8 Sensitive and classified information

Purpose
Requirements
- Core requirement
- Supporting requirements
Guidance
Find out more
Annexes

Purpose

This policy details how entities correctly classify their information and adopt handling arrangements that guard against information compromise (as defined in Table 1).

Information is a valuable resource. Protecting the confidentiality, integrity and availability of information is critical to business operations:

Confidentiality refers to the limiting of access to information to authorised persons for approved purposes.
Integrity of information refers to the assurance that information has been created, amended or deleted only by the intended authorised means and is correct and valid.
Availability of information refers to allowing authorised persons to access information for authorised purposes at the time they need to do so.

Requirements

Core requirement

Each entity must:

identify information asset holdings

assess the sensitivity and security classification of information asset holdings

implement operational controls for these assets proportional to their value, importance and sensitivity.

Supporting requirements

Supporting requirements help an originator (the Australian Government entity that initially generated the information) to maintain the confidentiality, integrity and availability of official information.

Supporting requirements for sensitive and classified information

Supporting requirements

Requirement 1.
Identifying information assets

The originator must determine whether information being generated is intended for use as an official record and whether that information is sensitive or security classified.

Requirement 2.
Assessing sensitive and security classified information

To decide which security classification to apply, the originator must:
1. assess the value, importance or sensitivity of official information by considering the potential damage to the national interest, organisations or individuals, that would arise if the information's confidentiality was compromised (refer to the following table)
2. set the security classification at the lowest reasonable level.
The originator must assess the information as OFFICIAL: Sensitive if:
1. a security classification does not apply
2. compromise of the information's confidentiality may result in limited damage to an individual, organisation or government generally.

Protective marking	Business impact level	Compromise of information confidentiality would be expected to cause:
UNOFFICIAL	No business impact	Not applicable. This information does not form part of official duty.
OFFICIAL	1 Low business impact	Not applicable. This is the majority of routine information created or processed by the public sector.
OFFICIAL: Sensitive	2 Low to medium business impact	Limited damage to an individual, organisation or government generally if compromised
PROTECTED	3 High business impact	Damage to the national interest, organisations or individuals.
SECRET	4 Extreme business impact	Serious damage to the national interest, organisations or individuals.
TOP SECRET	5 Catastrophic business impact	Exceptionally grave damage to the national interest, organisations or individuals.

Requirement 3.
Marking information

The originator must clearly identify sensitive and security classified information, including emails, using applicable protective markings by:

using text-based protective markings to mark sensitive and security classified information (and associated metadata), unless impractical for operational reasons
if text-based protective markings cannot be used, colour-based protective markings
if text or colour-based protective markings cannot be used (eg verbal information), entities must document a marking scheme and train personnel appropriately.

Requirement 4.
Declassification

The originator must remain responsible for controlling the sanitisation, reclassification or declassification of the information. An entity must not remove or change information's classification without the originator's approval.

Requirement 5.
Transfer

Entities must ensure sensitive and security classified information is transferred and transmitted by means that deter and detect compromise.

Requirement 6.
Storage

Entities must ensure sensitive and security classified information is stored securely in an appropriate security container for the approved zone.

Requirement 7.
Disposal

Entities must ensure sensitive and security classified information is disposed of securely. This includes ensuring sensitive and classified information is appropriately destroyed when it has passed minimum retention requirements or reaches authorised destruction dates.

Requirement 8.
Caveats and accountable material

Caveats must be marked as text and only appear in conjunction with a security classification.
Entities must ensure that accountable material:
1. has page and reference numbering
2. is handled in accordance with any special handling requirements imposed by the originator and caveat owner
3. has an auditable record of all incoming and outgoing material, transfer, copy or movements.

Guidance

Identifying official information

Official information is all information created, sent and received as part of work of the Australian Government. This information is an official record and it provides evidence of what an entity has done and why.

Official information can be collected, processed, stored and transmitted in many forms including electronic, physical and verbal (eg conversations and presentations).

