Classification system

How to meet the classification principles

How to meet Principle 1:
Organisational accountability requirements

Principle 1 states that:

New Zealand government agencies that handle government information must establish the conditions that enable people to handle government information correctly and safely.

Agency heads own their organisation’s approach to classification and security and invest in ongoing capability and improvement. The Classification System policy and principles are embedded within their organisation’s policies and procedures and people are supported to encourage desired behaviour.

Policy Statement: Agency heads must establish an organisational classification policy and procedures in line with the Classification System and ensure that all people who handle government information do so correctly and safely.

To meet your obligations under Principle 1, organisations need to:

  • Have a classification policy: Review your agency’s existing classification policy or establish a new policy. You can use the sample classification policy which can be adapted for your organisation. This policy should include:
    • Roles responsible for management and support of the Classification System
    • Outline the core legislative, regulatory, legal, organisational policy, and partner requirements that governs information creation, security, management, sharing, declassification, and release.
    • Define the core policies and principles for classification
    • Link to related policies, guidance and standard operating procedures.
  • Establish classification procedures: Review and update your procedures and guidelines for handling government information (including partner information) securely and correctly.
    • Security classifications and protective marking guidelines
    • Partner information guidelines.
  • Provide people with regular and ongoing classification training: Provide your people with timely and ongoing classification training including how to classify it, handle it, share it, and declassify it. This training should form part of your wider information management and security training. Regularly assess how well people understand and can use the Classification System.
  • Build classification policy requirements into your supplier contracts: Suppliers and third parties become an extension of your business and broaden your security risks. Build your classification policy requirements into your contracts and require your suppliers to do the same when sub-contracting work to other suppliers. Provide your supplier’s staff with regular and ongoing training to ensure they understand how to classify and handle your information securely. Build assurance activities into your supply chain management functions which include evaluation of their compliance with your classification policy.
  • Undertake regular reviews of classifications: Information sensitivity will change over the information lifecycle and therefore protective markings should be reviewed to ensure they are still appropriate. Pragmatically, you can perform reviews over the information lifecycle:
    • The information owner/creator can review while drafting, editing, changing, publishing, or disseminating the information
    • A user can review and confirm the classification when using the information and raise any clarification/justification requests to the information owner if they think it is no longer appropriate (including under a request for official information release)
    • An information management or security professional can review and audit a random selection of information and record its findings and recommendations to learn and improve capability over time.
    • A declassification officer will review historical records as part of the declassification assessment.
  • Ensure your classification approach is fit for purpose: Regularly review how well the classification practices are working for your organisation. Plan improvements and report back on your programme.
    • Assess performance by looking at recent information vulnerability assessments, information compromises, and outcomes from audits by internal staff, the Ombudsman or the Chief Archivist.
    • Assess if you have the right resources and investment in classification commensurate with the risks faced by your organisation.
    • Plan improvements or changes to classification efforts as part of your protective security improvement programme. This can include changes to roles and responsibilities, policies, procedures and guidance, training and education, or leadership and communication.
    • Assess your classification capability as part of your protective security capability maturity assessment. Annually, report back on the performance of your programme and areas for further investment and improvement.

See also:

How to meet Principle 2:
Personal responsibility requirements

Principle 2 states that:

Everyone who works in or with the New Zealand public sector, including employees, contractors, and suppliers, has a duty to classify, declassify and handle information appropriately. Individual classification, declassification, and sharing decisions are based on an effective risk assessment of the harm and impact of information compromise and in line with the organisation’s classification system policies and procedures.

Policy Statement: Everyone must take responsibility to understand and fulfil their obligations to classify, declassify, and handle information correctly in line with the organisation’s classification policy and legislative, regulatory, and other organisational obligations.

To meet your personal responsibility obligations, people working with government information need to:

  • Build and keep your classification knowledge and skills up to date: Attend and participate in available training and education and read guidance materials to ensure you can fully understand and fulfil your obligations for correctly classifying and handling information securely and correctly.
  • Become adept at assessing and articulating the harm of information compromise: Government information must be classified and protectively marked at the lowest level possible that will still provide the necessary level of protection for its sensitivity. Even unclassified information is protected. Each information set will have different sensitivities which will change over time. Use paragraph marking to help you keep track of the parts of information that have greater or lesser sensitivity. Be able to justify the classification decision.
  • Set the duration of protective markings: When you first apply a protective marking to information, try to set a date or event when you will review it for declassification. Base the date or event on an assessment of how long the information will remain sensitive. For example, Budget papers need high protection before the Budget’s release, but not afterwards. Some information may need increased protection because it is under embargo until a specific public policy statement, after which time it becomes public information. On reaching the date or event, the information should be automatically downgraded to a more relevant level of control.
  • Seek and act on classification learning opportunities: When using information, don’t take the classification or protective marking at face value – do your own risk assessment and seek clarification from the information owner if your assessment differs. Be open to challenge on the information you classify. If you can justify your assessment, you can have a useful conversation on potential harm and risk. Note that information sensitivity will change over time, and it may be time to change the classification. Use these interactions as learning opportunities for both parties; do not look to blame or shame.
  • Consider the intended audiences who could benefit from the use of the information: When creating information for use by others, look for ways to reach the widest audience to achieve the greatest benefit. When in doubt, individuals should consider whether the particularly sensitive information could be redacted or reframed at a lower classification level to achieve the greatest value of releasing or sharing the information for a specific audience.
  • Don’t withhold information inappropriately: It is not appropriate to use classification or protective marking to withhold information inappropriately such as to:
    • hide violations of law, inefficiency, or administrative error
    • prevent embarrassment to an individual, organisation, agency, or the government
    • restrain competition
    • prevent or delay the release of information that does not need protection in the public interest.

