8 Sensitive and classified information
- Download Policy 8 Sensitive and classified information [PDF 1.20MB]
- Download Policy 8 Sensitive and classified information [DOCX 993KB]
- Purpose
- Requirements
- Guidance
- Official information
- Sensitive and security classified information
- Caveats and accountable material
- Information management markers
- Minimum protections for sensitive and security classified information
- What to do in the case of an emergency, breach or security violation involving classified information
- Find out more
- Annexes
Purpose
This policy details how entities correctly assess the sensitivity or security classification of their information and adopt marking, handling, storage and disposal arrangements that guard against information compromise.
Information is a valuable resource. Protecting the confidentiality, integrity and availability of information is critical to business operations.
- Confidentiality of information refers to the limiting of access to information to authorised persons for approved purposes.
- Integrity of information refers to the assurance that information has been created, amended or deleted only by the intended authorised means and is correct and valid.
- Availability of information refers to allowing authorised persons to access information for authorised purposes at the time they need to do so.
A security classification (PROTECTED, SECRET and TOP SECRET) is only applied to information (or assets that hold information, such as laptops, USBs) if it requires protection because the impact of compromise of the information or asset would be high or above.
The requirements in this policy do not displace obligations imposed on entities through other policies, legislation or regulations, or by any other means.
Requirements
Core requirement
Each entity must:
- identify information holdings
- assess the sensitivity and security classification of information holdings
- implement operational controls for these information holdings proportional to their value, importance and sensitivity.
Supporting requirements
Supporting requirements help Australian Government entities maintain the confidentiality, integrity and availability of official information—including where the entity is the originator of information (the entity that initially generated or received the information).
# |
Supporting requirements |
|||||||||||||||||||||
Requirement 1. |
The originator must determine whether information being generated is official information (intended for use as an official record) and whether that information is sensitive or security classified. |
|||||||||||||||||||||
Requirement 2. |
|
|||||||||||||||||||||
Requirement 3. |
The originator must remain responsible for controlling the sanitisation, reclassification or declassification of the information. An entity must not remove or change information's classification without the originator's approval. |
|||||||||||||||||||||
Requirement 4. |
The originator must clearly identify sensitive and security classified information, including emails, using applicable protective markings by:
|
|||||||||||||||||||||
Requirement 5. |
Entities must apply the Australian Government Recordkeeping Metadata Standard to protectively mark information on systems that store, process or communicate sensitive or security classified information:
|
|||||||||||||||||||||
Requirement 6. |
|
|||||||||||||||||||||
Requirement 7. |
Entities must ensure sensitive and security classified information is stored securely in an appropriate security container for the approved zone in accordance with the minimum protection requirements set out in Annexes A to D. |
|||||||||||||||||||||
Requirement 8. |
Entities must ensure sensitive and security classified information is transferred and transmitted by means that deter and detect compromise and that meet the minimum protection requirements set out in Annexes A to D. |
|||||||||||||||||||||
Requirement 9. Disposal |
Entities must ensure sensitive and security classified information is disposed of securely in accordance with the minimum protection requirements set out in Annexes A to D. This includes ensuring sensitive and classified information is appropriately destroyed when it has passed minimum retention requirements or reaches authorised destruction dates. |
Guidance
Official information
Official information is all information created, sent or received as part of the work of the Australian Government. This information is an official record and it provides evidence of what an entity has done and why.
Official information can be collected, used, stored and transmitted in many forms including electronic, physical and verbal (eg conversations and presentations).
The National Archives of Australia Australian Government Information Management Standard notes that information is a valuable asset. It contributes to good government through supporting efficient business, informing decision-making, demonstrating government accountability and transparency, mitigating risks, adding economic value and protecting rights and entitlements.
It is a core requirement of this policy that entities implement operational controls to protect information holdings in proportion to their value, importance and sensitivity. Although this policy is focused on sensitive and security classified information, all official information requires an appropriate degree of protection as information (and assets holding information) are subject to both intentional and accidental threats. In addition, related processes, systems, networks and people have inherent vulnerabilities. A deliberate or accidental threat that compromises information security could have an adverse impact on government business.
The Attorney‑General's Department recommends entities apply theminimum protections outlined in Annex E for OFFICIAL information that is not assessed as being sensitive or security classified information.
Information compromise includes, but is not limited to:
- loss
- misuse
- interference
- unauthorised access
- unauthorised modification
- unauthorised disclosure.
Sensitive and security classified information
Requirement 1 mandates that the originator (the entity that initially generated the information, or received the information from outside the Australian Government) determine whether official information is sensitive or security classified information.
The Australian Government uses three security classifications: PROTECTED, SECRET and TOP SECRET. The relevant security classification is based on the likely damage resulting from compromise of the information's confidentiality.
Where compromise of the information's confidentiality would cause limited damage but does not warrant a security classification, that information is considered sensitive and is treated as OFFICIAL: Sensitive.
All other information from business operations and services requires a routine level of protection and is treated as OFFICIAL. Information that does not form part of official duty is treated as UNOFFICIAL.
OFFICIAL: Sensitive, OFFICIAL and UNOFFICIAL are not security classifications.
The below guidance also relates to assessing whether an asset (eg a laptop) holds security classified information, and as such is treated as a classified asset. Assets containing sensitive information may also need protection.
Proper use of security classifications
It is important that the management of information enables agencies to meet business, government and community needs and expectations—this involves balancing the need to protect information with the need to ensure appropriate access. Appropriately limiting the quantity, scope or timeframe of sensitive and security classified information:
- promotes an open and transparent democratic government
- provides for accountability in government policies and practices that may be subject to inappropriate or over-classification
- allows external oversight of government operations and programs
- promotes efficiency and economy in managing information across government.
Over-classification of information can result in:
- access to official information being unnecessarily limited or delayed
- onerous administration and procedural overheads that add to costs
- classifications being devalued or ignored by personnel and receiving parties.
It is not consistent with this policy to apply a security classification to information in order to:
- restrain competition
- hide violations of law, inefficiency, or administrative error to prevent embarrassment to an individual, organisation or entity
- prevent or delay the release of information that does not need protection.
Who assesses information sensitivity or security classification
The person responsible for generating or preparing information on behalf of an entity (or for actioning information produced outside the Australian Government) assesses whether the information is sensitive or needs to be security classified.
Only the originator can change the sensitivity or security classification applied to its information. If the application of a classification is considered inappropriate, the original classification decision can be queried with the originator.
When to assess information sensitivity or security classification
Assessing the sensitivity or security classification of information when it is first created, or received from outside the Australian Government, helps protect the information. The originator can also set a specific date or event for automatic declassification (for guidance on declassification, refer to Sanitising, reclassifying or declassifying information).
How to assess information sensitivity or security classification
Requirement 2 mandates that the originator assess the sensitivity or security classification of information by considering the potential impact on the national interest, government, organisations or individuals that could arise from compromise of the information's confidentiality.
The more valuable, important or sensitive the official information, the greater the impact on government business that would result from its compromise. By assessing the 'Business Impact Level' if confidentiality of the information is compromised, the originator can determine whether information requires a security classification, is sensitive or requires a routine level of protection.
The Business Impact Levels tool (see Table 1) provides examples of potential damage from compromise of information's confidentiality. The tool assists in the consistent classification of information and the assessment of impacts on government business.
The potential damage from compromise of information's confidentiality determines the classification of that information. A simple flow diagram is provided at Figure 1 to help assess whether information is sensitive or security classified, based on the potential damage from compromise of the information's confidentiality.
The Business Impact Levels tool can also be used for secondary assessments of the potential damage from compromise of the availability or integrity of information. While assessing the Business Impact Level of compromise of the information's availability or integrity does not affect whether the information is sensitive or security classified information, it may indicate that additional security measures (such as ICT, personnel or physical controls) could be warranted.
Guidance on minimum protections for handling information that is assessed and determined to be sensitive or security classified is provided at Minimum protections for sensitive and security classified information.