The National Archives of Australia Australian Government Information Management Standard notes that business information is a valuable asset. It contributes to good government through supporting efficient business, informing decision-making, demonstrating government accountability and transparency, mitigating risks, adding economic value and protecting rights and entitlements.

All official information requires an appropriate degree of protection as information and assets are subject to intentional and accidental threats. In addition, related processes, systems, networks and people have inherent vulnerabilities. A deliberate or accidental threat that compromises information security could adversely impact on government business.

**Table 1 Information compromise**
Definition of information compromise
Information compromise includes, but is not limited to: loss misuse interference unauthorised access unauthorised modification unauthorised disclosure.

How to assess information sensitivity or security classification

Who assesses information sensitivity or security classification

The person responsible for generating or preparing information on behalf of an entity (or for actioning information produced outside the Australian Government) assesses whether the information is sensitive or needs to be security classified. The Australian Government entity that prepared the information and made the initial sensitivity or security classification assessment is the originating entity, referred to as the originator.

Only the originator can change the sensitivity or security classification applied to its information. Classifications considered as inappropriate can be queried with the originator.

When to assess information sensitivity or security classification

Assessing the sensitivity or security classification of information when it is created helps protect the information. Limiting the quantity, scope, or timeframe of classified information is desirable (eg by setting a specific date or event for automatic declassification).¹ Appropriately limiting classification of information:

promotes an open and transparent democratic government
provides for accountability in government policies and practices that may be subject to inappropriate or over-classification
allows external oversight of government operations and programs
promotes efficiency and economy in managing information across government.

Over-classification can result in:

access to official information being unnecessarily limited or delayed
onerous administration and procedural overheads that add to costs
classifications being devalued or ignored by personnel and receiving parties.

Assessing whether information is sensitive or security classified

Requirement 2 mandates that the originator assesses the sensitivity or security classification of information by considering the potential impacts to national interest, organisations or individuals that could arise from compromise of the information's confidentiality.

The more valuable, important or sensitive the official information, the greater the level of business impact that would result from its compromise.

The Australian Government uses three security classifications (PROTECTED, SECRET and TOP SECRET) based on the likely damage resulting from compromise of the information's confidentiality.
Where information compromise would have some limited damage but does not warrant a security classification, that information is considered OFFICIAL: Sensitive.²
Other information from routine business operations and services is OFFICIAL, and information that does not form part of official duty is UNOFFICIAL.

It is not consistent with this policy to apply a security classification to information where it:

restrains competition
hides violations of law, inefficiency, or administrative error to prevent embarrassment to an individual, organisation or entity
prevents or delays the release of information that does not need protection in the national interest.

The Business Impact Levels tool (see Table 2) provides examples of potential damage from compromise of information's confidentiality. The tool assists in the consistent classification of information and the assessment of impacts on government business. The tool can also be used for secondary assessments of the potential damage from compromise of the availability or integrity of information.

The potential damage from compromise of information's confidentiality determines the classification of that information. If compromise of availability or integrity of information (described numerically, eg 1 Low business impact) has a higher impact than confidentiality compromise, additional security measures (such as ICT, personnel or physical controls) may be warranted.

Figure 1 Assessing whether information is sensitive or security classified³

Figure 1 notes:

ⁱRequirement 8 mandates that caveats only appear in conjunction with a security classification.

ⁱⁱThe information management markers reflect the Australian Government Recordkeeping Metadata Standard's 'Rights' property. While categorising information content by non-security access restrictions is not mandated as a security requirement, the 'Rights' property provides a standard set of terms ensuring common understanding, consistency and interoperability across systems and government entities. For guidance, see the PSPF policy: Access to information.

Table 2 Business Impact Levels tool – Assessing damage to the national interest, organisations or individuals

How to handle sensitive and security classified inforation

Key operational controls to protect sensitive and security classified information include:

identifying sensitive and security classified information:
1. with a protective marking (see Identifying sensitive and security classified information with a protective marking)
2. by creating an auditable record of all incoming and outgoing material, transfer, copy or movements for, at a minimum, TOP SECRET information and other accountable material (see Records of dissemination – audit, logs and Classified Document Register)
limiting disclosure or access to sensitive and security information (see Limiting dissemination of sensitive and security classified information) to personnel with:
1. a demonstrated need-to-know the content of the information
2. an applicable security clearance
transferring and transmitting information by means which deter and detect unauthorised access (see How to transmit or transfer sensitive and security classified information, or remove it from an entity facility)
storing and using information securely (see How to use and store sensitive and security classified information)
destroying and disposing of information by secure means (see How to dispose of sensitive and security classified information).

