Australian Government - Attorney-General's Department

Protective Security Policy Framework

Skip breadcrumbHome » Information » Sensitive and classified information

8 Sensitive and classified information

Purpose

This policy details how entities correctly classify their information and adopt handling arrangements that guard against information compromise (as defined in Table 1).

Information is a valuable resource. Protecting the confidentiality, integrity and availability of information is critical to business operations:

  1. Confidentiality refers to the limiting of access to information to authorised persons for approved purposes.
  2. Integrity of information refers to the assurance that information has been created, amended or deleted only by the intended authorised means and is correct and valid.
  3. Availability of information refers to allowing authorised persons to access information for authorised purposes at the time they need to do so.

Requirements

Core requirement

Each entity must:

  1. identify information asset holdings
  2. assess the sensitivity and security classification of information asset holdings
  3. implement operational controls for these assets proportional to their value, importance and sensitivity.

Supporting requirements

Supporting requirements help an originator (the Australian Government entity that initially generated the information) to maintain the confidentiality, integrity and availability of official information.

 

Supporting requirements for sensitive and classified information

#

Supporting requirements

Requirement 1.
Identifying information assets

The originator must determine whether information being generated is intended for use as an official record and whether that information is sensitive or security classified.

Requirement 2.
Assessing sensitive and security classified information

  1. To decide which security classification to apply, the originator must:
    1. assess the value, importance or sensitivity of official information by considering the potential damage to the national interest, organisations or individuals, that would arise if the information's confidentiality was compromised (refer to the following table)
    2. set the security classification at the lowest reasonable level.
  2.  The originator must assess the information as OFFICIAL: Sensitive if:
    1. a security classification does not apply
    2. compromise of the information's confidentiality may result in limited damage to an individual, organisation or government generally.

 

 

 

Sensitive information

Security classified information

 

UNOFFICIAL

OFFICIAL

 

PROTECTED

SECRET

TOP SECRET

 

 

 

OFFICIAL: Sensitive

 

 

 

Compromise of information confidentiality would be expected to cause →

No business impact

1 Low business impact

2 Low to medium business impact

3 High business impact

4 Extreme business impact

5 Catastrophic business impact

Not applicable.
This information does not form part of official duty.

Not applicable.
This is the majority of routine information created or processed by the public sector.

Limited damage to an individual, organisation or government generally if compromised.

Damage to the national interest, organisations or individuals.

Serious damage to the national interest, organisations or individuals.

Exceptionally grave damage to the national interest, organisations or individuals.

Requirement 3.
Marking information

The originator must clearly identify sensitive and security classified information, including emails, using applicable protective markings by:

  1. using text-based protective markings to mark sensitive and security classified information (and associated metadata), unless impractical for operational reasons
  2. if text-based protective markings cannot be used, colour-based protective markings
  3. if text or colour-based protective markings cannot be used (eg verbal information), entities must document a marking scheme and train personnel appropriately.

Requirement 4.
Declassification

The originator must remain responsible for controlling the sanitisation, reclassification or declassification of the information. An entity must not remove or change information's classification without the originator's approval.

Requirement 5.
Transfer

Entities must ensure sensitive and security classified information is transferred and transmitted by means that deter and detect compromise.

Requirement 6.
Storage

Entities must ensure sensitive and security classified information is stored securely in an appropriate security container for the approved zone.

Requirement 7.
Disposal

Entities must ensure sensitive and security classified information is disposed of securely. This includes ensuring sensitive and classified information is appropriately destroyed when it has passed minimum retention requirements or reaches authorised destruction dates.

Requirement 8.
Caveats and accountable material
  1. Caveats must be marked as text and only appear in conjunction with a security classification.
  2. Entities must ensure that accountable material:
    1. has page and reference numbering
    2. is handled in accordance with any special handling requirements imposed by the originator and caveat owner
    3. has an auditable record of all incoming and outgoing material, transfer, copy or movements.

Back to top

Guidance

Identifying official information

Official information is all information created, sent and received as part of work of the Australian Government. This information is an official record and it provides evidence of what an entity has done and why.

Official information can be collected, processed, stored and transmitted in many forms including electronic, physical and verbal (eg conversations and presentations).

The National Archives of Australia Australian Government Information Management Standard notes that business information is a valuable asset. It contributes to good government through supporting efficient business, informing decision-making, demonstrating government accountability and transparency, mitigating risks, adding economic value and protecting rights and entitlements.

All official information requires an appropriate degree of protection as information and assets are subject to intentional and accidental threats. In addition, related processes, systems, networks and people have inherent vulnerabilities. A deliberate or accidental threat that compromises information security could adversely impact on government business.

 

Table 1 Information compromise

Definition of information compromise

Information compromise includes, but is not limited to:

  1. loss
  2. misuse
  3. interference
  4. unauthorised access
  5. unauthorised modification
  6. unauthorised disclosure.

Back to top

How to assess information sensitivity or security classification

Who assesses information sensitivity or security classification

The person responsible for generating or preparing information on behalf of an entity (or for actioning information produced outside the Australian Government) assesses whether the information is sensitive or needs to be security classified. The Australian Government entity that prepared the information and made the initial sensitivity or security classification assessment is the originating entity, referred to as the originator.

Only the originator can change the sensitivity or security classification applied to its information. Classifications considered as inappropriate can be queried with the originator.

