Commonwealth information-handling manuals

14.6 Several policies that operate across the Australian Government apply to information handling. Of particular relevance are the PSM and the Australian Government Information and Communications Technology Security Manual (ACSI 33).

Australian Government Protective Security Manual

14.7 The PSM sets out guidelines and minimum standards in relation to protective security for Australian Government agencies and officers, and for contractors who perform services for or on behalf of the Australian Government.[1] Part C of the PSM deals with information security. That part provides agencies with guidance on the development of security policies that address awareness, responsibility, behaviour and deterrence to ensure official information is not compromised.

14.8 The ALRC considered Part C of the PSM in detail in its 2004 report, Keeping Secrets: The Protection of Classified and Security Sensitive Information (ALRC 98). In that report, the ALRC noted that Part C sets out the following information security principles:

    • the availability of information should be limited to those who need to use or access the information to do their work (the ‘need to know’ principle);

    • where the compromise of information could cause harm to the nation, the public interest, the government or other entities or individuals, agencies must consider giving the information a security classification;

    • once information has been identified as requiring security classification, a protective marking must be assigned to the information; and

    • once information has been security classified, agencies must observe the minimum procedural requirements for its use, storage, transmission and disposal.[2]

14.9 The PSM distinguishes between national security information and non-national security information. ‘National security information’ includes any official resource that records information about, or is associated with, Australia’s security, defence, international relations, or national interest. National security information may be given one of four security markings:

    • Restricted—if compromise of it could cause ‘limited damage’ to national security;

    • Confidential—if compromise of it could cause ‘damage’ to national security;

    • Secret—if compromise of it could cause ‘serious damage’ to national security;

    • Top Secret—if compromise of it could cause ‘exceptionally grave damage’ to national security.[3]

14.10 ‘Non-national security information’ includes any official resource whose compromise could threaten the interests of important groups or individuals other than the nation. Non-national security information may be given one of three security markings:

    • X-in-Confidence—if compromise of it could cause ‘limited damage’ to the Commonwealth, the Government, commercial entities or members of the public;

    • Protected—if compromise of it could cause ‘damage’ to the Commonwealth, the Government, commercial entities or members of the public;

    • Highly Protected—if compromise of it could cause ‘serious damage’ to the Commonwealth, the Government, commercial entities or members of the public.[4]

14.11 Security classified information may only be accessed and handled by persons who have obtained a sufficient security clearance. The clearance process aims to identify whether there is anything in an individual’s behaviour or history that indicates that he or she would be a security risk.[5]

14.12 The Australian Government’s stated policy is to keep security classified information to the necessary minimum.[6] However, in a 1999 report on the operation of the classification system for protecting sensitive information, the Australian National Audit Office (ANAO) noted that all audited agencies incorrectly classified files, with over-classification being the most common occurrence.[7]

14.13 Ongoing concerns about the classification system were also raised in a number of submissions to this Inquiry.[8] Civil Liberties Australia (CLA) suggested that, in classifying information, the default position should be ‘totally free access’:

CLA advocates a system of levels of classification related to purpose (as outlined above), and not to pejorative words such as ‘Secret’ and ‘Top Secret’. These are myth-based categories stemming from world wars in the past century, or even earlier. The entire notion of information has changed since then, as has the speed of delivery, the power of search, the contraction of the tyranny of distance and the explosion of education and general knowledge.[9]

14.14 The Australian Press Council submitted that there should be rules that strictly define the parameters of what should be kept secret to stop the over-classification of material. These should include a provision making it an offence to withhold information from the public for an improper purpose.[10]

14.15 In ALRC 98, the ALRC made a number of recommendations with regard to the PSM and the classification of Commonwealth information, including that:

    • the PSM should be amended to provide further and more explicit guidance on the different classification levels, how to make classification decisions and when such decisions require review by a more senior officer;[11]

    • Australian Government agencies should ensure that all staff required to make classification decisions are well trained in classification policy and procedure;[12] and

    • the mandatory minimum standards in the PSM should include express statements that information should only be classified when there is a clear and justifiable need to do so; the decision to classify should be based on the criteria set out in the PSM; and information should not be classified for extraneous reasons, such as to conceal breaches of the law or to prevent embarrassment to a person, organisation or agency.[13]

14.16 The ALRC further recommended that the PSM (with any sensitive protective security information removed) should be placed in the public domain[14]—as is the case in most comparable jurisdictions, such as the United States, Canada and New Zealand.[15]