Identifying sensitive and security classified information with a protective marking

Requirement 3 mandates that the originator must clearly identify sensitive and security classified information by using applicable protective markings. Applying classification markings to security classified information, or the OFFICIAL: Sensitive dissemination limiting marker to sensitive information, indicates that the information requires protection.

The OFFICIAL marker may be used to identify information that is an Australian Government record. Use of this marker is not mandatory. Similarly, the UNOFFICIAL marker may be used to identify information generated for personal or non-work related purposes.

Applying a protective marking to information, including to attachments, in an easily identifiable way for information users (visually) and for systems (such as an entity's email gateway) helps to control information.

For emails, entities apply an internet message header extension. This helps with construction and parsing by email gateways and servers and allows for information handling based on the protective marking. Where an internet message header extension is not possible, protective markings are placed in the subject field of an email. When printed, an email is considered a physical document; as such a visual presentation of the protective marking (such as a separate line in the email) is important.
For guidance on email protective markings, see Annex B.

Requirement 3 indicates text-based protective markings are the preferred method to identify sensitive and security classified information. This includes associated metadata. To achieve clearly identifiable protective markings, the Attorney-General's Department recommends:

using capitals, bold text, large font and a distinctive colour (red preferred), for example PROTECTED
placing markings at the centre top and bottom of each page.

The order of precedence or hierarchy for protective markings is:

classification (or the OFFICIAL: Sensitive dissemination limiting marker)
foreign government information markings (if any)
caveats or other special handling instructions (if any) then
(optional) information management markers (if any).

Separating markings by a double forward slash helps to clearly differentiate each marking.

Marking each paragraph or section may be useful, although is not required by this policy. The paragraph or section with the most valuable, important or sensitive information (highest classification) dictates the document's classification.

Figure 2 Protectively marking physical (printed) information

Figure 3 Protectively marking an email

Requirement 3 mandates that, if text-based protective markings cannot be used (eg on certain media or assets), colour-based protective markings are used.

Table 3 Minimum protective markings for sensitive and security classified information

Other markings, for example entity-specific markings, are not recognised by this policy. A standard set of markings ensures common understanding, consistency and interoperability across systems and government entities. Other markings may confuse users about appropriate handling protections.

Limiting dissemination of sensitive and security classified information

Need-to-know principle and dissemination/access restrictions

The vast majority of government information can be shared, where appropriate. The PSPF policy: Access to information states that:

Each entity must enable appropriate access to official information. This includes … ensuring that those who access sensitive or security classified information are appropriately security cleared and need to know that information.

Limiting access by staff and others (eg contractors) to information on a need-to-know basis guards against the risk of unauthorised access or misuse of information. The Attorney-General's Department recommends that entities consider staff access to OFFICIAL information on a need-to-know basis, although this is not a requirement of this policy.

PSPF policy: Access to information establishes the following disclosure requirements for sensitive and classified information:

For Official: Sensitive information and all classified information, only allow access for personnel with a demonstrated need-to-know
For all classified information only allow access for personnel with a valid personnel security clearance:
1. A Baseline security clearance or above for ongoing access to PROTECTED information
2. A Negative Vetting 1 security clearance or above for ongoing access to SECRET information
3. A Negative Vetting 2 security clearance or above for TOP SECRET information

For guidance on obtaining a personnel security clearance, see PSPF policy: Eligibility and suitability of personnel.

Records of dissemination – audit, logs and Classified Document Register

An important protection is ensuring that dissemination of information is monitored and audited.

