Skip to main content

Classify information

Information is classified to protect its integrity, availability and confidentiality. To manage the information risk, consider the nature and value of the information, the technical landscape and the threat environment.

All government-held information should have a protective marking or classification to ensure it is treated appropriately. The Government Security Classification System sets out what level of classification should be applied to official information depending on the level of risk if the information was released or compromised.

Classification markings should be applied in default document templates, email signatures or extensions to email clients.

Clear classification marking of information allows for easy filtering techniques such as outbound filtering and inspection by mail servers to lessen the risk of inadvertent information leakage via email.

What you need to know about publishing information on the web

  • Information published by agencies in the public web domain is unclassified or has been released under the Official Information Act.
  • Web publishers, site owners and managers need confidence in their agencies’ processes to ensure that classified information is not inadvertently published online.
  • If you’re unsure about what classification to use for your information or have other concerns talk to your IT Security Manager (ITSM) or CISO. They’re responsible for ensuring that agency business and security practices are aligned with government security requirements.

Classification levels

This section describes the classification levels, type of information they apply to, and whether they have transmission and access restrictions.

Unclassified

Describes all information published to the government web domain that is not protected by access controls (that is, information requiring user login and authentication).

  • Unclassified means that no reason exists to apply a classification to the information.
  • There are no restrictions to access, although there should be processes in place to ensure it is appropriate to publish.

IN-CONFIDENCE

Applies to policy and privacy information.

  • Compromise would prejudice the maintenance of law and order, impede the effective conduct of government in New Zealand, or adversely affect the privacy of its citizens.
    Note:
    Large collections or aggregations of IN-CONFIDENCE information, or information that if compromised could cause harm to an individual or organisation, may need to be classified as SENSITIVE.
  • Use IN-CONFIDENCE for all personal information provided by users through online sites or services.
  • The Privacy Act requires agencies to take reasonable steps to protect that information from unauthorised disclosure or access by using:
    • SEEMail or password-protected attachments
    • Government Communications Security Bureau (GCSB)-encrypted access
    • encryption in transit (for example, transport layer security [TLS] for email transfer)
    • RealMe login authentication.

SENSITIVE

Applies to policy and privacy information.

  • Compromise would damage the interests of New Zealand or endanger the safety of its citizens.
  • SENSITIVE information should not generally be stored on systems accessible from the public Internet and must:
    • not be transmitted via email
    • use GCSB-encrypted access
    • when working off-site, use encryption on mobile devices communicating over public infrastructure, the Internet or non-agency-controlled networks
    • use RealMe login authentication.

RESTRICTED

Applies to national security information.

  • Compromise would be harmful to New Zealand.
  • RESTRICTED information should not generally be stored on systems accessible from the public Internet and must:
    • not be transmitted via email
    • use GCSB-encrypted access
    • when working off-site, use encryption on mobile devices communicating over public infrastructure, the Internet or non-agency-controlled networks
    • use RealMe login authentication.

CONFIDENTIAL

Applies to national security information.

  • Compromise would damage national interests in a significant manner.
  • CONFIDENTIAL information is not stored on systems accessible from the public Internet. Systems need to be certified and accredited in accordance with the information risk profile.
  • CONFIDENTIAL information must:
    • not be transmitted via public email systems
    • use GCSB-encrypted access
    • when working off-site, use encryption on mobile devices communicating over public infrastructure, the Internet or non-agency-controlled networks.

SECRET

Applies to national security information.

  • Compromise would damage national interests in a serious manner.
  • Access, transmission and storage are not connected to the public Internet.

TOP-SECRET

Applies to national security information.

  • Compromise would damage national interests in an exceptionally grave manner.
  • Access, transmission and storage are not connected to the public Internet.

Notes

  • GCSB-encrypted means that information is encrypted using a system approved by the GCSB if information is transmitted or systems are communicating across public networks within New Zealand or across any networks overseas.
  • An endorsement may also be applied in addition to any security classification. Endorsements are used to indicate the specific nature of the information or where there are temporary sensitivities, etc. Common endorsements include EMBARGOED FOR RELEASE, LEGAL PRIVILEGE, and BUDGET.

Before publishing information

  • If information is still marked with a classification, follow up with the author/appropriate manager to check whether it is suitable for release.
  • If it’s being released under the Official Information Act, this should be clearly marked on each page of the document (‘Released under the Official Information Act’ watermark).
  • Check whether an endorsement applies, for example whether the content has been embargoed to a particular date/time.

Resources

NZ Government Security Classification System

NZ Information Security Manual (NZISM)

Designing for security and privacy

Utility links and page information

Was this page helpful?
Thanks, do you want to tell us more?

Do not enter personal information. All fields are optional.

Last updated