Australian Government - Attorney-General's Department

Protective Security Policy Framework

Skip breadcrumbHome » Information » Access to information

9 Access to information

Purpose

The policy details security protections supporting entities' provision of timely, reliable and appropriate access to official information. Providing access to information helps develop new products and services, can enhance consumer and business outcomes and assists with decision-making and policy development.

Access to government information does not need to be limited for security purposes, except in select circumstances as identified in the requirements (primarily when sharing sensitive or classified information, or disclosing information outside government).

Requirements

Core requirement

Each entity must enable appropriate access to official information. This includes:

  1. sharing information within the entity, as well as with other relevant stakeholders
  2. ensuring that those who access sensitive or security classified information have an appropriate security clearance and need to know that information
  3. controlling access to supporting ICT systems, networks (including remote access), infrastructure and applications.

Supporting requirements

Supporting requirements for access to information
# Supporting requirements

Requirement 1.
Formalised agreements for sharing information and resources

When disclosing sensitive or security classified information or resources to a person or organisation outside of government, entities must have in place an agreement or arrangement, such as a contract or deed, governing how the information is used and protected.

Requirement 2.
Limiting access to sensitive and classified information and resources

To reduce the risk of unauthorised disclosure, entities must ensure access to sensitive and security classified information or resources is only provided to people with an operational need-to-know.

Requirement 3.
Ongoing access to sensitive or classified information and resources

  1. Entities must ensure that people requiring ongoing access to sensitive or security classified information or resources are security cleared to the appropriate level:
  2.  

     

     

     

    Sensitive information

    Security classified information

     

    UNOFFICIAL

    OFFICIAL

     

    PROTECTED

    SECRET

    TOP SECRET

     

     

     

    OFFICIAL: Sensitive

     

     

     

    Personnel security clearance for ongoing access

    Not applicable.
    Security clearance not required.

    Employment screening is sufficient, security clearance not required.

    Employment screening is sufficient, security clearance not required.

    Baseline security clearance or above.

    Negative Vetting 1 security clearance or above.

    Negative Vetting 2 security clearance or above.

    Note i Some Australian office holders are not required to hold a security clearance.

  3. In addition, entities must ensure that people requiring access to caveated information meet all clearance and suitability requirements imposed by the originator and caveat owner.

Note iiAccess to caveated material that involves a codeword requires a briefing and may require a Negative Vetting 1, Negative Vetting 2 level or Positive Vetting level security clearance as well as other additional requirements. For guidance, see the PSPF policy: Sensitive and classified information and supporting Security Caveats Guidelines.

Requirement 4.
Temporary access to classified information and resources

Entities may provide a person with temporary access to security classified information or resources on the basis of a risk assessment for each case. In such cases, entities must:

  1. limit the duration of access to security classified information or resources:
    1. to the period in which an application for a security clearance is being processed for the particular person
    2. up to a maximum of three months in a 12-month period
  2. conduct recommended employment screening checks (see the PSPF policy: Eligibility and suitability of personnel)
  3. supervise all temporary access
  4. for TOP SECRET information, ensure the person has an existing Negative Vetting 1 security clearance
  5. deny temporary access to caveated information (other than in exceptional circumstances, and only with approval of the caveat owner).

Requirement 5.
Managing access to information systems

To manage access to information systems holding sensitive or security classified information, entities must:

  1. apply the Australian Government Recordkeeping Metadata Standard properties:
    1. for security classified information, apply the 'Security Classification' property (and where relevant, the 'Security Caveat' property)
    2. for OFFICIAL: Sensitive information, apply the 'Dissemination Limiting Marker' property
    3. where an entity wishes to categorise information content by the type of restrictions on access, apply the 'Rights' property
  2. implement unique user identification, authentication and authorisation practices on each occasion where system access is granted.