For accountable material, including TOP SECRET information and certain caveat material, requirement 8 mandates that entities maintain an auditable register (such as a Classified Document Register) of all incoming and outgoing material, transfers or copying. An auditable register is one that is subject to both a regular ongoing program of audit, as well as periodic spot checks. To conduct a spot check, personnel need to sight the documents (or a selection of documents) listed in the register and acknowledge this in writing.

The Attorney‑General's Department recommends that entities keep an audit log or register for documents at other classification levels (particularly the SECRET classification), or registered information received from other entities.

There may be other legislative requirements for record keeping. For example, under the Privacy (Australian Government Agencies – Governance) APP Code 2017 a Privacy Officer is required to maintain a record of an entity's personal information holdings and a register of privacy impact assessments.

Sanitising, declassifying or reclassifying information

Information may require modification (sanitising) to allow its wider distribution and potential use. Information can be changed to reduce its sensitivity or classification by editing, disguising or altering information to permit dissemination while protecting intelligence, sources, methods, capabilities, analytical procedures or privileged information. Once sanitised, the information can be declassified or reclassified (see Table 6).

**Table 6 Declassifying or reclassifying information**
Term	Definition
Declassification	Declassification is a process where information is reduced to OFFICIAL (an unclassified state) when it no longer requires security classification handling protections.
Reclassification	Reclassification is the administrative decision to change the security classification of information based on a reassessment of the potential impacts of its compromise.

Enabling wide use of government information provides substantial benefits, but there are risks involved. These risks vary with the nature of the information and the environment and purpose of the use. Where the adverse consequences of increased information access are considered high, the availability and access to the information will benefit from careful management.

**Case study: Example of information declassification for increased sharing**
The Productivity Commission Data Availability and Use report indicates that a wide range of government data can be shared. The availability and usefulness of data delivers benefits to the community, engenders community trust and confidence in how data is managed and used and preserves commercial incentives to collect, maintain and add value to data. For example, there is potential for data relating to health service provider costs and performance, as well as de-identified linked data about health service recipients, that can be used for effective and targeted service interventions and improved health outcomes. Identifying characteristics that appear predictive during data analysis analysis can provide valuable insights into the effectiveness of various policies and interventions, allowing new services to emerge in response to community demand. By de-identifying the health service recipients' data or redacting sensitive personal details, the information is no longer considered to be OFFICIAL: Sensitive (as it does not include sensitive information under the Privacy Act or other measures of harm) and can be shared.

Requirement 4 mandates that the originator of the material remains responsible for controlling the sanitisation, reclassification or declassification of its material. No other entity may change the material's classification unless authorised to do so by the originator.

A declassification process includes:

identifying if a specific date or event for automatic declassification has occurred:
1. At initial classification, the originator sets a specific date or event for declassification based on an assessment of the period the information might cause damage.
2. If the originator cannot decide on a specific date or event for declassification, declassification will align with the Archives Act 1983 open access period. For guidance, see the National Archives of Australia.
regularly reviewing the classified information for continuing sensitivity (ie if the compromise of the information would still cause damage). These reviews can be done in line with the harm-based classification assessment described in Assessing whether information is sensitive or security classified:
1. after a project is completed
2. when a file is withdrawn from (or returned to) use.
declassifying or reclassifying information to a lower classification when it no longer meets the harm-based classification tests described in Assessing whether information is sensitive or security classified.⁴

How to transmit or transfer sensitive and security classified information, or remove it from an entity facility

Information is at increased risk when it is in transit (eg sent across the internet, through a private network or between physical locations). Risk is heightened when information is transmitted outside of a controlled environment (eg when an entity does not have control over the entire transmission network). The Attorney‑General's Department recommends assessing risks of information transmission. Where an entity transfers or transmits sensitive or security classified information, Requirement 5 mandates using means that deter and detect compromise.

To ensure sensitive and security classified information is only transmitted or transferred to people with a need-to-know (see Table 4), entities are encouraged to identify information recipients by:

a specific position, appointment or named individual
a full location address (eg not a post office box for physical delivery as this may be unattended)
an alternative individual or appointment where relevant (eg for TOP SECRET information).

