The NSW Government sector receives, uses and manages information and data on behalf of the NSW public, other agencies, states and territories and the Australian Government. This information is important and often sensitive. It is important that this information is labelled correctly so that its users within NSW Government know how to manage it in an appropriate, secure and careful way that is consistent with the practice of the Australian Government and of other states and territories.
Throughout this document, we use 'information' to denote 'information and data'. 'Australian Government' is used to refer to the Commonwealth of Australia.
The NSW Government Information Classification, Labelling and Handling Guidelines (Guidelines) align with the Australian Government’s Protective Security Policy Framework (PSPF) 2018, focusing on Policy 8 Sensitive and security classified information and the Email Protective Marking Standard. Policy 9 Access to information, Policy 15 Physical security for entity resources and Policy 11 Robust ICT systems have also informed these Guidelines.
Aligning the Guidelines with the PSPF will enable information to be more readily shared among NSW Government agencies and the Australian Government.
The Guidelines detail how the NSW Government sector can correctly assess the sensitivity or security classification of their information and adopt labelling, handling, storage and disposal arrangements to protect information.
The Guidelines have been developed to enable agencies:
- to understand how to assess NSW Government information and data to determine if:
  - the information is OFFICIAL or UNOFFICIAL
  - the information is sensitive and the reason for the sensitivity
  - a security classification must be applied
- to understand the labelling of information and data received from the Australian Government and how to handle this information in accordance with the label.
Once the security classification or sensitivity of the information has been assessed, these Guidelines describe how the information should be labelled, handled and disseminated.
These Guidelines apply to the NSW Government sector, which includes all Public Service Agencies (for a full definition, see the Government Sector Employment Act 2013). The term ‘Agency’ is used in these Guidelines to refer to all NSW Government sector agencies.
The Guidelines are intended for use by agency staff in roles that involve:
- receiving, creating or editing information
- developing systems to collect, manage and store information (e.g. developers)
- administering information and controlling user access
- protecting information from misuse or access by unauthorised users.
The Guidelines are recommended for adoption in State Owned Corporations, as well as local councils and universities.
The Guidelines apply to the classification, labelling and handling of sensitive and security classified information in any format, including records in physical and digital format, data sets and digital records.
NSW is a signatory to the Memorandum of Understanding (MOU) between States/Territories and the Australian Government for the Protection of National Security Information. The MOU outlines that national security information must be treated in a manner consistent with the minimum requirements set out in the PSPF.
In line with the MOU, NSW agencies should refer to the relevant PSPF requirements for classifying and handling security classified information (PROTECTED, SECRET and TOP SECRET), particularly information affecting national security.
The MOU also provides the framework for:
- a nationally consistent approach to the protection of national security information, including the management of national security clearances
- all jurisdictions to put in place policies and arrangements appropriate to their circumstances for the protection of national security information.
This MOU is not legally binding and is a statement of mutual intent and understanding.
The Guidelines do not affect or alter existing legal and regulatory requirements under Australian Government or NSW Government legislation, including under the Government Information (Public Access) Act 2009 (NSW) (GIPA Act), the Privacy and Personal Information Protection Act 1998 (NSW) (PPIPA), the Health Records and Information Privacy Act 2002 (NSW) (HRIPA) and the State Records Act 1998 (NSW). Existing privacy principles applicable under NSW Government and/or Commonwealth legislation continue to apply to the handling of information.
Where an agency engages a contractor or third-party provider, the agency is responsible for ensuring the contractor or third-party provider complies with the Guidelines.
These Guidelines supersede the NSW Government Information Classification, Labelling and Handling Guidelines (2020). They incorporate the Australian Government’s PSPF, first published in 2018, including updates up to 24 September 2020.
These Guidelines are aimed at helping agencies understand how to correctly assess the sensitivity or security classifications of information they hold, how to label this information and how to manage this information according to the label.
The Guidelines align with the PSPF. Existing Dissemination Limiting Markers (DLMs) have been continued from the 2015 Guidelines at the request of NSW agencies, with minor variations.
Compromise, either deliberate or accidental, of sensitive or security classified information could result in harm to an individual, organisation or government. Applying labels (protective markings) to sensitive or security classified information indicates that the information requires protecting and dictates the level of care needed. Protective markings are an easily recognisable way for information users and systems to identify the level of protection the information requires.
The key aspects of the Guidelines are as follows:
- UNOFFICIAL information is not work related.
- OFFICIAL information is related to the agency’s business but does not have security or sensitivity issues. This information does not need to be labelled but agencies may choose to do so. This information is still important to government and may still need security measures to protect the integrity and availability of this material.
- Sensitive information, if compromised, may cause limited damage to individuals, organisations or government. The Australian Government uses one DLM (OFFICIAL: Sensitive). NSW uses six DLMs to describe the type of sensitivity of the information:
  1. OFFICIAL: Sensitive – NSW Cabinet
  2. OFFICIAL: Sensitive – Legal
  3. OFFICIAL: Sensitive – Law enforcement
  4. OFFICIAL: Sensitive – Health information
  5. OFFICIAL: Sensitive – Personal
  6. OFFICIAL: Sensitive – NSW Government
- NATIONAL CABINET has been created as a caveat to maintain the confidentiality of National Cabinet documents. It can be used both with the OFFICIAL: Sensitive DLM and with security classifications.
- DLMs can also be used with security classifications.
- There are three security classifications under the PSPF:
  1. PROTECTED
  2. SECRET
  3. TOP SECRET
- A set of minimum handling guidelines has been created for sensitive information for NSW.
- A separate set of handling guidelines for security classified information, taken from the PSPF, has been included.
- Information is assessed using the business impact levels tool.
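To make the scheme above concrete, the following is an added example (not code from the Guidelines or from any NSW Government system) of a small Python validator for protective markings: it parses a marking into its level, DLM and caveat and rejects combinations the scheme does not allow (a DLM on OFFICIAL or UNOFFICIAL information, an unknown DLM, NATIONAL CABINET on anything below OFFICIAL: Sensitive). The textual layout `<level> – <DLM> // <caveat>` is an assumption, since the Guidelines above do not prescribe one, and `fits_system` is an illustrative policy check rather than a rule from the Guidelines.

```python
"""Validator for protective markings under the NSW scheme described above.

Added example, not code from the Guidelines. The textual layout of a marking
is an assumption: '<level>[ – <DLM>][ // <caveat>]', for example
'OFFICIAL: Sensitive – Legal // NATIONAL CABINET'.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Levels in increasing order of protection required: the three PSPF security
# classifications sit above OFFICIAL: Sensitive.
LEVELS = ["UNOFFICIAL", "OFFICIAL", "OFFICIAL: Sensitive",
          "PROTECTED", "SECRET", "TOP SECRET"]
SECURITY_CLASSIFICATIONS = {"PROTECTED", "SECRET", "TOP SECRET"}

# The six NSW dissemination limiting markers. The Australian Government uses
# the single DLM OFFICIAL: Sensitive, which here is the level with no DLM.
NSW_DLMS = ["NSW Cabinet", "Legal", "Law enforcement",
            "Health information", "Personal", "NSW Government"]

CAVEATS = {"NATIONAL CABINET"}


class MarkingError(ValueError):
    """Malformed marking, or a combination the scheme does not allow."""


@dataclass(frozen=True)
class Marking:
    level: str
    dlm: Optional[str] = None
    caveat: Optional[str] = None

    def __str__(self) -> str:
        text = self.level if self.dlm is None else f"{self.level} – {self.dlm}"
        return text if self.caveat is None else f"{text} // {self.caveat}"


def validate(m: Marking) -> None:
    """Enforce the combination rules stated in the Guidelines."""
    if m.level not in LEVELS:
        raise MarkingError(f"unknown level {m.level!r}")
    if m.dlm is not None:
        if m.dlm not in NSW_DLMS:
            raise MarkingError(f"unknown DLM {m.dlm!r}")
        # A DLM names the kind of sensitivity: it belongs with OFFICIAL: Sensitive
        # and may also accompany a security classification, never OFFICIAL/UNOFFICIAL.
        if m.level != "OFFICIAL: Sensitive" and m.level not in SECURITY_CLASSIFICATIONS:
            raise MarkingError(f"DLM {m.dlm!r} cannot be combined with {m.level}")
    if m.caveat is not None:
        if m.caveat not in CAVEATS:
            raise MarkingError(f"unknown caveat {m.caveat!r}")
        # NATIONAL CABINET is used with OFFICIAL: Sensitive or a security classification.
        if m.level in ("UNOFFICIAL", "OFFICIAL"):
            raise MarkingError(f"caveat {m.caveat} cannot be applied to {m.level} information")


def parse_marking(text: str) -> Marking:
    """Parse and validate a marking string; raises MarkingError on any problem."""
    # Tolerate sloppy spacing and a hyphen in place of the en dash.
    norm = re.sub(r"\s+", " ", text.strip())
    norm = re.sub(r"\s*[-–]\s*", " – ", norm)
    norm = re.sub(r":\s*", ": ", norm)
    body, _, caveat_part = (part.strip() for part in norm.partition("//"))
    caveat = caveat_part.upper() or None

    # Match the longest level name first so 'OFFICIAL: Sensitive' beats 'OFFICIAL'.
    level = next((lvl for lvl in sorted(LEVELS, key=len, reverse=True)
                  if body.upper().startswith(lvl.upper())), None)
    if level is None:
        raise MarkingError(f"no recognised level in {text!r}")
    rest = body[len(level):].strip()
    dlm = None
    if rest:
        if not rest.startswith("–"):
            raise MarkingError(f"unexpected text after level: {rest!r}")
        candidate = rest[1:].strip().lower()
        # Canonicalise a known DLM; pass an unknown one through so validate() reports it.
        dlm = next((d for d in NSW_DLMS if d.lower() == candidate), candidate)
    marking = Marking(level, dlm, caveat)
    validate(marking)
    return marking


def requires_protective_marking(m: Marking) -> bool:
    """OFFICIAL and UNOFFICIAL information need not be labelled; anything above must be."""
    return LEVELS.index(m.level) > LEVELS.index("OFFICIAL")


def fits_system(m: Marking, system_max_level: str) -> bool:
    """Illustrative policy (assumed, not from the Guidelines): a system approved to
    hold information up to system_max_level may hold information marked m."""
    return LEVELS.index(m.level) <= LEVELS.index(system_max_level)


def is_valid_marking(text: str) -> bool:
    """True if the marking parses and passes the combination rules."""
    try:
        parse_marking(text)
    except MarkingError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample markings, including two the scheme rejects.
    for sample in ["OFFICIAL", "OFFICIAL: Sensitive - personal",
                   "PROTECTED // NATIONAL CABINET", "OFFICIAL – Legal",
                   "OFFICIAL: Sensitive – Finance"]:
        try:
            print(f"{sample!r:40} -> {parse_marking(sample)}")
        except MarkingError as exc:
            print(f"{sample!r:40} -> rejected: {exc}")
```

Running the block prints each constructed sample either in canonical form or with the reason it was rejected; the same `parse_marking` call can sit in front of an email gateway or document store so that a malformed or impermissible marking is caught before the information is handled under the wrong rules.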
Agency-specific policies and procedures for classification, labelling and handling should identify:
- who is responsible for information classification and labelling
- who is responsible for the policies and procedures governing the alteration of protective markings
- what information requires classification, labelling and handling
- who would be using the protectively marked information
- any unique procedures for handling that information and complying with legislation
- how to communicate the requirements and responsibilities for handling protectively marked information within and external to the agency
- if the agency can handle security classified information on digital systems
- when individuals should consult with their security team for advice on the application of protections for sensitive and security classified information. Agencies may need to implement the protections in particular ways or to apply a higher level of protection, in order to meet business needs or to address the entity’s security risk environment.
Agencies must determine specific events or dates for de-classification based on the duration of the information’s sensitivity, and regularly review the level of protective marking applied to information. This must be done in accordance with an agency’s internal policy and procedures.
In developing internal policies and procedures, agencies must apply principles of good information security practices:
- information should be open by default but protected where required (in accordance with the NSW Government Open Data Policy)
- sensitive information should only be released to organisations and individuals who demonstrate a need-to-know
- information is to be stored and processed away from public access
- information can only be removed from an agency for an identified need
- disposal of information is by secure means
- information transmission and transfer are by means which deter unauthorised access.
Internal agency procedures should outline any standard processes for protectively marked material, including:
- creation and storage
- dissemination and use
- archiving and disposal.
Last updated 12 Jul 2024