UNCLASSIFIED UNCONTROLLED-IF-PRINTED

Defence Security Manual
DSM Part 2:36 Protection of Foreign Government Information

Version: 1
Publication date: July 2015
Amendment list: 18
Optimised for: Screen; Print; Screen Reader
Releasable to: Public

Compliance Requirements

Defence personnel are, and external service providers subject to the terms and conditions of their contract may be, bound by security policy contained in the DSM and Information Security Manual (ISM). Failure to comply with the mandatory requirements of the DSM and ISM may result in action under the relevant contract provision or legislation including, but not limited to: the Defence Force Discipline Act 1982, the Public Service Act 1999, and the Crimes Act 1914.

Mandatory requirements in the DSM and ISM are identified through the use of the terms must / must not and should / should not. Compliance with these requirements is mandatory unless the appropriate authority, if applicable, has considered the justification for non-compliance and accepted the associated risk through the granting of a dispensation.

The terms ‘recommend’ and ‘may’ are used to denote a sensible security practice and non-compliance need not be approved or documented.

Note: Non-compliance with a sensible security practice ought to be informed by sound risk management principles.

The DSM compliance regime, including the authority to approve non-compliance with mandatory requirements, the use of dispensation indicators, and how to apply for a dispensation is detailed in DSM Part 2:1 Dispensations.

Copyright © Commonwealth of Australia 2010

This work is copyright. Apart from any use as permitted under the Copyright Act 1968, no part may be reproduced by any process without prior written permission from the Department of Defence. Requests and inquiries concerning reproduction and rights should be addressed to Defence Publishing Services, Department of Defence.

Introduction

1. Defence receives valuable information from its international partners in support of strategic, operational and capability development objectives. If a foreign government was to lose confidence in Defence's ability to protect its information, the willingness of that government to share information would be affected. Defence is, therefore, committed to protecting this information and in many cases is obliged to do so under a Security of Information Agreement or Arrangement (SIA).

2. The purpose of Defence Security Manual (DSM) Part 2:36 is to detail the security policy for the protection of foreign government information.

Policy

3. Defence will protect foreign government information received under a SIA in accordance with the terms of the SIA. Foreign government information received by Defence not covered by a SIA will be protected from unauthorised access when the foreign government has indicated that it has an expectation that the information is to be safeguarded.

Process

Protection of Foreign Government Classified Information

4. Defence personnel and external service providers are required to protect foreign government classified information received by Defence under a SIA in accordance with the terms of the SIA. A complete list of Defence SIA is held by the Defence Security and Vetting Service (DS&VS).

5. Where the SIA establishes equivalent or corresponding classifications, Defence personnel and external service providers are to protect the foreign government classified information to the standards outlined in the DSM for the equivalent or corresponding classification. Furthermore, foreign government classified information received by Defence cannot be released to any foreign government or foreign national without the written approval of the originator.

6.
Defence personnel and external service providers must register foreign government classified information in the appropriate classified document register.

Storage on Networks

7. Defence personnel and external service providers are not to store foreign government classified information on the DRN or any other network which is not accredited for the enforcement of REL and EYES ONLY caveats.

Protection of Foreign Government Unclassified Information

8. As SIA are generally focused on the protection of classified information, unclassified information received from foreign governments may not be covered by the terms of a SIA.

9. Defence personnel and external service providers must protect unclassified information, received from foreign governments, from unauthorised access when the foreign government has indicated that it has an expectation that the information is to be safeguarded. A foreign government may indicate its expectation that its unclassified information is to be safeguarded by the use of markings such as ‘For Official Use Only’, ‘Unclassified but Sensitive’, or ‘Controlled Unclassified’.

10. If the protection of this information is not covered under the terms of a SIA, or if there are no other arrangements in place (eg, Memoranda of Understanding, Project Security Instructions, or contractual arrangements) that establish agreed standards for its protection, then Defence personnel and external service providers are to protect the information as follows:

a. access to the information must be limited to those individuals whose official duties require such access;

b. the information can be stored in unlocked containers if it is within an area categorised as a Zone 3 or above; but should be stored in a locked container if within an area categorised as Zone 2 or below;

c. electronic transmission of the information should be by secure communications system, consistent with the minimum standards in the ISM, when possible and unless otherwise indicated by the originating party;

d. the information must not be released to another foreign government or foreign entity without prior approval of the originating government; and

e. the information must not be released to the public without prior approval of the originating government and must be done in accordance with DSM Part 2:30 Classification and Protection of Official Information and relevant legislation (eg, the Freedom of Information Act 1982).