The Attorney‑General's Department recommends obscuring the information's sensitivity or classification and using a tamper evident seal to deter and detect unauthorised access of sensitive and security classified information. Ways to achieve this include using:

appropriate encryption methods⁵ when transferring information over a public network or through unsecured spaces
double envelopes for physical information by placing security classified information and accountable material in two sealed envelopes:
1. The inner envelope is used to give evidence of tampering, for example by sealing with a Security Construction and Equipment Committee (SCEC)-approved tamper evident seal so that any tampering is detected. The Attorney‑General's Department recommends marking the classification conspicuously on the inner envelope (eg at the top, bottom, front and back of the envelope).
2. The outer envelope gives protection to the inner envelope. The Attorney‑General's Department recommends avoiding displaying any protective classification markings on the outer envelope.
single-use envelopes approved by SCEC for:
1. an inner envelope
2. single opaque envelopes in place of a double envelope
3. an outer envelope used to enclose a number of inner envelopes where initial delivery will be to a registry or similar
a single paper envelope in conjunction with a security briefcase (refer to the SCEC-Security Equipment Guide on Briefcases for the carriage of security classified information) or approved multi-use satchels, pouches or transit bags (see the SCEC-approved security equipment evaluated product list).

Devices such as laptops, mobile phones and USBs can be used to transfer and transmit information. The requirement to deter and detect information compromise applies to sensitive and security classified information transferred on such devices. Ways to achieve this include password protection and remote wiping capabilities. For guidance see the PSPF policy: Robust ICT systems.

Ways to control the transmission and transfer of information include:

use of receipts:
1. Receipts identify the date and time of dispatch, the dispatching officer's name and a unique identifying number. The Attorney‑General's Department recommends using receipts for transmission or transfer of all classified information.
2. Recording, or having a receipt system to document, every handover is another control mechanism (eg a two-part receipt placed in the inner envelope with the information means the addressee can keep one portion and sign and return the other to the sender).
safe hand:
1. Safe hand means information is dispatched to the addressee in the care of an authorised person or succession of authorised people who are responsible for its carriage and safekeeping.
2. Sending information via safe hand establishes an audit trail that provides confirmation that the addressee received the information and helps to ensure the item is transferred in an authorised and secure facility or vehicle. To deter and detect any information tampering, at each handover, a receipt is obtained showing (at a minimum) the identification number, the time and date of the handover, and the name and signature of the recipient.
3. Sending information via safe hand requires:
  1. a unique identification number; generally, this will be a receipt number
  2. that information be in a security briefcase (see the SCEC-Security Equipment Guide on Briefcases for the carriage of security classified information) or an approved mailbag (for information, see the SCEC-approved security equipment evaluated product list
  3. that information never be left unattended (except when placed in the cargo compartment of an aircraft).
carriage by SCEC-endorsed commercial courier:
1. A number of commercial courier services have been endorsed by SCEC. Contact ASIO-T4 by email t4ps@t4.gov.au or see the ASIO-T4 Protective security circular (PSC) 172 (available on a need-to-know basis on Govdex) for advice on SCEC-endorsed commercial couriers.
2. Commercial couriers can be useful in transferring valuable material such as pharmaceuticals and money (note SCEC-endorsed couriers are not assessed for the transfer of these items). Special arrangements, such as armed escorts, may be necessary in certain circumstances.
3. Special handling requirements may apply to caveated information. This may preclude the use of a commercial courier when using certain caveats. For guidance on caveats, see Caveats and accountable material section.

Transmission or transfer of official, but not sensitive, information is on a common sense basis; the PSPF does not impose transmission or transfer requirements for this information. However, entities are encouraged to ensure that information is transferred or transmitted by means which deter and detect compromise.

Table 7 sets out specific transmission and transfer protections for sensitive and classified information.

Table 7 Minimum protections for information transmission and transfer

How to use and store sensitive and security classified information

The Australian Government Information Management Standard requires that entities store information securely and preserve it in a usable condition for as long as required for business needs and community access. In accordance with the Information Management Standard, a secure and suitable storage environment is one that prevents unauthorised access, duplication, alteration, removal and destruction.

