DCS-2025-06 Managing Cyber Security Incident Information: Limited Use Obligations for NSW Government

This circular sets mandatory requirements for NSW Government agencies on handling ‘limited use’ cyber security incident information under the Intelligence Services Act 2001 (Cth) (IS Act) and Cyber Security Act 2024 (Cth) (CS Act). Agencies must ensure information is used only for permitted purposes, access is restricted, and required training is completed.

Issued: 9 December 2025 by Secretary, Department of Customer Service

Key information

Status: Active
Type: Department of Customer Service Circular
Identifier: DCS-2025-06
Compliance: Mandatory

Who needs to know and/or comply with this?

  • Councils under the Local Government Act
  • Departments
  • Executive agencies related to Departments
  • Separate agencies
  • Statutory Authorities/Bodies

Overview 

In November 2025, the NSW Government agreed to bind NSW state bodies to the limited use obligations (LUO) established under the Intelligence Services Act 2001 and the Cyber Security Act 2024. 

As part of cyber security incident response activities, NSW Government state bodies may be provided information subject to LUO from relevant Australian Government bodies under approved conditions. 

Scope 

This Circular applies to all NSW Government departments, public service agencies, and eligible state bodies that may engage with the limited use information sharing mechanism under the CS Act and the IS Act as outlined in Attachment A.

Limited use information 

‘Limited use’ means that cyber security incident information voluntarily shared by industry with the Australian Signals Directorate or the National Cyber Security Coordinator cannot be used against the sharing entity for regulatory or law enforcement purposes, except in specific situations (i.e. if the entity has violated parts of the CS Act or IS Act or committed a criminal offence under other laws). 

Information sourced through other lawful means, such as self-initiated investigations, use of powers or media reports, is not considered limited use. 

Agency obligations 

Where a NSW Government agency receives limited use information, it must be handled in accordance with the restrictions and protections set out in the CS Act and the IS Act, in addition to any applicable NSW Government policies (such as the State Records Act 1998 (NSW), and the NSW Government Information Classification, Labelling and Handling Guidelines). Specifically, agencies must: 

  • Use the information only for the purposes permitted under the Acts, including to: 
    • prevent, mitigate or respond to a cyber security incident, or 
    • perform the functions of the agency to the extent they relate to cyber security. 
  • Not use the information for enforcement, disciplinary, regulatory, or unrelated administrative actions. 
  • Limit internal access to staff with a legitimate operational need-to-know, for example, those directly involved in cyber response, threat assessment, or executive coordination and communication. 
  • Protect the information in line with NSW Government security and privacy standards, including applying appropriate classification, handling and storage requirements (e.g. OFFICIAL Sensitive – NSW Government or PROTECTED). 
  • Prevent adjacent or unintended disclosure, including in legal, HR, audit, or regulatory processes, unless explicitly authorised by law or the Commonwealth source agency. 
  • Document how the information was used, including the context in which it was received, the internal decisions it informed, and any onward communications.

Participation in the obligation does not remove or override existing reporting obligations (e.g. to Cyber Security NSW, the NSW Information and Privacy Commission, under the Security of Critical Infrastructure Act 2018 or to external regulators). Agencies are strongly encouraged to consult Cyber Security NSW or internal legal/privacy teams where uncertainty exists around how the information can or cannot be used under the limited use obligations.

Training requirement 

Online training about the limited use obligations provided by Cyber Security NSW should be completed annually by staff with an operational need-to-know. This includes Chief Information Security Officers, cyber security teams, information governance officers, ICT professionals, and executive decision-makers who are responsible for: 

  • Managing cyber security incidents and reporting. 
  • Assessing whether incidents meet the threshold in which services and systems have sustained degradation, operational impact or notable harm to reputation and stakeholder confidence. 
  • Determining if and when information should be voluntarily shared with the ASD or the Coordinator.

Agencies must keep a record and, where possible, monitor completion of this training. Cyber Security NSW may periodically seek assurance or visibility of how the limited use mechanism is being implemented across the sector. 

State bodies, public servants and other entities or persons that breach the obligations outlined in the CS Act or the IS Act by misusing or improperly disclosing limited use information may be held personally liable to a civil penalty.

Cyber Security NSW support for state bodies 

Cyber Security NSW serves as the NSW Government’s central cyber security function and is the key point for managing limited use information in NSW. This includes overseeing the receipt, handling, and any subsequent use or communication within the NSW Government. 

To support these requirements, Cyber Security NSW assists agencies and Ministers through structured policy guidance, targeted training, and supporting collateral to ensure staff are fully informed and equipped to operationalise limited use obligations with confidence. These resources are available to agencies by request via [email protected].

Contacts

Contact: https://www.digital.nsw.gov.au/delivery/cyber-security
Phone: 13 7788
Publishing Agency: Department of Customer Service
Issuing Authority: Secretary, Department of Customer Service