When to assess information sensitivity or security classification

Assessing the sensitivity or security classification of information when it is created helps protect the information. Limiting the quantity, scope, or timeframe of classified information is desirable (eg by setting a specific date or event for automatic declassification).1 Appropriately limiting classification of information:

  1. promotes an open and transparent democratic government
  2. provides for accountability in government policies and practices that may be subject to inappropriate or over-classification
  3. allows external oversight of government operations and programs
  4. promotes efficiency and economy in managing information across government.

Over-classification can result in:

  1. access to official information being unnecessarily limited or delayed
  2. onerous administration and procedural overheads that add to costs
  3. classifications being devalued or ignored by personnel and receiving parties.

Assessing whether information is sensitive or security classified

Requirement 2 mandates that the originator assesses the sensitivity or security classification of information by considering the potential impacts to national interest, organisations or individuals that could arise from compromise of the information's confidentiality.

The more valuable, important or sensitive the official information, the greater the level of business impact that would result from its compromise.

  1. The Australian Government uses three security classifications (PROTECTED, SECRET and TOP SECRET) based on the likely damage resulting from compromise of the information's confidentiality.
  2. Where information compromise would have some limited damage but does not warrant a security classification, that information is considered OFFICIAL: Sensitive.2
  3. Other information from routine business operations and services is OFFICIAL, and information that does not form part of official duty is UNOFFICIAL.

It is not consistent with this policy to apply a security classification to information where it:

  1. restrains competition
  2. hides violations of law, inefficiency, or administrative error to prevent embarrassment to an individual, organisation or entity
  3. prevents or delays the release of information that does not need protection in the national interest.

The Business Impact Levels tool (see Table 2) provides examples of potential damage from compromise of information's confidentiality. The tool assists in the consistent classification of information and the assessment of impacts on government business. The tool can also be used for secondary assessments of the potential damage from compromise of the availability or integrity of information.

The potential damage from compromise of information's confidentiality determines the classification of that information. If compromise of availability or integrity of information (described numerically, eg 1 Low business impact) has a higher impact than confidentiality compromise, additional security measures (such as ICT, personnel or physical controls) may be warranted.

Back to top

Figure 1 Assessing whether information is sensitive or security classified3

This figure presents a decision-making flow chart for assessing whether information is sensitive or security classified. Was the information created, sent or recieved as part of your work for the government? Yes, this is official information. It may need security protections, including classification. No, this is UNOFFICIAL information. Would compromise of the information's confidentiality cause exceptionally grave damage to the national interest? Yes, this information needs the hightest degree of protection. It is security classified TOP SECRET. No, refer below. Would compromise of the information's confidentiality cause serious damage to the national interest, organisations or individuals? Yes, this information needs a substantial degree of protection. It is security classified SECRET. No, refer below. Would compromise of the information's confidentiality cause damage to the national interest, organisations or individuals? Yes, this information needs a moderate degree of protection. It is seurity classifed PROTECTED. No, refer below. Is it caveated information (eg CABINET information) not already captured by a higher security classification? Yes, this information needs a moderate degree of protection. It is security classifed PROTECTED. No, refer below. Would compromise of the information's confidentiality cause limited damage to the national interest, organisations or individuals? Yes, it is OFFICIAL: Sensitive. No, this is OFFICIAL iinformation. For all classification levels, and OFFICIAL: Sensitive, information management markers - 'rights' to access the information may apply (refer Figure 1 Note 2). These include: - Privacy: Restrictions apply under the Privacy Act 1988 on the use and disclosure that may be made of personal information collected for business purposes and contained in records. - Legal privilege: Restrictions on use and disclosure of information covered by legal professional privilege. - Legislative secrecy: Restrictions on use and disclosure under legislative secrecy provisions. 

Figure 1 notes:

iRequirement 8 mandates that caveats only appear in conjunction with a security classification.

iiThe information management markers reflect the Australian Government Recordkeeping Metadata Standard's 'Rights' property. While categorising information content by non-security access restrictions is not mandated as a security requirement, the 'Rights' property provides a standard set of terms ensuring common understanding, consistency and interoperability across systems and government entities. For guidance, see the PSPF policy: Access to information.

 

Table 2 Business Impact Levels tool – Assessing damage to the national interest, organisations or individuals

 

How to handle sensitive and security classified inforation

Key operational controls to protect sensitive and security classified information include:

  1. identifying sensitive and security classified information:
    1. with a protective marking (see Identifying sensitive and security classified information with a protective marking)
    2. by creating an auditable record of all incoming and outgoing material, transfer, copy or movements for, at a minimum, TOP SECRET information and other accountable material (see Records of dissemination – audit, logs and Classified Document Register)
  2. limiting disclosure or access to sensitive and security information (see Limiting dissemination of sensitive and security classified information) to personnel with:
    1. a demonstrated need-to-know the content of the information
    2. an applicable security clearance
  3. transferring and transmitting information by means which deter and detect unauthorised access (see How to transmit or transfer sensitive and security classified information, or remove it from an entity facility)
  4. storing and using information securely (see How to use and store sensitive and security classified information)
  5. destroying and disposing of information by secure means (see How to dispose of sensitive and security classified information).

