The document linked below shows a range of real-life classification scenarios. The examples do not take away the need for people to consider and assess the harm before making classification decisions. It does however show that for many common types of information, the most appropriate classification can be straightforward.
The line between two neighbouring classification levels can be vague. The following scenarios are given to show the kind of considerations that could affect the classification decision.
USER TIP: An agency’s context, information sets, and harm scenarios can be nuanced and unique. Agencies should ensure that their classification policies and procedures contextualise their specific information sets and classification choices to make it easier for their people to make appropriate classification decisions for their specific information sets and scenarios.
Scenario 1 – Names and contact details for workshop attendees
A government agency runs a series of regional workshops on construction safety and collect the names and contact details of everyone who attends.
Attendees are predominantly health and safety managers in construction firms or other health and safety professionals. As part of the registration process, attendees consented to have their names and locations shared across the health and safety community. Carlo works for the government agency and wants to classify this information. He believes that there is no risk of real harm if the list was released so he is happy it is not SENSITIVE. However, he knows that the release of people’s personal information can cause trouble and is considering classifying the document as IN-CONFIDENCE.
Is he right?
This information can be marked as UNCLASSIFIED. All individuals have privacy rights that are defined in the Privacy Act 2020 and must be protected accordingly. Not all personal information requires classification to increase protections beyond the standard protections applied to all personal information. Compromise of this information is unlikely to result in a privacy breach.
Scenario 2 – Record of an investigation into an individual for wrong-doing
A whistleblower alleged to the agency’s finance manager that an individual currently working for the agency was committing financial fraud. An investigation file was opened to ascertain the validity of the claim.
The staff member creating the investigation file is clear that release of this information would, at the least, cause distress and that it should be at least IN-CONFIDENCE. However, given the nature of the information the staff member agreed with the manager that it should be classified as SENSITIVE.
Are they right?
Yes. It is reasonable to assume that the release of this information could harm someone’s well-being. On the basis of the harm test, this information should be SENSITIVE.
Page last modified: 20/06/2022