Back to top

Guidance

Sharing information in the entity and with external stakeholders

Access to, and use of, government information is necessary for an entity's operational processes and productivity. However, risks may arise from poor or outdated collection, storage and management practices.1

 

Legislative provisions on access to information

Commonwealth legislation, common law and policy regulate the disclosure of sensitive information. This includes relevant secrecy provisions, privacy law and legal professional privilege that restrict information access in some cases.2

It may be an offence under the Crimes Act 1914 or Criminal Code to share or disclose information inappropriately. In addition, under some legislation, it may be necessary to limit sharing of information depending on the purpose for which it was collected. Some government policy and legislation may also require agreement or consent to disclose information (eg sharing sensitive personal information covered by Australian Privacy Principles3).

 

Risks may arise when information is shared outside of government. This is because PSPF information handling and protection requirements apply only to government unless included in an agreement, such as a contract or deed. Even where these instruments exist, there may be limited avenues for recourse in the event of a security incident.

Requirement 1 mandates that written agreements, such as contracts or deeds, are in place to protect sensitive or classified information disclosed to non-government stakeholders.4 This includes external parties accessing, processing, communicating or managing information assets, or adding products, services or functions to government information systems.

Agreements for information disclosure provide assurance that external stakeholders understand the obligations to protect government information. The Attorney-General's Department recommends the use of legally binding deeds of agreement (or other agreements) to protect government information disclosed externally especially where that information is sensitive or classified. For guidance, see the PSPF policy: Security governance for contracted goods and service providers.

Regular monitoring of security controls, service definitions and delivery levels that are included in deeds or contract agreements assist the implementation of PSPF protections. This can include regular reviews and audits of services, reports and records.

Limiting access to sensitive and classified information to those who need to know

The need-to-know principle applies to all sensitive and classified information. It reflects the need for personnel to access this information only where there is an operational requirement to do so. The practice helps personnel understand their responsibility to protect information, including the correct methods for storage, handling and dissemination.

Requirement 2 mandates that access to, and dissemination of, sensitive and security classified information is limited to personnel who need the resources to do their work. This involves:

  1. providing access to information only to personnel who need that access; not based on convenience or because of their status, position, rank or level of authorised access
  2. a positive obligation to share relevant information so that people with an operational need-to-know the information have access.

Personnel security clearances for access to classified information

Access to sensitive and security classified information necessitates a high level of assurance of a person's integrity. This is due to the potential harm associated with compromise of that information.

In addition to having a need-to-know (as per Requirement 2), Requirement 3 limits access to security classified information to those with the necessary security clearance.

Minimum security clearance levels for access to each information classification level are detailed in Table 1.

Table 1 Minimum security clearance levels for ongoing access to information

 

 

 

Sensitive information

Security classified information Note i

 

UNOFFICAL

OFFICIAL

 

PROTECTED

SECRET

TOP SECRET

 

 

 

OFFICIAL: Sensitive

 

 

 

Personnel security clearance for ongoing access

Not applicable.

Not applicable. Employment screening is sufficient, security clearance not required.

Not applicable. Employment screening is sufficient, security clearance not required.

Baseline security clearance or above.

Negative Vetting 1 security clearance or above.

Negative Vetting 2 security clearance or above.

Table 1 notes
i Access to caveated material that involves a codeword requires a briefing and may require a Negative Vetting 1, Negative Vetting 2 level or Positive Vetting level security clearance as well as other additional requirements. For guidance, see the PSPF policy: Sensitive and classified information and supporting Security Caveats Guidelines.

Back to top

Some Australian office holders are not required to hold a security clearance to access security classified information while exercising the duties of the office (however, staff of these office holders are not exempt from security clearance requirements). Australian office holders who do not need a security clearance are:

  1. members and senators of the Commonwealth, state parliaments and territory legislative assemblies
  2. judges of the High Court of Australia, the Supreme Court, Family Court of Australia, the Federal Circuit Court of Australia, and magistrates
  3. royal commissioners
  4. the Governor-General, state governors, Northern Territory administrator
  5. members of the Executive Council
  6. appointed office holders with enabling legislation that gives the same privileges as the office holders already identified eg members of the Administrative Appeals Tribunal.

For information regarding personnel security clearance assessments, see the PSPF policy: Eligibility and suitability of personnel.

