7 Security governance for international sharing

Purpose

This policy details protections for valuable information and assets under international sharing agreements or arrangements to which Australia is a party.

These international agreements or arrangements also help to safeguard Australian information and assets when shared with foreign partners.

Legislative provisions on international sharing

Communicating, or making available, classified information with another country or foreign organisation could be considered espionage under the Criminal Code.

However, specific legislative provisions [1] authorise entities to share information internationally under arrangements made or directions given by the relevant minister.

Requirements

Core requirement

Each entity must adhere to any provisions concerning the security of people, information and assets contained in international agreements and arrangements to which Australia is a party.

Supporting requirements

Supporting requirements for security governance for international sharing

Requirement 1. Sharing information with a foreign entity

  1. When an entity shares sensitive or security classified Australian Government information or assets with a foreign entity there must be an explicit legislative provision, an international agreement or an international arrangement in place for its protection.
  2. The following limitations apply, even when an international agreement or international arrangement is in place:
      1. entities must not share Australian Government information bearing the Australian Eyes Only (AUSTEO) caveat with a person who is not an Australian citizen
      2. entities, other than the Australian Signals Directorate (ASD), Australian Security Intelligence Organisation (ASIO), Australian Secret Intelligence Service (ASIS), Department of Defence, and Office of National Assessments, must not share Australian Government information bearing the Australian Government Access Only (AGAO) caveat with a person who is not an Australian citizen.

Requirement 2. Safeguarding foreign information

Where an international agreement or international arrangement is in place, entities must safeguard sensitive or security classified foreign entity information or assets in accordance with the provisions set out in the agreement or arrangement.

A foreign entity includes a foreign government and foreign contractors (meaning any individual or legal entity entering into or bound by a classified contract and includes subcontractors).

Guidance

International security agreements and arrangements

Australia has international treaty-level agreements, or less-than-treaty-status arrangements, that provide for equivalent international protection of Australian Government security classified information or assets (some also cover protection of sensitive unclassified information):

  1. An international agreement constitutes a treaty and is binding under international law.
  2. An international arrangement has less-than-treaty status, such as a Memorandum of Understanding, and does not create legal rights or obligations. Arrangements do, however, create commitments that are politically and morally binding.

The Australian Government takes, wherever possible, a whole-of-government approach to international information sharing agreements. This builds consistency across government and is preferable to entity-to-entity-level agreements and arrangements. Existing whole-of-government international agreements for the security of information and assets exist between Australia and the following:

  1. European Union (EU)
  2. Japan
  3. Republic of France
  4. United States of America (US).

Australia also has agreements or arrangements with each of Australia's Five Eyes partners (US, United Kingdom, New Zealand and Canada). [2] These partners share similar security cultures and structures and the agreements or arrangements are based on high levels of trust and longstanding relationships and practices.

Some Australian entities, such as the Department of Defence, have specific entity-to-entity-level treaties that enable classified information sharing and provide certain protections. [3] Other entities have arrangements that provide similar entity-to-entity-level assurances and protections (including for ad hoc or one-off sharing). These arrangements can vary in format and substance, for example letters of assurance.

  1. It is important that entities have appropriate written arrangements in place that adhere to whole-of-government requirements and established classification alignment.

Key provisions in international security agreements and arrangements

International agreements or arrangements covering protective security matters commonly include provisions relating to:

  1. marking of sensitive and security classified information and assets
  2. protection of sensitive and security classified information and assets, including how they are handled and transferred
  3. access to and disclosure of sensitive and security classified information and assets, including personnel security clearance requirements and recognition
  4. responding to breaches or security violations
  5. undertaking security inspections and visits.

Many international agreements and arrangements include provisions for classified contracts. Before an entity engages a foreign contractor on a classified contract it is important that an international agreement or arrangement is in place if the contract involves sharing classified information or assets.

Where Australia engages foreign industry on a classified contract, under General Security Agreements the foreign government is generally responsible for administering security requirements (such as providing facility and personnel security clearances) and for ensuring the security conduct of contractors within its territory.

Key governance roles in international sharing

The Attorney-General's Department establishes whole-of-government priorities for international agreements and arrangements. As the National Security Authority for the Australian Government, it is responsible for general oversight and administration of international General Security Agreements. This includes determining the policy for protecting and sharing sensitive or classified information and assets.

Some agreements give particular Australian Government entities (referred to as Competent Security Authorities) responsibility for administering international agreements or arrangements in specific fields. For example, the Department of Defence is a Competent Security Authority for defence matters.

Entities wanting to negotiate a treaty, or an instrument of less than treaty status, including treaties or instruments that involve national security issues, must be aware of their obligations under the Legal Services Directions 2017. The Directions tie certain categories of legal work to specified providers unless approval to use a non-tied provider is obtained. In particular, legal advice preparatory to, or in the course of, treaty negotiations (which includes negotiation of instruments of less than treaty status) must be sought from the Office of International Law in the Attorney-General's Department, the Australian Government Solicitor or the Department of Foreign Affairs and Trade (as required under the Directions), unless approval is otherwise obtained.

