Professional Documents
Culture Documents
21 October 2014
Version 2.0
The details of the relevant licence conditions are available on the Creative Commons website as is
the full legal code for the CC BY 3.0 AU licence (www.creativecommons.org/licenses).
Use of the Coat of Arms
The terms under which the Coat of Arms can be used are detailed on the It's an Honour website
(www.itsanhonour.gov.au).
Contact us
Enquiries regarding the licence and any use of this document are welcome at:
Commercial and Administrative Law Branch
Attorney-Generals Department
35 National Cct
BARTON ACT 2600
Telephone: 02 6141 6666
copyright@ag.gov.au
Document details
Security classification
Unclassified
Publicly available
October 2017
Authority
Attorney-General
Author
Document status
Contents
Amendments ............................................................................................................................. ii
1.
2.
3.
4.
Legislation .......................................................................................................................... 6
Amendments
No.
Date
Location
Amendment
1.
2.
3.
ii
1.
The Australian Government is committed to effectively managing the protective security risks to
Government business and building increased trust, confidence and engagement with the Australian
people and our international partners.
The Government requires agency heads to have in place effective protective security arrangements
to ensure:
the safety of those employed to carry out the functions of government and those who are clients
of government
official resources and information the agency holds in trust, both from and for the public, and
those provided in confidence by other countries, agencies and organisations, are safeguarded.
To achieve this, agency heads are to apply the Protective Security Policy Framework and promote
protective security as part of their agencys culture. A progressive protective security culture that
engages with risk will foster innovation, leading to the increased productivity of Government
business.
The Australian Government, through my Department, will continue to develop and refine protective
security policy that promotes the most efficient and effective ways to secure the continued delivery
of Government business.
2.
2.1
Australias protective security policy is organised in a tiered, hierarchical structurethe
Protective Security Policy Framework (PSPF).
Use risk management principles and policies appropriate to agency functions and the security
threats faced in developing, implementing and maintaining:
Prepare, monitor and review their security plans to ensure they are complying with the
mandatory requirements.
Report annually to their portfolio Minister on the level of agency compliance with the PSPF.
Develop a culture of security through strong programs of security awareness and education to
ensure employees fully understand their security responsibilities.
Remain accountable for the efficient and secure performance of outsourced functions.
Personnel security. Agencies are to ensure the people they employ are suitable and meet high
standards of integrity, honesty and tolerance at and throughout the period of their engagement.
Where necessary, people are to be security cleared to the appropriate level.
Information security. Agencies are to ensure:
They appropriately safeguard all official information to ensure its confidentiality, integrity, and
availability by applying safeguards so that:
A safe working environment for their employees, contractors, clients and the public.
Protocols for the conduct of Government specific protective security activities to meet
the mandatory requirements.
2.5
These documents standardise protective security practices across Government to provide
assurance in asset sharing, support interagency business, and help meet international obligations.
3.
3.1
As a policy of the Australian Government, the following agencies 1 must apply the PSPF to the
extent that their enabling legislation allows:
Corporate Commonwealth entities and companies subject to the PGPA Act that have
received Ministerial direction to apply the general policies of the Australian
Government.
Other bodies established for a public purpose under a law of the Commonwealth and
other Australian Government agencies, that have received a notice from the relevant
Minister that the PSPF applies to them.
3.2
The Australian Government requires non-government organisations that access security
classified information to enter into a Deed of Agreement to apply the PSPF to that information.
3.3
The Commonwealth expects state and territory government agencies that hold or access
Commonwealth security classified information at CONFIDENTIAL and above to apply the PSPF to that
information.
In the PSPF, a reference to agency (or Australian Government agency) means an entity or body in the first
three categories referenced above. Reference to an agency head means the head or chief executive of an
agency.
4.
Legislation
4.1
Although the PSPF is not legally prescribed, it supports legislation relevant to protective
security and reflects the aims and objectives of the Australian Government.
4.2
Some agencies are responsible for collecting or processing official information for which
there are legislative security requirements. These requirements take precedence over the PSPF.
Where the relevant legislation mandates lower standards than the PSPF, agencies are encouraged to
meet the PSPFs higher standards.
4.3
As a valuable resource, information is only to be released in accordance with the policies,
legislative requirements and directives of Government, the Parliament and the courts. The
unauthorised disclosure of information held by the Australian Government is subject to the sanction
of criminal law.