Access to caveated information

Stringent protections apply to caveated information. Requirement 3 mandates that people requiring access to caveated information meet all clearance and suitability requirements imposed by the originator and caveat owner.

Table 11 in the PSPF policy: Sensitive and classified information provides guidance on commonly used caveats. Of particular note, the three releasability caveats – Australian Eyes Only (AUSTEO), Australian Government Access Only (AGAO) and Releasable to (REL) – limit access to information based on citizenship.

  1. The PSPF policy: Security governance for international sharing generally requires an agreement or arrangement to be in place for a foreign national to access sensitive or classified information
  2. Supporting requirements in the PSPF policy: Security governance for international sharing limit foreign access to sensitive and security classified information even when an international agreement or arrangement is in place:
    1. Entities must not share information bearing the AUSTEO caveat with a person who is not an Australian citizen, (dual citizenship does not preclude access).5
    2. Entities, other than ASD, ASIO, ASIS, the Department of Defence and ONA, must not share information bearing the AGAO caveat with a person who is not an Australian citizen.

Handling and protection requirements for caveated information are not all publicly available. The Sensitive Material Security Management Protocol (SMSMP) sets out the protection and handling requirements for caveated information. The SMSMP is available to entity security advisors.

Temporary access to classified resources

Temporary (rather than ongoing access) to classified information may be required in some limited circumstance. Temporary access may be provided up to and including SECRET level information. This can be achieved without a security clearance after the risks of doing so have been assessed. Temporary access to security classified material includes:

  1. short-term access, where the person does not hold a clearance at the appropriate level (but has a valid need-to-know and requires access to relevant information) and the risks can be mitigated. This may include, but is not limited to:
    1. new starters
    2. people on short-term projects
    3. people who are reasonably expected to have only incidental or accidental contact with security classified material (eg security guards, cleaners, external IT personnel, researchers and visitors such as children who do not have an ability to comprehend the classified information)6
  2. provisional access, where the person has commenced a clearance process by providing the relevant details for assessment by a vetting agency. The type of temporary access can be changed from short-term to provisional once the vetting agency has confirmed that the completed security clearance pack has been received and advises the entity that no initial concerns have been identified.

Requirement 4 mandates the following minimum protections to safeguard classified resources that are accessed on a temporary basis:

  1. entities must limit the duration of access to security classified information as follows:
    1. for short-term access – a maximum of three months in a 12-month period
    2. for provisional access – until a security clearance is granted or denied
  2. entities must supervise all temporary access. Examples include:
    1. escorting visitors in premises where classified information is being stored or used
    2. management oversight of the work of personnel who have the temporary access
    3. monitoring or audit logging incidents of contact with security classified material7 (eg contract conditions that require service providers to report when any of their contractors have had contact with classified information).
  3. entities must ensure that personnel have an existing Negative Vetting 1 security clearance for short-term or provisional access to TOP SECRET information. In exceptional circumstances, short-term or provisional access to caveated information may be granted by the originator and caveat owner. Approval of the caveat owner is based on assessed risk and granted on a case-by-case basis. For further information see Access to caveated information.

Requirement 4 mandates that entities conduct a risk assessment to determine whether to allow temporary access to classified information. The Attorney-General's Department recommends the assessment include:

  1. the need for temporary access, including if the role can be performed by a person who already holds the necessary clearance
  2. confirmation from the authorised vetting agency that the person has no identified security concerns, or a clearance that has been cancelled or denied
  3. the quantum and classification level of information that could be accessed, and the potential business impact if this information was compromised
  4. how access to classified information will be supervised, including how access to caveat or compartmented information will be prevented
  5. other risk mitigating factors such as pre-engagement screening, entity specific character checks, knowledge of personal history, or having an existing or previous security clearance.

Where an entity intends to grant temporary access to classified information from another entity or third party, the Attorney-General's Department recommends consulting the other entity or party, where appropriate, and obtaining agreement for temporary access to their classified information.

The Attorney-General's Department considers there is merit in obtaining an undertaking (eg through a confidentiality or non-disclosure agreement) from the person to protect official information.

