Skip to main content

The Administrative Arrangements Order of 3 August 2023 transferred responsibility for protective security policy, including the Protective Security Policy Framework, from the Attorney-General's Department to the Department of Home Affairs. These Machinery of Government (MOG) changes began on 4 August 2023.

The PSPF Reporting Portal will transfer to the Department of Home Affairs on 11 June 2024. Before 11 June 2024, all entities and users must set up new authentication credentials through VANguard. You can get more information by contacting the Government Protective Security Policy section at or the PSPF hotline on 02 5127 9999.

Policy 8: Classification system

  • Information security
Publication date
Last updated


This policy details how to correctly assess the sensitivity or security classification of information. It also details marking, handling, storage and disposal arrangements to guard against information compromise.


To appropriately guard against information compromise, entities must consider:

  • confidentiality – who should be able to see the information and why
  • integrity – assurance that information is only being created, amended or deleted by the intended authorised means and is correct and valid
  • availability – ensuring authorised persons have access to information when and as needed.

The Australian Government uses 4 security classifications:

  • OFFICIAL: Sensitive

All other information from business operations and services is OFFICIAL.

The document's originator is responsible for applying the relevant sensitive or security classification. To do this they must assess the Business Impact Level (BIL) based on the likely damage if the information's confidentiality was compromised. The originator remains responsible for controlling the sanitisation, reclassification or declassification of that information.

Some information may need special protections in addition to those indicated by the sensitive marking or security classification. Caveats are used to indicate these additional special protections.

Some information requires the strictest control over its access and movement. The originator designates this as accountable material.

Information management markers are an optional way for entities to identify information that is subject to non-security related restrictions on access and use.

Entities must apply the Australian Government Recordkeeping Metadata Standard to protectively mark information on systems that store, process, or communicate sensitive or security classified information. Entities must ensure security classified information is stored, transferred, and disposed of appropriately.

Return to the Information security page