Examples of OFFICIAL: Sensitive information may include:
|
Table 1 Business Impact Levels tool – Assessing damage to the national interest, government, organisations or individuals
- Download Table 1 Business Impact Levels tool – Assessing damage to the national interest, organisations or individuals [PDF 432KB]
- Download Table 1 Business Impact Levels tool – Assessing damage to the national interest, organisations or individuals [DOCX 41KB]
Figure 1 Assessing whether information is sensitive or security classified
Sanitising, reclassifying or declassifying information
Requirement 3 mandates that the originator of the information remains responsible for controlling the sanitisation, reclassification or declassification of its information. No other entity may change the information's classification unless authorised to do so by the originator.
Information may require modification (sanitising) to allow its wider distribution and potential use. Information can be changed to reduce its sensitivity or classification by editing, disguising or altering information to protect intelligence, sources, methods, capabilities, analytical procedures or privileged information. Once sanitised, the information can be declassified or reclassified (see Table 2).
Term |
Definition |
Reclassification |
The administrative decision to change the security classification of information based on a reassessment of the potential impacts of its compromise. Reclassification may raise or lower the security classification of information. |
Declassification |
The administrative decision to reduce the security classification of information to OFFICIAL (an unclassified state) when it no longer requires security classification handling protections. |
The Attorney‑General's Department recommends entities establish procedures so that information is automatically declassified:
- if the originator set a specific date or event for declassification based on an assessment of the period in which the information might cause damage, when that date or event occurs.
- if the originator did not set a specific date or event for declassification, when the open access period under the Archives Act 1983 commences. For guidance on open access periods, see the National Archives of Australia website.
The Attorney‑General's Department also recommends entities establish procedures to encourage regular review of classified information for continuing sensitivity (ie if the compromise of the information would still cause damage) using the impact‑based classification assessment described in When to assess information sensitivity or security classification. For example, these reviews could be done after a project is completed or when a file is withdrawn from (or returned to) use. Information is declassified or reclassified to a lower classification when a reassessment of its Business Impact Level indicates it no longer meets the original Business Impact Level to which its classification applies.
Consistent with Requirement 4, information that has been reclassified or declassified must be clearly identified using an applicable protective marking to reflect the new assessment of the Business Impact Level—see Protective markings for sensitive and security classified information.
Historical security classifications
There are historical security classifications and other protective markings (eg CONFIDENTIAL classification) that no longer reflect Australian Government policy. For assistance in applying appropriate handling protections (and assessing damage to the national interest, organisations or individuals) to historical classifications, see Annex F.
Caveats and accountable material
Caveats are a warning that the information has special protections in addition to those indicated by the security classification (or in the case of the NATIONAL CABINET caveat, a security classification or the OFFICIAL: Sensitive marking).
The Australian Government Security Caveats Guidelines establishes four categories of caveats:
- codewords (sensitive compartment information)
- foreign government markings
- special handling instructions
- releasability caveats.
Table 3 describes caveats commonly used across government.
Caveats are not classifications and must appear with an appropriate security classification (or in the case of the NATIONAL CABINET caveat, a security classification or the OFFICIAL: Sensitive marking).
Accountable material is information that requires the strictest control over its access and movement. Accountable material includes:
- TOP SECRET security classified information
- some types of caveated information, being:
- all codeword information
- select special handling instruction caveats, particularly CABINET information at any security classification
- any classified information designated as accountable material by the originator.
What constitutes accountable material may vary from entity to entity and could include budget papers, tender documents and sensitive ministerial briefing documents.
Requirement 6 mandates that caveated information and accountable material be clearly marked and handled in accordance with the originator and the caveat holder's special handling requirements as established in the Australian Government Security Caveats Guidelines. These special caveat requirements apply in addition to the classification handling requirements. Additional information about handling caveats is available in the Sensitive Material Security Management Protocol and the Australian Government Security Caveats Guidelines on a need-to-know basis on GovTEAMS.
Requirement 3 requires the originator's approval to remove or change a security classification applied to information. To be consistent with Requirement 3, the prior agreement of the originating entity also needs to be obtained to remove a caveat.
Table 3 Caveat types
Information management markers
Information management markers are an optional way for entities to identify information that is subject to non‑security related restrictions on access and use. They are subset of the controlled list of terms for the 'Rights Type' property in the National Archives of Australia's Australian Government Recordkeeping Metadata Standard (AGRkMS).
Information management markers are not protective markers.
The information management markers are described in Table 4.
Whether to use an IMM | Which IMM to use | Notes |
If the information is subject to legal professional privilege |
Use the legal privilege IMM
|
Compromise of the confidentiality of information subject to legal professional privilege is likely to cause at least limited damage to the national interest, organisations or individuals. The Attorney‑General's Department recommends that the legal privilege IMM only be used with OFFICIAL: Sensitive or above. |
If the information is subject to one or more legislative secrecy provisions |
Use the legislative secrecy IMM
|
Compromise of the confidentiality of information subject to legislative secrecy provisions is likely to cause at least limited damage to the national interest, organisations or individuals and the damage may be defined in legislation. The Attorney‑General's Department recommends that the legislative secrecy IMM only be used with OFFICIAL: Sensitive or above. |
If the information is personal information as defined in the Privacy Act 1988 |
Use the personal privacy IMM
|
The Privacy Act requires entities to protect the personal information they hold from misuse, interference, loss, and from unauthorised access, modification or disclosure. The Act defines personal information as 'information or an opinion about an identified individual, or an individual who is reasonably identifiable'. The Privacy Act also defines 'sensitive information' which includes personal information about an individual's:
The Privacy Act generally affords a higher level of privacy protection to sensitive information than to other personal information. The Attorney‑General's Department recommends that the personal privacy IMM only be used with OFFICIAL: Sensitive or above. |
Minimum protections for sensitive and security classified information
In addition to the following guidance, Annexes A to D establish the key operational controls to protect sensitive and security classified information.
Consistent with PSPF Policy 2: Management structures and responsibilities Requirement 2, each entity is required to develop and use procedures to cover all elements of protective security, including protecting sensitive and security classified information.
The Attorney-General's Department recommends entity personnel consult with their own entity security team for advice on the application of protections for sensitive and security classified information. Entity-specific procedures may require personnel to implement the protections in particular ways or to apply a higher level of protection, in order to meet business needs or to address the entity's security risk environment.
Protective markings for sensitive and security classified information
Applying protective markings to security classified or sensitive information indicates that the information requires protection, and dictates the level of protection required. Protective markings help control and prevent compromise of information as they are an easily recognisable way for information users (visually) and systems (such as an entity's email gateway) to identify the level of protection the information requires.
Requirement 4 mandates that the originator clearly identify sensitive and security classified information by using applicable protective markings. Requirement 5 mandates that entities apply the Australian Government Recordkeeping Metadata Standard to protectively mark information on systems that store, process or communicate sensitive or security classified information.
The OFFICIAL marker may be used to identify information that is an Australian Government record that is not sensitive or security classified. Similarly, the UNOFFICIAL marker may be used to identify information generated for personal or non-work related purposes. Use of these markers is not mandatory.
Applying text-based protective markings
Requirement 4 indicates text-based protective markings are the preferred method to identify sensitive and security classified information. Figure 2 Protectively marking physical (printed) information provides an example of applying protective markings.
To achieve clearly identifiable protective markings, the Attorney-General's Department recommends:
- using capitals, bold text, large font and a distinctive colour (red preferred), for example OFFICIAL
- placing markings at the centre top and bottom of each page
- separating markings by a double forward slash to help clearly differentiate each marking.
The order of precedence or hierarchy for protective markings is:
- classification (or the OFFICIAL: Sensitive dissemination limiting marker)
- foreign government information markings (if any)
- caveats or other special handling instructions (if any) then
- (optional) information management markers (if any).
Paragraph grading indicators are useful where there is a need to identify the security classification of each individual paragraph or section, in addition to the document's overall protective marking or classification. Use of paragraph grading indicators is optional.
The Attorney‑General's Department recommends that, when used, paragraph grading indicators:
- appear in the same colour as the text within the document either in:
- brackets at the start or end of each paragraph, or
- the margin adjacent to the first letter of the paragraph.
- be written in full or abbreviated by the first letter/s of the markings, as follows:
- (UO) for UNOFFICIAL
- (O) for OFFICIAL
- (O:S) for OFFICIAL: Sensitive
- (P) for PROTECTED
- (S) for SECRET
- (TS) for TOP SECRET.
