A set of minimum handling requirements for sensitive information applies to DLMs (dissemination limiting markers). Each NSW DLM describes a different category of information sensitivity, and each refers to different NSW Government legislation. That legislation determines the purpose for which the information is collected, how it must be managed, and who can and cannot access it.
Unauthorised disclosure of OFFICIAL: Sensitive information, whether intentional or unintentional, can have serious consequences. All agency staff are employed under a code of conduct that imposes obligations of confidentiality.
Minimum handling requirements for NSW DLMs
All sensitive information is important. The minimum handling requirements are set out below.
Can I email sensitive information?
Each agency has its own email policies covering emails sent internally, to other agencies and externally. The practices outlined below apply in addition to those policies.
Emails should be labelled to show that the information in the email, or in its attachments, is sensitive. Some NSW agencies have implemented cloud-based enterprise productivity suites that can apply a sensitivity or security classification to the subject line, header and footer of an email, and to documents in word processing and spreadsheet applications.
Emailing sensitive information between agencies may be permitted. Many agencies have memoranda of understanding (MOUs) in place to ensure that information is shared safely. Increasingly, interagency applications are used to transfer information more securely: user access to the information can be controlled and monitored, and the risk of accidental forwarding is reduced. If you are emailing between agencies, check your own agency's policies. An MOU does not override legislative requirements: check the relevant legislation before sending or sharing information to make sure there are no secrecy or dissemination limiting provisions.
Secure information management systems, such as eCabinet used by the Department of Premier and Cabinet, have their own rules about emailing documents from those systems.
Emailing sensitive information is generally not recommended. Where it is transferred over a public network or through unsecured spaces, it should be encrypted, unless the residual security risk of not encrypting it has been recognised and accepted by the agency.
A more secure method of transferring sensitive information is a secure file transfer facility or another secure system recommended by your agency. Sensitive information received by email should not be stored in the email system or on local drives. Email carries a higher risk of compromise because the information is easy to forward on and email systems are a common target for unauthorised access.
Can I print sensitive information?
Sensitive information should generally not be printed unless it is unavoidable or systems are in place to protect the confidentiality of the printed copy.
Secure information management systems have their own guidelines. For example, the eCabinet system records which documents are printed; printed copies must be returned to the NSW Department of Premier and Cabinet, where they are marked off and destroyed.
How do I destroy sensitive information?
Agencies must retain records and information in accordance with the State Records Act 1998 (NSW) and any other legal and accountability requirements. Agencies should refer to the applicable Functional Retention and Disposal Authorities and General Retention and Disposal Authorities for further information on the retention and disposal of records and information. See the NSW State Archives and Records guidance on destruction of records for advice on the secure and confidential destruction of sensitive records and information, and the transferring records guidance for records required for the State Archives collection. Agencies should contact their internal records management staff or NSW State Archives and Records at govrec@records.nsw.gov.au with any queries about the retention and disposal of records and information.
All NSW agencies must ensure that records relating to child sexual abuse that has occurred, or is alleged to have occurred, are retained for at least 45 years, as recommended by the Royal Commission into Institutional Responses to Child Sexual Abuse (2017), Volume 8, Recordkeeping and information sharing.
How do I handle compiled information?
A compilation of information (referred to in the PSPF as aggregated data) may be assessed as requiring a higher security classification where the compilation is significantly more valuable than its individual components. This is because the collated information can reveal new and more sensitive information or intelligence than is apparent from the individual source records, so its compromise would cause greater damage than the compromise of any one document. When viewed separately, the components of the compilation retain their individual classifications.
Agencies must manage and retain compiled data in accordance with the State Records Act 1998 (NSW) and any other legal and accountability requirements.
How do I handle automated transfer of sensitive data?
All access to sensitive data is on a need-to-know basis. Where access has been granted and sensitive data is transferred automatically, for example through integration software, direct system links or applications, the data must be labelled so that users of the information understand its sensitivity and do not accidentally compromise its confidentiality.
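The following is an added example, not code from the original page or from any NSW agency system. It shows one way an integration can make a marking travel with the data and refuse to accept data that arrives unmarked, covering the labelling point above, the subject-line labelling of emails described earlier, and the rule that a compilation inherits at least the highest marking of its parts. The marking vocabulary is limited to what this illustration assumes: OFFICIAL: Sensitive is the DLM named on the page, while the OFFICIAL baseline, the X-Protective-Marking header and the SEC=… subject-line token (borrowed from the Australian Government Email Protective Marking Standard) are assumptions for this example, not requirements stated on the page.

```python
"""Fail-closed DLM labelling for data that leaves a system automatically.

Added example; not from the original page. The vocabulary, header name and
token format below are this example's assumptions.
"""
import json
from typing import Any

# Ordered from least to most sensitive. Only "OFFICIAL: Sensitive" is named on
# the page; "OFFICIAL" is assumed here as the baseline for unmarked material.
MARKING_ORDER = ["OFFICIAL", "OFFICIAL: Sensitive"]

# Assumed header/subject convention (Email Protective Marking Standard style).
HEADER_NAME = "X-Protective-Marking"


def marking_token(dlm: str) -> str:
    """'OFFICIAL: Sensitive' -> 'SEC=OFFICIAL:Sensitive'; rejects unknown DLMs."""
    if dlm not in MARKING_ORDER:
        raise ValueError(f"unrecognised DLM: {dlm!r}")
    return "SEC=" + dlm.replace(": ", ":")


def parse_marking_token(token: str) -> str:
    """Inverse of marking_token; anything outside the vocabulary is an error."""
    if not token.startswith("SEC="):
        raise ValueError(f"malformed marking: {token!r}")
    dlm = token[len("SEC="):].replace(":", ": ", 1)
    if dlm not in MARKING_ORDER:
        raise ValueError(f"unrecognised DLM: {dlm!r}")
    return dlm


def mark_subject(subject: str, dlm: str) -> str:
    """Append the marking to an email subject line exactly once."""
    token = f"[{marking_token(dlm)}]"
    return subject if subject.endswith(token) else f"{subject} {token}"


def highest_marking(markings: list[str]) -> str:
    """A compilation carries at least the highest marking of its parts.

    Whether the aggregate warrants a *further* uplift (because the whole reveals
    more than its parts) is a human assessment, not something computed here.
    """
    if not markings:
        raise ValueError("no markings supplied")
    return max(markings, key=MARKING_ORDER.index)  # ValueError on unknown marking


def prepare_transfer(record: dict[str, Any], dlm: str) -> dict[str, Any]:
    """Sender side: wrap a record so the marking travels with the data."""
    return {
        "headers": {HEADER_NAME: marking_token(dlm),
                    "Content-Type": "application/json"},
        "body": json.dumps(record, sort_keys=True),
    }


def accept_transfer(envelope: dict[str, Any]) -> dict[str, Any]:
    """Receiver side, failing closed.

    Unmarked or unrecognised data is rejected rather than stored as if it were
    unclassified, and the marking is copied onto the stored record so users
    downstream still see it.
    """
    token = envelope.get("headers", {}).get(HEADER_NAME)
    if token is None:
        raise PermissionError("refusing unmarked transfer")
    dlm = parse_marking_token(token)
    return {"dlm": dlm, "data": json.loads(envelope["body"])}


if __name__ == "__main__":
    # Constructed sample record, not real data.
    env = prepare_transfer({"client_id": 1042, "note": "case update"},
                           "OFFICIAL: Sensitive")
    print(env["headers"][HEADER_NAME])
    print(accept_transfer(env)["dlm"])
    print(mark_subject("Case update", "OFFICIAL: Sensitive"))
    try:
        accept_transfer({"headers": {}, "body": "{}"})
    except PermissionError as exc:
        print("rejected:", exc)
```

The design choice worth noting is that the receiver rejects, rather than defaults, when the marking is missing or unknown: an integration that silently treats unlabelled data as OFFICIAL is exactly how sensitivity gets lost between systems.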
Last updated 16 Dec 2020