11. In addition to the measures listed in the paragraph above, individuals seeking to access Canadian PROTECTED A information must, as a minimum, hold a BASELINE security clearance.

Security Incident Management

12. All security incidents involving the actual or suspected loss or compromise of, or unauthorised access to, foreign government information must be clearly identified as such on the relevant security incident form and reported to the DS&VS Security Incident Centre in accordance with DSM Part 2:12 Security Incidents and Investigations.

13. Security incidents involving foreign government classified information are to be managed in accordance with the obligations under the relevant SIA.

14. For further information on reporting security incidents, refer to DSM Part 2:12.

Official Visits

15. Additionally, if access to security classified information is, or may be, required during an official visit or posting to another country, a visit authorisation request must be completed and sent to the DS&VS International Visits Office in accordance with the procedures in DSM Part 2:22 Overseas Travel.

Roles and Responsibilities

Group Heads and Service Chiefs

16.
Group Heads and Service Chiefs are responsible for ensuring that their Group or Service complies with the obligations to protect foreign government information received by their Group or Service in accordance with the relevant SIA.

First Assistant Secretary Security and Vetting Service

17. FAS S&VS is responsible for monitoring the implementation of Defence's ongoing obligations arising from a SIA. This includes ensuring compliance with obligations in relation to the actual or suspected loss or compromise of foreign government classified information received under a SIA and, where necessary, conducting security investigations.

Commanders and Managers

18. Commanders and managers are responsible for:

a. ensuring compliance with obligations to protect foreign government information under their control and that all foreign government classified information is recorded in a Classified Document Register (CDR) upon its receipt, transfer, access or disposal; and

b. ensuring that details of their holdings of foreign government classified information are accurately reported in an annual Protective Security Self Assessment (PSSA) and any Protective Security Surveys (PSS). For further information on PSSA and PSS, see DSM Part 2:10 Security Compliance Program.

Security Officers

19. Security officers are responsible to their commander or manager for administrative actions relating to the protection of classified information received from foreign governments.

20. Security officers will support the conduct of each SIA performance review including providing access to holdings of foreign government information, identification of non-compliance, and providing DS&VS access to the security register and relevant CDR. Security officers will also support the requirement to detail holdings of foreign government classified information in the PSSA and any PSS.

Key Definitions

21.
Foreign government. A government of another country, an organisation or agency of such a government (such as a department, ministry or defence force), or an intergovernmental organisation.

22. Intergovernmental organisation. An organisation formed by independent nations committed to achieving a set agenda through international cooperation. For example, the North Atlantic Treaty Organisation (NATO).

23. Originator. The entity that created the official information or on whose behalf the official information was created. An originator can be:

a. a military or business unit within Defence;

b. an Australian Government department or agency; or

c. a foreign government, including a party to a SIA.

24. Security of Information Agreement or Arrangement. An agreement or arrangement with a foreign government or intergovernmental organisation that sets out reciprocal obligations to protect exchanged classified information. A SIA may have:

a. Treaty Status: which is binding under international law and uses mandatory language. The parties are legally obliged to fulfill their obligations under the Treaty; or,

b. Less than treaty status: which is not legally binding under international law, but signatories make a moral and political commitment to uphold and adhere to the provisions of the SIA. A less than treaty status SIA is commonly called an Arrangement or a Memorandum of Understanding.

Note: More information on SIA is available in DSM Part 2:35 Security of Information Agreements and Arrangements.

25. SIA performance review. The process of measuring the effectiveness of, and compliance with, the security obligations under a SIA.
SIA performance reviews assess whether a SIA provides security controls that are appropriate to the risks associated with exchanging classified information with the other party and whether those controls effectively support Defence classified information sharing needs. SIA performance reviews also assess Defence and the other party’s compliance with the terms of the SIA.

Further Definitions

26. Further definitions for common DSM terms can be found in the Glossary.

Annexes and Attachments

This part currently has no annexes or attachments.

N/A