The paragraph or section with the most valuable, important or sensitive information (highest classification) dictates the document's overall protective marking or classification.
Figure 2 Protectively marking physical (printed) information
Applying protective markings if text-based markings cannot be used
If text-based markings cannot be used (eg on certain media or assets), Requirement 4 mandates that colour‑based markings must be used. Annexes A to E identify the recommended colours to use for a colour-based marking system.
Colour-based markings use the RGB model, which refers to Red (R), Green (G) and Blue (B) colours that can be combined in various proportions to obtain any colour in the visible spectrum. Table 5 specifies the recommended RGB colour-based marking that applies to each security classification. There are no specific RGB colours for OFFICIAL: Sensitive and OFFICIAL information, although a Yellow colour is recommended for OFFICIAL: Sensitive.
Security classification | Colour-based marking | RGB cell colour |
PROTECTED |
Blue |
R 79, G 129, B 189 |
SECRET |
Pink/Salmon |
R 229, G 184, B 183 |
TOP SECRET |
Red |
R 255, G 0, B 0 |
If both text-based and colour-based markings cannot be used (eg for verbal information), entities must use a scheme to identify sensitive and classified information. Requirement 4 mandates that the scheme must be documented and that entities must train personnel appropriately. For example, a scheme could include an entity policy for meetings that may include discussion of classified information—that participants identify at the commencement of the meeting the level of sensitive or security classified information to be discussed.
Other markings, for example entity-specific markings, are not recognised by this policy. A standard set of markings ensures common understanding, consistency and interoperability across systems and government entities. Other markings may confuse users about appropriate handling protections.
Applying protective markings through metadata
Metadata is a term used for 'data about data'. On ICT systems, text-based protective markings are supplemented by the use of metadata to describe, among other things, key security characteristics of information.
For electronic records management systems, the National Archives of Australia produces the Australian Government Recordkeeping Metadata Standard (AGRkMS) to provide standardised metadata terms and definitions for consistency across government. The minimum metadata set is a practical application of the standard that identifies the metadata properties essential for agency management and use of business information. Requirement 5 mandates that entities apply the AGRkMS metadata properties.
From an information security perspective, there are three metadata properties of importance:
- security classification property—identifies the security classification of the information and is used to identify information that is restricted to users with appropriate security clearance permissions. Requirement 5 mandates application of this property for all classified information
- b. security caveat property—can (with the exception of the NATIONAL CABINET caveat) only be used with the security classification property. The NATIONAL CABINET caveat can be applied with either a security classification or the OFFICIAL: Sensitive marking. This property identifies that the information requires additional special handling and that only people cleared and briefed to see it may have access. Requirement 5 mandates application of this property for caveat information.
- rights property—optional property to identify non-security related restrictions on the use or access to records. The National Archives of Australia has established a subset of rights property terms for common usage as information management markers to categorise information.
For emails, the preferred approach is for entities to apply protective markings to the internet message header extension, in accordance with the Email Protective Marking Standard at Annex G. This helps with construction and parsing by email gateways and servers, and allows for information handling based on the protective marking. Where an internet message header extension is not possible, protective markings are placed in the subject field of an email. See Figure 3 for an example of a protectively marked email.
Figure 3 Protectively marking an email
When printed, an email is considered a physical document, as such, a visual presentation of the protective marking (such as a separate line in the email) is important.
Limiting disclosure and access to sensitive and security classified information
The vast majority of official information can be shared, where appropriate. The PSPF Policy 9: Access to information states that:
Each entity must enable appropriate access to official information. This includes … ensuring that those who access sensitive or security classified information are appropriately security cleared and need to know that information.
Limiting by need-to-know principle
PSPF Policy 9: Access to information establishes that the need‑to‑know principle applies for all access to sensitive and security classified information. Limiting access by staff and others (eg contractors) to information on a need-to-know basis guards against the risk of unauthorised access or misuse of information. Personnel are not entitled to access information merely because it would be convenient for them to know or because of their status, position, rank or level of authorised access.
The Attorney-General's Department recommends that entities consider staff access to OFFICIAL information on a need-to-know basis, although this is not a requirement of the PSPF.
Limiting by security clearance level
PSPF Policy 9: Access to information establishes the level of security clearance required to access sensitive and security classified information. This requirement is restated in Annexes A to D.
For further guidance on obtaining personnel security clearances see PSPF Policy 12: Eligibility and suitability of personnel.
Keeping records of disclosure and access
Monitoring and auditing the dissemination of information plays an important role in information protection.
For highly classified or caveated information (such as TOP SECRET information or accountable material), it is critical to maintain an auditable register (such as a Classified Document Register) of all incoming and outgoing information and material, transfers or copying, along with regular spot check audits. Personnel can conduct spot check audits by sighting documents listed in the register and documenting the process (eg counter-signing the register).
The Attorney-General's Department recommends that entities:
- keep an audit log or register for documents at other classification levels (particularly for SECRET information), or registered information received from other entities
- develop procedures for regular spot checks to ensure accountable material (including TOP SECRET information) is accounted for and being handled, used and stored appropriately. For example, do a spot check of 5 per cent of TOP SECRET files per month, with 100 per cent of TOP SECRET files checked within a two-year period
- use receipts for transfer of all security classified information. Receipts can be used to identify the date and time of dispatch, the dispatching officer's name and a unique identifying number. Additionally, receipts can be used as a mechanism to control the incoming transfer of information (eg a two‑part receipt placed in the inner envelope with the information means the addressee can keep one portion and sign and return the other to the sender).
There may be other legislative requirements for record keeping. For example, under the Privacy (Australian Government Agencies – Governance) APP Code 2017, a Privacy Officer is required to maintain a record of an entity's personal information holdings and a register of privacy impact assessments.
Markings such as page and reference numbering can be used to identify and track classified information. There may be other reasons to use reference markings, for example Requirement 6 mandates the use of page and reference numbering for all accountable material, even if it is not sensitive or classified.
Using sensitive and security classified information
It is a core requirement of this policy that entities 'implement operational controls for their information holdings, proportional to their value, importance and sensitivity'. Consistent with this requirement, PSPF Policy 15: Physical security for entity resources, mandates that:
Each entity must implement physical security measures that minimise or remove the risk of…information and physical asset resources being made inoperable or inaccessible, or being accessed, used or removed without appropriate authorisation.
When sensitive and security classified information is being 'used'—able to be read, viewed, heard or comprehended—it may be at higher risk of compromise. Different physical environments pose different risks for information compromise.
Entities can minimise risk through the application of operational controls, complementing the physical security measures required under PSPF Policy 15. The Attorney‑General's Department recommends entities establish procedures that facilitate personnel maintaining good security practices while using sensitive and security classified information, including:
- maintaining awareness of their environment, including who will or could access, use or remove information for which the officer is responsible and whether they could be exposed to information they are not authorised to access
- exercising judgement to assess environmental suitability
- taking appropriate steps to minimise the risk of an unauthorised person accessing, using or removing the information
- employing appropriate physical handling of information, for example when carrying or when the information is not in active use.
Annexes A to D establish the physical security zones where different levels of sensitive and security classified information can be used.
Using information when working away from the office
Working away from the office is all work undertaken by personnel away from entity facilities, including using mobile computing and communications and by teleworkers. PSPF Policy 15: Physical security for entity resources recommends that when personnel are working away from the office:
…entities consider the security risks of the environments in which their personnel operate, the type of information that will be used and how that information will be accessed.
Use: Information is in use if it can be read, viewed, heard or comprehended by a person. Entity facility: An entity facility means the physical security zones of an Australian agency or department, and includes Australian Government embassies, high commissions and consulates Teleworkers: personnel with remote ICT access in a fixed location. Regular ongoing home-based work: is where an arrangement exists between an individual and their agency/manager for them to work from home on an ongoing basis. Any other work done at home is occasional home-based work. |
The Attorney‑General's Department's recommendations for maintaining good security practices when using sensitive and security classified information in an entity facility (Using sensitive and security classified information) are also relevant where sensitive and security classified information is used when working away from the office.
