Using the business impact levels tool
The business impact levels (BIL) tool provides parameters to assess potential damage from compromise of the confidentiality of information. The tool assists in the consistent classification of information and the assessment of impacts on government business.
This tool considers potential impact on the:
- individual
- organisation
- legal compliance
- compiled data
- government
- Australian economy
- infrastructure
- international relations
- crime prevention, defence or intelligence operations.
The BIL tool has been modified slightly for use in NSW. When assessing information using the tool, all sub-impact categories need to be used to make the assessment, and the security classification should then be set at the lowest reasonable level.
The intent of the BIL tool is to provide a way of consistently assessing potential damage due to compromise of information; however, the classifications also need to be practically applied. Limiting the dissemination of information due to security classification could also have a negative impact if the people who need to know are unable to view the information when they require it. A pragmatic and risk-based approach is recommended.
An agency has sensitive information within a dataset and is trying to decide, using the BIL tool, whether it should be labelled with a NSW DLM or a security classification of PROTECTED. Considering the assets and finances sub-impact category, if the unauthorised release of information could cause limited damage to an agency’s asset or operational budget estimated to be between $10 million and $100 million, the information would be labelled with a NSW DLM with a prefix of OFFICIAL: Sensitive. If the unauthorised release could cause damage between $100 million and $10 billion, then the information would be labelled as PROTECTED.
Often it is the difference between assessing information as sensitive (requiring a DLM) or assessing the information as PROTECTED which causes the most concern for NSW agencies. The figure below describes a way to help determine if a document is sensitive or if a security classification is needed.
Figure 3: Assessing whether information is sensitive or security classified
Caveated information is described here.