Before sharing non-public Commonwealth information with non-government recipients, it is critical that you consider a number of factors including the:
- context
- scope of information
- sensitivity and value of the information
- potential recipients, and
- level of risk with the proposed disclosure.
This determination is important in assessing the appropriate confidentiality arrangements and level of protection that may be necessary in order to reduce the likelihood of inappropriate disclosure or use of the information by the recipient.
The considerations below are intended to assist in managing confidentiality when engaging with the non-government sector.
Key considerations
Context
Understand the context of the operating environment that you are engaging in.
This will naturally depend on the type of engagement that you are undertaking (for example, policy consultation, stakeholder engagement, administering a program or legislative function, a procurement activity, a grant process, a transaction, or some other activity that may involve sharing information).
It will be important that you are aware of and adhere to any existing requirements that might apply to the sharing and management of information for the engagement you are undertaking. This could include any existing contractual or legislative requirements or other internal policies. It may be that there are restrictions, consents or particular obligations that will need to be addressed before the information can be shared.
Assess information
Consider the nature of the information and the level of sensitivity and value that applies to it.
In thinking about the nature of information that is not already in the public domain, you should consider if it is confidential, proprietary, or sensitive in any way. Specific restrictions will need to apply if the information involves any classified information. You should also consider the source of the information, and whether it involves any information of a third party (and whether you have authority to share that information further or if any other restrictions might apply).
This may influence whether disclosure is in fact necessary or the scope of the information that you share. For example, you could consider extracting, deidentifying or summarising information before it is shared with the non-government sector.
To help understand the sensitivity and value of the information, you should consider the consequences of and the potential harm that might arise from inappropriate disclosure or use of the information by the recipient. Different levels of sensitivity require different precautions.
Potential consequences of inappropriate access, disclosure or use of information could include, but are not limited to:
- Financial Loss: What are the potential financial consequences of unauthorised disclosure or misuse?
- Reputation Damage: What potential harm could come to the Commonwealth or someone else’s reputation if the information is leaked or misused?
- Competitive Advantage: Could the shared information give parties a significant advantage if used for purposes other than what it was shared for?
- National Security: Could disclosure or misuse compromise national security or intelligence operations?
- Legal Liability: Could disclosure or misuse expose the Commonwealth or someone else to legal liability, such as lawsuits or regulatory fines?
- Public Interest: Could disclosure or misuse harm the public interest, such as by undermining public trust or exposing vulnerabilities?
- Individual Privacy: Could disclosure or misuse compromise the privacy of individuals?
Evaluate recipients and the purpose of information sharing
Ensure proposed recipients need to know the information.
Recipients should have a clear need for receiving non-public Commonwealth information, aligned with your intended purpose (again this will depend on the type of engagement that you are undertaking). You should keep in mind that in some circumstances it may be best only to share the minimum amount of information necessary to achieve the intended purpose.
Consider the purpose for sharing non-public information and how it should be used.
The intended purpose for sharing the information may also influence whether there are justifiable reasons to restrict access to the information. It will be important that any such restrictions on the use or sharing of the information are clearly communicated to, and understood by, the recipient(s), as well as the consequences of any non-compliance.
Before sharing any non-public Commonwealth information, you should be clear on who the potential recipient(s) will be.
Key aspects to keep in mind include:
- whether the information to be shared should be confined to particular roles, teams or individuals within a potential recipient’s organisation – if there is more than one company in a group, can information be shared between companies?
- whether a potential recipient has a genuine ‘need to know’ regarding the information
- whether it is necessary to assess a potential recipient’s ability to protect and handle the shared information securely (any such assessment could consider the recipient’s track record regarding data management and confidentiality)
- whether a potential recipient has any conflicts of interest with the Commonwealth (whether this is a real, potential, or apparent conflict) – conflicts of interest might incentivise inappropriate use of information.
These considerations are important to assess before making the decision to share information but will also be relevant to what specific protections may be required if information is shared. Keep in mind that how and why information is shared (and how it may be used) may change (or may need to change) over time depending on the particular arrangement.
Assess the risk and apply proportionate mitigations
You should undertake a risk assessment to help guide you in determining the appropriate management strategies and proportionate mitigations for sharing information. This should take into account the risk tolerance of your entity. You should document your assessment and ensure that the assessment is endorsed by an officer of sufficient seniority.