Business requirements may mean personnel need to use or store sensitive or security classified information in:
- other entities' facilities (eg to attend a meeting)
- alternative office spaces (eg another entity's facility, state or territory government facilities, allied secure and accredited facilities)
- private homes (eg for regular ongoing home‑based work or occasional home-based work)
- public spaces (eg public transport, cafés, restaurants, hotels and transit lounges) within Australia
- facilities overseas (eg to attend a meeting with foreign country officials).
In some situations, for practical reasons personnel may need to hold the information for a period of time before reaching the location in which they will use the information—for example, taking information home the night before an early meeting or early travel to another city within Australia.
The officer who removes sensitive or security classified information from a security zone is the responsible officer. The responsible officer has custody of the information and is responsible for handling the information in accordance with the minimum protections for the classification. Annexes A to D establish the minimum protections for using sensitive and security classified information outside the entity's facility, including outlining information that may not be taken out of entity facilities.
Where the responsible officer:
- needs to store sensitive and security classified information outside an entity facility, the guidance at Storing sensitive and security classified information applies
- needs to carry sensitive and security classified information from one location, to use at a second location (for example, from their entity facility to use at home or to attend a meeting in another entity's facility), the guidance at Carrying sensitive and security classified information applies
- needs to transfer sensitive and security classified information to another individual, the guidance at Transferring and transmitting sensitive and security classified information applies.
Using information on mobile computing and communications
Mobile computing and communications encompasses work using computing and communications devices such as laptops, notebooks, tablets, smart mobile phones and personal digital assistants. Given their portable nature, these mobile devices provide a platform for entity mobility by enabling personnel to use, store and communicate sensitive and classified information away from the traditional desktop environment.
The Attorney‑General's Department's recommendations for maintaining good security practices when using sensitive and security classified information in an entity facility (Using sensitive and security classified information) are also relevant where sensitive and security classified information is being used via a mobile device, whether within or outside an entity facility. Similarly, the guidance at Storing sensitive and security classified information applies.
Annexes A to D establish the minimum protections for accessing, storing or communicating sensitive and security classified information on mobile devices.
The Attorney‑General's Department recommends entities ensure that use of privately-owned mobile devices do not present an unacceptable security risk.
For more detailed guidance on using mobile devices, including granting access to government information or systems by personal (or privately-owned) mobile devices, see the Australian Government Information Security Manual.
Using information on official travel outside Australia
Special care is necessary when sensitive or security classified information (physical or held on a mobile device) is removed from entity facilities for use outside Australia.
The Attorney‑General's Department recommends entities establish entity procedures to:
- consider country-specific advice
- if required, consult with the Department of Foreign Affairs and Trade (DFAT) for practical advice, including on the availability of transfer and storage options using resources available through Australian Government embassies, high commissions and consulates, and
- authorise officers to travel with sensitive and security classified information.
Annexes A to D establish the minimum protections for travelling with sensitive and security classified information outside Australia.
Storing sensitive and security classified information
When sensitive and security classified information is unattended (ie it is not under the immediate control or in the physical presence of the person responsible for it), Requirement 7 mandates entities ensure the information is stored securely in an appropriate security container for the approved zone. Securely storing sensitive and security classified official information protects the information from compromise.
Requirement 7 also applies to mobile devices holding sensitive and security classified information. These items may also need protections as a valuable asset (see PSPF Policy 15: Physical security for entity resources). The Attorney‑General's Department recommends that mobile devices be stored in a secured state, where encryption is active when the device is not in use. The Australian Government Information Security Manual includes guidelines on encryption for mobile devices.
A mobile device is in a secured state if appropriate encryption is active when the device is not in active use. The Australian Government Information Security Manual includes guidelines on encryption for mobile devices. In all other circumstances–when the device is in use or is deemed to be in use because encryption is not active or does not meet the standard prescribed in the ISM–the device is in an unsecured state. |
The National Archives of Australia Australian Government Information Management Standard requires that entities store information securely and preserve it in a usable condition for as long as required for business needs and community access. In accordance with the Information Management Standard, a secure and suitable storage environment is one that prevents unauthorised access, duplication, alteration, removal and destruction.
Ways to minimise duplication or alteration of information include:
- reproducing sensitive or security classified information only when necessary
- immediately destroying spare or spoilt copies (such destruction is defined as 'normal administrative practice' in the Archives Act 1983 and does not need specific permission from the National Archives of Australia). For guidance on destroying sensitive and security classified information, see Destroying sensitive and security classified information.
Annexes A to D establish the minimum protections for storing sensitive and security classified information and mobile devices holding information. For guidance on physical security zones, see the PSPF Policy 16: Entity facilities.
Clear desk, session and screen locking procedures
The Attorney‑General's Department recommends entities establish clear desk, session and screen locking procedures. These procedures are an additional way to protect information when unattended. These procedures promote awareness of the requirements to protect information from compromise and assist entity personnel to secure all files, documents (electronic as well as paper), sensitive and classified material (including portable and attractive items, for example iPads, mobile phones, memory sticks, PDAs etc) and other official information in their custody.
The Attorney‑General's Department recommends entities' procedures prompt personnel to ensure that:
- no sensitive or security classified information is left unattended on a desk (ie it is stored appropriately)
- ICT equipment (computers and media devices) is locked when not in use
- electronic media and devices containing classified or sensitive information are secured
- all portable and attractive items are secured
- keys to classified storage devices are secured
- keys are not left in doors and drawers (at the end of the day or for an extended period of time).
For further information on applying session and screen locking procedures, see the Australian Government Information Security Manual.
Carrying sensitive and security classified information
It is important to implement effective protections when carrying sensitive and security classified information from one location to use in another location, including to attend meetings inside entity facilities, outside and between entity facilities. Higher levels of protection are required if sensitive or security classified information is carried through a less secure zone (eg carrying SECRET material through a Zone 1 or carrying TOP SECRET information through a Zone 1 or Zone 2) or outside the entity in public spaces.
Annexes A to D outline the minimum protections for carrying each level of sensitive and security classified information, including for carrying outside entity facilities and between entity facilities.
ASIO‑T4 and the Security Construction and Equipment Committee (SCEC) provide advice on security equipment for protecting classified information while carrying it. This includes advice on SCEC-endorsed tamper evident seals and packaging, as well as guidance on selecting briefcases suitable for the carriage of security classified information. The advice is available on the Protective Security Policy GovTEAMS community.
For guidance on transferring information to another person or entity, see Transferring and transmitting sensitive and security classified information.
Transferring and transmitting sensitive and security classified information
Requirement 8 mandates that entities ensure sensitive and security classified information is transferred and transmitted by means that deter and detect compromise.
Examples of transferring information include:
- handing information to a person within an office environment (ie within entity facilities)
- sending information through the entity's internal mail to a person who works in the same building
- sending information through the entity's internal mail to a person who works in a different building
- handing or sending information to a person in another entity
- giving a person a secure approved USB or other storage device that holds the information.
Examples of transmitting information include:
- emailing information to a person within the entity or in a different entity
- verbally communicating information to a person within the entity or another entity (eg by telephone or videoconference).
To ensure sensitive and security classified information is only transferred or transmitted to people with a need‑to‑know, entities are encouraged to identify information recipients by:
- a specific position, appointment or named individual
- where physical information is being transferred:
- a full location address (eg not a post office box for physical delivery, as this may be unattended)
- an alternative individual or appointment where relevant (eg for TOP SECRET information).
- where information is being electronically transmitted, an email address exclusive to those individuals with a need‑to‑know (eg not a mailbox with unrestricted access).
Transferring physical sensitive and security classified information
When transferring physical sensitive and security classified information, the Attorney‑General's Department recommends adopting security measures to:
- obscure that the information is sensitive or security classified
- deter and detect unauthorised access to the information.
The security measures required to protect sensitive and security classified information and caveated information and material during physical transfer depend on the sensitivity or security classification level of the information, where the information is going from and to, and the transfer method used.
Annexes A to D establish the minimum protections to transfer each level of sensitive and security classified information. Where transfer is between physical locations:
- a tamper-evident double barrier is used to protect security classified information. The most common method to achieve this is 'double‑enveloping'
- a secure transfer method is used, such as by entity safe hand or safe hand by an endorsed courier.