4.4
The general legislative obligations applicable to all agencies are outlined at Appendix 2.
GOV-1
GOV-2
GOV-3
Agencies must ensure that the agency security adviser (ASA) and information
technology security adviser (ITSA) have detailed knowledge of agency-specific
protective security policy, protocols and mandatory protective security
requirements in order to fulfil their protective security responsibilities.
GOV-4
Agencies must prepare a security plan to manage their security risks. The
security plan must be updated or revised every two years or sooner where
changes in risks and the agencys operating environment dictate.
GOV-5
Agencies must develop their own set of protective security policies and
procedures to meet their specific business needs.
GOV-6
A1-1
GOV-7
GOV-8
GOV- 9
10
GOV-10
11
GOV-11
12
GOV-12
Agencies must ensure the contracted service provider complies with the
requirements of this policy and any protective security protocols.
13
GOV-13
Personnel security
14
PERSEC 1
Agencies must ensure that their personnel who access Australian Government
resources (people, information and assets):
15
PERSEC 2
Agencies must have policies and procedures to assess and manage the ongoing
suitability for employment of their personnel.
16
PERSEC 3
Agencies must identify, record and review positions that require a security
clearance and the level of clearance required.
17
PERSEC 4
18
PERSEC 5
gain agreement from the clearance applicant to meet the conditions of the
waiver
19
PERSEC 6
Agencies, other than authorised vetting agencies, must use the Australian
Government Security Vetting Agency (AGSVA) to conduct initial vetting and
reviews.
20
PERSEC 7
A1-3
21
PERSEC 8
Agencies and vetting agencies must share information that may impact on an
individuals ongoing suitability to hold an Australian Government security
clearance.
22
PERSEC 9
Agencies must have separation policies and procedures for departing clearance
holders, which includes a requirement to:
Information security
23
INFOSEC 1 Agency heads must provide clear direction on information security through the
development and implementation of an agency information security policy, and
address agency information security requirements as part of the agency
security plan.
24
INFOSEC 2 Each agency must establish a framework to provide direction and coordinated
management of information security. Frameworks must be appropriate to the
level of security risks to the agencys information environment.
25
INFOSEC 3 Agencies must implement policies and procedures for the security classification
and protective control of information assets (in electronic and paper-based
formats), which match their value, importance and sensitivity.
26
INFOSEC 4 Agencies must document and implement operational procedures and measures
to ensure information, ICT systems and network tasks are managed securely
and consistently, in accordance with the level of required security. This includes
implementing the mandatory Strategies to Mitigate Targeted Cyber Intrusions
as detailed in the Australian Government Information Security Manual.
27
INFOSEC 5 Agencies must have in place control measures based on business owner
requirements and assessed/accepted risks for controlling access to all
information, ICT systems, networks (including remote access), infrastructures
and applications. Agency access control rules must be consistent with agency
business requirements and information classification as well as legal
obligations.
28
INFOSEC 6 Agencies must have in place security measures during all stages of ICT system
development, as well as when new ICT systems are implemented into the
operational environment. Such measures must match the assessed security risk
of the information holdings contained within, or passing across, ICT networks,
infrastructures and applications.
29
INFOSEC 7 Agencies must ensure that agency information security measures for all
information processes, ICT systems and infrastructure adhere to any legislative
or regulatory obligations under which the agency operates.
A1-4
Physical security
30
PHYSEC 1
Agency heads must provide clear direction on physical security through the
development and implementation of an agency physical security policy, and
address agency physical security requirements as part of the agency security
plan.
31
PHYSEC 2
32
PHYSEC 3
Agencies must ensure they fully integrate protective security early in the
process of planning, selecting, designing and modifying their facilities.
33
PHYSEC 4
Agencies must ensure that any proposed physical security measure or activity
does not breach relevant employer occupational health and safety obligations.
34
PHYSEC 5
Agencies must show a duty of care for the physical safety of those members of
the public interacting directly with the Australian Government. Where an
agencys function involves providing services, the agency must ensure that
clients can transact with the Australian Government with confidence about
their physical wellbeing.
35
PHYSEC 6
36
PHYSEC 7
A1-5
Appendix 2Legislation
Laws applicable to agencies may include, but are not limited to, the following legislative instruments.