Ways that minimise duplication or alteration of information include:

reproducing sensitive or security classified information only when necessary
immediately destroying spare or spoilt copies (destruction is defined as 'normal administrative practice' in terms of the Archives Act and does not need specific permission from the National Archives of Australia). For guidance on destroying sensitive and security classified information, see Destroying sensitive and security classified information.

Securely storing sensitive and security classified official information protects the information from compromise. Requirement 6 mandates entities ensure sensitive and security classified information is stored securely in an appropriate security container for the approved zone. For guidance on physical security zones, see the PSPF policy: Entity facilities.

Minimum use and storage protections are set out in Table 8.

Table 8 Minimum use and storage protections for security classified information

How to dispose of sensitive and security classified information

Not all information and records are kept forever. Information is managed for as long as it has business value; some information will have long-term historical and social value. Requirement 7 mandates that entities dispose of sensitive and security classified information in a secure manner. The careless disposal of classified or sensitive information is a serious source of leakage of information and can undermine public confidence in the Australian Government.

Under the Archives Act information disposal includes:

its destruction
the transfer of its custody or ownership or
damage or alteration.⁶

Information disposal includes the physical destruction of paper records; destruction of electronic records including deleting emails, documents or other data from business systems; the transfer of records to another entity as the result of machinery of government changes; and transfer to the National Archives of Australia.

Under Section 24 of the Archives Act information disposal can only take place when it is:

approved by the National Archives of Australian
required by another law or
part of normal administrative practices that the National Archives or Australia does not disapprove.

For guidance, see the National Archives of Australia website, Disposing of information.

Destroying sensitive and security classified information

A variety of methods can be used for secure destruction of information in physical form.

Requirement 7 mandates that information is disposed of securely. This policy does not impose minimum security requirements for how destruction of OFFICIAL or OFFICIAL: Sensitive information is to occur.

ASIO-T4 approves specifications for equipment used to destroy security classified information. Commonly used destruction methods include:

pulping
burning
pulverising using hammermills
disintegrating by cutting and reducing the waste particle size
shredding using crosscut shredders (strip shredders are not approved for destruction of security classified information).

Methods for destroying digital information include:

digital file shredding
degaussing by demagnetising magnetic media to erase recorded data
physical destruction of storage media through pulverisation, incineration or shredding (the ISM provides guidance on sanitisation and destruction of ICT equipment and storage media)
reformatting, if it can be guaranteed that the process cannot be reversed.

Commercial providers may be used to destroy classified information. The Attorney‑General's Department recommends that entities review the appropriateness of a commercial provider's collection process, transport, facility, procedures and approved equipment when considering external destruction services. These considerations can be made against ASIO-T4 Criteria – agency-assessed and approved destruction service. Appropriate procedures include:

ensuring classified information is attended at all times and the vehicle and storage areas are appropriately secured
ensuring that destruction is performed immediately after the material has arrived at the premises
ensuring that destruction of classified information is witnessed by an entity representative
ensuring destruction service staff have a security clearance to the highest level of security classified information being transported and destroyed, or appropriately security cleared entity staff escort and witness the destruction.

A number of commercial providers hold National Association for Information Destruction AAA certification for destruction service (with endorsements as specified in PSC 167 External destruction of security classified information). These commercial providers are able to destroy security classified information.

The Attorney‑General's Department recommends information classified TOP SECRET or accountable material be destroyed within entity premises; the originating entity may request notification of destruction. The originator of some accountable material may apply special handling conditions that prevent information destruction being contracted out.

Table 9 summarises minimum handling protections for disposal of physical sensitive and security classified information. Table 10 summarises minimum protections for disposal of ICT media and equipment.

Table 9 Minimum handling protections for disposal of sensitive and security classified information

Table 10 Minimum handling protections for disposal of ICT media and equipment

Caveats and accountable material

Certain information may have a caveat in addition to a security classification. The caveat is a warning that the information has special protections in addition to those indicated by the security classification. Table 11 details caveats commonly used across government. There are four broad types of caveats:

sensitive compartment information (codewords)
foreign government markings
special handling instructions
releasability caveats.