It may also be appropriate or required for entities to follow record‑keeping procedures when transferring sensitive and security classified information, such as use of receipts.
The PSPF does not impose requirements for the transfer of OFFICIAL information (as opposed to OFFICIAL: Sensitive information). The Attorney‑General's Department recommends entities ensure that OFFICIAL information is transferred by means which deter and detect compromise (see Annex E).
'Double enveloping' consists of:
The inner 'envelope' can consist of:
The Attorney-General's Department recommends marking the classification conspicuously on the inner envelope (eg at the top and bottom of the front and back of the envelope). The outer 'envelope' is some form of sealed opaque covering. It could be a regular mail envelope, a SCEC-approved single-use outer envelope, security briefcase, satchel, pouch or transit bag. It may display information identifying the recipient and any receipt or reference numbers, if required. The Attorney-General's Department recommends avoiding displaying any details on the outer envelope (such as protective markings) that indicate that the information is sensitive or security classified information. |
'Safe hand' means information is dispatched to the addressee in the care of an authorised person or succession of authorised people who are responsible for its carriage and safekeeping. The authorised person could be the responsible officer who removes the information from the entity facility. An authorised person could also be an endorsed courier. 'Entity safe handing' is where all of the authorised persons in the chain are officers of the entity dispatching the information. Sending information via safe hand establishes an audit trail that provides confirmation that the addressee received the information and helps to ensure the item is transferred in an authorised and secure facility or vehicle. To deter and detect any information tampering, at each handover, a receipt is obtained showing (at a minimum) the identification number, the time and date of the handover, and the name and signature of the recipient. Sending information via safe hand requires:
Safe hand via an endorsed courier Using an endorsed courier provides a level of assurance for the confidentiality of information being transferred, where it is not possible to use entity personnel to carry the information. This method of transfer is not suitable for protecting valuable or attractive assets such as pharmaceuticals or money. Special arrangements, such as armed escorts may be necessary in certain circumstances. A number of commercial courier companies have been endorsed by SCEC to provide safe hand courier services. Contact ASIO-T4 by email t4ps@t4.gov.au or see the ASIO-T4 Protective security circular (PSC) 172 (available on a need-to-know basis on GovTEAMS) for advice on SCEC-endorsed safe hand courier services. Special handling requirements may apply to caveated information. This may preclude the use of a commercial safe hand courier when using certain caveats. For guidance on caveats, see Caveats and accountable material. |
Using devices to transfer or transmit sensitive and security classified information
Devices that are able to store and communicate information, such as laptops, notebooks, tablets, smart mobile phones, personal digital assistants and USBs, can be used to both transfer and transmit information. Ways to deter and detect information compromise and unauthorised access when devices are used include password protection, encrypting information at rest and remote wiping capabilities.
Where devices cannot be protected by these means, the Attorney‑General's Department recommends entities apply the protections used for physical information (see Transferring physical sensitive and security classified information).
Where a device is being used to transfer sensitive and security classified information to another entity—ie the device will be retained by the receiving entity—it may be appropriate for entities to consider additional controls such as receipts (see Keeping records of disclosure and access). For guidance on protecting information on ICT systems, see PSPF Policy 11: Robust ICT systems.
Transferring sensitive or security classified information outside Australia
Special care is necessary when transferring sensitive or security classified information (physical or held on a storage device) outside Australia.
Annexes A to D establish the minimum protections for transferring sensitive and security classified information outside Australia, including outlining information that may not be transferred outside Australia.
The Attorney‑General's Department recommends entities:
- consider country-specific advice
- check with the Department of Foreign Affairs and Trade (DFAT) about the most appropriate method to transfer sensitive and security classified information outside Australia
- establish entity procedures if overseas transfers form a routine part of their business.
Electronically transmitting sensitive and security classified information
Entities electronically transmit information when it is sent or communicated over the internet, through a secure network infrastructure (ie official, PROTECTED, SECRET or TOP SECRET networks) or over public network infrastructure and unsecured spaces. Examples of electronical transmission include using email, facsimile, instant messaging services, GovTEAMS, telephone and videoconference.
Information is at increased risk when electronically transmitted, particularly when information is transmitted outside of a controlled environment (eg when an entity does not have control over the entire transmission network).
Encryption can be used to assist in protecting information from compromise where insufficient physical security is provided for the protection of information communicated over network infrastructure.
Where the electronic transmission involves verbal communication (such as telephone or videoconference), the Attorney‑General's Department's recommendations for maintaining good security practices when using sensitive and security classified information are relevant (Using sensitive and security classified information).
Table 6 outlines the minimum protections to deter and detect compromise when transmitting information electronically. For detailed guidance on protecting transmissions over networks, including information on cryptography, see the Australian Government Information Security Manual.
Classification/marking |
Minimum protections |
TOP SECRET (and SECRET Codeword) |
|
SECRET |
|
PROTECTED |
|
OFFICIAL: Sensitive |
Communicate information over OFFICIAL networks (or networks of higher classification). Encrypt OFFICIAL: Sensitive information transferred over public network infrastructure, or through unsecured spaces (including Zone 1 security areas), unless the residual security risk of not doing so has been recognised and accepted by the entity. An entity may wish to consider other security measures or mitigating protections already in place, such as:
Australian Privacy Principle 11 imposes additional obligations regarding the transmission of 'personal information' (as defined under the Privacy Act 1988); the Office of the Australian Information Commissioner's Guide to Securing Personal Information provides guidance on the reasonable steps that entities may be required to take under the Privacy Act to protect the personal information they hold, including when such information is being transferred or transmitted. |
OFFICIAL |
|
While encryption of OFFICIAL information (as opposed to OFFICIAL: Sensitive information) is not a mandated requirement, entities are required to implement operational controls for all information holdings proportional to their value, importance and sensitivity. The Attorney‑General's Department recommends entities ensure that OFFICIAL information is transmitted by electronic means which deter and detect compromise, including use of encryption to assist in protecting OFFICIAL information.
Disposing of sensitive and security classified information
Not all information and records are kept forever. Information is managed for as long as it has business value; some information will have long-term historical and social value. Requirement 9 mandates that entities dispose of sensitive and security classified information in a secure manner. The careless disposal of classified or sensitive information is a serious source of leakage of information and can undermine public confidence in the Australian Government.
The National Archives of Australia's Information Management Standard Principle 6 states:
Keep business information for as long as required after which time it should be accountably destroyed or transferred.
Assess business information against current records authorities to determine which information can be destroyed or transferred.
Confirm that there is no need to keep business information beyond the authorised retention period. Examples of needs to keep business information longer include:
- anticipated requests for access
- likely legal action
- a significant increase in public interest in the topic
- a disposal freeze issued by the Archives for business information on that issue or event.
Under the Archives Act information disposal includes:
- its destruction
- the transfer of its custody or ownership, or
- damage or alteration.
Section 26 of the Archives Act prohibits altering records that are over 15 years old without authorisation from the National Archives.
Information disposal includes the: physical destruction of paper records; destruction of electronic records including deleting emails, documents or other data from business systems; transfer of records to another entity as the result of machinery of government changes; and transfer to the National Archives of Australia.
Under Section 24 of the Archives Act, information disposal can only take place when it is:
- approved by the National Archives of Australia
- required by another law, or
- part of normal administrative practices that the National Archives of Australia does not disapprove.
For guidance, see the National Archives of Australia website, Dispose of information.
Destroying sensitive and security classified information
A variety of methods can be used for the secure destruction of information in physical form.
ASIO-T4 approves specifications for equipment used to destroy security classified information. Commonly used destruction methods include:
- pulping
- burning
- pulverising using hammermills
- disintegrating by cutting and reducing the waste particle size
- shredding using crosscut shredders (strip shredders are not approved for destruction of security classified information).
The Australian Government Information Security Manual provides guidance on sanitisation and destruction of ICT equipment and storage media. Methods for destroying digital information include:
- digital file shredding
- degaussing by demagnetising magnetic media to erase recorded data
- physical destruction of storage media through pulverisation, incineration or shredding
- reformatting, if it can be guaranteed that the process cannot be reversed.