See also:

How to meet Principle 3:
Information-sharing requirements

Principle 3 states that:

Government organisations recognise that appropriately sharing decision-useful information with relevant organisations is a core foundation to protecting New Zealand and New Zealanders from threats, and for realising the potential of information to aid government effectiveness and enable wellbeing of New Zealanders. This is underpinned by a culture of trust between partners that shared information is handled and used appropriately and safely.

Policy Statement: Agency heads must ensure that policies and procedures for handling classified information reinforce the value of information-sharing, collaboration, and cross-partner trust. They must implement effective and safe information-sharing practices within their agency and with other trusted partners. People are supported and empowered to achieve decision-useful sharing appropriately and safely.

To meet your obligations under Principle 3 organisations need to:

  • Ensure policies reinforce the value of information sharing. Information sharing is authorised and enabled in many areas and recommend that the value of information sharing is embedded into appropriate policies, e.g. Declassification Policy, Information Sharing agreements, Information Management policies etc. The concept of Information-sharing should be embedded into information management best practice.
  • Understand the stakeholders you need to share classified information with. Agencies should know what information they need to do their job and what information they hold that will help others do their job. From an operational point of view, a lot of information sharing happens already. Assess the following questions:
    • Are you sharing with everyone you should (inside and outside the organisation)?
    • Is the information that is being shared fit for purpose?
    • Is the classification appropriate for intended distribution?
  • Understand your information-sharing obligations under relevant legislation: Information is often not shared due to misunderstanding of the relevant legislation and/or fears of acting outside the legislation. While these behaviours are the result of both attitudes and knowledge, agencies should assess whether staff knowledge is accurate and, if not, provide training to address any knowledge gap.
  • Identify any barriers to effective information sharing: Information sharing is a business process that can be influenced by many factors, including culture, people factors, processes and technology. Agencies should identify any specific barriers to information sharing in their own context. For example, working on culture will not improve information sharing if the underlying need is that there are no agreements in place to share information.
  • When appropriate, agencies should make appropriate use of available government information-sharing instruments: Not all information sharing requires formal agreement. However, the delivery of effective public services can be enabled by appropriate agreements, from Memorandums of Understanding to Approved Information Sharing Agreements. An AISA is a legal mechanism that authorises the sharing of information between or within agencies for the purpose of delivering public services. An AISA authorises agreed departures from some of the privacy principles, if there is a clear public policy justification and the privacy risks of doing so are managed appropriately.
  • Establish policies, procedures and training for sharing classified information: Effective information sharing requires several things to work. Organisations must adopt and promote it, systems must make it possible, processes must enable it and people must have the skills and motivation to do so.

See also:

The following resources can assist agencies to identify what change is needed to improve information sharing.

How to meet Principle 4:
Information declassification requirements

Principle 4 states that:

Government information must not remain classified indefinitely without being subject to review for declassification as defined within organisation’s declassification policy. This policy must be in line with the Public Records Act 2005 and information management standards and should be made available to the public to improve transparency and accountability of declassification decisions.

To meet your obligations under Principle 4 organisations need to:

  • Understand what classified information your agency holds: Before writing a declassification policy, agencies need to understand what classified information they hold, how that information is currently scheduled for release and what public value the release of this information would hold.
  • Have a declassification policy: You can use the sample declassification policy which can be adapted for your organisation.
  • Establish declassification criteria: Agencies need to set declassification criteria that are consistent both with information management standards and with common sense. With regard to information management, this means that agencies need to establish rules and standards for how classified information will be managed and for how long it will be classified, and for the process of declassification. This ensures that the classification applied to most information will end (or be reassessed) after an agreed time period.

Agencies also need to consider the proactive declassification of archived material, i.e. releasing information of high public value before required by policy. Where agencies hold archived classified information of public interest (e.g. relating to key moments in the nation’s history), they are encouraged to determine criteria through which these can be released and establish a programme to do so.

  • Establish declassification governance: Agencies must establish an appropriate governance framework for declassification. Governance bodies must: ensure that declassification: delivers value for the public; and, have the organisational experience [and political acumen] to arbitrate declassification decisions when conflicting opinions arise.
  • Establish a declassification programme:
    • Where appropriate, agencies should appropriately resource and establish a regular programme for declassifying government information in line with their policy and priorities.
    • Agencies must report transparently on the progress, results, and expected value that the programme delivers (most likely via their annual report).

See also:

Page last modified: 20/06/2022