Back to top

Information access controls

Having well structured, robust ICT systems provides access for personnel to undertake their work. It also protects information, technology and intellectual property.

Access to networks, operating systems, applications and sensitive or classified information that is processed, stored or communicated is controlled through:

  1. a clear understanding of the information held on such systems
  2. effective user identification and authentication practices.

For guidance on ICT system development, see the PSPF policy: Robust ICT systems.

Categorising information as an access control management tool

Metadata describes, among other things, key security characteristics of information.

The National Archives of Australia produces the Australian Government Recordkeeping Metadata Standard to provide standardised metadata terms and definitions for consistency across government. The minimum metadata set is a practical application of the standard that identifies the metadata properties essential for agency management and use of business information.

The metadata properties are used to describe access to information. From an information security perspective, there are three metadata properties of importance:

  1. the 'security classification' property identifies the security classification of the information and is used to identify information that is restricted to users with appropriate security clearance permissions. Requirement 5 mandates application of this property for all classified information
  2. the 'security caveat' (in addition to a security classification property) is a warning that, where relevant, security classified information requires additional special handling and that only people cleared and briefed to see it may have access. Security caveats are additional to security classifications. Requirement 5 mandates application of this property for classified information where relevant
  3. the 'rights' property:
    1. can be used to identify information that is limited, other than for security reasons, to a defined audience only. For example, this may include restrictions on use of information protected under the Privacy Act 1988 or under legal professional privilege
    2. provides a standard set of terms to describe types of sensitivity ensuring common understanding and consistency across systems and government entities. The National Archives of Australia identifies a subset of rights property terms for common usage as information management markers to categorise information.
Table 2 Categorising information as an access control management tool – information management markers Note i
Information
management marker

Definition

Legal privilege

Restrictions on access to, or use of, information covered by legal professional privilege.

Legislative secrecy

Restrictions on access to, or use of, information covered by legislative secrecy provisions.

Personal privacy

Restrictions, under the Privacy Act 1988, on access to, or use of, personal information collected for business purposes. The Act defines personal information as 'information or an opinion about an identified individual, or an individual who is reasonable identifiable'. 'Sensitive information' under the Act includes personal information about an individual's:

  1. racial or ethnic origin
  2. political opinions
  3. membership of a political organisation
  4. religious beliefs or affiliations
  5. philosophical beliefs
  6. membership of a professional or trade organisation or trade union
  7. sexual orientation or practices
  8. criminal record
  9. health or genetic information
  10. certain defined biometric information.
Table 2 notes
i The PSPF Policy: Sensitive and classified information provides guidance on identifying sensitive and security classified information with a protective marking. The order of precedence or hierarchy for protective markings is: classification, foreign government information markings (if any), caveats or other special handling instructions (if any) then optional information management markers (if any).

Back to top

The Attorney-General's Department encourages use of the Australian Government Recordkeeping Metadata Standards to describe official information where relevant.

User identification, authentication and authorisation practices

User identification and authentication

Entities are encouraged to establish a formal user registration and de-registration procedure for granting and revoking access; this helps entities have confidence about who is accessing their information. The Attorney-General's Department recommends entities regularly review user access rights; this provides confidence that users can only access the sensitive or security classified information they have been specifically authorised to use.

Having uniquely identifiable users helps to ensure accountability. Authenticating the identity of users on each occasion that system access is granted helps provide assurance that information is being accessed appropriately. Entities can authenticate access by various methods including:

  1. passphrases or passwords
  2. biometrics
  3. cryptographic tokens
  4. smart cards.

Entities may reduce the risk of user accounts being compromised by:

  1. using multi-factor authentication (two or more authentication methods) where users provide something they know, like a passphrase; something they have, like a physical token; and/or something they are, like biometric data
  2. increasing the complexity of single authentication methods (such as passphrases or passwords) by increasing the minimum password length and using a mix of alphanumeric and special characters.

Systems and network managers normally need increased administrative access rights to perform their jobs. This implies a high degree of trust and stringent controls to balance the need for privileged access to systems and networks against risks to these peoples' trustworthiness and competence.

