
Decide and assign access permissions

To manage access to records, you need to:

  • decide who can access them and assign appropriate permissions
  • make sure records can be found and used
  • promote the use and re-use of records.

Not all employees have the right to use, or even find, every piece of information your agency manages. Access to sensitive, confidential or private information has to be controlled.

You should review access permissions regularly to make sure they meet all your requirements, and are not over- or under-restrictive. When reviewing restrictions, be aware that requirements can change and the sensitivity of information naturally decreases over time.

We recommend the following process for reviewing and setting access permissions:

Step 1: Identify access restrictions

Step 2: Develop access classifications

Step 3: Match records to access classifications

Step 4: Assign access permissions

Step 5: Implement access permissions

Step 1. Identify access restrictions

If you are starting from scratch in a new agency, you will have to develop access permissions for employees.

If you are working in an established agency, it’s likely that a range of decisions have already been made about who should have access to what records.

Access restriction requirements can be found in:

It is recommended that you focus on high-priority areas first (e.g. current employee records, client or customer information, Cabinet documents).

Think carefully before applying higher access restrictions. Most government information isn’t sensitive, confidential or private, and won’t require any special internal access restrictions.

Information owners can help you understand records, decide on access and review restrictions.

You should also consult with employees likely to be affected by access permissions.

See also Information security and identity management and Information access and use (IS33).

Step 2. Develop access classifications

You can use an access classification framework to set out the different kinds or levels of restriction you use to protect certain information.

Develop a framework based on the access restrictions you decided in step 1. You can use the Queensland Government information security classification framework (QGISCF). It is mandatory for government departments and statutory bodies defined in the Financial Accountability Act 2009 to implement this framework and its requirements. Even though the terms in this document refer to security classifications, they are also suitable for classifying access.

See Principle 2 of Information Standard 18: Information security (IS18) for further information.

Even if you don’t work in a department or statutory body, you may decide to implement the QGISCF as a best practice framework. The QGISCF will also help to ensure consistent access management across government and make it easier to maintain access during machinery-of-government changes.

Common security classifications

The security classifications most commonly used in agencies include:

  • PUBLIC for information that can be made publicly available
  • UNCLASSIFIED for the majority of information that does not need internal access controls, but needs the owner’s permission to be publicly released
  • IN-CONFIDENCE or SENSITIVE for information that, if compromised, could cause limited damage to the state, the government, commercial entities or members of the public
  • PROTECTED and CABINET-IN-CONFIDENCE for information that, if compromised, could cause damage to the state, the government, commercial entities or members of the public.

Higher security classifications can be applied to information that requires a substantial degree of protection and to national security information. These are rarely used.

IN-CONFIDENCE information

Examples of IN-CONFIDENCE classifications include:

  • EMPLOYEE-IN-CONFIDENCE for human resources information (e.g. employee files or recruitment documents)
  • COMMERCIAL-IN-CONFIDENCE for procurement/contractual information, sensitive intellectual property
  • CLIENT-IN-CONFIDENCE for sensitive legal advice or personal information held about clients
  • EXECUTIVE-IN-CONFIDENCE for sensitive executive level information (e.g. financial reports, strategic plans)
  • AUDIT-IN-CONFIDENCE for some audit information (e.g. reports identifying security and control weaknesses).

Step 3. Match records to access requirements

Access restrictions typically apply to groups of records linked by business activities (e.g. payroll information).

Use your agency business classification scheme (BCS) or retention and disposal schedule (RDS) to identify the relevant business activities and records to match with the appropriate access restrictions.


  • use your agency’s core schedule or core business activities and functions
  • use the General Retention and Disposal Schedule (GRDS) for functions and activities common to most agencies (e.g. financial management, HR)
  • use your knowledge of your agency’s business processes and records if your agency does not have a BCS or core schedule.

Step 4. Assign access permissions

All employees should be able to access PUBLIC or UNCLASSIFIED records.

Use your agency’s organisational charts to help you assign permissions to employees. These can be based on business areas / roles and activities (e.g. HR employees need access to HR records, case workers need access to client files).

Access restrictions should be placed on the record, container or file. Access permissions should then be assigned to roles or positions rather than individual people. This reduces the need to update access permissions as employees change, and ensures employees with access to some IN-CONFIDENCE records do not have access to all IN-CONFIDENCE records.

Decisions can be documented in a standalone access register and/or in the relevant applications as control information or access metadata, depending on the particular applications’ functionality.

Step 5. Implement access permissions

The way you implement access permissions depends on your agency’s recordkeeping system, the format of your records, and on your business or recordkeeping applications.

Physical records

You will need appropriate security measures for physical records. Restricted records could be:

  • locked away in a filing cabinet
  • placed in a storage room accessible only to appropriate employees
  • stored in a location accessible only to recordkeeping employees, who would then be responsible for providing access.

Marking records with their assigned access or security classification, or using different coloured folders to represent different classifications may also be useful.

You may need to keep a register tracking which users have access to sensitive records. See the QGISCF for further information.

Digital records

There are 7 things to think about when implementing access permissions for digital records.

Access to applications

You can restrict access to the application the records are stored and managed in.

Default access permissions are built into your desktop and local drives, and individual email inboxes. The information stored there is protected with log-ins and passwords and is accessible only to particular individuals and teams.

Other business systems and applications can be restricted to certain employees e.g. access to financial applications is restricted to financial employees.

Access within application

Access to records can be given by implementing controls within applications.

You will need to do this if you have a recordkeeping solution or application designed to manage a variety of records and provide access to a broad range of users (like a core business application).

Managing access within these applications is usually the responsibility of the recordkeeping team, but IT areas may need to help input the access classification framework.

Access groups

Access permissions can be assigned to a whole business unit or team, or to specific roles and levels.

You may need to create specific access groups, usually based on teams, business units, levels and/or roles.

Access levels

Access permissions can be assigned at document level and/or a file, folder, functional or subject level.

Deciding which level to apply permissions to depends on the records and how easily they can be grouped together.

Assigning permissions at a file, folder or functional level means individual records inherit access permissions from the files or folders that they belong in. This reduces the number of access restrictions to be assigned and controlled.

Types of access

Access can be restricted based on what users are able to do with a record (e.g. full read/write or read-only access).

This can sometimes be applied to the record and its metadata separately; that is, users can see the metadata about a record and know the record exists, but not view the record itself.

Classifying new records

You can classify the access status of new records by:

  • automatically applying the access classification of the parent file or folder
  • prompting the user to choose an access classification.

You may need to set up a warning or prompt to re-classify the record if the classification selected for a record does not match its parent location.
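
The following sketch is an added example, not code from this guidance or from any recordkeeping product. It models four of the points above: permissions granted to roles rather than people (Step 4), records inheriting a classification from their parent folder, metadata-only access, and a warning when a new record's chosen classification does not match its parent. The role names, folder names and the UNCLASSIFIED default for unmarked folders are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

OPEN_TO_ALL = {"PUBLIC", "UNCLASSIFIED"}

# Hypothetical roles: grants go to roles, never to named individuals.
# role -> {classification: type of access}
ROLE_GRANTS = {
    "hr-officer": {"EMPLOYEE-IN-CONFIDENCE": "read-write"},
    "case-worker": {"CLIENT-IN-CONFIDENCE": "read-write",
                    "EMPLOYEE-IN-CONFIDENCE": "metadata-only"},
}

@dataclass
class Node:
    """A folder, file or record; classification=None means inherit."""
    name: str
    parent: Optional["Node"] = None
    classification: Optional[str] = None

    def effective_classification(self) -> str:
        node = self
        while node is not None:
            if node.classification:
                return node.classification
            node = node.parent
        return "UNCLASSIFIED"  # assumption: unmarked trees get the default

def access_for(role: str, record: Node) -> str:
    """Return 'read-write', 'read', 'metadata-only' or 'none'."""
    cls = record.effective_classification()
    default = "read" if cls in OPEN_TO_ALL else "none"  # deny unless granted
    return ROLE_GRANTS.get(role, {}).get(cls, default)

def classify_new(name: str, parent: Node, chosen: Optional[str] = None):
    """Create a record; warn if the user's choice differs from the parent."""
    inherited = parent.effective_classification()
    warning = None
    if chosen is not None and chosen != inherited:
        warning = (f"{name}: '{chosen}' does not match parent "
                   f"'{parent.name}' ({inherited}); re-classify or move")
    return Node(name, parent, chosen), warning

if __name__ == "__main__":
    hr = Node("HR", classification="EMPLOYEE-IN-CONFIDENCE")  # constructed data
    recruitment = Node("Recruitment", parent=hr)
    offer, _ = classify_new("offer-letter.docx", recruitment)
    for role in ("hr-officer", "case-worker", "finance-officer"):
        print(role, "->", access_for(role, offer))
    print(classify_new("newsletter.docx", recruitment, "PUBLIC")[1])
```

Because the restriction sits on the folder and the grant sits on the role, a staffing change only alters who holds the role, and a role with no grant for a restricted classification is denied by default.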

Information security

Use information security processes to stop unauthorised access to records. These processes are typically the responsibility of IT teams (digital), and records and facilities teams (physical).

For example, authenticating potential users before providing them with access to digital records is a standard information security process. Most IT applications support this kind of functionality. Locking away sensitive physical information in secure filing cabinets or rooms, and providing access on an as-needed basis, achieves the same outcome.

Information Standard 18: Information security (IS18) sets out best practice principles and mandatory requirements for departments and statutory bodies, including for information assets with higher security levels.

See also Information security and identity management.
