Using, copying, and reproducing information | Protective Security Requirements

Using government information

Dealing with verbal information

If information that carries a protective marking is delivered verbally (for example, through classified discussions in person or over the phone), the recipient(s) must be told the classification and protective marking and told how the information needs to be protected before the information is conveyed.

For example, “The information I am about to convey is RESTRICTED. This information cannot be discussed or shared with anyone else without agreement from the CSO.”

Ensure that the verbal discussions cannot be overheard by those who are unauthorised to receive the information.

Physical security zones

Dealing with virtual meetings

ICT systems are certified and accredited to protect information to a maximum classification level.

The ICT systems (e.g. telephone and electronic networks, virtual software platforms, and technical infrastructure) used to share and discuss classified information virtually must be accredited to enable sharing of information at the security classification level or higher.

Be sure that your users understand the maximum classification level of information that they can share or discuss in virtual meetings across the different ICT systems used by the organisation.

Storing and filing information

USER TIP: Before sharing classified information virtually (e.g. verbally and/or screen sharing), ensure that the systems used are accredited to protect information at the classification level or higher.

You must not use or share information at higher classifications than the ICT system is accredited to protect.

For example, if an ICT system is certified for sharing up to IN CONFIDENCE information, you cannot dissemination, share, or discuss information at SENSITIVE or higher classifications using that ICT system.

Speak to your information security team for more information.

Releasing or changing information with protective markings from another agency

If you want to release, share, or transmit information that has a protective marking from another agency, you need to agree the appropriate process with that agency first. This might result in the information being relabelled.

You also need the agreement of the originating agency to remove or change a protective marking. If the originating agency doesn’t agree to remove the marking, the information should not be released.

If the requirement to release the information is subject to an official information request, an agency may transfer a request to another agency to fulfil the request should the information be held by the originating agency. See the Office of the Ombudsman(external link) for more information on official information request transfers.

However, the absence of permission to release or acceptance of transfer from the originating agency does not absolve the receiving agency of the obligation to decide on the request. The agency should use the tools provided in the guidance to assess the harm of disclosure against the public interest. This does not prevent the agency from consulting other interested parties before making the decision.

Copying and transmitting

Copying and using photocopiers

To help control protectively-marked information, keep the number of copies to a minimum. Only reproduce protectively-marked information when necessary.

To make copies of protectively-marked information with a copy number, you must get permission from the originator or originating organisation (the person or organisation that created the information). However, it’s better to ask the originator to supply any additional copies that you or your organisation need.

If the originator gives permission to make copies, let them know how many copies you intend to distribute. The originator will then tell you which copy numbers you need to mark on your copies.

Your agency should develop a policy for use of photocopiers, fax machines and similar devices. Devices used to copy and transmit protectively-marked documents come with risks which you must understand and manage.

Photocopiers, fax machines and similar devices, known as multi-function devices (MFDs) may:

retain images of copied documents that can then be transmitted
be connected to ICT systems that don’t have the necessary level of protection.

Reducing risks when you copy and transmit protected information

Take the following steps to reduce risks:

Put approved devices in an area where you can observe all copying and transmitting activity.
Make sure a designated person stays near the device until all activity is finished.
Make sure documents are removed from the device as soon as activity is over.

Devices you can’t use for copying and transmitting

If a device is connected to your ICT system and a document has a higher protective marking than your ICT system, you can’t use the device to copy or transmit that document.

You also can’t copy or transmit a protected document using a device connected to a public network, or a fax machine (unless that information is protected in line with the New Zealand Information Security Manual (NZISM) – 11. Communications systems and devices(external link).

Transmitting electronic data

Protectively-marked data that is imported, exported, or transferred electronically must be protected in line with the NZISM – 20. Data Management(external link).

Reproducing protectively-marked information

When you reproduce government information, the original protective-marking and handling requirements still applies to all reproduced information. You must protectively mark the reproduced information at the original marking levels or higher.

These requirements apply to all government information (with or without security classifications).

Follow these requirements to ensure your agency complies with the Protective Security Requirements for information security.

Managing ‘Accountable material’

Once disseminated, ACCOUNTABLE MATERIAL must not be copied or reproduced in any form.

If your agency needs more copies, you must request them from the originator.

You also need the originator’s permission to extract information from ACCOUNTABLE MATERIAL.

ACCOUNTABLE MATERIAL must be destroyed under supervision of two officers cleared to the appropriate level who must supervise the removal of the material to the point of destruction, ensure destruction is complete, and sign a destruction certificate.

All TOP SECRET information must be made ACCOUNTABLE MATERIAL by default.

Tracking ‘Accountable material’

ACCOUNTABLE MATERIAL must have a copy number on the front cover, so your agency can keep accurate records and control distribution.

Electronic accountable information, items or materials are usually uniquely identifiable (usually a serial or identification number) and are tracked from acquisition or creation to final disposal. Refer to the NZISM for more information on controls for ACCOUNTABLE MATERIAL.

When protectively-marked information is made 'accountable', the person with responsibility for that information must check and certify its safe custody.