Back to top

Identifying sensitive and security classified information with a protective marking

Requirement 3 mandates that the originator must clearly identify sensitive and security classified information by using applicable protective markings. Applying classification markings to security classified information, or the OFFICIAL: Sensitive dissemination limiting marker to sensitive information, indicates that the information requires protection.

The OFFICIAL marker may be used to identify information that is an Australian Government record. Use of this marker is not mandatory. Similarly, the UNOFFICIAL marker may be used to identify information generated for personal or non-work related purposes.

Applying a protective marking to information, including to attachments, in an easily identifiable way for information users (visually) and for systems (such as an entity's email gateway) helps to control information.

  1. For emails, entities apply an internet message header extension. This helps with construction and parsing by email gateways and servers and allows for information handling based on the protective marking. Where an internet message header extension is not possible, protective markings are placed in the subject field of an email. When printed, an email is considered a physical document; as such a visual presentation of the protective marking (such as a separate line in the email) is important.
  2. For guidance on email protective markings, see Annex B.

Requirement 3 indicates text-based protective markings are the preferred method to identify sensitive and security classified information. This includes associated metadata. To achieve clearly identifiable protective markings, the Attorney-General's Department recommends:

  1. using capitals, bold text, large font and a distinctive colour (red preferred), for example PROTECTED
  2. placing markings at the centre top and bottom of each page.

The order of precedence or hierarchy for protective markings is:

  1. classification (or the OFFICIAL: Sensitive dissemination limiting marker)
  2. foreign government information markings (if any)
  3. caveats or other special handling instructions (if any) then
  4. (optional) information management markers (if any).

Separating markings by a double forward slash helps to clearly differentiate each marking.

Marking each paragraph or section may be useful, although is not required by this policy. The paragraph or section with the most valuable, important or sensitive information (highest classification) dictates the document's classification.

Back to top

Figure 2 Protectively marking physical (printed) information

In this example, paragraph 1 contains the most valuable, important and sensitive information in the document. The information in this paragraph dictates the document's' overall classification. The information in paragraph 1 could be expected to have a very high business impact causing serious damage to the national interest, organisations or individuals if it were compromised. The information in paragraph 1 is SECRET so the document's classification is also SECRET. Additionally, the information is legally privileged and intended for Australian eyes only (AUSTEO caveat). For guidance on (optional) information management markers, see the PSPF policy: Access to information. For guidance on caveats, see section C.4). A SECRET protective marking is conspicuously applied and an AUSTEO caveat marking is also applied. A double forward slash helps to clearly differentiate each marking. As this entity uses (optional) infomation management markers, the Legal privilege marking is also applied. Each paragraph or classified section of the document can also be marked separately. 

 

 

Figure 3 Protectively marking an email

This example email's content requires classification as PROTECTED. In addition, the email contains sensitive personal information; Privacy Act 1988 restrictions apply on the use and disclosure of this information. While not mandated by this policy, an information management marker (Personal privacy) can be used to identify these access restrictions. 

 

Back to top

Requirement 3 mandates that, if text-based protective markings cannot be used (eg on certain media or assets), colour-based protective markings are used.

 

Table 3 Minimum protective markings for sensitive and security classified information

 

 

Sensitive information

Security classified information

 

OFFICIAL

 

PROTECTED

SECRET

TOP SECRET

 

 

OFFICIAL: Sensitive

 

 

 

 

1 Low business impact

2 Low to medium business impact

3 High business impact

4 Extreme business impact

5 Catastrophic business impact

Identify information with text-based markings used unless impractical for operational reasons

Marking not required.

Text marking required:
OFFICIAL: Sensitive

Text marking required:
PROTECTED

Text marking required:
SECRET

Text marking required:
TOP SECRET

If text-based markings cannot be used, use colour-based markings

Marking not required.

Marking not required.

Blue colour marking required (if text marking cannot be used).

Salmon (pink) colour marking required (if text marking cannot be used).

Red colour marking required (if text marking cannot be used).

If text or colour-based markings cannot be used, document the entity marking scheme and train personnel appropriately

Marking not required.

Marking not required.

Marking required.

Marking required.

Marking required.

Identify information with reference markingsNote i

Not applicable. Reference marking not required.Note i

Not applicable. Reference marking not required.Note i

Not applicable. Reference marking not required.Note i

✓ Page numbering.Note i

✓ Page and reference numbering. Note i

Table 3 notes:

iMarking of accountable material also includes page and reference numbering

Back to top

Other markings, for example entity-specific markings, are not recognised by this policy. A standard set of markings ensures common understanding, consistency and interoperability across systems and government entities. Other markings may confuse users about appropriate handling protections.

Limiting dissemination of sensitive and security classified information

Need-to-know principle and dissemination/access restrictions

The vast majority of government information can be shared, where appropriate. The PSPF policy: Access to information states that:

Each entity must enable appropriate access to official information. This includes … ensuring that those who access sensitive or security classified information are appropriately security cleared and need to know that information.

Limiting access by staff and others (eg contractors) to information on a need-to-know basis guards against the risk of unauthorised access or misuse of information. The Attorney-General's Department recommends that entities consider staff access to OFFICIAL information on a need-to-know basis, although this is not a requirement of this policy.

Table 4 outlines the disclosure requirements of the PSPF policy: Access to information.