Risk levels are categorised as:
- Low risk – the information is not in the public domain but the risks associated with a recipient misusing it or inappropriately disclosing it to a third party are low
- Medium risk – the information is sensitive and the risks associated with a recipient misusing it or inappropriately disclosing it to a third party are medium
- High risk – the risks associated with a recipient misusing the information or inappropriately disclosing it to a third party are high
- Unacceptable risk – if after considering and assessing all potential consequences it is deemed that the risks arising from disclosure to the non-government party and/or potential misuse or inappropriate disclosure of information by the non-government party are so significant that they are beyond the risk appetite of your entity or it is against the law to share such information, you should not share the information.
See the Example table of key considerations below for further information.
Consider how the information is shared
The method of sharing the information and to whom it is shared can pose a risk of inappropriate disclosure or use of the information. To manage this risk, you should apply proportionate mitigations to reduce the likelihood of the inappropriate disclosure or use.
The appropriate controls and mitigations to establish will depend on the level of risk assessed for the disclosure or use.
When dealing with medium or high-risk disclosures, potential mitigations can include, but are not limited to:
- Access Restrictions: Access to the information shared is limited to those who genuinely require it – clearly specifying who these people are, their roles and how they are to use the information.
- Secure data storage: The information shared is stored, and shared with the organisation as required, on secure servers with robust security measures.
- Encryption: The information shared is encrypted to protect it from unauthorised access (internal and external to the organisation).
- Retention and disposal: Set expectations on how long the information can be held and how it should be returned or securely disposed of.
To identify additional mitigations that may be appropriate in a particular case, it is recommended you liaise with your entity’s information/data management area and your legal area.
Drafting and documenting the confidentiality obligations
Consider the appropriate form of documentation for your arrangement.
Once you have determined the necessary measures to mitigate the risk of misuse or inappropriate disclosure of information by the non-government party, you should consider the form of documentation that would be appropriate to govern the sharing and use of the information. For medium to high-risk disclosures, it may be appropriate to consult your legal area to draft legally binding confidentiality arrangements.
The confidentiality arrangement should:
- be clear about the purpose for which the information is being shared
- be clear about how the recipient (and its personnel where applicable) is permitted to make use of the information
- set out disclosures the recipient is permitted to make – for example whether disclosure is freely permitted within an entity or is limited to particular individuals
- include the identified mitigations as obligations on the recipient and how those obligations are to be applied to its personnel.
If you are seeking a written arrangement from a recipient that sets out confidentiality requirements, it should be signed by an appropriate and authorised representative(s) of the recipient organisation. The Commonwealth entity and the recipient organisation should each then retain a copy of the arrangement, both for your records and to assist with monitoring adherence.
Consider if it would be useful to document broader process considerations.
If you are sharing non-public Commonwealth information with non-government recipients outside of an established process (such as a procurement, grant or other documented process), then in addition to thinking about how you protect against inappropriate disclosure or misuse of information, you may also need to think about broader process considerations.
The confidentiality arrangements could be a useful avenue to address process considerations, though there might also be other means to achieve this (such as a standalone ‘process letter’, a terms of reference or other document that describes the activity). Depending on the reason why the information is being shared, the types of process matters that might benefit from being documented include timeframes, the parties’ respective roles, communication channels and authorised officers, intellectual property, probity and expectations on ethical behaviour (similar to those outlined in the Commonwealth Supplier Code of Conduct), responsibility for costs associated with the activity, and managing expectations on rights, limitations or obligations.
Individuals employed by organisations
Where an individual with whom information is being shared is employed by an organisation, it is often necessary to put in place the confidentiality arrangement with the organisation as the individual will receive the information as part of their employment and it will likely be stored on the organisation’s systems. The confidentiality arrangements with the organisation can be supplemented with individual acknowledgements or arrangements but these may not be effective on their own if the organisation has not also endorsed the arrangements.
Take care in dealing with any requests for you to keep information confidential
You may need to obtain advice from your legal team if you are asked to sign any legally binding confidentiality deeds, agreements or undertakings. This could arise both as a request for a standalone commitment from you as an individual or on behalf of your entity or where your entity is asked to agree to a ‘mutual’ confidentiality obligation.
Statutory duties of Commonwealth officials (and common law considerations) usually make it unnecessary for the Commonwealth to sign a confidentiality undertaking. The terms of any arrangement (including use and disclosure limitations) might be inconsistent with legislative or accountability requirements or the Commonwealth’s operational requirements. This means that signing any such undertaking could create a risk of inadvertent breach and unintended consequences (including potential ramifications for you or your entity).