Commercial providers may be used to destroy security classified information. The Attorney‑General's Department recommends that entities review the appropriateness of a commercial provider's collection process, transport, facility, procedures and approved equipment when considering external destruction services. These considerations can be made against ASIO-T4 Criteria – agency-assessed and approved destruction service (available on a need-to-know basis on GovTEAMS. Appropriate procedures include ensuring:
- classified information is attended at all times and the vehicle and storage areas are appropriately secured
- that destruction is performed immediately after the material has arrived at the premises
- that destruction of classified information is witnessed by an entity representative
- destruction service staff have a security clearance to the highest level of security classified information being transported and destroyed, or appropriately security cleared entity staff escort and witness the destruction.
A number of commercial providers hold National Association for Information Destruction AAA certification for destruction service (with endorsements as specified in PSC 167 External destruction of security classified information (available on a need-to-know basis on GovTEAMS). These commercial providers are able to destroy security classified information.
The Attorney-General's Department recommends information classified TOP SECRET or accountable material be destroyed within entity premises; the originating entity may request notification of destruction. The originator of some accountable material may apply special handling conditions that prevent information destruction being contracted out.
While Requirement 9 mandates that sensitive and security classified information is disposed of securely, this policy does not impose security requirements for how destruction of OFFICIAL: Sensitive information is to occur and Requirement 9 does not apply to OFFICIAL information. The Attorney‑General's Department recommends entities establish procedures for the secure disposal of OFFICIAL and OFFICIAL: Sensitive information.
There may be other legislative requirements that apply to the disposal of information. For example, Australian Privacy Principle 11.2 imposes obligations on the destruction and de-identification of personal information under the Privacy Act.
What to do in the case of an emergency, breach or security violation involving classified information
Exceptional situations or emergencies may arise that prevent application of this policy. The PSPF Policy 5: Reporting on security requires entities to report details about exceptional circumstances that affect an entities ability to fully implement this policy and indicate the measures taken to mitigate or otherwise manage identified security risks. The PSPF Policy 5: Reporting on security also mandates that affected entities are advised of any unmitigated security risks.
Any compromise of any classified information is considered a security incident. The PSPF Policy 2: Management structures and responsibilities requires entities to investigate, respond to and report on security incidents.
In line with this, the Attorney-General's Department recommends entities report:
- any compromise of classified information to the information's originator as soon as practicable
- matters relating to national security (such as compromise of SECRET or TOP SECRET information) to the Director-General, Australian Security Intelligence Organisation.
Find out more
Other legislation and policies that may be relevant to the handling of official government information include the:
- Archives Act and supporting Commonwealth records management policies such as:
- National Archives of Australia Information Management Standard
- National Archives of Australia Digital Continuity 2020 policy
- Australian Government Information Security Manual
- Privacy Act and the Office of the Australian Information Commissioner Guides and APP guidelines.
Annex A - Minimum protections and handling requirements for TOP SECRET information
BIL 5 |
TOP SECRET—exceptionally grave damage to the national interest, organisations or individuals |
Protective marking |
Apply text-based protective marking TOP SECRET to documents (including emails). It is recommended that text markings be in capitals, bold text, large fonts and distinctive colours (red preferred) and located at the centre top and centre bottom of each page. If text-based markings cannot be used, use colour-based markings. For TOP SECRET a red colour is recommended. If text or colour-based protective markings cannot be used, apply the entity's marking scheme for such scenarios. If marking paragraphs, it is recommended that TOP SECRET is written in full or abbreviated to (TS) and placed either in brackets at the start or end of the paragraph or in the margin adjacent to the first letter of the paragraph. |
Access |
The need-to-know principle applies to all TOP SECRET information. Ongoing access to TOP SECRET information requires a Negative Vetting 2 security clearance or above. Any temporary access must only be provided to personnel with at least a Negative Vetting 1 security clearance and must be must be supervised. |
Use |
TOP SECRET information can only be used in Zones 3-5. Outside entity facilities (including at home) |
Storage |
Do not leave TOP SECRET information, or a mobile device that processes, stores or communicates TOP SECRET information, unattended. Store securely when unattended. When storing TOP SECRET information, or a mobile device that processes, stores or communicates TOP SECRET information:
|
Carry |
When carrying physical TOP SECRET information always retain it in personal custody
Mobile devices that that process, store or communicate TOP SECRET information require explicit approval by the Australian Signals Directorate (ASD). When carrying an approved TOP SECRET mobile device always retain it in personal custody
|
Transfer |
When transferring physical TOP SECRET information
Any transfer requires a receipt. |
Transmit | When transmitting electronically, communicate information over TOP SECRET secure networks. Use ASD's High Assurance Cryptographic Equipment to encrypt TOP SECRET information for any communication that is not over a TOP SECRET network. |
Official travel |
TOP SECRET information and mobile devices that process, store or communicate TOP SECRET information must not be stored or used outside appropriate entity facilities.
Do not leave TOP SECRET information unattended. Do not store while travelling (eg in a hotel room). If storage required, store in an Australian entity facility. Travelling domestically with a mobile device that processes, stores or communicates TOP SECRET information is not recommended, consider alternative options to access information at destination. If required:
Do not leave device unattended. Do not store device while travelling (eg in a hotel room). If storage required, store in an Australian entity facility. Travel outside Australia If access to TOP SECRET information or mobile device provided at overseas destination:
Do not leave TOP SECRET information unattended. Do not store while travelling (eg in a hotel room). If storage required, store in an Australian entity facility. |
Disposal | Dispose of TOP SECRET information using a Class A shredder – supervise and document destruction |
Annex B - Minimum protections and handling requirements for SECRET information
BIL 4 |
SECRET—serious damage to the national interest, organisations or individuals |
Protective marking |
Apply text-based protective marking SECRET to documents (including emails). It is recommended that text markings be in capitals, bold text, large fonts and distinctive colours (red preferred) and located at the centre top and centre bottom of each page. If text-based markings cannot be used, use colour-based markings. For SECRET a salmon pink colour is recommended. If text or colour-based protective markings cannot be used, apply the entity's marking scheme for such scenarios. If marking paragraphs, it is recommended that SECRET is written in full or abbreviated to (S) and placed either in brackets at the start or end of the paragraph or in the margin adjacent to the first letter of the paragraph. |
Access |
The need-to-know principle applies to all SECRET information. Ongoing access to SECRET information requires a Negative Vetting 1 security clearance or above. Any temporary access must be supervised. |
Use |
SECRET information and mobile devices that process, store or communicate SECRET information can be used in security Zones 2-5. Outside entity facilities (including at home)
Do not use SECRET information and mobile device that processes, stores or communicates SECRET information anywhere else outside entity facilities (for example private sector offices, café). |
Storage |
Do not leave SECRET information or a mobile device that processes, stores or communicates SECRET information unattended. Store securely when unattended. When storing physical SECRET information:
When storing a mobile device that processes, stores or communicates SECRET information:
|
Carry |
When carrying physical SECRET information always retain it in personal custody
When carrying a mobile device that processes, stores or communicates SECRET information always retain it in personal custody
|
Transfer |
When transferring SECRET information:
Any transfer requires a receipt. |
Transmit |
When transmitting electronically, communicate over SECRET secure networks (or networks of higher classification). Use ASD's High Assurance Cryptographic Equipment to encrypt SECRET information for any communication that is not over a SECRET network (or network of higher classification). |
Official travel |
Travel in Australia
Do not leave SECRET information unattended. Do not store while travelling (eg in a hotel room). If storage required, store in an Australian entity facility. Travel outside Australia
If access to SECRET information or mobile device provided at destination:
Do not leave SECRET information unattended. Do not store while travelling (eg in a hotel room). If storage required, store in an Australian entity facility. |
Disposal |
Dispose of SECRET information using a Class A shredder. |
Annex C - Minimum protections and handling requirements for PROTECTED information
BIL 3 |
PROTECTED—damage to the national interest, organisations or individuals |
Protective marking |
