JavaScript is required

2. Information security

Security classified information is material that, due the damage it could cause the Victorian or other Australian Government if released, has a security classification applied to it.

2.1 Identifying information that needs to be classified

Information that requires some form of protection and special handling identification requires a protective marking or security classification. The marking indicates that the:

  • information has been identified as sensitive or security classified
  • level of protective procedures that are to be provided during the use, storage, transmission, transfer and disposal of the information.

2.2 Assessing the value of the information to the organisation

In order to appropriately classify information, the organisation first needs to assess what the damage or risk would be if their information was compromised.

Assessment of damage affecting the national interest, organisation or individuals can be made by using the Business Impact Level (BIL) assessment tool in the PSPF. The tool assists in the consistent classification of information and the assessment of impacts on government business.

It can be found on the Protective Security Policy Framework

PSPF business impact levels.

Table 3 – Classifying information based on the damage it could cause through unauthorised disclosure
Consequence of disclosure Classification level

Compromise of the information's confidentiality could cause damage to the national interest, organisations or individuals

PROTECTED
SECRET
Compromise of the information's confidentiality could cause exceptionally grave damage to the national interest, organisations or individuals TOP SECRET

The Office of the Victorian Information Commissioner (OVIC) has a BIL tool for the classification of state interests that may be used however, implementing physical, information or personnel security measures should always follow the standards of the PSPF.

Once the BILs have been determined, personnel and physical storage requirement for the information will become clear.

If you need assistance in determining your BILs please contact the Manager, Protective Security at DPC.

2.3 Protective markings and security classifications

The Australian Government uses the following protective markings to classify its information:

  • PROTECTED
  • SECRET
  • TOP SECRET.

Other markings of UNOFFICIAL and OFFICIAL can also be used however they are not security classifications. OFFICAL information can also carry a dissemination limiting marker of OFFICIAL: Sensitive or information management markers indicating ‘rights’ to access the information:

  • OFFICIAL: Legal Privilege
  • OFFICIAL: Legislative Secrecy
  • OFFICIAL: Personal privacy.

Information marked OFFICIAL doesn’t require special access, handling or storage protections. However, all OFFICIAL information is an asset and should be treated in proportion to its value, importance and sensitivity.

Information marked PROTECTED, SECRET and TOP SECRET restricts access to personnel holding a valid security clearance and requires special handling and storage arrangements which are dealt with throughout this guide.

Security classified material generated by the Commonwealth or other jurisdiction must be handled according to the requirements of the originating jurisdiction. If in doubt, the handling and storage requirements described in the PSPF should be applied.

Some Victorian departments use the same or similar protective markings as the Commonwealth, however different handling arrangements may apply. Staff need to be mindful about sharing material generated locally with other jurisdictions, where security classifications or handling requirements may differ.

2.4 Caveats and accountable material

Caveats are warnings that the information has special protections in addition to the security classification.

There are four broad types of caveats:

  • sensitive compartment information (codewords)
  • foreign government markings
  • special handling instructions
  • releasability caveats.

The three Releasability caveats – Australian Eyes Only (AUSTEO), Australian Government Access Only (AGAO) and Releasable to (REL) – limit access to information based on citizenship plus an official need to know and the holding of an appropriate security clearance.

If a caveat includes the letters REL followed by country names, for example REL UK, NZ, it means the information is also 'RELEASEABLE’ to appropriately cleared United Kingdom and New Zealand personnel only (in addition to Australian personnel).

2.5 Applying protective markers to information

Security classifications and caveats are to be clearly identified by the originator of the information. For hard- copy material, it is preferable that text be in capitals, bold, large font and a distinctive colour (red is preferred). Markings are recommended at the centre top and bottom of each page.

Any security classified information being verbally shared requires disclosure of the classification and confirmation that the audience has the appropriate security clearance and the need to know.

Where paragraphs in a document are individually classified the document as a whole is to be classified according to the highest classified paragraph.

Information can only be declassified by the generator of the material. Information (such as a paragraph or section) taken or copied from a security classified document must retain its originating classification and is not recommended without the authorisation of the document owner.

2.6 Emailing classified information

Classified material may only be transmitted on a system classified to the security level of the information being transmitted.

