Controlling access to information
Access to and sharing of government information may be restricted because of its nature and sensitivity, including by:
- Limiting access to authorised people (e.g. those with the appropriate security clearance and authorisation)
- Limiting access to those with a need-to-know (e.g. those who require the information to perform their job)
An individual’s access may be restricted through:
- Physical locations
- File system permissions (including for physical documents and files), such as the ability to create, read, edit or delete
- Application or program permissions, such as the right to run a program
- Data and information rights, such as the right to retrieve, print, update, or delete information in a database or system.
The information’s protective marking defines a minimum requirement for specific types of access controls that must be in place to protect the information from compromise.
Those with the right clearance must be briefed about the significance of the information and any special handling requirements before they are given access to it.
- NZISM Section 16. Access Control and Passwords for information on ICT access controls
- Security Zones for specific physical location zone access controls.
Limiting access to authorised people
Before you grant access to information with a protective marking, check that the person has the right level of security clearance.
They must hold a security clearance that is at the same level or higher than the security classification on the information. People who don’t have the right clearance must not be given access.
Individuals must have a national security clearance administered by the New Zealand Security Intelligence Service (NZSIS) to be able to handle and access information at the CONFIDENTIAL, SECRET and TOP SECRET levels. Refer to the PSR website on Personnel Security for more information.
Government agencies may administer their own security clearance process as part of their pre-employment checks for individuals to be authorised to use information at IN-CONFIDENCE, SENSITIVE, and RESTRICTED. These organisations may utilise the Ministry of Justice Criminal Record Check service or the New Zealand Police Vetting Service if they meet the criteria for access to the service. In addition, contractors and suppliers may require non-disclosure agreements or contracts before being given access to classified information.
- National Security Clearances
- New Zealand Police Vetting Service
- Ministry of Justice Criminal Record Check
Limiting access to those with a ‘need-to-know’
What is ‘need-to-know’?
In common practice, the phrase ‘need-to-know’ is often used as a shorthand explanation of why information cannot be shared, as in ‘sorry, that’s need to know’.
This is an incorrect interpretation. The concept of ‘need-to-know’ is simply that one should confirm that it is appropriate to share a piece of information before one does so.
For example, while a piece of intelligence may be shared relatively widely, the details of the source of that information may be much more tightly guarded. Equally, a doctor at a hospital does not have a ‘need-to-know’ for the details of a patient that they are not treating.
The words ‘need-to-know’ of themselves have no explanatory power. ‘Need-to-know’ simply means that there should be a good reason for an individual to have access to information.
Who decides on ‘need-to-know’?
Information is ‘originator controlled’: the originator and the controlling organisation or government decide whether the information should have restrictions based on a ‘need-to-know’. They will assign an endorsement marking or compartmented marking to indicate the ‘need-to-know’ compartment, which will identify the special handling requirements for the information.
Requesting access to ‘need-to-know’ compartmented information
In most normal circumstances, ‘need-to-know’ is a two-way process that relies both on the agency holding the information and on the requestor making a reasonable request, i.e., an individual or agency should only request information when it needs it to carry out its functions. It is not sufficient to request information just because you want to know – there must be a legitimate need for the request. Further, the ‘gatekeepers’ of information requests may lack the knowledge to know if an information request by another person or agency is reasonable or not.
Agencies holding information still maintain a responsibility to check whether information should be shared. However, effective information sharing will be better enabled if agencies assume information sharing requests are made in good faith and supported by professional judgement.
Diagram 1: Need to know principle flow chart
The need-to-know process is a two- or three-step process that can be applied to any information sharing.
- Step 1 confirms whether a ‘need-to-know’ exists. If there is not a valid reason to access information, it should not be provided. Step 1 confirms whether somebody should receive information.
- Step 2 confirms whether the person receiving the information is appropriately authorised to hold it. This might mean that they have the appropriate security clearance and/or systems and locations accredited to manage classified information. In a commercial setting, it might mean confirming a contractor has signed a non-disclosure agreement before sharing business information.
- If the decision at Step 2 is ‘no’, Step 3 asks whether the information can be provided in a different format (e.g. by removing some more sensitive pieces of information).
Page last modified: 20/06/2022