Entities establishing new agreements and arrangements are encouraged to contact the Protective Security Policy section at the Attorney-General's Department (PSPF@ag.gov.au) to discuss their information sharing requirements. This consultation process establishes consistent protections for security classified information (such as equivalent classifications) and identifies whole-of-government policy issues. [4]

Sharing information and assets without an agreement or arrangement

Sharing information internationally under an explicit legislative provision

The security and protection of information is crucial, even where explicit legislative provisions authorise certain entities to share information internationally.

The Attorney-General's Department recommends that entities sharing information internationally under a legislative provision take appropriate measures to protect that information. If it is not viable to establish an international agreement or arrangement, it is recommended that entities include appropriate handling instructions on all information to be shared or, alternatively, use ad hoc sharing arrangements (see Other sharing).

Other sharing

Requirement 1 prevents sharing of security classified Australian Government resources with a foreign entity unless explicit legislative provisions, international agreements or arrangements for protection of classified information and assets are in place.

  1. This requirement ensures appropriate mutual arrangements for the protection of information have been considered and agreed. Risk-based approaches to ad hoc or one-off sharing of classified information can be through arrangements such as a letter of assurance or using temporary access provisions under the PSPF policy: Access to information. The Attorney-General's Department recommends that ad hoc arrangements are:
    1. documented
    2. for a limited time period
    3. for a specific purpose, project or activity.
  2. In all other circumstances, sharing classified information with a foreign national or international entity may be in breach of Requirement 1. For guidance on investigating, responding to and reporting on security breaches, see Breaches or security violations involving foreign entity assets and information and the PSPF policy: Management structure and responsibilities.

Where foreign entity information or assets are received, but are not covered by an international agreement or arrangement, the Attorney-General's Department recommends applying an Australian Government security classification. Application of an Australian security classification is based on an assessment of the value and sensitivity of the information asset in accordance with the PSPF policy: Sensitive and classified information. The Attorney-General's Department also recommends applying the following protections:

  1. ensuring individuals who access foreign entity information hold a security clearance at the appropriate level
  2. limiting access to the foreign entity information or assets to individuals with a need to know
  3. protecting the foreign entity information or assets from unauthorised access
  4. transmitting the information by secure means
  5. seeking approval from the originating government before releasing their information to any other foreign government or foreign entity.

Identifying sensitive and classified information and assets from foreign entities

Classifications reflect each government's assessment of the possible harm to the national interest, organisations or individuals that could be caused by the unauthorised disclosure or compromise of classified information or assets and indicate the level of protection required. Where equivalent classifications between foreign and Australian Government information or assets are established, international agreements or arrangements require entities to stamp, mark or otherwise designate the foreign information with the corresponding Australian security classification.

For guidance on marking sensitive and classified information, see the PSPF policy: Sensitive and classified information.

Table 1 Australian Government information and asset classification equivalencies:

In addition to the security classification, the Attorney-General's Department recommends marking foreign entity information and assets with the caveat RELEASABLE TO. This identifies the source of information or asset and restricts release to certain nationalities.

For guidance on how to mark information with a caveat, see the PSPF policy: Sensitive and classified information.

Handling protections for sensitive and classified information and assets from foreign entities

International agreements or arrangements require entities to handle foreign entity information and assets using the safeguards protecting equivalent Australian Government information or assets.

The Attorney-General's Department recommends entities review the relevant international agreement or arrangement to identify additional obligations or protections that may differ from the PSPF core requirements.

It may be an offence under the Crimes Act 1914 or Criminal Code to share information with a foreign person or entity inappropriately. Sound record keeping that demonstrates the appropriateness of information sharing is recommended. The Attorney-General's Department suggests entities implement processes for sharing Australian Government security classified information with a foreign entity or person that include:

  1. obtaining appropriate authorisation prior to sharing information (approval at the Senior Executive Service level is recommended)
  2. making the purpose of the information sharing clear
  3. keeping a record of the information transfer
  4. maintaining a register, where appropriate, of all security classified Australian Government information shared, even if a register is not prescribed in the agreement or arrangement (recording the date of sharing, the recipient of the information, a description and the classification of the information shared, and the reason for sharing is recommended).

For guidance on handling and operational requirements for sensitive and classified information, see the PSPF policy: Sensitive and classified information.

Security clearances for access to, release and disclosure of foreign entity information and assets

The PSPF policy: Access to information requires that access to sensitive or classified information is restricted to those who have appropriate security clearances and need to know that information. This security clearance requirement applies to foreign entity information. Access is based on the security clearance required for the corresponding Australian Government security classification:

  1. The General Security Agreement with France expressly provides for mutual recognition of each country's security clearances for access to classified information. This enables flexibility when engaging outside formalised processes with French Government personnel and contractors who deal with sensitive or classified information. This also opens up industry engagement between France and Australia across government sectors. An official government visit is not required for clearance recognition to be arranged. Authorised vetting agencies, such as the Australian Government Security Vetting Agency, provide specific advice on arrangements for verifying a clearance with the foreign authority.
  2. Entities may recognise clearances issued by Five Eyes country governments (US, United Kingdom, New Zealand and Canada) and consequently issue corresponding Australian clearances for specific operational purposes.
  3. Other international agreements and arrangements do not expressly provide for mutual recognition of clearances. Instead, they include provisions outlining the personnel security clearance vetting each party is required to apply. Recognising a foreign clearance is only possible as part of an official government visit by the other party. Authorised vetting agencies, such as the Australian Government Security Vetting Agency, can provide specific advice on vetting foreign nationals or on verifying a clearance with the foreign authority.

