1 Introduction

Print this section

1.1 Purpose

The purpose of these requirements is to:

  • support the New Zealand government’s development of a series of systems and processes intended to protect information from potential compromise through accidental or deliberate disclosure
  • protect official information by ensuring New Zealand government employees are aware of the risk posed by foreign intelligence services and other threat groups in New Zealand and overseas, that are potentially collecting official information
  • support the New Zealand Government Contact Reporting System, overseen by the New Zealand Security Intelligence Service (NZSIS), which records and analyses potential threats to information collection posed by foreign or domestic adversaries
  • provide guidance on achieving a consistent approach to help agencies protect their people, information and assets
  • provide assurance to other agencies when sharing information and assets
  • provide the types of controls that are suitable to address contact reporting concerns
  • help establish consistent terminology for personnel security across the New Zealand government.
Back to the top of page Print this subsection

1.2 Audience

The audience for these requirements is:

  • New Zealand government security management staff
  • contractors to the New Zealand government providing protective security advice and services
  • any person or body with access to New Zealand's official or protectively marked information
  • any other body or person responsible for the security of New Zealand government people, information or assets.
Back to the top of page Print this subsection

1.3 Scope

These requirements cover:

  • the New Zealand contact reporting system
  • potential contact threat sources, scenarios and indicators
  • reporting criteria and procedures
  • the implementation of the contact reporting process.

The requirements relate to personnel security measures where there is the potential for the compromise of official information, including protectively marked information, through accidental or deliberate disclosure within New Zealand government facilities, within facilities handling New Zealand government information and assets or where New Zealand government employees are located.

They support the implementation of the New Zealand Protective Security Requirements (PSR)

In particular, they support thePersonnel Security Management Protocol.

They are part of a suite of documents that aid agencies to meet their personnel security requirements.

Where legislative requirements are higher than controls identified in these requirements, legislative controls take precedence and must be applied.

Agencies should protect any information or assets provided by another government in accordance with international agreements.

Also refer to Safeguarding Foreign Government Information (under development).  

Back to the top of page Print this subsection

1.4 Compliance requirements

A control with a ‘must’ or ‘must not’ compliance requirement indicates that use of the control is mandatory. These are the baseline controls unless the control is demonstrably not relevant to the respective agency and can be clearly demonstrated to the agency head or accreditation authority.

A control with a ‘should’ or ‘should not’ requirement indicates that use of the control is considered good and recommended practice.  Valid reasons for not implementing a control could exist, including:

  1. a control is not relevant because the risk does not exist,
  2. or a process or control(s) of equal strength has been substituted.

Agencies must recognise that not using a control without due consideration may increase residual risk for the agency.  This residual risk needs to be agreed and acknowledged by the agency head.  In particular an agency should pose the following questions:

  1. Is the agency willing to accept additional risk?
  2. Have any implications for All of Government security been considered?
  3. If so, what is the justification?

A formal auditable record of this consideration and decision is required as part of the governance and assurance processes within an agency.

The PSR provides agencies with mandatory and best practice security measures.

The controls detailed above describe if and when agencies need to consider specific security measures to comply with the mandatory requirements.

Also refer to the Strategic Security Objectives, Core Policies and the Mandatory Requirements.

Back to the top of page Print this subsection

2 Contact threats

NZSIS oversees the New Zealand Government Contact Reporting System.

The aim of the Contact Reporting System is to assist the NZSIS in identifying attempts at intelligence collection or other potentially hostile activity directed against New Zealand and its interests.

It also helps identify threat trends, including:

  • what information is of interest to foreign intelligence services
  • who is interested in it
  • the methods foreign intelligence services use to collect information.

NZSIS uses this intelligence to produce threat assessments and security intelligence advice.

These threat assessments can help agencies understand current and potential threats and formulate appropriate counter measures for risk mitigation.

Human intelligence collection is low-risk, effective and a very common form of intelligence collection.

Intelligence services will develop their intelligence picture through the aggregation of information gathered from a range of targeted or opportunistic sources including government employees.

Small pieces of information provided inadvertently may form part of an intelligence collection 'jigsaw'.

Employees must recognise an apparently innocent conversation or contact (for example, an unsolicited email or through a social networking site) can be the beginning of a human intelligence approach or ‘cultivation’. 

Print this section

3 Threat sources

Agencies and their employees should be aware that the following groups or individuals may be potential threat sources:

  • foreign intelligence services
  • foreign officials
  • political groups
  • criminal organisations
  • commercial businesses
  • issue-motivated groups or individuals.

Agencies and their employees should be aware interest from threat sources is not limited to protectively marked information.

The access sought often includes official information and intellectual property not normally available to the general public.

Individuals or groups can expend considerable energy and resources into obtaining access to political, economic, scientific, technological, military, commercial and other information.

Any compromise may be prejudicial to New Zealand’s national interest and future prosperity.

Print this section

3.1 Scenarios for potential contact with threat sources

Agencies and their employees should be aware that relationships or contact with threat sources often take place when an employee's role requires communication with foreign representatives.

Contacts can also occur in, but are not limited to, scenarios such as:

  • invitations to attend functions
  • written correspondence
  • sporting and recreational activities
  • overseas travel
  • visits to embassies, consulates or involvement with trade missions or other international events
  • membership of international clubs, institutes, professional associations or friendship societies
  • incidental social interaction
  • unsolicited emails or telephone calls
  • training or study (for example, language classes)
  • online social networking sites
  • introductions through a third party.

Scenarios where there is the potential for contact with a threat source can, however, include social situations outside of the employee's regular role or duties. This should be noted by agencies and their employees. 

Back to the top of page Print this subsection

3.2 Indicators for potential contact by threat sources

The initial advance might be subtle, planned and take place over an extended period of time.