 

Table 4 Disclosure or access (for more information, see core requirement on access to information)Note i

 

 

Sensitive information

Security classified information

 

OFFICIAL

 

PROTECTED

SECRET

TOP SECRET

 

 

OFFICIAL: Sensitive

 

 

 

 

1 Low business impact

2 Low to medium business impact

3 High business impact

4 Extreme business impact

5 Catastrophic business impact

Only allow access for personnel with a demonstrated need-to-know

Not applicable. Need-to-know access restriction not required.

Need-to-know access restriction required.

Need-to-know access restriction required.

Need-to-know access restriction required.

Need-to-know access restriction required.

Only allow access for personnel with a valid personnel security clearance

Not applicable. Employment screening is sufficient, security clearance not required.

Not applicable. Employment screening is sufficient, security clearance not required.

Baseline (or above) security clearance required.

Negative Vetting 1 (or above) security clearance required.

Negative Vetting 2 (or above) security clearance required.

Table 4 notes:

iFor guidance on obtaining a personnel security clearance, see in the PSPF policy: Eligibility and suitability of personnel.

Back to top

Records of dissemination – audit, logs and Classified Document Register

An important protection is ensuring that dissemination of information is monitored and audited.

For highly classified information (such as TOP SECRET information or accountable material), it is critical to maintain an auditable register (such as a Classified Document Register) of all incoming and outgoing material, transfers or copying (along with regular spot checks).

The Attorney‑General's Department recommends that entities keep an audit log or register for documents at other classification levels (particularly the SECRET classification), or registered information received from other entities.

 

Table 5 Audits and registers

 

 

Sensitive information

Security classified information

 

OFFICIAL

 

PROTECTED

SECRET

TOP SECRET

 

 

OFFICIAL: Sensitive

 

 

 

 

1 Low business impact

2 Low to medium business impact

3 High business impact

4 Extreme business impact

5 Catastrophic business impact

Keep a record of incoming and outgoing material, transfers or copying

Not applicable. An auditable register is not required.Note i, Note ii

✓ An auditable register is required.

Conduct audits of Classified Document Register

Not applicable. An auditable register is not required.Note i, Note ii

✓ Spot check audits required.

Personnel conducting spot check audits to sight documents and acknowledge this in writing.

Table 5 notes:

iIf the information is accountable material, minimum protections include audits and registers (even if the information's sensitivity or classification would not require this).

iiThere may be other legislative requirements for record keeping. For example, under the Privacy (Australian Government Agencies – Governance) APP Code 2017 a Privacy Officer is required to maintain a record of an entity's personal information holdings and a register of privacy impact assessments.

Back to top

Sanitising, declassifying or reclassifying information

Information may require modification (sanitising) to allow its wider distribution and potential use. Information can be changed to reduce its sensitivity or classification by editing, disguising or altering information to permit dissemination while protecting intelligence, sources, methods, capabilities, analytical procedures or privileged information. Once sanitised, the information can be declassified or reclassified (see Table 6).

 

Table 6 Declassifying or reclassifying information

Term

Definition

Declassification

Declassification is a process where information is reduced to OFFICIAL (an unclassified state) when it no longer requires security classification handling protections.

Reclassification

Reclassification is the administrative decision to change the security classification of information based on a reassessment of the potential impacts of its compromise.

Enabling wide use of government information provides substantial benefits, but there are risks involved. These risks vary with the nature of the information and the environment and purpose of the use. Where the adverse consequences of increased information access are considered high, the availability and access to the information will benefit from careful management.

 

Case study: Example of information declassification for increased sharing

The Productivity Commission Data Availability and Use report indicates that a wide range of government data can be shared. The availability and usefulness of data delivers benefits to the community, engenders community trust and confidence in how data is managed and used and preserves commercial incentives to collect, maintain and add value to data.

For example, there is potential for data relating to health service provider costs and performance, as well as de-identified linked data about health service recipients, that can be used for effective and targeted service interventions and improved health outcomes.

Identifying characteristics that appear predictive during data analysis analysis can provide valuable insights into the effectiveness of various policies and interventions, allowing new services to emerge in response to community demand.

By de-identifying the health service recipients' data or redacting sensitive personal details, the information is no longer considered to be OFFICIAL: Sensitive (as it does not include sensitive information under the Privacy Act or other measures of harm) and can be shared.

Back to top

Requirement 4 mandates that the originator of the material remains responsible for controlling the sanitisation, reclassification or declassification of its material. No other entity may change the material's classification unless authorised to do so by the originator.

A declassification process includes:

  1. identifying if a specific date or event for automatic declassification has occurred:
    1. At initial classification, the originator sets a specific date or event for declassification based on an assessment of the period the information might cause damage.
    2. If the originator cannot decide on a specific date or event for declassification, declassification will align with the Archives Act 1983 open access period. For guidance, see the National Archives of Australia.
  2. regularly reviewing the classified information for continuing sensitivity (ie if the compromise of the information would still cause damage). These reviews can be done in line with the harm-based classification assessment described in Assessing whether information is sensitive or security classified:
    1. after a project is completed
    2. when a file is withdrawn from (or returned to) use.
  3. declassifying or reclassifying information to a lower classification when it no longer meets the harm-based classification tests described in Assessing whether information is sensitive or security classified.4

How to transmit or transfer sensitive and security classified information, or remove it from an entity facility

Information is at increased risk when it is in transit (eg sent across the internet, through a private network or between physical locations). Risk is heightened when information is transmitted outside of a controlled environment (eg when an entity does not have control over the entire transmission network). The Attorney‑General's Department recommends assessing risks of information transmission. Where an entity transfers or transmits sensitive or security classified information, Requirement 5 mandates using means that deter and detect compromise.

