENSITIVE  nationals' personal data,      Right people only (need to
              members' identities, keys,     know). Encrypted bearer only.
              certificates, credentials      Never in clear on an open
                                             bearer. No stray copies.

   When in doubt, handle it as the HIGHER tier until you can check.

A word on labelling. In a system built for the job, the classification is often set for you: the register that holds nationals' data is sensitive by design, and your task is to respect it rather than to assign it. Where you do create something new, pause and place it in one of these three tiers in your own mind before you decide how to send or store it. That half-second of judgement is the whole of classification for an ordinary member.

Sharing safely: the right people, the right channel

Sharing is where most everyday data accidents happen, because it is so easy and so quick. Two questions govern safe sharing, and they must both be answered before anything leaves your hands: the right people and the right channel.

The right people is the rule of need to know in action. A person is entitled to a piece of information because their task requires it, not because of their rank and not because they asked. Before you send, picture the actual recipients. Is each one a person who needs this for a task? Are you sure of the address or the account, and not a near-identical name your software helpfully suggested? Sending sensitive information to the wrong person is one of the commonest disclosures there is: a mistyped address, a reply-all that swept in people who should not be there, a forward to a friendly colleague who had no need to know. Slow down, name the recipients to yourself, and confirm them.

The right channel is the rule that the bearer must match the sensitivity of what it carries. Public information can go almost anywhere. Internal information should travel by force channels. Sensitive information may go only by a channel that protects it, which in practice means an encrypted bearer: the approved messaging or file-sharing service, an encrypted link, a secure system access, rather than an ordinary email, a personal chat app, or a memory stick passed hand to hand. The test is simple: if someone intercepted this in transit, could they read it? For sensitive material the answer must be no, and that means encryption.

These two questions combine into a single flow you can run in your head before any share. The diagram below lays it out.

   THE SHARING FLOW: BEFORE ANYTHING LEAVES YOUR HANDS

      What am I sharing?
            |
            v
      Which tier is it?  -- PUBLIC ----> share freely; keep it accurate
            |
            |-- INTERNAL --> RIGHT PEOPLE? (in the force, need it)
            |                       |  yes
            |                       v
            |                RIGHT CHANNEL? (force channel) -> send
            |
            +-- SENSITIVE -> RIGHT PEOPLE? (need to know, address confirmed)
                                    |  yes
                                    v
                             RIGHT CHANNEL? (ENCRYPTED bearer only)
                                    |  yes
                                    v
                             Send ONLY the part they need (minimise)

      If you cannot answer "yes" to right people AND right channel,
      do NOT send. Stop and check.

The flow has a deliberate dead end. If you cannot confidently answer yes to both questions, the correct action is not to send. A delayed message costs minutes; a misdirected sensitive one cannot be recalled.
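The sharing flow above, combined with the higher-tier default from the classification section, written as a pre-send check. This is an added example, not part of the original lesson or of any Army system; the field names, bearer names, recipient identifier, sample records, and the choice to judge the tier on the fields that would actually leave are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum


class Tier(IntEnum):
    PUBLIC = 1
    INTERNAL = 2
    SENSITIVE = 3


# Constructed field-to-tier map for a hypothetical welfare list.
FIELD_TIERS = {
    "gazette_notice": Tier.PUBLIC,
    "visit_due": Tier.INTERNAL,
    "name": Tier.SENSITIVE,
    "address": Tier.SENSITIVE,
    "situation_notes": Tier.SENSITIVE,
}

# Constructed bearer names: (force channel?, encrypted and approved?).
BEARERS = {
    "approved_encrypted_share": (True, True),
    "force_email": (True, False),
    "personal_chat_app": (False, False),
    "open_phone_line": (False, False),
}

# Constructed sample records; no real person is described.
RECORDS = [
    {"name": "National A", "address": "1 Sample Street",
     "visit_due": True, "situation_notes": "constructed note A"},
    {"name": "National B", "address": "2 Sample Street",
     "visit_due": False, "situation_notes": "constructed note B"},
]


@dataclass
class Decision:
    send: bool
    tier: Tier
    reason: str
    payload: list


def classify(fields):
    """Highest tier among the fields; an unlisted field counts as SENSITIVE
    (when in doubt, handle it as the higher tier)."""
    return max((FIELD_TIERS.get(f, Tier.SENSITIVE) for f in fields),
               default=Tier.PUBLIC)


def sharing_flow(records, fields_needed, recipient, confirmed_need, bearer):
    """Tier, right people, right channel, then send only the needed part."""
    # Assumption: the tier is judged on the fields that would actually leave.
    tier = classify(fields_needed)
    payload = [{f: r[f] for f in fields_needed if f in r} for r in records]
    if tier == Tier.PUBLIC:
        return Decision(True, tier, "public: share freely", payload)
    # Right people: an exact match against the confirmed need-to-know set,
    # so a near-identical suggested address does not pass.
    if recipient not in confirmed_need:
        return Decision(False, tier, "right people not confirmed", [])
    # Right channel: an unknown bearer is treated as open (fail closed).
    force_channel, encrypted = BEARERS.get(bearer, (False, False))
    if tier == Tier.SENSITIVE and not encrypted:
        return Decision(False, tier, "sensitive needs an encrypted bearer", [])
    if tier == Tier.INTERNAL and not force_channel:
        return Decision(False, tier, "internal needs a force channel", [])
    return Decision(True, tier, "right people and right channel", payload)


if __name__ == "__main__":
    need = {"followups.section"}
    wanted = ["name", "address", "visit_due"]
    for bearer in ("approved_encrypted_share", "personal_chat_app"):
        d = sharing_flow(RECORDS, wanted, "followups.section", need, bearer)
        print(bearer, "->", d.send, d.reason, d.payload)
```

Every refusal returns an empty payload, which mirrors the flow's dead end: when either question cannot be answered yes, nothing leaves.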

Safe messaging and the tie to SIG 220

Everything above applies with special force to messaging and communications, which is the meeting point of this course with SIG 220 · Communications Security and Digital Discipline. The two courses share one principle: a message is only as safe as the bearer it travels on, and the bearer is rarely as private as it feels.

The first habit is to encrypt where it is lawful and available. When you have an encrypted messaging service or file-sharing channel for sensitive material, use it, and do not fall back to an ordinary email or a personal app because it was nearer to hand. Encryption is what lets you send sensitive information at all; without it, sensitive material has no safe channel.

The second habit is discipline where encryption is not available. There will be times, on an open bearer such as an ordinary phone call, a plain radio net, or an unprotected message, when you cannot encrypt. The rule then is the oldest in signals security and the heart of SIG 220: never put sensitive detail in clear on an open bearer. You may still communicate, but you keep the content innocuous. You do not read out a national's name and address over an open channel; you do not announce a member's identity in clear; you do not discuss anything sensitive where it could be intercepted and understood. If the detail is sensitive and the bearer cannot protect it, the detail waits for a bearer that can, or it goes by a means agreed in advance that does not give the substance away. Encrypt where you can; where you cannot, say less.

The third habit is care with the small things that leak almost invisibly: a sensitive document attached to a message that then gets forwarded onward, a group chat that quietly grows to include people who should not see what is posted there, a screenshot of a record shared to make a point, a voice note left on a personal phone. Each is a confidentiality breach waiting to happen, and each is avoided by the same pause: which tier is this, who can see this bearer, and should this be here at all.

   THE BEARER TEST  (the SIG 220 rule, in one picture)

   You have something to say or send.
            |
            v
   Is the content SENSITIVE?
        |  no                         |  yes
        v                             v
   Ordinary channels fine        Is the bearer ENCRYPTED and approved?
   (still keep it tidy)              |  yes                |  no (open)
                                     v                     v
                              Send it, to the         Do NOT put the detail
                              right people, the       in clear. Keep the
                              part they need          message innocuous;
                                                      send the substance by
                                                      an encrypted bearer
                                                      instead.

   ENCRYPT where lawful and available.
   Where you cannot, exercise DISCIPLINE: say less.
   Sensitive detail NEVER goes in clear on an open bearer.

Protecting the privacy of nationals and members

Behind every record is a person, and the deepest reason for all of this is the duty of care the Army owes to the people whose information it holds. The nationals the force serves have entrusted it with their details, often at a difficult moment, and that trust is a real obligation. A national's personal data, their name tied to a circumstance, their address, their need, must be handled as something borrowed and precious, used only for the task it was given for, seen only by those who must see it, and never turned into gossip, a story to tell, or a screenshot to share. The harm of a leak here is not abstract; it falls on a real person who relied on the force.

The identities of members deserve the same protection, and sometimes more. A member may have sound personal, professional, or safety reasons for not wanting their service in the Army widely known. Their identity, their role, and their association with the force are sensitive information, to be shared on a need-to-know basis and never broadcast, posted, or mentioned in clear on an open bearer. Respecting a comrade's privacy is part of looking after them.

This duty also shapes how you talk, not only how you type. Loose conversation in a public place, a name dropped where it can be overheard, a record discussed within earshot of someone with no need to know, all breach confidentiality just as surely as a leaked file. The same discipline that governs your bearers should govern your voice. The privacy of nationals and members is not a compliance box; it is part of the trust the force depends on, and every member is its keeper.

Keeping data only as long as it is needed

Information has a working life, and when that life is over the safest thing to do with it is to dispose of it properly. Retention is the discipline of keeping information only as long as the task or a lawful obligation requires, and then no longer. This matters for the same reason minimisation matters: data you no longer hold cannot be leaked, stolen, or misused, and a record kept past its purpose is pure liability, all risk and no remaining value.

In practice this means a few simple habits. Working copies, the file you downloaded to do a job, the note you made along the way, the message thread that carried a sensitive detail, should be cleared away once the job is done, not left to accumulate on a device or in a folder. Information held in the approved system is governed by whatever retention the force has set for that kind of record; your part is to respect those rules rather than to keep private duplicates that outlive them. And disposal must be real: deleting a sensitive file means removing it properly, not just dragging it to a recycle bin where it sits recoverable, and disposing of a device or a drive means having its contents securely wiped, a step that links straight to the device-security teaching of Lesson 04.

There is a balance to strike, and it is not always in the direction of deletion. Some records must be kept, for continuity, for accountability, or because an obligation requires it, and deleting those would itself be a failure of integrity and availability. The judgement is not delete everything but keep deliberately: hold what there is a reason to hold, in the place built to protect it, for as long as the reason lasts, and let go of the rest safely. When you are unsure whether something must be retained, ask before you delete, just as you would treat an uncertain classification as the higher tier.

In Practice: A Systems Assistant Handles a Welfare List

Private Adeyemi, a systems assistant supporting a welfare activity, is asked by a colleague in another section to "send over the list of the people we helped last week so we can plan the follow-ups." It would take ten seconds to forward the whole record, and the colleague is a trusted comrade, but Adeyemi stops and runs the lesson in his head. He classifies the list first: it holds nationals' names tied to their circumstances and addresses, so it is sensitive personal data, the highest everyday tier. He applies minimisation: the colleague is planning follow-up visits, so they need names and addresses and the fact that a visit is due, but they do not need the notes on each person's situation, so Adeyemi extracts only the columns that the task requires rather than sending the lot.

Then he runs the sharing flow. Right people: the colleague does have a genuine need, and Adeyemi confirms the account carefully rather than trusting the name his software suggested. Right channel: this is sensitive, so an ordinary email or the personal chat app the colleague mentioned will not do; he sends the trimmed list through the approved encrypted file-sharing service instead. When the colleague later asks a quick question about one national by phone, on an open line, Adeyemi keeps to the SIG 220 rule and does not read the name and address aloud; he confirms only that the person on the list is the one being discussed and arranges to settle the detail over the encrypted channel. Once the follow-ups are planned and the working copy has done its job, he clears the extract from his device rather than leaving it to linger, applying retention. Nothing he did was technical, and none of it took long. It was judgement, exercised four times, that kept the confidentiality and integrity of real people's information intact.

Check Your Understanding

  1. Explain data minimisation and describe how it applies at the three moments of collecting, holding, and sharing information. Why is "what you do not hold cannot be lost" a useful way to think about data security, and where do well-meaning members most often over-expose data when sharing?
  2. Set out the three classification tiers used in this lesson, with an example of each and the handling rule for each, and explain where nationals' personal data and members' identities belong and why. When you are unsure which tier something is, what should you do, and why?
  3. State the two questions you must answer before sharing anything, and explain the rule that links them to the SIG 220 communications-security principle. What is the rule for sensitive detail on an open bearer that cannot be encrypted, and how do confidentiality and integrity, two sides of the CIA triad, sit behind all of this?

Reflection (write a short paragraph): This lesson argues that protecting information is mostly judgement and habit rather than technology, and that behind every record is a real person who trusted the force with their details. Think about the information you are likely to handle as a member, whether a national's personal data or a comrade's identity. Which one habit from this lesson, minimising what you collect, classifying before you send, confirming the right people and the right channel, holding the SIG 220 line on an open bearer, or clearing data when its job is done, do you most want to make automatic, and why might that habit matter most for the people whose trust the force depends on?

Summary

  • For a non-territorial Principality, information is the substance of the state, and handling it well is mostly about protecting two sides of the CIA triad: confidentiality, that only the right people see it, and integrity, that it stays accurate and unaltered. These are protected or broken by the everyday way a member handles a file, a message, or a conversation.
  • Data minimisation is the most powerful habit: collect only the fields the task needs, hold the fewest copies in the approved place, and share only the part the recipient needs. What you do not hold cannot be lost, and what you do not send cannot be over-shared.
  • A simple three-tier classification, public, internal, and sensitive, lets the care you take match the risk. Public data needs accuracy but no confidentiality; internal data stays within force channels; sensitive data, including nationals' personal data, members' identities, and keys and credentials, goes only to the right people by an encrypted bearer. When unsure, handle it as the higher tier.
  • Safe sharing turns on two questions answered before anything leaves your hands: the right people (need to know, address confirmed) and the right channel (an encrypted bearer for sensitive material). If you cannot answer yes to both, do not send.
  • Safe messaging follows the SIG 220 rule: encrypt where it is lawful and available, exercise discipline where it is not, and never put sensitive detail in clear on an open bearer. Guard the small leaks too: forwarded attachments, growing group chats, screenshots, and loose talk.
  • The privacy of nationals and members is a duty of care, not a compliance box; personal data is borrowed and precious, and a member's identity is theirs to keep private. Retention completes the cycle: keep information only as long as the task or an obligation requires, dispose of it properly, but keep deliberately what there is a reason to keep.
  • This lesson is the natural partner of SIG 220 · Communications Security and Digital Discipline, draws on the access and identity work of CIS 220, supports the records discipline of PME 210 · Basic Staff Duties and Written Orders and the continuity work of HCR 220 · Emergency Preparedness and Civil Resilience, and leads on to Lesson 10: Spotting and Reporting Trouble. Throughout, the framework rule holds: access follows appointment, not qualification.

Crown Copyright © 2026 | Published by Authority of H.R.H. The Prince of Kaharagia

Lesson 5 · Knowledge Check

Question 1 of 3

Which habit is described as the most powerful in handling data?