When done well, the target will not be aware the cultivation is occurring however indicators that should raise suspicion include:

  • a seemingly innocuous interest in an employee’s official, social or personal activities
  • a fascination with some particular aspect of an employee’s work, social or personal activities
  • requests for information about other employees who work in the agency
  • a request to meet with the employee away from the work environment
  • introduction to another person who takes a similar interest
  • encouragement to participate in questionable or illegal activity
  • offers of hospitality or gifts
  • excessive flattery or sexual interest.
Back to the top of page Print this subsection

4 Reporting criteria

Employees should complete a contact report when a contact has occurred that appears suspicious, persistent or unusual in any respect, or becomes on going (whether in an official or social capacity) with:

  • embassy or foreign government officials within New Zealand
  • foreign officials or nationals outside New Zealand, including trade or business representatives.

Additionally, employees should complete a contact report for instances when any individual or group, regardless of nationality, seeks to obtain official information for which they do not have a valid ‘need-to-know’. 

Print this section

4.1 Reporting procedures

If an employee believes he or she has been the subject of a suspected contact by a party that meets the reporting criteria, he or she must report the incident to their Chief Security Officer (CSO) without delay.

The CSO must provide employees with a Contact Report Form and ensure this is completed and returned to the CSO.

Also see Annex A.

To assist with the accurate recall of events, the employee should complete the Contact Report Form (or equivalent written report) as soon as possible after the suspected contact has occurred.

The CSO is responsible for receiving completed contact reports.

CSOs must have the appropriate experience and expertise to:

  • analyse reports
  • understand the level of risk presented
  • make a sound judgement about the best course of action
  • provide support and advice to the person who has been contacted.

CSOs should seek advice from NZSIS to assist in determining the best course of action.

In certain exceptional circumstances, a contact report may lead to an internal or external security, counter-intelligence or criminal investigation.

If the incident involves actual or potential fraud or theft, the agency should inform the police.

Fraud and theft may also involve loss of equipment or technology that may have application to a foreign country, including intellectual property.

See also Reporting Incidents And Conducting Security Investigations.

Additionally, agencies must promptly report any potentially major security incident to NZSIS independent of the Contact Reporting System.

Examples of such incidents include the loss or compromise of protectively marked information in any format (for example, hard copy, electronic, verbal) or the loss of equipment or technology.

Such incidents must be reported to NZSIS through the agency’s CSO.

Back to the top of page Print this subsection

5 Implementation of the contact reporting process

Agencies must provide awareness training programmes to employees to ensure:

  • employees understand their obligations and the reporting arrangements
  • employees are aware of the Contact Reporting System.

The Contact Reporting System is not intended to restrict legitimate contact between employees and foreign officials.

It is intended to protect the employee and the New Zealand government by providing support and encouraging information sharing.

As part of security awareness training, agencies must ensure employees are aware of:

  • the sources and nature of the threats to security
  • their personal and professional responsibilities
  • their obligations as a security clearance holder
  • the ways that people can be deceived, coerced or pressured into actions harmful to national security or interest
  • the fact that targeting occurs across all levels or ranks of an organisation, not just at the executive level
  • the fact that most attempts to collect intelligence will be subtle and often appear innocuous
  • the need for high standards of personal conduct, particularly when overseas
  • the procedures for contact reporting.

Agencies must identify whether or not they have people working in high-risk areas and, if so, provide additional defensive briefings.

High-risk employees include those who:

  • are required to liaise with foreign officials because they are proficient in the native language of the foreign officials
  • are involved in sensitive or priority negotiations or policy work
  • work in units which regularly share information with foreign officials.

Also refer to Security Awareness Training.

NZSIS can provide a briefing on the Contact Reporting System to agencies. These briefings should be arranged through the agency’s CSO.

Print this section

5.1 Implementation of the contact reporting process when outside New Zealand

Employees performing official duties overseas should be made aware that intelligence and security services in certain countries will routinely conduct physical and electronic surveillance of foreign representatives.

To ensure the requirements for employees travelling outside of New Zealand for official and non-official purposes are met, agencies should refer to the Personnel Security Protocol.

Employees are responsible for contacting their CSO prior to travel to ascertain the potential threat from foreign intelligence services and to seek appropriate briefings.

NZSIS can, where relevant, provide a briefing on security situations that individuals may encounter when they perform official duties overseas.

This includes advice on information and physical security, reporting procedures and other security issues.

The Contact Reporting System is not intended to constrain official and social contact with representatives of other governments outside New Zealand.

Rather, it aims to protect employees through alerting them to the possibility that foreign officials may have ulterior motives such as obtaining official or protectively marked information to which the employee has access.

Back to the top of page Print this subsection

5.2 Required contact report information

The style and format of contact reports may vary from agency to agency, but the following information must be included as a minimum:

  • time and date, indicating if details are approximate
  • location, including the address where the contact or incident occurred
  • names, designations and nationalities, including the reporting person’s details along with those of all other persons present during the contact
  • types of contact, which may include a combination of social, informal, official business and/or other aspects (all aspects should be stated)
  • details of conversations, including any conversation or discussion covering a number of subjects. The general topic areas should be described, including personal details disclosed by either party
  • other details such as the circumstances that led to the contact or incident and the factors that made it noteworthy or unusual.

The individual making the report should contact his or her CSO in the first instance with any enquiries regarding the Contact Reporting System or Contact Reporting procedures.

Refer to: Annex A

Back to the top of page Print this subsection

About

The requirements are designed to help protect information from compromise through accidental or deliberate disclosure.  While all government employees should be aware of them, they particularly relate to national security clearance holders who may be subject to unusual or suspicious contact from citizens or officials of another country.

Search this document for:

Last modified: 18 December 2014

Acknowledgements and licensing information