NATO nations or NATO bodies with whom data are shared, act as custodians of the data, and shall comply with the requirements and legal restrictions of the owner for the sharing and use of the data. Data stewards will support the custodians in enabling and ensuring compliance to stated requirements.
Unless otherwise specified by the information owner, data shared with NATO in NATO-led operations and exercises will be protected and handled in accordance with NATO agreed security, legal, and regulatory frameworks.
Data can be categorized as either national or NATO data, as indicated in the information owner and originator metadata that accompanies the data. The information owner and originator will facilitate proper handling by providing the appropriate originator, ownership, and confidentiality security policy metadata values, as well as any special handling rules. iv) In order to facilitate the digital management of data, the information owner will ensure that data is accompanied with complete and high quality metadata, as specified in the Data Management Policy (Reference J), Metadata Management Principles, and supporting directives or implementation guidance, to enable protection, handling, and management of the data throughout its full lifecycle. To ensure traceability and auditability, the following additional guidance should be followed:
(1) Certain original metadata of the data shall be preserved throughout its lifecycle. Specifically, the Originator metadata should be specified and should become protected fields that do not change throughout the data/information lifecycle.
(2) Ownership should be specified, and could change, but only in accordance with provided transfer of ownership rules (Reference G).
(3) Confidentiality metadata values could change, but only with the permission of the information owner or in accordance to the specified handling rules. When these values do change, alternative metadata fields should be used if the original confidentiality metadata values have also to be maintained, to enable proper processing, such as to enable protected sharing through technical firewalls or information exchange gateways.
(4) The confidentiality “security policy” metadata should not be used in place of the originator and ownership metadata.
(5) If applicable, transfer of ownership rules and metadata changes should be stored electronically with the data/information.