2 Personnel security assurance
The purpose of personnel security is to provide a level of assurance as to the honesty, trustworthiness and loyalty of individuals who access government resources.
PERSEC1: Agencies must ensure that New Zealand government employees, contractors and temporary staff who require ongoing access to New Zealand government information and resources:
- are eligible to have access
- have had their identity established
- are suitable to have access, and
- are willing to comply with government policies, standards, protocols and requirements that safeguard that agency’s resources (people, information and assets) from harm.
Agencies must have in place policies and procedures to assess and manage the ongoing suitability for employment of all staff and contractors.
Refer also to GOV8.
2.1 Pre-employment checks
Agencies must conduct pre-employment screening in accordance with State Services Commission recommendations:
The recommended base level for employment checks is:
- identity verification
- confirmation of citizenship
- confirmation of right to work in New Zealand
- criminal records check
- confirmation of employment history
- character references.
In particular, agencies should meet the Department of Internal Affairs baseline for evidence of identity standards:
Evidence of identity standard
For more information, refer to Agency Personnel Security.
2.2 Suitability for access
Pre-employment screening reduces the likelihood of recruiting problematic staff. Over time, however, people and their circumstances change, and employees who were previously of low concern may become unsuitable for employment.
Agencies must ensure that all employees are monitored to ensure their ongoing suitability to have access to official information and resources.
For more information, refer to Personnel Security Guide.
3 Personnel security risk assessment
An agency’s personnel security risk assessment must be incorporated into the agency’s security risk review or other agency risk review processes.
Agencies should undertake a personnel security risk assessment in accordance with:
The relationship of personnel security to physical security and information security should be outlined in the overview of security in an agency’s risk assessment and planning.
For more information, refer to Agency Personnel Security.
3.1 Risk management
GOV3: Agencies must adopt a risk management approach to cover all areas of protective security activity across their organisation in accordance with the New Zealand standard AS/NZS ISO 31000:2009 Risk Management - Principles and Guidelines.
Agencies should employ a risk management approach to personnel security consistent with protective security principles.
The aim is to reduce the risk of loss, damage or compromise of New Zealand government protectively marked resources by applying personnel security measures before and during employment.
These measures in isolation do not provide a guarantee of reliability and need to be supported by effective management. They are not an alternative to the correct application of the need-to-know principle, access controls and information security measures.
PERSEC2: Agencies must:
- identify positions within their agency that require access to CONFIDENTIAL, SECRET and TOP SECRET assets and information
- ensure that the level of security clearance sought is necessary, and
- ensure personnel have the requisite level of security clearance prior to being granted access to information protectively marked as CONFIDENTIAL or higher.
PERSEC3: Agencies must maintain a register of personnel and contractors who hold security clearances.
3.2 Identification of positions requiring access
Agencies must determine what level of protectively marked information or resources a position is required to access when established. Agency security staff can advise managers on the need for, and the appropriate level of, the national security clearance that is required.
To determine whether a national security clearance is required and at what level, the manager should analyse the duties of the position and the highest level of protective marking carried by the information that will be accessed. If the protective marking is CONFIDENTIAL or above, a national security clearance is required.
Agencies should ensure that all employees accessing protectively marked Information Communications Technology (ICT) networks have at least the highest level of clearance required to access information that can be held on the network.
If the networks are compartmentalised, then the clearance level an employee requires is that of the highest-level compartment that they can access. It is recommended that agencies seek Government Communications Security Bureau (GCSB) advice prior to determining the clearance levels required for compartmentalised systems.
3.3 Foreign nationals
On occasion, foreign nationals may access New Zealand government protectively marked information and resources.
Agencies must follow the guidance contained in Agency Personnel Security.
3.4 Emergency access to protectively marked information
Where there is an urgent operational need for access to protectively marked material and insufficient time to complete vetting inquiries, agency heads or managers with delegated authority may authorise staff temporary supervised access to protectively marked material one level above their current national security clearance level.
For example, if their current clearance is CONFIDENTIAL, staff may be supervised to view SECRET material when there is an urgent operational need for the duration of the emergency.