Under the PSPF policy: Access to information, the Attorney-General's Department recommends obtaining originator agreement for third party access to classified information. In line with this, international agreements or arrangements commonly require written approval from the originator (the foreign government) for release of classified information to any other third-party government or foreign entity. If these provisions are not included in an agreement, the Attorney-General's Department recommends written approval from the originating foreign government before releasing information to any other foreign government or foreign national.

The release of classified foreign government information under the Freedom of Information Act 1983 (FOI Act) is not required. Under section 33(b) of the FOI Act, any information of a foreign government communicated in confidence to the Australian Government is an 'exempt document'. However, classified or sensitive foreign government information is not exempt from legal processes. The Attorney-General's Department recommends that entities involved in legal processes where foreign government information is, or is likely to be, relevant:

  1. seek legal advice on issues of relevance, disclosure and protection (including claims of public interest immunity)
  2. seek foreign government permission to disclose the information, noting that disclosure may still be required under Australia's domestic legal proceedings even if permission is not obtained.

For guidance on access to sensitive and security classified information, see the PSPF policy: Access to information.

Breaches or security violations involving foreign entity assets and information

Under the PSPF policy: Management structure and responsibilities, Chief Security Officers (or appropriate security advisor delegates) investigate, respond to and report on security incidents:

  1. Sharing classified Australian information and assets inappropriately with a foreign national or international entity without the protection of an agreement or arrangement may be in breach or violation of Requirement 1 and may be an offence under the Crimes Act 1914 or Criminal Code. Ensuring all instances of international information sharing without agreement or arrangement are reported to the entity Chief Security Officer (or appropriate security advisor delegate) will assist security incident investigations.
  2. Failing to safeguard sensitive or security classified foreign entity information or assets covered by an international agreement or arrangement may be in breach or violation of Requirement 2. Security breaches or violation incidents can involve the actual (or suspected) compromise of foreign entity classified information or assets. The Attorney-General's Department recommends entities report security incidents to the originating foreign government as soon as they are able.

International agreements or arrangements may impose additional reporting and security violation handling requirements beyond those detailed in the PSPF.

Foreign access to information caveated 'Australian Eyes Only' is a security incident

The Australian Eyes Only (AUSTEO) caveat denotes Australian Government information that is restricted to Australian citizens exclusively. This includes Australian citizens who also hold other nationalities, such as dual nationals. Requirement 1 information sharing limitations are that information bearing the AUSTEO caveat cannot be shared with a person who is not an Australian citizen, even when an international agreement or arrangement is in place. As such, foreign access to AUSTEO caveated information is a security incident requiring Chief Security Officer (or appropriate security advisor delegate) investigation, response and reporting.

The Australian Government Access Only (AGAO) caveat denotes information that is restricted to Australian officers or representatives of foreign governments from Five Eyes countries who are on exchange, long-term posting or attachment to the Australian Government. For entities outside the Australian Signals Directorate, ASIO, Australian Security Intelligence Service, Department of Defence and Office of National Assessments, information caveated AGAO is considered to be also caveated AUSTEO. As such, foreign access to caveated information is a security incident.

Foreign personnel conducting security assessment visits

Some international agreements or arrangements allow security assessment visits where foreign personnel access secure areas or facilities. The purpose of these visits is to assure foreign governments of the suitability and implementation of security procedures and the protection of areas or facilities where their information is stored and handled.

International agreements and arrangements commonly require that security assessment visits have prior written approval from the Attorney-General's Department or a Competent Security Authority. Visits will only be approved for foreign government personnel who have a valid level of Australian or foreign government security clearance for access to the foreign government information in the facility.

Find out more

The Australian Treaties Database provides further details of international agreements to which Australia is a party, including entity and subject-specific agreements. However, not all international arrangements are publicly available. In such cases, entity security advisors may be able to assist in determining if there is a relevant international arrangement in place.

[1] For example, section 19 of the Australian Security Intelligence Organisation Act 1979 allows for cooperation with authorities of other countries approved by the minister as being capable of assisting in the performance of ASIO's functions.

[2] In some cases, these are at an entity-to-entity level and are less formal arrangements, such as letters of assurance.

[3] The Department of Defence has agreements with Canada, Denmark, New Zealand, Singapore, South Africa and Sweden for reciprocal protection of classified information.

[4] For example, when negotiating an international agreement on information sharing with a foreign government that has the death penalty.