To ensure sensitive and security classified information is only transmitted or transferred to people with a need-to-know (see Table 4), entities are encouraged to identify information recipients by:

  1. a specific position, appointment or named individual
  2. a full location address (eg not a post office box for physical delivery as this may be unattended)
  3. an alternative individual or appointment where relevant (eg for TOP SECRET information).

The Attorney‑General's Department recommends obscuring the information's sensitivity or classification and using a tamper evident seal to deter and detect unauthorised access of sensitive and security classified information. Ways to achieve this include using:

  1. appropriate encryption methods5 when transferring information over a public network or through unsecured spaces
  2. double envelopes for physical information by placing security classified information and accountable material in two sealed envelopes:
    1. The inner envelope is used to give evidence of tampering, for example by sealing with a Security Construction and Equipment Committee (SCEC)-approved tamper evident seal so that any tampering is detected. The Attorney‑General's Department recommends marking the classification conspicuously on the inner envelope (eg at the top, bottom, front and back of the envelope).
    2. The outer envelope gives protection to the inner envelope. The Attorney‑General's Department recommends avoiding displaying any protective classification markings on the outer envelope.
  3. single-use envelopes approved by SCEC for:
    1. an inner envelope
    2. single opaque envelopes in place of a double envelope
    3. an outer envelope used to enclose a number of inner envelopes where initial delivery will be to a registry or similar
  4. a single paper envelope in conjunction with a security briefcase (refer to the SCEC-Security Equipment Guide on Briefcases for the carriage of security classified information) or approved multi-use satchels, pouches or transit bags (see the SCEC-approved security equipment evaluated product list).

Devices such as laptops, mobile phones and USBs can be used to transfer and transmit information. The requirement to deter and detect information compromise applies to sensitive and security classified information transferred on such devices. Ways to achieve this include password protection and remote wiping capabilities. For guidance see the PSPF policy: Robust ICT systems.

Ways to control the transmission and transfer of information include:

  1. use of receipts:
    1. Receipts identify the date and time of dispatch, the dispatching officer's name and a unique identifying number. The Attorney‑General's Department recommends using receipts for transmission or transfer of all classified information.
    2. Recording, or having a receipt system to document, every handover is another control mechanism (eg a two-part receipt placed in the inner envelope with the information means the addressee can keep one portion and sign and return the other to the sender).
  2. safe hand:
    1. Safe hand means information is dispatched to the addressee in the care of an authorised person or succession of authorised people who are responsible for its carriage and safekeeping.
    2. Sending information via safe hand establishes an audit trail that provides confirmation that the addressee received the information and helps to ensure the item is transferred in an authorised and secure facility or vehicle. To deter and detect any information tampering, at each handover, a receipt is obtained showing (at a minimum) the identification number, the time and date of the handover, and the name and signature of the recipient.
    3. Sending information via safe hand requires:
      1. a unique identification number; generally, this will be a receipt number
      2. that information be in a security briefcase (see the SCEC-Security Equipment Guide on Briefcases for the carriage of security classified information) or an approved mailbag (for information, see the SCEC-approved security equipment evaluated product list
      3. that information never be left unattended (except when placed in the cargo compartment of an aircraft).
  3. carriage by SCEC-endorsed commercial courier:
    1. A number of commercial courier services have been endorsed by SCEC. Contact ASIO-T4 by email t4ps@t4.gov.au or see the ASIO-T4 Protective security circular (PSC) 172 (available on a need-to-know basis on Govdex) for advice on SCEC-endorsed commercial couriers.
    2. Commercial couriers can be useful in transferring valuable material such as pharmaceuticals and money (note SCEC-endorsed couriers are not assessed for the transfer of these items). Special arrangements, such as armed escorts, may be necessary in certain circumstances.
    3. Special handling requirements may apply to caveated information. This may preclude the use of a commercial courier when using certain caveats. For guidance on caveats, see Caveats and accountable material section.

Transmission or transfer of official, but not sensitive, information is on a common sense basis; the PSPF does not impose transmission or transfer requirements for this information. However, entities are encouraged to ensure that information is transferred or transmitted by means which deter and detect compromise.

Table 7 sets out specific transmission and transfer protections for sensitive and classified information.

Table 7 Minimum protections for information transmission and transfer

Back to top

How to use and store sensitive and security classified information

The Australian Government Information Management Standard requires that entities store information securely and preserve it in a usable condition for as long as required for business needs and community access. In accordance with the Information Management Standard, a secure and suitable storage environment is one that prevents unauthorised access, duplication, alteration, removal and destruction.

Ways that minimise duplication or alteration of information include:

  1. reproducing sensitive or security classified information only when necessary
  2. immediately destroying spare or spoilt copies (destruction is defined as 'normal administrative practice' in terms of the Archives Act and does not need specific permission from the National Archives of Australia). For guidance on destroying sensitive and security classified information, see Destroying sensitive and security classified information.

