Handling Cabinet-in-confidence and security-classified information in Australia
Cabinet documents and security-classified information in Australia are governed by the Protective Security Policy Framework (PSPF), the ACSC Information Security Manual, and Cabinet Handbook conventions. This guide sets out 10 obligations covering classification, markings, storage, transmission, access, destruction, and the special rules that apply to National Cabinet documents under the National Cabinet framework.
Coverage
Commonwealth agencies and staff subject to the PSPF. State and territory agencies participating in National Cabinet or handling Commonwealth-classified material. Contractors, consultants, and DISP members provided with classified information. Parliamentarians and staff under the Ministerial Standards and relevant Parliamentary guidelines.
Legal basis
Protective Security Policy Framework (PSPF Policy 8 — Sensitive and Classified Information); ACSC Information Security Manual; Cabinet Handbook (current edition); Archives Act 1983 (Cth); Criminal Code Act 1995 (Cth) ss 70.1-70.8 (unauthorised disclosure offences); Freedom of Information Act 1982 (Cth) Part IV exemptions.
The obligations
Assign classifications using the current PSPF classification system
The PSPF classifications are OFFICIAL, OFFICIAL: Sensitive, PROTECTED, SECRET, and TOP SECRET. Apply the Business Impact Level tool and classify at the lowest level that adequately protects the information.
Apply information management markers
Information management markers (e.g. Cabinet, Legal Privilege, Personal Privacy, Legislative Secrecy) may be applied in addition to classifications. Markers drive specific handling rules and access controls.
Apply Cabinet Handbook handling conventions
Cabinet and National Cabinet documents — memoranda, decisions, submissions, briefs — are generally classified at least PROTECTED with a Cabinet marker. The Cabinet Handbook sets distribution, retention, and access rules.
Mark documents clearly and consistently
Markings must appear on each page (header and footer) and on the cover. Email subject lines, document metadata, and portable media must also carry classification markings.
Store classified information to the required Zone and container specifications
Storage containers and Secure Areas must meet the Zone rating for the classification level. TOP SECRET requires Zone 5 with accreditation. Portable media must be stored in accredited containers when not in use.
Transmit classified information only via approved channels
Approved transmission channels vary by classification. TOP SECRET requires sealed and double-enveloped courier or accredited TOP SECRET systems. OFFICIAL: Sensitive may be transmitted via TLS-encrypted email.
Grant access only on a need-to-know basis
Access to classified information requires a current security clearance at or above the information level and a need-to-know. Need-to-know is determined by task — not seniority — and must be documented for TOP SECRET.
Destroy classified information using approved methods
Destroy classified information using Class A shredders (for PROTECTED and above) or ASIO-T4 approved methods. Witnessed destruction may be required. Incineration and degaussing are used for specific media types.
Report security incidents involving classified information
Suspected or confirmed compromise of classified information must be reported to the agency security officer immediately, and to ASIO, the Attorney-General's Department, and (for Cabinet information) the Department of the Prime Minister and Cabinet as required.
Align handling with FOI and Archives Act obligations
Classification does not displace Freedom of Information and Archives obligations. Classified records must still be managed as Commonwealth records and disposed of in line with Records Authorities.
What happens if you do not comply
Unauthorised disclosure of security-classified information can attract criminal offences under Part 5.6 of the Criminal Code Act 1995 (Cth) with penalties up to 10 years imprisonment. Cabinet-in-confidence breaches can attract disciplinary action and referrals to the NACC. APS employees face Code of Conduct sanctions including termination.
Reporting requirements
Security incidents reported within agency timeframes (generally immediately for compromise, within 24-48 hours for risk events). Annual PSPF compliance assessment to the Attorney-General's Department. Serious incidents may be reportable to the NACC. Loss or compromise of classified information is reportable to ASIO.
What firms should do today
- Train every cleared employee on current PSPF markings and Cabinet Handbook handling
- Integrate classification metadata into document management tooling so markings are automatic
- Build a Zone-to-classification mapping for every agency site
- Run an annual destruction audit covering Class A shredder use and T4-approved methods
- Pre-brief the agency security officer for compromise response and ASIO reporting
- Align FOI decision-making with classification registers to manage release consistently
Compliance with Quillio
Quillio drafts classification decision notes, Cabinet Handbook compliance briefs, FOI decision statements, and security incident reports aligned to PSPF, Cabinet Handbook, and the Archives Act. Australian-hosted infrastructure aligns with PSPF data handling. See /practice-areas/commercial-lawyers or start a free trial.
This guide is general information about Cabinet and security-classified information — not legal or security advice. Classification and handling are fact-specific and carry criminal liability. Obtain specialist advice before downgrading, declassifying, or releasing any classified information.
Build compliance into your stack.
Quillio is built around AU compliance from the ground up — SOC 2 Type II + ISO 27001 + Australian data sovereignty. The free trial requires no credit card.
Start your free trial