Information is a valuable resource. Protecting its confidentiality and integrity is critical to business operations, helping to promote an open and transparent democratic government, and strengthening national security.
‘Official information’ refers to all information created, sent and received as part of the work of the Australian Government, and all official information requires an appropriate degree of protection against information compromise.
‘Information compromise’ includes information loss, misuse, interference, unauthorised access, unauthorised modification or unauthorised disclosure.
On its website, the Australian Government Attorney-General’s Department details how government entities classify their information and guard against information compromise.
Information sensitivity and security classification process
The person responsible for generating or preparing information on behalf of an entity (or for actioning information produced outside the Australian Government) assesses whether the information is sensitive or needs to be security classified.
The entity that prepared the information and made the initial assessment is the originating entity, referred to as the originator. Only the originator can change the sensitivity or security classification applied to its information.
Key assessment criteria
The originator assesses the sensitivity or security classification of information by considering the potential impacts to national interest, organisations or individuals that could arise from compromise of the information’s confidentiality.
The more valuable, important or sensitive the official information, the greater the level of business impact that would result from its compromise.
The Business Impact Levels tool provides examples of potential damage from compromise of information’s confidentiality. The tool assists in the consistent classification of information and the assessment of impacts on government business. The potential damage from compromise of information’s confidentiality determines the classification of that information.
The Australian Government uses three security classifications based on the likely damage to the national interest, organisations or individuals resulting from compromise of the information’s confidentiality.
- PROTECTED – compromise of the information’s confidentiality would cause damage. An example is information that, if compromised, would seriously impede development or operation of major policies.
- SECRET – compromise of the information’s confidentiality would cause serious damage. An example is where compromised information could shut down or substantially disrupt significant national infrastructure.
- TOP SECRET – compromise of the information’s confidentiality would cause exceptionally grave damage. An example is where compromised information would provoke international conflict.
Where information compromise would have some limited damage but does not warrant a security classification, that information is considered OFFICIAL: Sensitive.
Other information from routine business operations and services is OFFICIAL, and information that does not form part of official duty is UNOFFICIAL.
How is sensitive and security classified information handled?
Key operational controls to protect sensitive and security classified information include:
- identifying sensitive and security classified information:
  - with a protective marking
  - by creating an auditable record of all incoming and outgoing material, transfer, copy or movements for, at a minimum, TOP SECRET information and other accountable material
- limiting disclosure or access to sensitive and security classified information to personnel with:
  - a demonstrated need-to-know the content of the information
  - an applicable security clearance
- transferring and transmitting information by means which deter and detect unauthorised access
- storing and using information securely
- destroying and disposing of information by secure means
Further detail about each of these controls is provided in the Attorney-General’s communication.