Securely storing sensitive and security classified official information protects the information from compromise. Requirement 6 mandates entities ensure sensitive and security classified information is stored securely in an appropriate security container for the approved zone. For guidance on physical security zones, see the PSPF policy: Entity facilities.

Minimum use and storage protections are set out in Table 8.

Table 8 Minimum use and storage protections for security classified information

Back to top

How to dispose of sensitive and security classified information

Not all information and records are kept forever. Information is managed for as long as it has business value; some information will have long-term historical and social value. Requirement 7 mandates that entities dispose of sensitive and security classified information in a secure manner. The careless disposal of classified or sensitive information is a serious source of leakage of information and can undermine public confidence in the Australian Government.

Under the Archives Act information disposal includes:

  1. its destruction
  2. the transfer of its custody or ownership or
  3. damage or alteration.6

Information disposal includes the physical destruction of paper records; destruction of electronic records including deleting emails, documents or other data from business systems; the transfer of records to another entity as the result of machinery of government changes; and transfer to the National Archives of Australia.

Under Section 24 of the Archives Act information disposal can only take place when it is:

  1. approved by the National Archives of Australian
  2. required by another law or
  3. part of normal administrative practices that the National Archives or Australia does not disapprove.

For guidance, see the National Archives of Australia website, Disposing of information.

Back to top

Destroying sensitive and security classified information

A variety of methods can be used for secure destruction of information in physical form.

Requirement 7 mandates that information is disposed of securely. This policy does not impose minimum security requirements for how destruction of OFFICIAL or OFFICIAL: Sensitive information is to occur.

ASIO-T4 approves specifications for equipment used to destroy security classified information. Commonly used destruction methods include:

  1. pulping
  2. burning
  3. pulverising using hammermills
  4. disintegrating by cutting and reducing the waste particle size
  5. shredding using crosscut shredders (strip shredders are not approved for destruction of security classified information).

Methods for destroying digital information include:

  1. digital file shredding
  2. degaussing by demagnetising magnetic media to erase recorded data
  3. physical destruction of storage media through pulverisation, incineration or shredding (the ISM provides guidance on sanitisation and destruction of ICT equipment and storage media)
  4. reformatting, if it can be guaranteed that the process cannot be reversed.

Commercial providers may be used to destroy classified information. The Attorney‑General's Department recommends that entities review the appropriateness of a commercial provider's collection process, transport, facility, procedures and approved equipment when considering external destruction services. These considerations can be made against ASIO-T4 Criteria – agency-assessed and approved destruction service. Appropriate procedures include:

  1. ensuring classified information is attended at all times and the vehicle and storage areas are appropriately secured
  2. ensuring that destruction is performed immediately after the material has arrived at the premises
  3. ensuring that destruction of classified information is witnessed by an entity representative
  4. ensuring destruction service staff have a security clearance to the highest level of security classified information being transported and destroyed, or appropriately security cleared entity staff escort and witness the destruction.

A number of commercial providers hold National Association for Information Destruction AAA certification for destruction service (with endorsements as specified in PSC 167 External destruction of security classified information). These commercial providers are able to destroy security classified information.

The Attorney‑General's Department recommends information classified TOP SECRET or accountable material be destroyed within entity premises; the originating entity may request notification of destruction. The originator of some accountable material may apply special handling conditions that prevent information destruction being contracted out.

Table 9 summarises minimum handling protections for disposal of physical sensitive and security classified information. Table 10 summarises minimum protections for disposal of ICT media and equipment.

Back to top

 

Table 9 Minimum handling protections for disposal of sensitive and security classified information

 

 

Sensitive information

Security classified information

 

OFFICIALNote i

 

PROTECTED

SECRET

TOP SECRET

 

 

OFFICIAL:SensitiveNote i

 

 

 

 

1 Low business impact

2 Low to medium business impact

3 High business impact

4 Extreme business impact

5 Catastrophic business impact

Destruction of physical information

Use entity-assessed and approved (or National Association for Information Destruction AAA certified) destruction service with specific endorsement and approved equipment and systems

Not applicable. While Requirement 7 mandates that information is disposed of securely, this policy does not impose security requirements for how destruction of OFFICIAL or OFFICIAL: Sensitive information is to occur.

✓ Destroy information by pulping, burning, pulverisation, disintegration, or shredding (Class B cross shredder).

✓ Destroy information by pulping, burning, pulverisation, disintegration, or shredding (Class A cross shredder).

✓ Destroy information by pulping, burning, pulverisation, disintegration, or shredding (Class A cross shredder).

Destroyed under supervision of two officers cleared to the appropriate level who are to supervise the removal of the material to the point of destruction, ensure destruction is complete, and sign a destruction certificate

Not applicable. While Requirement 7 mandates that information is disposed of securely, this policy does not impose security requirements for how destruction of OFFICIAL or OFFICIAL: Sensitive information is to occur.

✓ Supervise and certify destruction of information if it is accountable material.

✓ Supervise and certify destruction of information if it is accountable material.

✓ Supervise and certify destruction of information.

Destroyed as soon as possible after it has reached the minimum retention period set by the National Archives of Australia, and is no longer required for operational purposes

Not applicable. While Requirement 7 mandates that information is disposed of securely, this policy does not impose security requirements for how destruction of OFFICIAL or OFFICIAL: Sensitive information is to occur

Not applicable.

Not applicable.

✓ Destroy information as soon as possible.