Public Governance, Performance and Accountability Act 2013
The Public Governance, Performance and Accountability Act 2013 (Cth) (PGPA Act) replaced the
Financial Management and Accountability Act 1997 (Cth) (FMA Act) and the Commonwealth
Authorities and Companies Act 1997 (Cth) (CAC Act) on 1 July 2014. The PGPA Act operates on four
principles:
a uniform set of duties should apply to all resources handled by Commonwealth entities
The PGPA Act is consistent with the PSPF in that it obligates authorised authorities (agency heads) to
manage the risks within their entity (agency) while providing assurance.
Crimes Act 1914(Cth)
The Crimes Act 1914 (Cth) (Crimes Act) contains provisions relating to the protection of prescribed
official information and sets out the penalties for the unauthorised disclosure of that information.
Section 70 of the Crimes Act makes it an offence for a Commonwealth officer, or a former
Commonwealth officer, to disclose any fact or document which comes to his or her knowledge, or
into his or her possession, by virtue of being a Commonwealth officer that he or she is, or was at the
time of ceasing to be a Commonwealth officer, bound not to disclose.
Commonwealth officers are also bound by provisions dealing with the protection of official secrets.
Section 79 of the Crimes Act makes it an offence to communicate or receive official secrets in certain
circumstances. This includes where a person is entrusted with information by a Commonwealth
officer and the person has a duty to treat the information as secret.
Criminal Code Act 1995(Cth)
Section 91.1 of the Criminal Code Act 1995 (Cth) makes it an offence to engage in conduct that
amounts to espionage. Such conduct includes communicating or making information available
without authority for delivery to another country or foreign organisation.
Defence Act 1903 (Cth)
The Defence Act 1903 (Cth) contains similar provisions to the Crimes Act for preserving the secrecy of
information relating to any defence works relevant to the defence of the Commonwealth.
Australian Security Intelligence Organisation Act 1979 (Cth) and Intelligence Services Act 2001 (Cth)
Commonwealth officers are also subject to offences for unauthorised handling of specific types of
information. For example, subsection 18(2) of the Australian Security Intelligence Organisation Act
1979 (Cth) makes it an offence to communicate information received from Australian Security
Intelligence Organisation in various circumstances. Sections 39 and 40 of the Intelligence Services Act
A2-1
2001 (Cth) also prohibit communication of information prepared by the Australian Secret Intelligence
Service or the Australian Signals Directorate.
Public Service Act 1999 (Cth)
Section 13 of the Public Service Act 1999(Cth) sets out the Australian Public Service Code of Conduct.
Public Service Regulation 2.1, made under that Code, broadly provides that an APS employee must
not disclose material where:
There are some exceptions to this requirement where, for example, the disclosure was authorised by
the agency head, or where the disclosure is made in the course of the employees duties.
Further information about regulation 2.1, and the Code of Conduct, is available from the Ethics
Advisory Service on (02) 6202 3737.
Freedom of Information Act 1982 (Cth) and Privacy Act 1988(Cth)
Disclosure of official information should only occur if that disclosure is authorised. Authorisation may
be granted under the express authority of an agency head, subject to the provisions of the Freedom
of Information Act 1982 (Cth) (the FOI Act) and the Privacy Act 1988 (Cth) (the Privacy Act).
The general principle underlying the FOI Act is that government documents should be made available
to the general public except where a document is exempt from the operation of the Act, subject to
an exemption under division 2 of Part IV of the FOI Act, or subject to a conditional exemption under
division 3 of Part IV and disclosure would be contrary to the public interest. The broad aim of the FOI
Act is to provide a mechanism for individuals to check and seek to correct information held on
government files (if necessary), enhance the transparency and accountability of government, ensure
the community can participate in the democratic processes, and facilitate the wide availability of
government information.
The Privacy Act sets out the Australian Privacy Principles (APPs), which provide legislative standards
on how Australian Government agencies and certain private sector activities (for example, consumer
credit reporting) handle personal informationie, information or opinions that can identify a living
person. The APPs relate to the collection, storage, security, access, use and disclosure of personal
information, and provide individuals with a right of access to, and correction of, personal information
about themselves. The APPs also set out various exceptions to their application, which can be viewed
in Schedule 1 of the Privacy Act.
Work Health and Safety Act 2011 (Cth)
While most of the legislation relevant to protective security is concerned with the protection of
official information, an employer may also need to implement protective security measures to
ensure it meets its duty of care obligations under the Work Health and Safety Act 2011(Cth).
A2-2