An official training service of the State of the Kaharagians
CIS 220 Identity, Access, and Records Security
Lesson 5 of 10

Records and Data Security

Lesson Overview

A Principality held together by information lives or dies by the quality and the safety of its records. The registers of nationals, their identities and personal data above all, are the most sensitive thing the state holds. They are also the thing an attacker, a careless operator, or a curious bystander is most likely to reach for. The earlier lessons in this course guarded the doors: who may sign in, what a role may do, how keys and secrets are protected. This lesson guards what lies behind the doors, the data itself, so that even a person who gets close cannot read, alter, copy, or quietly keep what they have no lawful reason to touch.

Records security is not one control but a layered discipline. You decide how sensitive each kind of data is and handle it accordingly. You encrypt it where it is stored and while it moves, and you limit who may read it. You keep it only as long as the state has a lawful need, then you dispose of it safely. And over all of it you apply the data-protection principles that exist to defend the privacy of nationals: that data is handled lawfully and fairly, only for the stated purpose, kept to the minimum needed, kept accurate, kept no longer than necessary, and kept secure. These principles are not bureaucracy. They are how a small force earns and keeps the trust of the people whose lives are written into its registers.

This is the knowledge layer. Reading it teaches you the method and the language, but it does not by itself grant you access to any register, and it is not the same as doing the work. Hands-on practice, classifying a real data set, confirming that a register is encrypted at rest, running a safe-disposal step, or working a retention review, is done and signed off in person where supervision allows, on systems and records you are appointed to handle. By the end you will be able to explain why a state's records and its nationals' personal data are highly sensitive; classify data into public, internal, and sensitive and handle each tier correctly; describe and justify encryption at rest as well as in transit and the control of who may read data; apply retention and safe disposal so data is kept only as long as there is a lawful need; and apply the six data-protection principles to a real register to protect nationals' privacy by default.

Key Terms

  • Record / register: an authoritative store of information the state relies on. A register is a structured, official list (for example a register of nationals, of identity documents, or of honours); the records are the entries within it.
  • Personal data: any information that relates to an identified or identifiable person, a national. Names, dates of birth, document numbers, photographs, addresses, and account identifiers are all personal data.
  • Special-category data: personal data that is especially sensitive (for example health, biometric identifiers, or anything that could expose a person to harm). It deserves the strongest handling.
  • Data classification: sorting data into levels by sensitivity (here: public, internal, sensitive) so that handling rules can be applied consistently.
  • Encryption at rest: scrambling data while it is stored on a disk, in a database, or in a backup, so that stolen storage reveals nothing usable without the key.
  • Encryption in transit: scrambling data while it moves across a network, so that it cannot be read or altered on the way.
  • Data minimisation: collecting and keeping only the data actually needed for the task, and no more.
  • Retention: the period for which data is kept. Storage limitation is the principle that data is kept no longer than there is a lawful need.
  • Safe disposal: destroying or irreversibly erasing data so it cannot be recovered, when its retention period ends.
  • Data controller: the body that decides why and how personal data is processed, and is accountable for it. For state registers this is the responsible Organ of State, not the individual operator.
  • Privacy by default: the practice of choosing the most protective handling automatically, so a national's privacy is protected unless there is a specific, lawful reason to do otherwise.

Why a State's Records Are Highly Sensitive

The Principality is non-territorial and digitally organised. It has no border post and no filing cabinet in a guarded building; what it has is data. A national's identity, their nationality, their documents, and their standing all exist as records in self-hosted services. That makes those records the real substance of the state, and it makes them a concentrated target. One compromised register can expose thousands of people at once, in a way no single stolen wallet ever could.

The harm from a records breach is not abstract. Leaked personal data enables impersonation and fraud, lets an outsider build a picture of who the nationals are, and can expose individuals to real-world risk. Altered records are worse still: if an entry is silently changed, the state may act on a falsehood, and the integrity that the whole system depends on is broken. And unlike a leaked password, which can be changed, a person's date of birth or identity-document history cannot be reissued. Personal data, once exposed, stays exposed.

There is also a duty owed to the people themselves. Nationals hand their information to the state on the understanding that it will be guarded and used only for proper purposes. That trust is the foundation of a digital state's legitimacy. Protecting records is therefore not only a security task; it is a promise being kept. Treat every register as if the person it describes were standing beside you, because in effect they are.

Classifying Data and Handling Each Tier

You cannot apply the same care to everything, and you should not try to. A published statement and a register of identity documents need very different handling. Classification is the act of sorting data into a small number of levels by sensitivity, so that the right handling follows automatically and consistently rather than by guesswork. A small force needs only a simple, three-level scheme.

Public data is information that is already meant for anyone: published notices, public guidance, the public face of the state. The risk if it leaks is low, because it was never secret. Internal data is working information that is not secret but is not for outsiders either: routine operational notes, internal contact lists, draft documents. Its exposure is awkward and unprofessional rather than dangerous. Sensitive data is the personal data of nationals, the registers, keys and secrets, and anything whose exposure could harm a person or the state. This tier carries the strongest controls, and almost everything in CIS 220 lives here.

The point of a label is the handling that comes with it. A classification with no consequences is decoration. The table below sets out what each tier means in practice, so that the same decision is made the same way every time.

DATA CLASSIFICATION AND HANDLING (CIS 220)
+-------------+---------------------------+--------------------------+-----------------------------+
| Tier        | Examples                  | Who may read it          | Handling rules              |
+-------------+---------------------------+--------------------------+-----------------------------+
| PUBLIC      | Published notices,        | Anyone                   | No special storage. Still   |
|             | public guidance,          |                          | protect integrity (no       |
|             | the public site           |                          | unauthorised edits).        |
+-------------+---------------------------+--------------------------+-----------------------------+
| INTERNAL    | Working notes, internal   | Members of the force,    | Behind sign-in. Not shared  |
|             | contact lists, drafts,    | by role                  | outside. Encrypt in         |
|             | operational planning      |                          | transit. Least access.      |
+-------------+---------------------------+--------------------------+-----------------------------+
| SENSITIVE   | Registers of nationals,   | Only those appointed to  | Encrypt at rest AND in      |
|             | identity documents,       | that register, on a      | transit. Strict need to     |
|             | personal data, keys,      | strict need-to-know      | know. Access logged.        |
|             | secrets, special-         | basis                    | Retention + safe disposal.  |
|             | category data             |                          | MFA-gated. Never on chat.   |
+-------------+---------------------------+--------------------------+-----------------------------+

Two practical rules keep classification honest. First, classify at the point of creation: decide the tier when the data is made, not after a leak forces the question. Second, when unsure, classify up: if you cannot tell whether something is internal or sensitive, treat it as sensitive until someone with authority says otherwise. Over-protecting a draft costs a little friction. Under-protecting a register costs the state its credibility.
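The scheme above, expressed as a check a register owner could run before loading any data. This is an added example, not part of the course material: it classifies a register by the highest tier of any field it holds, treats an unrecognised field as sensitive (classify up), compares the tier's required handling against the controls actually in place, and flags fields the stated purpose does not need (the data-minimisation test applied later in the lesson). The field catalogue and the control names are assumptions constructed for illustration.

```python
# Added example for this lesson, not part of the course material.
# Field catalogue, control names and register configuration are constructed.

TIERS = ("public", "internal", "sensitive")  # ordered least to most sensitive

# Constructed catalogue: the tier each kind of field belongs to.
FIELD_TIER = {
    "notice_text": "public",
    "publication_date": "public",
    "working_note": "internal",
    "internal_contact": "internal",
    "full_name": "sensitive",
    "document_number": "sensitive",
    "date_of_birth": "sensitive",
    "biometric_hash": "sensitive",
    "api_key": "sensitive",
}

# Controls each tier requires, following the lesson's handling table.
# The control names are assumed labels, not any product's settings.
REQUIRED_HANDLING = {
    "public": set(),
    "internal": {"behind_signin", "encrypt_in_transit", "least_access"},
    "sensitive": {
        "behind_signin", "encrypt_in_transit", "least_access",
        "encrypt_at_rest", "access_logged", "mfa_gated", "retention_set",
    },
}


def classify(fields):
    """Tier of a register: the highest tier of any field it holds.

    A field missing from the catalogue counts as sensitive, which is the
    lesson's 'when unsure, classify up' rule.
    """
    highest = "public"
    for name in fields:
        tier = FIELD_TIER.get(name, "sensitive")
        if TIERS.index(tier) > TIERS.index(highest):
            highest = tier
    return highest


def handling_gaps(fields, controls_in_place):
    """Return (tier, missing controls); an empty list means compliant."""
    tier = classify(fields)
    return tier, sorted(REQUIRED_HANDLING[tier] - set(controls_in_place))


def surplus_fields(fields, purpose_fields):
    """Data-minimisation check: fields the stated purpose does not need."""
    return sorted(set(fields) - set(purpose_fields))


if __name__ == "__main__":
    # Constructed register: personal data behind sign-in and TLS with reads
    # logged, but not encrypted at rest, not MFA-gated, no retention set.
    fields = ["full_name", "document_number", "contact_email"]
    controls = ["behind_signin", "encrypt_in_transit", "least_access",
                "access_logged"]
    print(handling_gaps(fields, controls))
    # ('sensitive', ['encrypt_at_rest', 'mfa_gated', 'retention_set'])
    print(surplus_fields(fields + ["notes", "date_of_birth"], fields))
```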

Encrypting Data and Controlling Who May Read It

Encryption is how data stays safe even when other controls fail. It comes in two settings, and you need both. In transit means the data is encrypted while it travels across a network, so that no one between sender and receiver can read or tamper with it; in practice this is the everyday work of TLS, the protected channel behind a service that loads correctly. At rest means the data is encrypted while it sits in storage, on a disk, in a database, or inside a backup file, so that if the storage itself is stolen or copied, the contents are useless without the key.

For a state's registers, encryption at rest is the one people forget, and it is exactly the one that matters most. A register protected only in transit is wide open the moment someone gets a copy of the disk or the backup. Sensitive data, the nationals' registers above all, must be encrypted at rest as a matter of course, and so must the backups of that data, because a backup is just another copy of the same secrets. The keys that perform the encryption are themselves sensitive secrets: they are stored in the vault, never beside the data they protect, and they are rotated and revoked under the rules you learned in Lesson 04.

Encryption protects data from those with no key. Access control decides who holds a key and who may read the plain data at all, and it is the partner of encryption, not a replacement. Everything from earlier in this course applies directly here: least privilege and need to know, so an operator sees only the records the task requires; role-based access, so reading a register is granted by appointment to that register and not handed out individually; and logging, so that every read and change to sensitive data leaves a trail that can be reviewed. Encryption and access control work together: encryption defends the data if the boundary is breached, and access control keeps the boundary small in the first place.

Retention and Safe Disposal

Data you no longer need is not a harmless leftover; it is a liability that can still leak. The discipline of retention answers a single question for every kind of record: how long does the state have a lawful need to keep this, and what happens when that need ends. Keeping personal data "just in case", forever, is not caution. It is an unnecessary store of risk and a breach of the storage-limitation principle.

Set a retention period for each category of data, driven by lawful need rather than convenience. Some records must be kept for a defined period because law or proper administration requires it. Others should go as soon as the task that justified them is finished. The exact periods are set by the responsible Organ of State, not by an individual operator; your job is to know that a period exists, to honour it, and never to quietly keep a copy beyond it.

When the period ends, dispose of the data safely, which means irreversibly. Deleting a file or emptying a recycle bin is not safe disposal; the data is often still recoverable, and it still sits in backups. Safe disposal means secure erasure or destruction of every copy, including backups and any working extracts, so the data cannot be reconstructed. Disposal is also a logged, deliberate act, carried out under authority, never an off-hand decision by whoever happens to hold the file. The principle to remember: the safest personal data is the data you no longer hold, because it cannot be breached, but it must be removed by design, not abandoned.
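The retention review and safe-disposal rules above, as an added example that is not part of the course material. It finds records whose retention period has run out, refuses to dispose of anything without a named authorising officer, erases every known copy (live store, backups, working extracts) writing one log entry per copy, and treats a record as disposed only when no copy remains. The records, copy locations, review date and 90-day period are constructed for illustration.

```python
# Added example for this lesson, not part of the course material.
# Records, copy locations, retention period and dates are constructed.
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional, Set

@dataclass
class Record:
    national_id: str
    enrolment_ended: Optional[date]  # None while enrolment is still active
    # Every place the data exists: live store, backups, working extracts.
    copies: Set[str] = field(default_factory=set)

def due_for_disposal(records, retention, today):
    """Records whose lawful retention period has run out as of `today`."""
    return [r for r in records
            if r.enrolment_ended is not None
            and r.enrolment_ended + retention <= today]

def safely_disposed(record):
    """Safe disposal means no copy remains: live, backup or working extract."""
    return not record.copies

def dispose(record, authorised_by, log):
    """Erase every copy of a record under named authority, logging each one.

    Refuses to run without an authorising officer: disposal is a deliberate
    act under authority, not a decision by whoever happens to hold the file.
    """
    if not authorised_by:
        raise PermissionError("disposal requires a named authorising officer")
    for location in sorted(record.copies):
        # A real system would secure-erase this copy or destroy its key;
        # the example only drops it from the set of known copies.
        log.append((record.national_id, location, authorised_by))
    record.copies.clear()
    return safely_disposed(record)

def retention_review(records, retention, today, authorised_by, log):
    """Dispose of every record that is due and return the ids disposed of."""
    return [r.national_id
            for r in due_for_disposal(records, retention, today)
            if dispose(r, authorised_by, log)]

def demo_register():
    """Constructed sample: one active enrolment, one expired, one recent."""
    return [
        Record("N-0001", None, {"live", "backup/nightly"}),
        Record("N-0002", date(2026, 1, 15),
               {"live", "backup/nightly", "extract/enrolment-report.csv"}),
        Record("N-0003", date(2026, 5, 1), {"live", "backup/nightly"}),
    ]

REVIEW_DATE = date(2026, 6, 1)  # constructed review date
RETENTION = timedelta(days=90)  # constructed period set by the responsible officer

if __name__ == "__main__":
    log = []
    print(retention_review(demo_register(), RETENTION, REVIEW_DATE,
                           "Responsible Officer", log))  # ['N-0002']
```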

The Data-Protection Principles Applied to a Register

The handling above is held together by six principles for personal data. They exist for one purpose: to protect the privacy of nationals by default. Learn them as a checklist you can run over any register you are appointed to.

  • Lawfulness and fairness: there is a proper, lawful basis for holding the data, and nationals are not misled about how it is used.
  • Purpose limitation: data collected for one stated purpose is used only for that purpose, not quietly repurposed.
  • Data minimisation: you collect and keep only what the purpose actually needs, and no more.
  • Accuracy: data is kept correct and up to date, and errors are corrected, because the state acts on what the record says.
  • Storage limitation: data is kept only as long as there is a lawful need, then disposed of safely (the retention discipline above).
  • Security: data is protected against unauthorised access, loss, or alteration, by classification, encryption, access control, and logging.

The figure below runs these six principles across a single example, a register of national identity records, to show what each one demands in practice. This is the form of reasoning to apply to any register before you touch it.

DATA-PROTECTION PRINCIPLES APPLIED TO A REGISTER OF NATIONAL IDENTITY RECORDS
+------------------------+------------------------------------------------------------+
| Principle              | Applied to this register                                   |
+------------------------+------------------------------------------------------------+
| Lawfulness & fairness  | Held under the state's lawful authority to maintain the    |
|                        | register; nationals know it exists and why.                |
+------------------------+------------------------------------------------------------+
| Purpose limitation     | Used to identify and serve nationals. NOT mined for        |
|                        | unrelated profiling or shared for other ends.              |
+------------------------+------------------------------------------------------------+
| Data minimisation      | Holds the fields the purpose needs. No "nice to have"      |
|                        | extra personal detail collected just in case.              |
+------------------------+------------------------------------------------------------+
| Accuracy               | Corrections are applied promptly; errors are not left to   |
|                        | propagate into documents and decisions.                    |
+------------------------+------------------------------------------------------------+
| Storage limitation     | Each record kept only while the lawful need lasts, then    |
|                        | safely disposed of; no indefinite "forever" retention.     |
+------------------------+------------------------------------------------------------+
| Security               | SENSITIVE tier: encrypted at rest and in transit, strict   |
|                        | need-to-know, MFA-gated, every access logged and reviewed. |
+------------------------+------------------------------------------------------------+
| Accountability runs across all six: the responsible Organ of State (the data        |
| controller) can show, on the record, that each principle is being met.              |
+-------------------------------------------------------------------------------------+

Privacy by default ties the principles together in conduct. When you are unsure how to handle a national's data, the protective choice is the right one: collect less, show less, keep less, and lock it down more. The burden is always on a clear, lawful reason to do otherwise, never on the national to defend their own privacy.

In Practice: Standing Up a New Register

Corporal Aren of the Information Systems and Cyber Security speciality is appointed to help bring a small new register online for an Organ of State: a list of nationals enrolled in a particular service. The appointment, not the certificate, is what gives Aren the right to touch it, and the appointment is specific to this register.

Aren starts with classification. The register holds names, document numbers, and contact details of nationals, so it is plainly sensitive, and Aren handles it on that tier from the first entry. Before any data is loaded, Aren confirms two things: that the database is encrypted at rest, and that the service is reached only over an encrypted-in-transit channel that loads correctly. The encryption keys live in the vault, not on the same disk as the data.

Next, Aren applies minimisation. The draft schema included a free-text "notes" field and a date-of-birth column that the service does not actually use. Aren queries the purpose with the responsible officer, and both surplus fields are dropped before launch: data not collected cannot be breached. Access is granted by role to the handful of operators appointed to this register, on a need-to-know basis and behind MFA, and read access is logged. Aren also records the retention period the officer sets, so that when a national's enrolment ends, their record is disposed of safely rather than left to accumulate, and notes that disposal will be a logged, authorised act.

Aren writes none of this down on a chat channel and copies no extract to a personal device. The register is handled where it lives, under the appointment, on the sensitive tier. When the work is signed off in person, the supervising operator checks the same list Aren used: classified, encrypted at rest and in transit, minimised, access by role with logging, retention set. That checklist is the lesson made real.

Check Your Understanding

  1. A register of nationals is served over an encrypted-in-transit (TLS) connection, but its database is not encrypted at rest. An attacker obtains a copy of last night's backup file. What protection has failed, and why does encryption in transit not help here?
  2. You are asked to add a "comments" free-text field and a "spare" date-of-birth column to a sensitive register "in case they are useful later". Which data-protection principle should make you push back, and what should you do instead?
  3. A national's enrolment has ended and their record has reached the end of its retention period. Explain why deleting the file from the live system is not enough, and what safe disposal actually requires.

Reflection (write a short paragraph):

Think about the registers and personal data your future appointment might let you touch, and about a national whose details sit inside one of them. Which of the six data-protection principles do you think is easiest to neglect in day-to-day work, and what habit could you build now so that you protect that person's privacy by default rather than by exception?

Summary

  • A digital state's records, and the personal data of nationals above all, are its most sensitive asset: concentrated, hard to undo once exposed, and held on a trust the state must keep.
  • Classify data into public, internal, and sensitive, handle each tier by its rules, classify at the point of creation, and classify up when unsure.
  • Encrypt at rest as well as in transit. At rest is the one people forget and the one that defends a stolen disk or backup. Protect the keys in the vault, separate from the data.
  • Control who may read data with least privilege, need to know, role-based access, and logging, working alongside encryption rather than instead of it.
  • Retention and safe disposal: keep data only as long as there is a lawful need, then dispose of it irreversibly, including backups, as a logged and authorised act.
  • Run the six data-protection principles (lawfulness and fairness, purpose limitation, data minimisation, accuracy, storage limitation, security) over any register, and default to privacy.
  • Access here, as everywhere in CIS 220, follows appointment, not qualification, and is revoked when the appointment ends.
  • Related study: Lesson 04 (Protecting Credentials, Keys, and Secrets) for the keys that encrypt these records; Lesson 10 (Audit, Review, and Accountability) for logging and reviewing access to them; CIS 310 for incident response and continuity when a register is at risk; SIG 220 for the same disciplined mindset in communications; and PME 210 for the custody of records and written orders.

Crown Copyright © 2026 | Published by Authority of H.R.H. The Prince of Kaharagia