Table 9 notes:

iThis policy does not impose security requirements for destruction of OFFICIAL and OFFICIAL: Sensitive information. However there may be other legislative requirements. For example, Australian Privacy Principle 11.2 imposes obligations on the destruction and de-identification of personal information under the Privacy Act.

Back to top

 

Table 10 Minimum handling protections for disposal of ICT media and equipment

 

 

Sensitive information

Security classified information

 

OFFICIALNote i

 

PROTECTED

SECRET

TOP SECRET

 

 

OFFICIAL:SensitiveNote i

 

 

 

 

1 Low business impact

2 Low to medium business impact

3 High business impact

4 Extreme business impact

5 Catastrophic business impact

Destruction of ICT media and equipment

Undergo media sanitisation or destruction in accordance with ISM

Not applicable. While Requirement 7 mandates that information is disposed of securely, this policy does not impose security requirements for how destruction of OFFICIAL or OFFICIAL: Sensitive information is to occur.

✓ Sanitise or destroy ICT media and equipment.

✓ Sanitise or destroy ICT media and equipment.

✓P Sanitise or destroy ICT media and equipment.

Destroyed as soon as possible after it has reached the minimum retention period set by the National Archives of Australia, and is no longer required for operational purposes

Not applicable. While Requirement 7 mandates that information is disposed of securely, this policy does not impose security requirements for how destruction of OFFICIAL or OFFICIAL: Sensitive information is to occur.

Not applicable.

Not applicable.

✓ Destroy information as soon as possible.

Table 10 notes:

iThis policy does not impose security requirements for destruction of OFFICIAL and OFFICIAL: Sensitive information. However there may be other legislative requirements. For example, Australian Privacy Principle 11.2 imposes obligations on the destruction and de-identification of personal information under the Privacy Act.

Back to top

Caveats and accountable material

Certain information may have a caveat in addition to a security classification. The caveat is a warning that the information has special protections in addition to those indicated by the security classification. Table 11 details caveats commonly used across government. There are four broad types of caveats:

  1. sensitive compartment information (codewords)
  2. foreign government markings
  3. special handling instructions
  4. releasability caveats.

Accountable material is information that requires the strictest control over its access and movement. Accountable material includes:

  1. TOP SECRET security classified information
  2. some types of caveated information, being:
    1. all codeword information
    2. select special handling instruction caveats, particularly CABINET material at any security classification
    3. any classified information designated as accountable material by the originator.

What constitutes accountable material may vary from entity to entity and could include budget papers, tender documents and sensitive ministerial briefing documents.

Requirement 8 states that caveated material must be clearly marked and handled in accordance with the originator and the caveat holder's special handling requirements. Caveats are not classifications and must appear with an appropriate security classification.

Requirement 4 requires the originator's approval to remove or change a security classification applied to information. To be consistent with Requirement 4 the prior agreement of the originating entity also needs to be obtained to remove a caveat.

Classification handling requirements apply in addition to any special caveat requirements. Additional information about handling caveats is available in the Sensitive Material Security Management Protocol and Security Caveats Guideline on a need-to-know basis on Govdex.

Back to top

 

Table 11 Caveats

Caveat types

What kinds of information does this type of caveat cover

What special handling requirements does this caveat impose

Sensitive compartmented information (codewords)

A codeword indicates that the information is of sufficient sensitivity that it requires protection in addition to that offered by a security classification.

Each codeword identifies a special need-to-know compartment. A compartment is a mechanism for restricting access to information by defined individuals who have been 'briefed' on the particular sensitivities of that information and any special rules that may apply.

The codeword is chosen so that its ordinary meaning is unrelated to the subject of the information.

Use of codewords is primarily within the national security community.

It may be necessary to take precautions beyond those indicated by the security classification to protect the information. These will be specified by the entity that owns the information, for instance those with a need to access the information will be given a special briefing first.

Foreign government markings

Foreign government markings are applied to material created by Australian agencies from foreign source information.

The PSPF policy: Security governance for international sharing requires that, where an international agreement or international arrangement is in place, entities must safeguard sensitive or security classified foreign entity information or assets in accordance with the provisions set out in the agreement or arrangement.

Foreign government marking caveats require protection at least equivalent to that required by the foreign government providing the source material.

Special handling instructions

Special handling instructions indicate particular precautions for information handling.

Use of special handling instructions is primarily within the national security community. Some special handling instructions are used more broadly across government, as follows:

 
  1. EXCLUSIVE FOR (named person)
    The EXCLUSIVE FOR caveat identifies material intended for access by a named recipient only.

Access to EXCLUSIVE FOR material is limited to a named person, position title or designation.
  1. CABINET
    The CABINET caveat identifies any material that:
    1. is prepared for the purpose of informing the Cabinet
    2. reveals the decision and/or deliberations of the Cabinet
    3. is prepared by departments to brief their ministers on matters proposed for Cabinet consideration
    4. has been created for the purpose of informing a proposal to be considered by the Cabinet.

The Cabinet Handbook specifies handling requirements for Cabinet documents. This includes applying a security classification of at least PROTECTED to all Cabinet documents and associated records.

Releasability caveats

Releasability caveats limit access to information based on citizenship.
There are three releasability caveats used across government:

 
  1. Australian Eyes Only (AUSTEO)
    The AUSTEO caveat indicates only Australian citizens can assess the information. Additional citzenships do not preclude access.