Apply text-based protective marking PROTECTED to documents (including emails). It is recommended that text markings be in capitals, bold text, large fonts and distinctive colours (red preferred) and located at the centre top and centre bottom of each page. If text-based markings cannot be used, use colour-based markings. For PROTECTED a blue colour is recommended. If text or colour-based protective markings cannot be used, apply the entity's marking scheme for such scenarios. If marking paragraphs, it is recommended that PROTECTED is written in full or abbreviated to (P) and placed either in brackets at the start or end of the paragraph or in the margin adjacent to the first letter of the paragraph. |
Access |
The need-to-know principle applies to all PROTECTED information. Ongoing access to PROTECTED information requires a Baseline security clearance or above. Any temporary access must be supervised. |
Use |
PROTECTED information and mobile devices that process, store or communicate PROTECTED information can be used in Zones 1-5. Outside entity facilities (including at home)
|
Storage |
Do not leave physical PROTECTED information unattended, store securely when unattended. Mobile devices that process, store or communicate PROTECTED information can be left unattended if in a secured state, subject to entity clear desk policy. When storing physical PROTECTED information:
When storing a mobile device that processes, stores or communicates PROTECTED information
|
Carry |
When carrying physical PROTECTED information always retain it in personal custody
When carrying a mobile device that processes, stores or communicates PROTECTED information
|
Transfer |
When transferring PROTECTED information
Any transfer requires a receipt. |
Transmit |
When transmitting electronically communicate information over PROTECTED networks (or networks of higher classification). Encrypt PROTECTED information for any communication that is not over a PROTECTED network (or network of higher classification). |
Official travel |
Travel in Australia When travelling with PROTECTED information or a mobile device that processes, stores or communicates PROTECTED information:
Leaving PROTECTED information, or a mobile device that processes, stores or communicates PROTECTED information, unattended while travelling is not recommended. For brief absences from a hotel room, apply entity procedures and exercise judgement to assess environmental risk. Travel outside Australia
Do not leave PROTECTED information or device unattended. Do not store while travelling (eg in a hotel room). If storage required, store in an Australian entity facility. |
Disposal |
Dispose of PROTECTED information using a Class B shredder. |
Annex D - Minimum protections and handling requirements for OFFICIAL: Sensitive information
BIL 2 |
OFFICIAL: Sensitive—limited damage to an individual, organisation or government |
Protective marking |
Apply text-based protective marking OFFICIAL: Sensitive to documents (including emails). It is recommended that text markings be in capitals, bold text, large fonts and distinctive colours (red preferred) and located at the centre top and centre bottom of each page. If text-based markings cannot be used, use colour-based markings. For OFFICIAL: Sensitive a yellow colour is recommended. If text or colour-based protective markings cannot be used, apply the entity's marking scheme for such scenarios. If marking paragraphs, it is recommended that OFFICIAL: Sensitive is written in full or abbreviated to (O:S) and placed either in brackets at the start or end of the paragraph or in the margin adjacent to the first letter of the paragraph. |
Access |
The need-to-know principle applies to all OFFICIAL: Sensitive information. There are no security clearance requirements for access to OFFICIAL: Sensitive information. |
Use |
OFFICIAL: Sensitive information and mobile devices that process, store or communicate OFFICIAL: Sensitive information can be used in Zones 1-5. Outside entity facilities (including at home)
|
Storage |
OFFICIAL: Sensitive information can be left unattended for short periods subject to entity clear desk policy. Mobile devices that process, store or communicate OFFICIAL: Sensitive information can be left unattended if in a secured state. When storing physical OFFICIAL: Sensitive information
When storing a mobile device that processes, stores or communicates OFFICIAL: Sensitive information
|
Carry |
When carrying physical OFFICIAL: Sensitive information
When carrying a mobile device that processes, stores or communicates OFFICIAL: Sensitive information
|
Transfer |
When transferring OFFICIAL: Sensitive information
|
Transmit |
When transmitting electronically communicate information over OFFICIAL networks (or networks of higher classification). Encrypt OFFICIAL: Sensitive information transferred over public network infrastructure, or through unsecured spaces (including Zone 1 security areas), unless the residual security risk of not doing so has been recognised and accepted by the entity. |
Official travel |
Travel in Australia If required to leave OFFICIAL: Sensitive information or device unattended while travelling, apply entity procedures and exercise judgement to assess environmental risk. Travel outside Australia If required to leave OFFICIAL: Sensitive information or device unattended, apply entity procedures and consider country-specific travel advice. |
Disposal |
Apply entity procedures for disposal. |
Annex E. Minimum protections and handling requirements for OFFICIAL information
BIL 1 |
OFFICIAL—no or insignificant damage |
Protective marking |
There is no requirement to apply text-based markings to OFFICIAL information. If using text-based markings, apply text-based protective marking OFFICIAL to documents (including emails). It is recommended that text markings be in capitals, bold text, large fonts and distinctive colours (red preferred) and located at the centre top and centre bottom of each page. There is no requirement for colour-based marking for OFFICIAL information. If marking paragraphs, it is recommended OFFICIAL is written in full or abbreviated to (O) and placed either in brackets at the start or end of the paragraph or in margin adjacent to the first letter of the paragraph. |
Access |
The need-to-know principle is recommended for OFFICIAL information. There are no security clearance requirements for access to OFFICIAL information. |
Use |
OFFICIAL information and mobile devices that process, store or communicate OFFICIAL information, can be used in Zones 1-5 and outside entity facilities. |
Storage |
OFFICIAL information and mobile devices that process, store or communicate OFFICIAL information can be left unattended, subject to entity clear desk policy. It is recommended that mobile devices are in a secured state if left unattended. Apply entity procedures for all storage of OFFICIAL information (ie inside entity facilities and outside entity facilities, including at home. Storage in a lockable container is recommended in Zone 1 and outside entity facilities. |
Carry |
Apply entity procedures when carrying OFFICIAL information. |
Transfer |
Apply entity procedures for transfer by hand, using internal mail, external mail or courier. For transfers outside entity facilities, it is recommended that information be placed in an opaque envelope or folder and sealed to minimise risk of unauthorised access. |
Transmit |
It is recommended that any information communicated over public network infrastructure is encrypted. |
Official travel |
OFFICIAL information can be taken on domestic and overseas travel. When outside entity facilities, apply entity procedures and consider environmental risk. |
Disposal |
Apply entity procedures for disposal. |
Annex F. Historical classifications and markings
Historical classification or sensitivity marking |
Key dates |
Current level equivalency and handling |
CONFIDENTIAL classification |
PSPF recognition of the CONFIDENTIAL classification discontinued on 1 October 2018. The classification is being grandfathered through to October 2020. |
None established. Consider the harm and apply corresponding security classification marking. Historical handling protections remain. See Annex F Table 2 and Table 3 for Protection and handling of CONFIDENTIAL information |
For Official Use Only (FOUO) dissemination limiting marker (DLM) |
FOUO DLM replaced on 1 October 2018. Recognition of the FOUO DLM ceases on 1 October 2020. |
FOUO is equivalent to the current OFFICIAL: Sensitive level. Handling of FOUO information is as per PSPF requirements for OFFICIAL: Sensitive information. |
Sensitive DLM |
Sensitive: Cabinet DLM replaced on 1 October 2018. Recognition of the Sensitive: Cabinet DLM ceases on 1 October 2020. |
The Sensitive: Cabinet DLM is equivalent to the current CABINET caveat. Handling of Sensitive: Cabinet information is as per:
|
Sensitive: Legal DLM |
Sensitive: Legal DLM replaced on 1 October 2018. Recognition of the Sensitive: Legal DLM ceases on 1 October 2020. |
Unless otherwise classified, Sensitive: Legal is equivalent to the current OFFICIAL: Sensitive level. The (optional) Legal privilege information management marker may be applied. Handling of Sensitive: Legal information is:
|
Sensitive: Personal DLM |
Sensitive: Personal DLM replaced on 1 October 2018. Recognition of the Sensitive: Personal DLM ceases on 1 October 2020. |
Unless otherwise classified, Sensitive: Personal is equivalent to the current OFFICIAL: Sensitive level. The (optional) Personal privacy information management marker may be applied. Handling of Sensitive: Personal information is:
|
HIGHLY PROTECTED classification |
Recognition of the HIGHLY PROTECTED classification ceased on 1 August 2012. |
HIGHLY PROTECTED is equivalent to the current SECRET classification. Handling of HIGHLY PROTECTED information is as per PSPF requirements for SECRET information. |
RESTRICTED classification |
Recognition of the RESTRICTED classification ceased on 1 August 2012. |
RESTRICTED is equivalent to the current OFFICIAL: Sensitive level. Handling of RESTRICTED information is as per PSPF requirements for OFFICIAL: Sensitive information. |
X-IN-CONFIDENCE classification |
Recognition of the X- IN- CONFIDENCE classification ceased on 1 August 2012. |
X-in-confidence is equivalent to the current OFFICIAL: Sensitive level. Handling of X-in-confidence information is as per PSPF requirements for OFFICIAL: Sensitive information. |
Protection and handling of CONFIDENTIAL information
The historical classification CONFIDENTIAL does not have an equivalent level of classification under the current PSPF. Information that was classified as CONFIDENTIAL before October 2020 has a business impact level of very high. This means that the compromise of CONFIDENTIAL information's confidentiality would be expected to cause significant damage to the national interest, organisations or individuals. Annex F Table 2 provides the sub-impact categories for this business impact level.
