Decide and assign access permissions
To manage access to records, you need to:
- decide who can access them and assign appropriate permissions
- make sure records can be found and used
- promote the use and re-use of records.
Not all employees have the right to use, or even find, every piece of information your agency manages. Access to sensitive, confidential or private information has to be controlled.
You should review access permissions regularly to make sure they meet all your requirements, and are not over or under-restrictive. When reviewing restrictions, be aware that requirements can change and the sensitivity of information naturally decreases over time.
We recommend the following process for reviewing and setting access permissions:
Step 1: Identify access restrictions
Step 2: Develop access classifications
Step 4: Assign access permissions
Step 5: Implement access permissions
If you are starting from scratch in a new agency, you will have to develop access permissions for employees.
If you are working in an established agency, it’s likely that a range of decisions have already been made about who should have access to what records.
Access restriction requirements can be found in:
- legislation administered by or relevant to your agency (e.g. Information Privacy Act 2009, the Public Health Act 2005)
- government-wide policies (e.g. guidelines on the management of Cabinet documents)
- internal policies or processes (e.g. management of legal opinions, procurement information, employee and financial records, or important strategic planning records)
- general business and recordkeeping requirements.
It is recommended that you focus on high-priority areas first (e.g. current employee records, client or customer information, Cabinet documents).
Think carefully before applying higher access restrictions. Most government information isn’t sensitive, confidential or private, and won’t require any special internal access restrictions.
Information owners can help you understand records, decide on access and review restrictions.
You should also consult with employees likely to be affected by access permissions.
You can use an access classification framework to set out the different kinds or levels of restriction you use to protect certain information.
Develop a framework based on the access restrictions you decided in step 1. You can use the Queensland Government information security classification framework (QGISCF). It is mandatory for government departments and statutory bodies defined in the Financial Accountability Act 2009 to implement this framework and its requirements. Even though the terms in this document refer to security classifications, they are also suitable for classifying access.
See Principle 2 of Information Standard 18: Information security (IS18) for further information.
Even if you don’t work in a department or statutory body, you may decide to implement the QGISCF as a best practice framework. The QGISCF will also help to ensure consistent access management across government and make it easier to maintain access during machinery-of-government changes.
Common security classifications
The security classifications most commonly used in agencies include:
- PUBLIC for information that can be made publicly available
- UNCLASSIFIED for the majority of information that does not need internal access controls, but needs the owner’s permission to be publicly released
- IN-CONFIDENCE or SENSITIVE for information that, if compromised, could cause limited damage to the state, the government, commercial entities or members of the public
- PROTECTED and CABINET-IN-CONFIDENCE for information that, if compromised, could cause damage to the state, the government, commercial entities or members of the public.
Higher security classifications can be applied to information that requires a substantial degree of protection and to national security information. These are rarely used.
Examples of IN-CONFIDENCE classifications include:
- EMPLOYEE-IN-CONFIDENCE for human resources information (e.g. employee files or recruitment documents)
- COMMERCIAL-IN-CONFIDENCE for procurement/contractual information, sensitive intellectual property
- CLIENT-IN-CONFIDENCE for sensitive legal advice or personal information held about clients
- EXECUTIVE-IN-CONFIDENCE for sensitive executive level information (e.g. financial reports, strategic plans)
- AUDIT-IN-CONFIDENCE for some audit information(e.g. reports identifying security and control weaknesses).
Access restrictions typically apply to groups of records linked by business activities (e.g. payroll information).
Use your agency business classification scheme (BCS) or retention and disposal schedule (RDS) to identify the relevant business activities and records to match with the appropriate access restrictions.
- use your agency’s core schedule or core business activities and functions
- use the General Retention and Disposal Schedule (GRDS) for functions and activities common to most agencies (e.g. financial management, HR)
- use your knowledge of your agency’s business processes and records if your agency does not have a BCS or core schedule.
All employees should be able to access PUBLIC or UNCLASSIFIED records.
Use your agency’s organisational charts to help you assign permissions to employees. These can be based on business areas / roles and activities (e.g. HR employees need access to HR records, case workers need access to client files).
Access restrictions should be placed on the record, container or file. Access permissions should then be assigned to roles or positions rather than individual people. This reduces the need to update access permissions as employees change, and ensures employees with access to some IN-CONFIDENCE records do not have access to all IN-CONFIDENCE records.
Decisions can be documented in a standalone access register and/or in the relevant applications as control information or access metadata, depending on the particular applications’ functionality.
The way you implement access permissions depends on your agency’s recordkeeping system, the format of your records, and on your business or recordkeeping applications.
You will need appropriate security measures for physical records. Restricted records could be:
- locked away in a filing cabinet
- placed in a storage room accessible only to appropriate employees
- stored in a location accessible only to recordkeeping employees, who would then be responsible for providing access.
Marking records with their assigned access or security classification, or using different coloured folders to represent different classifications may also be useful.
You may need to keep a register tracking which users have access to sensitive records. See the QGISCF for further information.
There are 7 things to think about when implementing access permissions for digital records.
Access to applications
You can restrict access to the application the records are stored and managed in.
Default access permissions are built into your desktop and local drives, and individual email inboxes. The information stored there is protected with log-ins and passwords and is accessible only to particular individuals and teams.
Other business systems and applications can be restricted to certain employees e.g. access to financial applications is restricted to financial employees.
Access within application
Access to records can be given by implementing controls within applications.
You will need to do this if you have a recordkeeping solution or application designed to manage a variety of records and provide access to a broad range of users (like a core business application).
Managing access within these applications is usually the responsibility of the recordkeeping team, but IT areas may need to help input the access classification framework.
Access permissions can be assigned to a whole business unit or team, or to specific roles and levels.
You may need to create specific access groups, usually based on teams, business units, levels and/or roles.
Access permissions can be assigned at document level and/or a file, folder, functional or subject level.
Deciding which level to apply permissions to depends on the records and how easily they can be grouped together.
Assigning permissions at a file, folder or functional level means individual records inherit access permissions from the files or folders that they belong in. This reduces the number of access restrictions to be assigned and controlled.
Types of access
Access can be restricted based on what users are able to do with a record (e.g. full read/write or read-only access).
This can sometimes be applied to the record and its metadata separately–that is, users can see the metadata about a record and know the record exists, but not view the record itself.
Classifying new records
You can classify the access status of new records by:
- automatically applying the access classification of the parent file or folder
- prompting the user to choose an access classification.
You may need to set up a warning or prompt to re-classify the record if the classification selected for a record does not match its parent location.
Use information security processes to stop unauthorised access to records. These processes are typically the responsibility of IT teams (digital), and records and facilities teams (physical).
For example, authenticating potential users before providing them with access to digital records is a standard information security process. Most IT applications support this kind of functionality. Locking away sensitive physical information in secure filing cabinets or rooms, and providing access on an as needed basis achieves the same outcome.
Information Standard 18: Information security (IS18) sets out best practice principles and mandatory requirements for departments and statutory bodies, including for information assets with higher security levels.
- Information security classification framework (QGISCF)
- Information access and use policy (IS33)
- Information security information standard (IS18:2009)
- Information security and identity management
- Health agencies - data quality and data security, Office of the Information Commissioner
- Protection and security of personal information, Office of the Information Commissioner