Accountable material is information that requires the strictest control over its access and movement. Accountable material includes:

TOP SECRET security classified information
some types of caveated information, being:
1. all codeword information
2. select special handling instruction caveats, particularly CABINET material at any security classification
3. any classified information designated as accountable material by the originator.

What constitutes accountable material may vary from entity to entity and could include budget papers, tender documents and sensitive ministerial briefing documents.

Requirement 8 states that caveated material must be clearly marked and handled in accordance with the originator and the caveat holder's special handling requirements. Caveats are not classifications and must appear with an appropriate security classification.

Requirement 4 requires the originator's approval to remove or change a security classification applied to information. To be consistent with Requirement 4 the prior agreement of the originating entity also needs to be obtained to remove a caveat.

Classification handling requirements apply in addition to any special caveat requirements. Additional information about handling caveats is available in the Sensitive Material Security Management Protocol and Security Caveats Guideline on a need-to-know basis on Govdex.

Table 11 Caveats

What to do in the case of an emergency, breach or security violation involving classified information assets

Exceptional situations or emergencies may arise that prevent application of this policy. The PSPF policy: Reporting on security requires entities to report details on measures taken to mitigate or otherwise manage identified security risks.

The PSPF policy: Reporting on security also mandates that affected entities are advised of any unmitigated security risks. In line with this, the Attorney‑General's Department recommends entities report:

any compromise of classified information to the information's originator as soon as practicable
matters relating to national security (such as compromise of SECRET or TOP SECRET information) to the Director-General, Australian Security Intelligence Organisation.

Any compromise of any classified information is considered a security incident. The PSPF policy: Management structure and responsibilities requires entities to investigate, respond to and report on security incidents.

Find out more

Other legislation and policies that may be relevant to the handling of official government information include:

the Archives Act and supporting Commonwealth records management policies such as:
1. National Archives of Australia Information Management Standard
2. National Archives of Australia Digital Continuity 2020 policy
Australian Signals Directorate's Information Security Manual
the Office of the Australian Information Commissioner for the Privacy Act, Guides and APP guidelines.

Annex A. Historical classifications and sensitivity markings

There are a number of historical security classifications and other protective markings no longer reflected in Australian Government policy.

In some cases, equivalencies have been established with current sensitive or classified information levels, though re-marking of existing information is not necessary.
In others, classifications are being 'grandfathered' for a set time period, with historical handling protections to remain.

Annex A Table 1 Historical classifications and sensitivity markings

Annex A Table 2 Handling CONFIDENTIAL classified information

Annex B. Email Protective Marking Standard for the Australian Government

Email Protective Marking Standard for the Australian Government

¹For guidance on declassification, refer to section Sanitising, declassifying or reclassifying information.

²Examples of OFFICIAL: Sensitive information may include:

official information governed by legislation that restricts or prohibits its disclosure, imposes certain use and handling requirements, or restricts dissemination (such as information subject to legal professional privilege or some types of 'personal information', including 'sensitive information' under section 6 of the Privacy Act 1988 that may cause limited harm to an individual if disclosed or compromised). Where compromise of personal information, including sensitive information (under the Privacy Act) would lead to damage, serious damage or exceptionally grave damage, this information warrants classification. For example, financial details and tax file numbers, which are not sensitive information for the purposes of the Privacy Act, but the compromise of which may still lead to limited damage to individuals.
commercial or economic data that, if compromised, would undermine an Australian organisation or company
information that, if compromised, would impede development of government policies.

³There are historical security classifications and other protective markings (eg CONFIDENTIAL classification) that no longer reflect Australian Government policy. For assistance in applying appropriate handling protections (and assessing damage to the national interest, organisations or individuals) to historical classifications, see Annex A.

^4,For information on assurance processes related to sanitisation and administrative decisions regarding the release and disposal of information, equipment or waste see the Information Security Manual.

⁵For information on cryptography, see the Information Security Manual.

⁶Section 26 of the Archives Act prohibits altering records that are over 15 years old without authorisation from the National Archives.