Sub-impact categories |
Significant damage is: |
Impacts on national security |
|
Impacts on entity operations |
|
Australian financial and economic impacts |
|
Impacts on government policies |
|
Impacts on personal safety |
|
Impacts on crime prevention |
|
Impacts on defence operations |
|
Impacts on intelligence operations |
|
Impacts on national infrastructure |
|
The following information describes the minimum protections and handling for legacy CONFIDENTIAL information.
BIL 3.5 |
CONFIDENTIAL—significant damage to the national interest, organisations or individuals |
Protective marking |
Maintain text-based protective marking CONFIDENTIAL to documents (including emails). If text-based markings were not used, maintain colour-based markings. For CONFIDENTIAL a green colour was used historically. If text or colour-based protective markings cannot be used, apply the entity's marking scheme for such scenarios. From October 2020, do not mark new information as CONFIDENTIAL. For new information that would previously have been marked CONFIDENTIAL, consider the harm and apply corresponding security classification marking under the current PSPF. |
Access |
The need-to-know principle applies to all CONFIDENTIAL information. Ongoing access to CONFIDENTIAL information requires a Negative Vetting 1 security clearance or above. Any temporary access must be supervised. |
Use |
CONFIDENTIAL information and mobile devices that process, store or communicate CONFIDENTIAL information can be used in security Zones 1-5. Outside entity facilities (including at home) CONFIDENTIAL information and mobile device that processes, stores or communicates CONFIDENTIAL information:
|
Storage |
Do not leave CONFIDENTIAL information or a mobile device that processes, stores or communicates CONFIDENTIAL information unattended, store securely when unattended. When storing physical CONFIDENTIAL information
When storing a mobile device that processes, stores or communicates CONFIDENTIAL information
|
Carry |
When carrying physical CONFIDENTIAL information
When carrying a mobile device that processes, stores or communicates CONFIDENTIAL information
|
Transfer |
When transferring CONFIDENTIAL information
Any transfer requires a receipt. |
Transmit |
When transmitting electronically communicate over SECRET secure networks (or networks of higher classification). Use ASD's High Assurance Cryptographic Equipment to encrypt CONFIDENTIAL information for any communication that is not over a SECRET network (or network of higher classification). |
Official travel |
Travel in Australia When travelling with physical CONFIDENTIAL information:
When travelling with a mobile device that processes, stores or communicates CONFIDENTIAL information:
Travel outside Australia Not recommended to travel overseas with physical CONFIDENTIAL information. If required, follow entity procedures, and if required, consult DFAT. Do not travel overseas with a mobile device that processes, stores or communicates CONFIDENTIAL information. If required, see DFAT advice on options to access information at destination. |
Disposal |
Dispose of CONFIDENTIAL information using a Class A shredder or entity-assessed and approved or NAID AAA certified destruction service with specific endorsement and approved equipment and systems. |
Annex G. Email protective marking standard
The Email protective marking standard provides guidance for applying protective markings (and, where relevant, information management markers) on emails exchanged in and between Australian Government entities.
- Annex G – Email protective marking standard [PDF 363KB]
- Annex G – Email protective marking standard [DOCX 560KB]
Annex H. Sample case studies
The following case studies are examples that entities may wish to draw on or adapt in establishing their procedures and operational controls. These are examples of application of the policy only, and the Attorney‑General's Department recommends that entities consider whether the examples provided meet entity-specific requirements and are suitable for use in conjunction with existing entity procedures.
Entity personnel should not rely on these examples for advice on how to apply the PSPF—consult a security advisor in your entity to ensure you are applying the PSPF in accordance with your entity's security plan and procedures.
The Productivity Commission Data Availability and Use report indicates that a wide range of government data can be shared. The availability and usefulness of data delivers benefits to the community, engenders community trust and confidence in how data is managed and used and preserves commercial incentives to collect, maintain and add value to data. For example, there is potential for data about health service provider costs and performance, as well as de-identified linked data about health service recipients, that can be used for effective and targeted service interventions and improved health outcomes. Identifying characteristics that appear predictive during data analysis can provide valuable insights into the effectiveness of various policies and interventions, allowing new services to emerge in response to community demand. By de-identifying the health service recipients' data or redacting sensitive personal details, the information is no longer considered to be OFFICIAL: Sensitive (as it does not include sensitive information under the Privacy Act or other measures of harm) and can be shared. If desirable, the protection markings for OFFICIAL can be applied to the information. |
An officer with NV2 clearance wants to read a TOP SECRET document in a Zone 3 within the entity. In accordance with the minimum protections outlined in Annexure A, the officer assesses their surroundings to judge whether the people and equipment within their proximity are likely to compromise the officer's ability to protect the information from unauthorised access. The officer notes that several of the people around them are contractors without security clearances. The officer judges that there is a high probability that an unauthorised person may see the material and decides the information could be more easily secured from unauthorised viewing by moving to a nearby meeting room within the Zone 3 to read the material. Before moving to the meeting room, the officer puts the material in a folder with TOP SECRET indicated on the front. |
An officer is attending an early morning meeting tomorrow in another government building in the same city in Australia. The officer requires access to a PROTECTED document for use at the meeting. Given the meeting starts at 6:30am close to where the officer lives, the officer's manager has given approval for them to take the material home overnight providing the officer: (i) confirms the external meeting will take place in a meeting room that is a security zone (ii) secures the information from unauthorised access by using double-enveloping (in a sealed envelope inside a security briefcase) (iii) does not open or use the information until the officer is in the secure meeting room, and (iv) keeps the information in their personal custody/physical presence (ie keeps the secured information in the same room with them, including while asleep). While the officer is at home, they remember a dinner engagement at the local restaurant. The officer judges that taking the security briefcase with them would draw attention and determines the information would be safer left at home. The officer stores the security briefcase in a lockable cabinet and heads to dinner. As soon as the officer returns home, they retrieve the briefcase, open it to confirm the information is still sealed within, and then keep the briefcase with them until returning to their entity's facility after the meeting. |
An officer with a NV2 security clearance needs to remove a TOP SECRET document from the entity facility to attend an external meeting. The officer knows that this practice is not recommended but the meeting organisers have advised they are unable to make the material available to attendees and requested they bring a copy with them. The officer takes the following steps to ensure the protection of the information: (i) confirms the external meeting will take place in a government meeting room that is at lease a Zone 3 (ii) seeks their manager's written approval to remove the material, and keeps a record of the approval (iii) records the information is being removed with manager approval in the team's Classified Document Register (iv) secures the information from unauthorised access by enclosing the TOP SECRET information in a tamper evident envelope, and placing it in a security satchel (v) ensures the material remains unopened until the officer is in the Zone 3 meeting room. When the meeting concludes, the officer secures the TOP SECRET information in a tamper evident envelope and places it in the security satchel, where it remains unopened until the officer is back in a Zone 3 or higher of the entity facility. Once back in the office, the officer updates the Classified Document Register to confirm the material has been returned to the entity facility. |