Set up and check that recipients are following confidentiality requirements
While you may have a written confidentiality arrangement in place with a recipient, it does not stop there. It is important to set up the practical arrangements so that they are consistent with the confidentiality arrangements. For example, if the confidentiality arrangements only permit information to be shared with particular individuals, make sure your entity also supports compliance with that requirement by only sharing confidential information with those individuals.
It is your ongoing duty to monitor the organisation to assess their adherence to their obligations. Monitoring for compliance will assist in making it clear to the recipient that they must continue to comply with the confidentiality requirements, and also enables you to be better prepared to take the appropriate steps to manage the consequences of a breach of those obligations should it occur. Monitoring adherence is particularly important given that breaches of confidentiality can lead to consequences which are difficult to prevent or mitigate.
You should consider what measures would be appropriate to monitor compliance having regard to the level of risk. This includes internal processes to govern how you will manage ongoing oversight of the organisation (and its compliance with confidentiality obligations), as well as the steps that should be captured as part of the documented arrangement with the recipient.
Examples of key controls include, but are not limited to:
- Briefings: briefings on information management requirements can help to reinforce knowledge of and compliance with information management requirements
- Reporting: If the arrangement you have established requires a recipient to put in place specific processes or document storage arrangements, you could ask for periodic or regular reporting on the implementation of those arrangements (or in more significant situations, you could ask the recipient to create and provide you with a plan that shows how they will implement the arrangements and report against that plan).
- Reviews: In high-risk situations your entity could engage an independent third party to conduct periodic reviews of the organisation's implementation of and adherence to the agreed information management practices and procedures to ensure compliance with the contract/agreement.
- Incident reporting: Confidentiality arrangements usually require the organisation to report any incidents or breaches immediately. Sometimes this type of requirement is also captured in other contract clauses such as the Significant Events clause in Clausebank.
- Internal confidentiality register: It may be prudent to prepare and maintain an internal confidentiality register to record all confidentiality deeds or other written confidentiality arrangements that the entity has in place with non-government sector recipients for your particular engagement/activity (this will be particularly useful if there are differences in the timeframes or permitted purposes that apply to various recipients or arrangements that you have in place). In some cases, a register of information that has been shared with external parties is also appropriate.
Example table of key considerations
Consideration | Low risk | Medium risk | High risk |
---|---|---|---|
Type of information | Non-sensitive, general information. | Moderately sensitive information. | Highly sensitive information. |
Assessment of recipient | Known or public entities with no or minimal known risk of misuse. | Reliable but with some degree of exposure or third-party handling involved. | High level of scrutiny needed (for example, known instances of previous breach, or requirement for personnel to have certain clearances). |
Purpose of disclosure and consequences of a breach | Routine or general sharing. Minimal impact if there is an inappropriate disclosure. | Important purpose, but could be consequences and reputational harm if there is an inappropriate disclosure. | Could lead to significant harm if there is an inappropriate disclosure. |
Security measures | Basic security controls. | Moderate security controls (For example, password protection, limited access). | High level security (For example, data encryption, access-controlled systems, seeking assurances on security procedures). |
Duration of disclosure | Short-term or one-time disclosure. | Periodic or medium-term disclosure. | Ongoing or long-term disclosure. |
Storage and access requirements | No special storage or access control needed. | Limited access, but reasonable control measures required. | Restricted access and highly controlled storage systems required, requirements for return or disposal of the information or sharing only on Commonwealth premises. |
Type of confidentiality arrangement/ agreement | Clear labels/caveats provided when sharing the information, or a written acknowledgement/ undertaking from the recipient (perhaps more applicable if the information is covered by an existing regime and it would be appropriate for you simply to acknowledge that the regime exists). | If information use and disclosure is not already covered off in a binding agreement, a standard short form non-disclosure agreement (NDA) or confidentiality deed may be appropriate to receive from the relevant organisation and potentially from relevant individuals in the organisation (or other similar safeguards). | Must have a formal, legally binding non-disclosure agreement (NDA) or other written agreement in place. |
Other tools that may be available
In addition to confidentiality agreements, depending on the risks and the circumstances, other tools that can be considered to manage information shared with non-government parties include:
- developing or requiring the non-government party to develop an information management plan
- providing for the issue of information management protocols from time to time to address specific handling requirements for particular types of information
- briefing relevant individuals on the information management requirements to reinforce compliance with the confidentiality requirements.