You are here: Skip breadcrumbAttorney-General's Department >> Integrity >> Counter fraud >> Fraud countermeasures >> Sensitive information controls

 Sensitive information controls

Prevention shield icon Previous page Next page


Access to sensitive information and records is limited.

The Protective Security Policy Framework articulates the government protective security policies that underpin this control.


Some examples of this type of countermeasure include:

  • Access to the records of high profile individuals is restricted and monitored.
  • Access to sensitive information, such as Commercial-in-Confidence information, is restricted and monitored.
  • Protected information is stored in secure environments.

Purpose of this countermeasure

Staff or contractors can abuse their position of trust to:

  • access, manipulate or disclose sensitive information without authority, and
  • steal physical documents.

Staff and contractors can also be coerced to commit fraud for the benefit of another person or entity, e.g. coerced to provide sensitive information.

Abuse of public office or influencing a Commonwealth public official to commit fraud are offences under the Criminal Code Act 1995.

Allowing customers, staff or third parties to access sensitive information and records without authority can lead to fraudsters:

  • publicly releasing sensitive information,
  • using the information to improperly influence decisions, and
  • using the information to coerce others to act in an involuntary manner.


This type of control is supported by:

How do I know if my countermeasures are effective?

You can apply the following methods to measure the effectiveness of these types of countermeasures:

  • Confirm controls comply with the Protective Security Policy Framework. This includes security requirements for:
    • Sensitive and classified information
    • Access to information
    • Safeguarding information from cyber threats
    • Robust ICT systems
  • Confirm the existence of additional controls for more sensitive information.
  • Review procedures or guidance to confirm it clearly specifies what constitutes sensitive information.
  • Obtain and review requirements for can who can access sensitive information.
  • Confirm the existence of a request and approvals process for accessing sensitive information.
  • Confirm request and approvals processes are consistently applied.
  • Review procedures for requesting access to sensitive information. Confirm the processes are robust. Actively test them if required.
  • Review the need for Security Clearances for accessing sensitive information, if applicable. Confirm staff have the minimum level of clearance.
  • Undertake testing or a process walk-through to confirm that accesses or processes cannot be circumvented.
  • Undertake checks to confirm compliance with clear desk policy.
  • Confirm access to sensitive information is regularly reviewed and reconciled.

Back to top

Previous page Next page​​

​​​​Commonwealth Fraud Prevention Centre logo​​​​​​