Case studies

CASE003

Risks of discussing sensitive information outside the workplace: a PERSEC case study

This case study looks at the possible implications of discussing sensitive information outside the workplace. 

Themes include:

  • employees’ responsibility to protect protectively marked, privileged and sensitive information
  • importance of security information and awareness training.

Scenario – what happened

Lucy is a TOP SECRET cleared government employee who works with protectively marked information on a regular basis. 

She has never had a recorded security breach or incident and has an impeccable record of locking away documents. 

Her good friend Daniel, who works in the same department and is also a TOP SECRET cleared employee, commutes with Lucy to and from work on the train every day. 

They both discuss their day at work on the way home, including details of operational requirements and the content of their individual reporting. 

This is a frequent occurrence and neither thinks their discussions breach their organisation’s security policy. They both have the necessary level of clearance and believe they are always discreet in their discussions. 

Despite their attempts at discretion, they are overheard on the train on two occasions but it isn’t until a concerned member of the public reports Lucy and Daniel that the incident is brought to the attention of their CSO.

Lessons learned – what should have happened

Lucy and Daniel and their agency made a couple of simple, but important errors in this scenario.

Lucy and Daniel should not have:

Discussed sensitive information outside their workplace

Government employees have a responsibility to protect protectively marked, privileged and sensitive information. This extends much further than the correct handling of documents. 

Employees must not have protectively marked discussions outside of an appropriately secured environment and should avoid discussing sensitive aspects of their job outside the workplace to ensure that they do not disclose information not intended for public dissemination. 

Employees should also be aware that there is always the potential for hostile human intelligence collection. While some information may seem innocuous, small pieces of information provided inadvertently by government employees may form part of an intelligence collection ‘jigsaw’. 

Also, this type of discussion in public could identify an employee as a potential recruit for further cultivation by a foreign intelligence service.

Lucy and Daniel’s agency should have:

Provided them with security information and awareness training

As part of complying with the mandatory requirements of the PSR, agencies must provide all staff with sufficient security information and awareness training. 

Staff should:

  • receive adequate security training
  • be briefed on the access privileges and prohibitions attached to their security clearance
  • receive ongoing information about their security responsibilities, issues and concerns. 

In particular, staff should be aware of, and accept their individual responsibilities to protect protectively marked information (such as national security classified, sensitive and official information) from inappropriate use, loss and any breach of privacy. 

Page last modified: 5/08/2019