The Attorney-General's Department recommends using multi-factor authentication to assure the identity of a higher-risk user. This includes system administrators, database administrators, privileged users (and other similar positions of trust) as well as remote access users. Strengthened personnel and physical security controls for privileged access can also be beneficial.

For guidance, see the PSPF policy: Safeguarding information from cyber threats (in particular, the supporting requirement, Restricting administrative privileges). Technical guidance is available in the Information Security Manual.

Authorising access to ICT systems

Sound authorisation measures allow entities to effectively control access to their information, ICT systems, networks (including remote access), infrastructure and applications. The Attorney-General's Department recommends that entities implement measures to manage authorised access to systems holding its sensitive and classified information as detailed in Table 3.

Back to top

Table 3 Recommended access authorisation measures
User access management Note i Authorised network access Note ii Authorised operating system access Note iii Application and information access Mobile computing and communications Note iv

Ensure that systems for managing passwords are interactive and require users to follow good security practices in the selection and use of passwords or passphrases.

Consider the use of automatic equipment identification as a means to authenticate connections from specific locations and equipment.

Control access to operating systems through a secure log-on procedure.

Afford sensitive systems a dedicated (isolated) computing environment, in accordance with entity risk assessment.

Adopt security measures to protect against the risks of using mobile computing and communications facilities.

 

Control physical and logical access to diagnostic and configuration ports.

Restrict and tightly control the use of utility programs that may be capable of overriding system and application controls.

 

 

 

Restrict the ability of users to connect to shared networks, including those that extend across entity boundaries.

Display restricted access and authorised use only (or equivalent) warnings upon access to all entity ICT systems, and shut down inactive sessions after a defined period of inactivity.

 

 

 

Segregate groups of information services, users and information systems, based on an entity risk assessment.

Consider restricting connection times to provide additional security for high risk applications.

 

 

 

Implement routing controls for networks to ensure computer connections and information flows do not breach other relevant access management measures.

 

 

 

Table 3 notes
i The Information Security Manual provides details on user access management, including on passphrase management.
ii See the Information Security Manual for controls on network segmentation and guidance on authorised network access.
iii Further guidance on authorised operating system access control is available in the Information Security Manual.
iv See the Information Security Manual for guidance on working offsite using mobile computing and communications.


Back to top

Find out more

Other legislation and policies:

  1. Australian Signals Directorate Information Security Manual
  2. Office of the Australian Information Commissioner Guide to securing personal information for Australian Government entities covered by the Privacy Act 1988
  3. ACSI 53 – Communications Security Handbook (Rules and Procedures for Agency Comsec Officer and Custodian). Available to Comsec officers via ASD.

Further guidance and support is available in the Australian Standard AS/NZS ISO/IEC 27002 Information technology – Security techniques – Code of practice for information security management.

Back to top


1 Refer to the 2017 Productivity Commission Inquiry Report for Data Availability and Use.

2 Australian Law Reform Commission Report 112, Secrecy Laws and Open Government in Australia, identified 506 secrecy provisions in 176 pieces of legislation, including 358 distinct criminal offences.

3 See the OAIC Guide to securing personal information for entities covered by the Privacy Act regarding access controls to protect personal information.

4This requirement for agreements with non-government stakeholders broadly aligns with related provisions under s95B of the Privacy Act that mandates entities take contractual measures to ensure that a contracted service provider does not do an act, or engage in a practice, that would breach an Australian Privacy Principle.

5 To facilitate information sharing if needed for business purposes, the originator can, on a case-by-case basis, reconsider application of the AUSTEO caveat to its information and, if warranted, apply a different caveat or classification to that information (eg the REL caveat). For guidance on reclassifying information, see the PSPF policy: Sensitive and classified information.

6 The Attorney-General's Department considers this to be children aged under 10 years.

7 Monitoring and audit logging (and related audit trails) are key measures to control access to ICT systems and the information held on those systems. Further information about developing and maintaining robust ICT systems is included under the PSPF policy: Robust ICT systems.

​​

<<< Sensitive and classified information

Safeguarding information from cyber threats >>>

​​​​​​​​​​