Information marked AUSTEO is only passed to, or accessed by, Australian citizens.

While a person who has dual Australian citzenship may be given AUSTEO-marked information, in no circumstance may the Australian citizenship requirement be waived.Note ii
  1. Australian Government Access Only (AGAO)
    2. In limited circumstances, AGAO is used by the:
    1. Australian Signals Directorate (ASD)
    2. Australian Security Intelligence Organisation (ASIO)
    3. Australian Secret Intelligence Service (ASIS)
    4. Department of Defence
    5. Office of National Assessments (ONA).

ASD, ASIO, ASIS, the Department of Defence and ONA may pass information marked with the AGAO caveat to appropriately cleared representatives of Five Eyes foreign governments on exchange or long-term posting or attachment to the Australian Government.
For other entities, AGAO material is handled as if it were marked AUSTEO.

  1. Releaseable to (REL)
    2. The Releasable To (REL) caveat identifies information that has been released or is releasable to the indicated foreign countries only.

Nationalities are identified using three letter country codes from International Standard ISO 3166-1:2013 Codes for the representation of names of countries and their subdivisions – Alpha 3 codes.

For example, REL AUS/CAN/GBR/NZL/USA means that the information may be passed to citizens of Australia, Canada, United Kingdom, New Zealand and the United States of America only.

The caveat is an exclusive marking that disqualifies a third-party national seconded or embedded in a foreign government entity from accessing the information.

Table 11 notes:

This policy does not impose security requirements for destruction of OFFICIAL and OFFICIAL: Sensitive information. However there may be other legislative requirements. For example, Australian Privacy Principle 11.2 imposes obligations on the destruction and de-identification of personal information under the Privacy Act.

iiTo facilitate information sharing if needed for business purposes, the originator can (on a case-by-case basis) reconsider application of the AUSTEO caveat to its information and, if warranted, reclassify that information (for instance, to the carry the REL caveat). For guidance on reclassifying information, see Sanitising, declassifying or reclassifying information.

Back to top

What to do in the case of an emergency, breach or security violation involving classified information assets

Exceptional situations or emergencies may arise that prevent application of this policy. The PSPF policy: Reporting on security requires entities to report details on measures taken to mitigate or otherwise manage identified security risks.

The PSPF policy: Reporting on security also mandates that affected entities are advised of any unmitigated security risks. In line with this, the Attorney‑General's Department recommends entities report:

  1. any compromise of classified information to the information's originator as soon as practicable
  2. matters relating to national security (such as compromise of SECRET or TOP SECRET information) to the Director-General, Australian Security Intelligence Organisation.

Any compromise of any classified information is considered a security incident. The PSPF policy: Management structure and responsibilities requires entities to investigate, respond to and report on security incidents.

Find out more

Other legislation and policies that may be relevant to the handling of official government information include:

  1. the Archives Act and supporting Commonwealth records management policies such as:
    1. National Archives of Australia Information Management Standard
    2. National Archives of Australia Digital Continuity 2020 policy
  2. Australian Signals Directorate's Information Security Manual
  3. the Office of the Australian Information Commissioner for the Privacy Act, Guides and APP guidelines.

Back to top

Annex A. Historical classifications and sensitivity markings

There are a number of historical security classifications and other protective markings no longer reflected in Australian Government policy.

  1. In some cases, equivalencies have been established with current sensitive or classified information levels, though re-marking of existing information is not necessary.
  2. In others, classifications are being 'grandfathered' for a set time period, with historical handling protections to remain.

  Annex A Table 1 Historical classifications and sensitivity markings

Annex A Table 2 Handling CONFIDENTIAL classified information

Annex B. Email Protective Marking Standard for the Australian Government

Email Protective Marking Standard for the Australian Government

 

Back to top

1For guidance on declassification, refer to section Sanitising, declassifying or reclassifying information.

2Examples of OFFICIAL: Sensitive information may include:

  1. official information governed by legislation that restricts or prohibits its disclosure, imposes certain use and handling requirements, or restricts dissemination (such as information subject to legal professional privilege or some types of 'personal information', including 'sensitive information' under section 6 of the Privacy Act 1988 that may cause limited harm to an individual if disclosed or compromised). Where compromise of personal information, including sensitive information (under the Privacy Act) would lead to damage, serious damage or exceptionally grave damage, this information warrants classification. For example, financial details and tax file numbers, which are not sensitive information for the purposes of the Privacy Act, but the compromise of which may still lead to limited damage to individuals.
  2. commercial or economic data that, if compromised, would undermine an Australian organisation or company
  3. information that, if compromised, would impede development of government policies.

3There are historical security classifications and other protective markings (eg CONFIDENTIAL classification) that no longer reflect Australian Government policy. For assistance in applying appropriate handling protections (and assessing damage to the national interest, organisations or individuals) to historical classifications, see Annex A.

4,For information on assurance processes related to sanitisation and administrative decisions regarding the release and disposal of information, equipment or waste see the Information Security Manual.

5For information on cryptography, see the Information Security Manual.

6Section 26 of the Archives Act prohibits altering records that are over 15 years old without authorisation from the National Archives.

​​

<<< Security governance for international sharing

Access to information >>>
​​​​​​​​​​​​​​​​​​​​