A security classification (PROTECTED, SECRET and TOP SECRET) is only applied to information (or assets that hold information, such as laptops, USBs) if it requires protection because the impact of compromise of the information or asset would be high, extreme or catastrophic.
PROTECTED, SECRET and TOP SECRET are national security classifications and are subject to a memorandum of understanding between all states and the Australian Government.
Some NSW agencies will have their own PROTECTED, SECRET and TOP SECRET information. To assess which security classification to apply, a business impact levels (BIL) tool has been created as part of the Protective Security Policy Framework (PSPF) and should be considered when determining if information requires a security classification. The BIL tool can be found here.
Figure 9: Security classifications and BIL
NSW agencies should handle this information according to the Australian Government requirements, including having the appropriate security clearances. NSW agency staff who handle PROTECTED, SECRET and TOP SECRET information must be security vetted.
When disclosing security classified information or resources to a person or organisation outside of government, agencies must have in place an agreement or arrangement, such as a contract or deed, governing how the information is used and protected.
To reduce the risk of unauthorised disclosure, agencies must ensure access to sensitive and security classified information or resources is only provided to people with a need-to-know.
Table 3: Security clearances required for ongoing access to PROTECTED, SECRET and TOP SECRET information
Agencies must ensure that people requiring access to caveated information meet all clearance and suitability requirements imposed by the originator and caveat owner.
Labelling of security classified information
The originator must clearly label security classified information, including emails (and associated metadata), unless impractical for operational reasons. Text-based labels are the preferred method using capitals, bold text, large font and a distinctive colour (red preferred), for example PROTECTED.
The labels should be placed at the centre top and bottom of each page and if there is more than one label, for example a protective marking and a caveat, these need to be separated by a double forward slash (//). E.g., PROTECTED//NATIONAL CABINET.
The order for labelling is as follows:
- classification (or the dissemination limiting marker)
- foreign government information markings (if any)
- caveats or other special handling instructions (if any) then
- (optional) information management markers (IMM) (if any).
Paragraph grading indicators are useful where there is a need to identify the security classification of each individual paragraph or section, in addition to the document’s overall protective marking or classification. Use of paragraph grading indicators is optional.
If used, paragraph grading indicators should:
- appear in the same colour as the text within the document either in:
- brackets at the start or end of each paragraph, or
- the margin adjacent to the first letter of the paragraph.
- be written in full or abbreviated by the first letter/s of the markings, as follows:
- (UO) for UNOFFICIAL
- (O) for OFFICIAL
- (O:S) for OFFICIAL: Sensitive
- (P) for PROTECTED
- (S) for SECRET
- (TS) for TOP SECRET.
The paragraph or section with the most valuable, important or sensitive information (highest classification) dictates the document’s overall protective marking or classification.
Figure 10: Australian Government example of labelling physical (printed) information
If text-based protective markings cannot be used, use colour-based protective markings, or if text or colour-based protective markings cannot be used (e.g. verbal information), apply the agencies marking scheme for such scenarios. Agencies must document a marking scheme for this purpose and train personnel appropriately.
Colour-based markings use the RGB model, which refers to Red (R), Green (G) and Blue (B) colours that can be combined in various proportions to obtain any colour in the visible spectrum. Table 4 specifies the recommended RGB colour-based marking that applies to each security classification. There are no specific RGB colours for information labelled with a NSW DLM and OFFICIAL information, although a Yellow colour is recommended for DLMs.
Table 4: RGB cell colour for colour-based markings
Mapping from old security classifications to new security classifications
From October 2020, do not mark new information as CONFIDENTIAL. For new information that would previously have been marked CONFIDENTIAL, use the BIL tool, to determine the level of harm if information was compromised, and apply corresponding security classification marking under the current PSPF.
To handle existing information labelled as CONFIDENTIAL, please refer to the PSPF Annex F Table 3 Minimum protection and handling for CONFIDENTIAL information. The need-to-know principle applies to all CONFIDENTIAL information. Ongoing access to CONFIDENTIAL information requires a Negative Vetting 1 security clearance or above. Any temporary access must be supervised.
Figure 11: Previous and current Australian Government security classifications
I have information already labelled as CONFIDENTIAL do I need to re-label this information?
If this information is in use and the information was originally labelled by the agency, then it needs to be re-labelled. Refer to the BIL tool to determine if the impact of compromise is high, extreme or catastrophic. If the information is in use but came from another agency, then the originator of the information will need to change the label.
How do I manage information labelled as CONFIDENTIAL?
Access to CONFIDENTIAL information is need-to-know and needs a Negative Vetting 1 security clearance or above. The management of this information needs to be done in accordance with the PSPF CONFIDENTIAL minimum protection and handling guidelines.
I have information I would usually label as CONFIDENTIAL, what label do I need to apply now?
Use the BIL tool to determine which security classification to use.
The person who originally labelled the information CONFIDENTIAL no longer works here. Who should change the label?
The information custodian in your agency should reassess the information using the BIL tool to determine the new security classification.
Handling of security classified information
Agencies handling security classified information must refer to the PSPF handling guidelines:
- Minimum protections and handling of TOP SECRET information
- Minimum protections and handling of SECRET information
- Minimum protections and handling of PROTECTED information
NSW agencies must retain records and information in accordance with the State Records Act 1998 (NSW) and any other legal and accountability requirements. Agencies should refer to applicable Functional Retention and Disposal Authorities and General Retention and Disposal Authorities. See NSW State Archives and Records’ website for further information on retention and disposal authorities, and guidance on information/record retention, disposal, physical storage of paper records and archiving.
Guidelines on cyber security are available from the Australian Signals Directorate, Australian Cyber Security Centre.
How do I know if my system is able to store sensitive or security classified information?
Agency ICT systems can be certified for PROTECTED and OFFICIAL systems, SECRET or TOP SECRET systems. The determining authority for security assessment (assessor) is the Agency’s Security Advisor (ASA), and the certification authority is the Chief Security Officer (or delegated security advisor).
Agency ICT systems should be audited, and a security assessment completed to identify any potential deficiencies and considers the effectiveness of security protections. A certification certifies that the security measures have been implemented and are operating effectively. Further information can be found in the Australian Government Information Security Manual.
Last updated 14 Jun 2023