Guidance on handling sensitive information in IT.

‘OFFICIAL-SENSITIVE’ is not a classification. ‘Sensitive’ is a handling caveat for a small subset of information marked OFFICIAL that require special handling by staff.

You shouldn’t treat all sensitive information equally. Any information marked ‘OFFICIAL-SENSITIVE’ in your organisation will need risk appropriate security measures. These security measures will depend on the risks surrounding the information.


Don’t look for assurance that a system is ‘good for OFFICIAL-SENSITIVE’. A system that can handle OFFICIAL data may be appropriate to handle sensitive information.

As outlined by the Security Classifications policy, you must make sure procedural or personnel controls are in place when you put sensitive information into a digital system.

Most digital systems will also support technical controls, such as access control and audit logging. If your system doesn’t support technical controls, you need to make a risk based decision on where to store this information.

Published 3 February 2017