AGRkMS and security classification of information

In 2018 the Australian Government's Protective Security Policy Framework was reviewed and changed to simplify the security classification of information. These changes included consolidating Dissemination Limiting Markers (DLMs) into a single marking of 'Official: Sensitive'. This DLM replaces:

For Official Use Only (FOUO)
Sensitive
Sensitive: Legal
Sensitive: Personal

The 'Sensitive: Cabinet' DLM has been replaced by a CABINET caveat.

These changes are being grandfathered (PDF 273KB) through to October 2020.

Under the review, a need to continue to further categorise the subject matter of sensitive information was identified. In response the Attorney-General's Department and the National Archives agreed to use terms from the Rights property of the National Archives' Australian Government Recordkeeping Metadata Standard (AGRkMS) for this purpose. These terms describe the content of the information rather than the degree of harm which could result from its unintended release. The use of these terms with official or security classified information is optional.

To support this work, the National Archives revised and extended the available terms from the Rights Type Scheme in the AGRkMS. Changes include the addition of four new terms:

Commercial
Cultural
Legal Privilege
Legislative secrecy

The former term 'Privacy' has been updated to 'Personal Privacy'.

As a result of the changes to the Protective Security Policy Framework, the National Archives will also be updating properties in its metadata standards, relevant to security classification. Further information will be published as it's available.

Information Management Markers

Three terms from the Rights property of the AGRKMS have been designated as information management markers. These are expected to be used most commonly by agencies, particularly for email correspondence. They largely replace the functionality of the Dissemination Limiting Markers removed from the Protective Security Policy Framework. The terms are:

Legal privilege
Legislative secrecy
Personal privacy

Full list of AGRkMS Rights terms

The updated Rights Type Scheme is provided below. The three terms designated as Information management markers are listed in bold text.

Term	Definition
Archival Access	A determination made under relevant archival legislation as to whether business information is (fully or partially) available for public access.
Authorised Public Access	A determination made by an organisation that business information is open to public access, either from the time of its creation or from any time after that.
Commercial	Restrictions on access to, or use of, business information that could compromise an agency's or another party's commercial interests.
Copyright	Restrictions, under the Copyright Act 1968, on the copying or further promulgation of business information.
Cultural	Restrictions on access to, or use of, business information which could breach cultural sensitivities.
Disclaimer	A caution regarding the accuracy or completeness of information contained in business information.
Embargo	Time or future event based restriction when business information can be released. For example, information embargoed until after the Budget has been released.
FOI	A determination made under the Freedom of Information (FOI) Act 1982 as to whether business information is available for public release.
Intellectual Property	Restrictions on use of the intellectual content of business information.
Legal Privilege	Restrictions on access to, or use of, information covered by legal professional privilege
Legislative secrecy	Restrictions on access to, or use of, information covered by legislative secrecy provisions.
Personal Privacy	*Restrictions, under the Privacy Act 1988, on access to, or use of, personal information collected for business purposes.* The Privacy Act defines personal information as 'information or an opinion about an identified individual, or an individual who is reasonable identifiable'. 'Sensitive information' under the Act includes personal information about an individual's: racial or ethnic origin political opinions membership of a political organisation religious beliefs or affiliations philosophical beliefs membership of a professional or trade organisation or trade union sexual orientation or practices criminal record health or genetic information. It also includes certain defined biometric information.
Use Permission	A permission assigned to business information that allows or restricts access by particular agents or groups of agents.

More information

Protective Security Policy Framework – details on security classifications for Australian Government information.

INFOSEC 8 Sensitive and classified information (PDF 1.53MB) clarifies how information management markers can be used to categorise information content. Demonstrates how to identify information, including email, with protective markings and optional information management markers. Relevant sections include C.2.3, C.3.1. and Annex B.

INFOSEC 9 Access to information (PDF 494KB ) Requirement 5 requires agencies to apply the Security Classification, Security Caveat and Dissemination Limiting Marker properties from the Australian Government Recordkeeping Metadata Standard (AGRkMS) when managing access to information systems holding sensitive or security classified information.

Under this requirement agencies may, optionally, add terms from the Rights property of the AGRKMS to categorise information content. This requirement is further explained in section C.5.1.