14.17 The PSM has been revised since the publication of ALRC 98 and, contrary to the ALRC’s recommendation, the entire document was given a security classification. In a submission to this Inquiry, Liberty Victoria commented that the classification of the PSM ‘is an ironic example of over classification; one which illustrates the absurdity of creating a system, which is inaccessible by either its intended or potential users’.[16]

14.18 Questions have been raised about the potential for PSM requirements to inhibit effective information sharing. For example, in its audit of the 2008–09 financial statements of Australian Government agencies, the ANAO observed instances where the Australian Taxation Office (ATO) was not complying with requirements of the PSM with respect to the classification, storage and distribution of protected information.[17] In an article in the Australian Financial Review, the ATO defended its practices on the basis that the residual risk ‘represents the best possible trade-off between the community benefits, costs and risks of any alternative approach’, for example, by allowing the ATO to communicate with taxpayers through unencrypted emails where there was no other alternative.[18]

ALRC’s views

14.19 Shortcomings in the drafting or application of the PSM have the potential to detract from many of the recommendations for reform set out in this Report. For example, the over-classification of information, or a failure to declassify information, could prevent information sharing for the purpose of whole of government initiatives.[19] Unwarranted security classifications may also mean that information is not made publicly available where this could appropriately be done, thereby detracting from the principle of open government.

14.20 The ALRC affirms its support for the recommendations in ALRC 98 in relation to the PSM.[20] In particular, the ALRC remains of the view that the PSM (with any sensitive protective security information removed) should be made publicly available.[21]

Australian Government Information Security Manual

14.21 ACSI 33, issued by the Defence Signals Directorate, complements the PSM by assisting Australian Government agencies to achieve sound information and communications technology (ICT) security.[22] ACSI 33 sets out baseline requirements for ICT security, along with a framework for governance of ICT security within Australian Government agencies. In meeting these standards, agencies are directed to the principles for information security established by the Organisation for Economic Co-operation and Development including, for example, that:

    • participants should be aware of the need for security of information systems and networks and what they can do to enhance security;

    • participants should act in a timely and co-operative manner to prevent, detect and respond to security incidents;

    • the security of information systems and networks should be compatible with essential values of a democratic society;

    • participants should incorporate security as an essential element of information systems and networks; and

    • participants should adopt a comprehensive approach to security management.[23]

14.22 These standards and principles will operate alongside specific information-handling policies adopted in particular Australian Government agencies, considered below.

[1] Australian Government Attorney-General’s Department, Australian Government Protective Security Manual (PSM) [Summary] (2006) <www.ag.gov.au> at 30 November 2009.

[2] Australian Law Reform Commission, Keeping Secrets: The Protection of Classified and Security Sensitive Information, ALRC 98 (2004) Ch 4. ‘Minimal procedural requirements’ include, eg, taking precautions to ensure that only people with a demonstrated need to know and the appropriate security clearance gain access to security classified information; and providing a document registration system to identify all security classified information held by the agency.

[3] Ibid, [2.9].

[4] Ibid, [2.12].

[5] Ibid.

[6] Ibid, [2.10].

[7] Australian National Audit Office, Operation of the Classification System for Protecting Sensitive Information, Audit Report 7 (1999), [2.84].

[8] See, eg, Whistleblowers Australia, Submission SR 40, 10 March 2009; Liberty Victoria, Submission SR 19, 18 February 2009; Australian Press Council, Submission SR 16, 18 February 2009.

[9] Civil Liberties Australia, Submission SR 47, 27 July 2009.

[10] Australian Press Council, Submission SR 62, 12 August 2009.

[11] Australian Law Reform Commission, Keeping Secrets: The Protection of Classified and Security Sensitive Information, ALRC 98 (2004), Rec 4–3.

[12] Ibid, Rec 4–4.

[13] Ibid, Rec 4–5.

[14] Ibid, Rec 4–1. At the time of ALRC 98, the PSM did not have a security classification but was not publicly available.

[15] Ibid, [4.17].

[16] Liberty Victoria, Submission SR 19, 18 February 2009. See also Australian Press Council, Submission SR 16, 18 February 2009, which also called for the PSM to be declassified and made publicly available.

[17] Australian National Audit Office, Interim Phase of the Audit of Financial (2009), [4.428].

[18] F Anderson, ‘Taxpayer Data at Risk: Audit’, Australian Financial Review, 15 July 2009, 3.

[19] Whole of government is discussed in Ch 2.

[20] Australian Law Reform Commission, Keeping Secrets: The Protection of Classified and Security Sensitive Information, ALRC 98 (2004), Ch 4.

[21] Ibid, Rec 4–1.

[22] Australian Government Defence Signals Directorate, Australian Government Information Security Manual (ACSI 33) (2009).

[23] Ibid.