Classification system

How to protect information

Protection – Classification drives the appropriate security of the information. Classified information must be protected to ensure its availability, integrity, and confidentiality commensurate with its classification. Protection of classified information is controlled through appropriate personnel, physical, and information security mechanisms as defined within the PSR and NZISM.

These requirements for securely handling government information applies to all government information, with or without a security classification.

Protective markings are not just for paper documents – they’re also for electronic information, digital media, information that will be delivered verbally, and equipment in which protectively-marked information is held or stored.

Quick guides for control and handling requirements for each classification

Applying protective markings to government information

Protective markings are placed on information and equipment to show the level of protection they need. Once you’ve identified information or equipment that needs protection or special handling (or both), you must assign a protective marking to it.

Requirements to apply protective markings also apply to information held within information and communications technology (ICT) systems such as databases, document management systems, email, or removable media.

How to apply protective markings depends on the how and where the information is created, stored, accessed, and used. For example, protective markings go at the top and bottom of each page of a document. A document means any form of recorded information, such as reports, letters, books, email, minutes, memoranda, films, charts, tapes, images, and digital media.

When printed documents are filed, their protective markings should be clearly visible. The same rule applies to removable electronic and optical media, such as USBs, CD-ROMs, microfilms, photographs, and removable hard drives.

Protective markings include Classifications and Endorsements.

Who sets and controls protective marking?

The person and organisation responsible for creating or preparing the information is the ‘originator’ and decides on its protective marking.

When information is created, the originator must do a risk assessment of the harm or prejudice that would result from specific content or equipment being compromised. If adverse consequences could occur, or the agency is legally required to protect the information, it must be given a protective marking.

Protective markings suggested by outside organisations or individuals should not automatically be accepted by New Zealand government agencies unless there has been a prior agreement.

Information derived directly from protectively-marked sources must carry, at a minimum, the highest security classification of any of the source classifications.

Who can change protective markings?

Information sensitivity will change over the information lifecycle and the protective markings should be reviewed and changed to reflect the changes in sensitivity.

Only the agency that assigns the original protective marking (the originating agency) can change it. All agencies must respect this rule.

Originating agencies should ensure that information shared with other agencies and partners are informed of changes to protective markings and does not withhold information inappropriately.

However, if you assess that the information is over-classified, you should seek agreement to remove or change a protective marking. If the originating agency doesn’t agree to remove the marking, the information should not be released.  If the requirement to release the information is subject to an official information request, an agency may transfer a request to another agency to fulfil the request should the information be held by the originating agency. See the Office of the Ombudsman for more information on official information request transfers.

However, the absence of permission to release or acceptance of transfer from the originating agency does not absolve the receiving agency of the obligation to decide on the request. The agency should use the tools provided in the Ombudsman’s guidance to assess the harm of disclosure against the public interest. This does not prevent the agency from consulting other interested parties before making the decision.

What to do if the owning organisation is disestablished or merged

If an agency is disestablished or merged, the agency assuming the former agency’s responsibilities is considered the owner.

The point of contact should be the Chief Security Officer (CSO) of the new agency.

What happens when information goes to Archives New Zealand

Archives New Zealand has limited capacity to store protectively-marked information, so consult with them first. If they can’t accommodate your information, seek leave to defer the transfer of protectively-marked records in line with the Public Records Act 2005.

If your agency is considering transferring records marked CONFIDENTIAL or above, consult with Archives New Zealand about declassifying the protective marking to a more relevant level.

Access to public archives in the control of the Chief Archivist is governed by an Access Authority set by the controlling public office and not the markings themselves. This access authority should take the protective markings into account, but it is the Access Authority which determines access. Handling and storage is consistent across all holdings regardless of the markings and meets the requirements of records marked at RESTRICTED.

When a record has been marked under the Public Records Act 2005 as being an open access record, any protective markings cease to have effect for any purpose.

See also: How to declassify information

Releasing government information to the public

New Zealand government employees must have agency authorisation to release any information to members of the public, regardless of any protective marking it may or may not have.

Authorisation may be granted by the agency head or a person given delegated authority by the agency head.

Even if information is intended for public release or publication, it may carry a control measure, such as an endorsement marking before its release. For example, Budget papers.

In this case, the point at which the information will be publicly available should be marked. When this information ceases to require the original control measures, your agency should consider applying protection measures consistent with the type of information contained within the document.

All personal information held, even if it is publicly available, must be handled in line with the Privacy Act 2020, Information Privacy Principles.

For records transferred to Archives New Zealand the agency remains responsible for managing requests to access or release of information restricted under their access authority.

Handling requests for official information

Your agency should have policy in place for addressing every request for government information, which may be released under the Official Information Act 1982 (OIA).

Understanding the legislation and implementing agency-specific OIA policy reduces the likelihood of an official information security breach through unintended or accidental disclosure.


Page last modified: 20/06/2022