Updated Regulation on Official Secrets: Modernization, Electronic Security Measures, and Comparison with International Standards

On 30 December 2025, the Thai Cabinet approved in principle the draft Regulation on the Protection of Official Secrets (No. ..) B.E. …., as proposed by the Office of the Permanent Secretary to the Prime Minister. This revision updates the framework established in B.E. 2544 (2001), primarily to address the increasing reliance on electronic systems in government operations and resolve limitations in handling classified information digitally.

Background and Rationale:

The original regulation, enacted pursuant to Section 16 of the Official Information Act, B.E. 2540 (1997), mandated measures to prevent leakage of official secrets. It detailed procedures for classification, copying, translation, transfer, transmission, disclosure, destruction, storage, backup, and security, but focused predominantly on paper-based documents.

With the widespread adoption of electronic systems, agencies faced operational delays when handling classified information, often reverting to paper methods for compliance. This practice conflicted with the Prime Minister’s Office Regulation on Administrative Correspondence (No. 4), B.E. 2564 (2021), which promotes electronic administration.

The need for reform was identified as early as meeting No. 2/2554 of the Official Information Board in March 2011, leading to the formation of a sub-committee. The revised draft, endorsed by the Board at its meeting No. 2/2568 on 28 October 2025, was subsequently submitted to the Cabinet.

Key Amendments: Electronic Classified Information

The primary enhancement is the introduction of Chapter 5: Electronic Classified Information, comprising 26 new provisions (Sections 50/1 to 50/26). These establish comprehensive guidelines for digital management of classified data, covering:

•  Classification and marking of electronic documents.

•  Procedures for creation, copying, translation, transfer, transmission, receipt, and disclosure via digital channels.

•  Secure storage, backup, and recovery to mitigate loss or unauthorised destruction.

•  Cybersecurity measures, including encryption, access controls, and system auditing.

•  Protocols for secure destruction of electronic classified information when no longer needed.

These provisions aim to facilitate efficient inter-agency coordination and public service delivery while preserving confidentiality.

Expected Benefits:

By providing clear protocols for electronic transmission, the regulation enhances administrative speed and aligns secrecy practices with modern information technology. It supports digital transformation in public administration without compromising national security or obligations under the Official Information Act, B.E. 2540 (1997).

Next Steps:

The Cabinet has directed submission of the draft to the Committee for the Scrutiny of Draft Legislation and Subordinate Legislation Proposed to the Cabinet. This review will incorporate observations from entities such as the Office of the Public Sector Development Commission, the Office of the Council of State, the Digital Government Development Agency, the National Economic and Social Development Council, and the National Security Council. Formal promulgation will follow upon completion.

Comparison with International Standards:

Thailand’s revisions demonstrate strong alignment with global best practices in electronic handling of classified information, which universally emphasize encryption, access controls, auditing, and secure storage.

•  United States: Executive Order 13526 and NIST SP 800-53 Revision 5 offer detailed, risk-based controls across multiple families (e.g., Access Control, System and Communications Protection). Thailand’s provisions mirror these in core areas but are less granular.

•  European Union: Council Decision 2013/488/EU requires approved cryptography for higher classifications and comprehensive information assurance. Thailand parallels this in transmission and storage requirements.

•  United Kingdom: The Official Secrets Act 1989 (as amended) and related policies incorporate encryption and secure systems, with recent enhancements under the National Security Act 2023 addressing contemporary threats.

•  ISO/IEC 27001: This standard mandates risk-based information classification and controls for transfer and protection. Thailand’s government-specific rules complement this approach.

Similarities include mandates for encrypted transmission, restricted access, secure storage, and audited destruction. Differences lie in depth: international frameworks like NIST provide extensive, customizable controls and certification requirements, whereas Thailand’s update remains procedurally focused on administrative adaptation.

Overall, this reform represents a commendable advancement toward international convergence, bolstering Thailand’s digital governance while upholding robust confidentiality safeguards. Further enhancements could involve adopting more detailed risk-based mechanisms and independent certification processes observed in mature systems.

Author: Panisa Suwanmatajarn, Managing Partner.