Department email and document storage systems are generally not security rated. Likewise, third party providers such as consultants or IT providers do not generally have certified physical, information or personnel security measures in place to store or handle security classified information.

To email PROTECTED or SECRET information, partly or wholly generated by the Commonwealth, a protected and secure network must be used.

If you need to send or receive Commonwealth security classified material at PROTECTED or SECRET, please contact CSEMB.

Victoria Police and some Commonwealth agencies based in Victoria also have secure network capability.

Information carrying a security classification of SECRET, whether generated at the State or Commonwealth level must never be transmitted using an unrated, unsecured network.

Victorian government generated PROTECTED and SECRET Cabinet-In-Confidence material has specific transmission arrangements in place. For more information, please contact the Cabinet Office at DPC.

2.7 Sharing classified information

PROTECTED or SECRET classified documents may be passed, uncovered, by hand, within a discrete office environment, provided the person passing or receiving the information holds the appropriate clearance and has an official need to access the information. Table 4 provides an overview of distribution methods for security classified information.

Table 4 – The method of distribution required for security classified information
Originator Classification of material Distribution
State department or agency or material classified using the Victorian Protective Data Security Framework (VPDSF) PROTECTED Internal – via email (assess each transmission on its own merits) and in line with local transmission policies
State department or agency or material classified using the Victorian Protective Data Security Framework (VPDSF) SECRET or TOP SECRET

External – in person* or by certified courier and appropriately packaged and handled

Commonwealth department or agency or material classified using the PSPF PROTECTED, SECRET or TOP SECRET

Internal and external – by hand delivery* or by certified courier and appropriately packaged and handled

* SHOULD hold appropriate security clearance to access the material and, if required, be able to securely print, store and dispose of the material.

** MUST hold appropriate security clearance to access the material and, if required, be able to securely print, store and dispose of the material.

As the standard for distributing state generated material is less than for Commonwealth generated material and where there is any risk of damage, it is strongly recommended that the Commonwealth distribution requirements are adopted. They are described more fully in the PSPF.

Information must always be protected from being viewed or accessed by unauthorised personnel. It should be kept covered and always stored in accordance with clear desk policies and in an appropriate security container.

2.8 Sharing information with third party providers

The ability of third-party providers to appropriately protect information should be carefully considered when sharing security classified information with them.

2.9 Recording the movement of classified material

The creation, movement and destruction of hard copy documents, classified SECRET, SHOULD be recorded in a classified document register (CDR). Documents at higher security classifications MUST be recorded in a CDR.

DPC strongly recommends recording the creation, movement and destruction of all security classified hard copy documents as good security practice. Material declared by the originator as an accountable document (e.g. where multiple copies need to be marked as copy X of Y) MUST be recorded individually in the CDR and dealt with the same as SECRET material.

Accountable material is particularly sensitive information requiring strict access and movement control. The CDR registers the title, date, classification, copy numbers and distribution of a document. It also records the destruction of a document.

Hard copy security classified material must be stored according to the standards in the PSPF including secure storage containers and appropriate physical security zones.

2.10 Disposal of classified information

To reduce the risk of security classified material being accessed by unauthorised personnel, information should only be kept for as long as it has business value. When disposing of security classified and sensitive information it must be done in accordance with the requirements in the PSPF.

Information classified SECRET or TOP SECRET must be disposed of using a Class A Shredder and, for TOP SECRET information, the shredding needs to be supervised and the destruction documented in the CDR. Information marked PROTECTED must be disposed of using, at minimum, a Class B shredder.

Classified waste bags and bins are not security containers and should not to be used to dispose of classified information above the level of FOR OFFICIAL USE ONLY/OFFICIAL.

Departments or agencies who do not have the appropriate destruction equipment may contact the Protective Security Team at DPC to arrange for the information to be shredded.

Departments or agencies may have local arrangements in place for destroying Cabinet PROTECTED or CABINET-IN-CONFIDENCE documents.

The PSPF provides detailed guidance on the destruction of sensitive and security classified information which must be followed for any Commonwealth generated material or state generated material containing Commonwealth security classified information.

Class A shredder

Updated