Emergency access must not be used:
- for administrative or management purposes to facilitate entry or appointment into a position
- on reassignment of duties, while awaiting completion of a security vetting recommendation, or
- for access to information carrying an endorsement or compartmented marking.
Agencies must follow the guidance for emergency access contained in Agency Personnel Security.
Personnel not holding a national security clearance must not be given access to information or resources marked CONFIDENTIAL, SECRET or TOP SECRET.
3.5 The need-to-know principle
The fundamental rule of personnel security is that agencies must base all access decisions on the need-to-know principle.
Agencies must establish the existence of a legitimate need to access the protectively marked resources to carry out official duties before granting access.
Other justifications such as being in a position of authority or the desire to enter controlled areas for the sake of convenience are not valid.
Agencies must limit the access to, and dissemination of, protectively marked information or resources to employees who need to use or access the information or resources to do their work and who, for ongoing access, hold the appropriate level of national security clearance.
Agencies should ensure that all employees are aware of and implement the need-to-know principle.
3.6 Endorsement and compartmented markings access
Agencies should liaise with the organisation that imposed an endorsement or compartmented marking on protectively marked material to determine any additional personnel security requirements.
For more information, refer to Information Security Management Protocol.
3.7 Contracted service providers requiring a security clearance
Agencies must identify and sponsor service providers and contractors requiring access to protectively marked information and resources.
Agencies should ensure this requirement is identified during the procurement process or as contracts are amended.
Also refer to Security of Outsourced Services and Functions.
The security clearance management of contracted staff remains the responsibility of the sponsoring agency.
Agencies must ensure that any personnel security risks (‘qualifications’) identified by the NZSIS during security vetting are managed appropriately.
4 National security clearances
Employees whose work will involve access to material protectively marked at CONFIDENTIAL, or higher, must first be granted a national security clearance at the appropriate level by the agency head.
National security clearance levels are determined by the security classification of material that staff members need to access on a regular and routine basis to fulfil their duties.
PERSEC4: An application for a security clearance must be sponsored by a New Zealand government agency.
4.1 New Zealand Government security vetting
NZSIS has the statutory mandate for the security vetting process and for making recommendations on security trustworthiness. Only NZSIS may conduct security vetting for the New Zealand government. Agencies must receive a security vetting recommendation from NZSIS before granting a national security clearance.
The security vetting process is intrusive by its very nature and NZSIS must conduct the process with care and sensitivity and in accordance with New Zealand government policy and legislation.
NZSIS must resolve any doubts about the suitability of a candidate to access protectively marked resources in favour of the New Zealand government.
4.2 Agency responsibilities
Agencies must not use the security vetting process as a general trustworthiness check for current or potential employees.
CSOs must review agency holdings, such as performance or disciplinary records, before submitting a vetting request to ensure that nothing already known to the agency indicates that a candidate may be unsuitable for access to protectively marked resources.
Indications that a candidate may be unsuitable may be shown by a record of:
- breaches of the Code of Conduct for the State Services (go to www.ssc.govt.nz/code)
Agencies must exercise their own judgement, and view the information available to them objectively to determine whether they have trust and confidence in the candidate and his or her ability to gain a favourable recommendation for a national security clearance.
If an agency considers that a candidate does not possess the strength of character and integrity necessary for access to protectively marked resources, the request should not be submitted to the NZSIS.
For more information, refer to Security Assessment Criteria and the Adjudicative Guidelines.
4.3 Security vetting
There are four levels of security vetting, each involving more rigorous checking. They are listed below.
- CONFIDENTIAL – an assessment of the individual’s suitability for ongoing access to New Zealand government resources protectively marked at the CONFIDENTIAL level.
- SECRET – an assessment of the individual’s suitability for ongoing access to New Zealand government resources protectively marked at the CONFIDENTIAL level and SECRET level.
- TOP SECRET – an assessment of the individual’s suitability for ongoing access to New Zealand government resources protectively marked at the CONFIDENTIAL, SECRET and TOP SECRET level. This includes resources that carry compartmented markings.
- TOP SECRET SPECIAL – an assessment of the individual’s suitability for ongoing access to all resources protectively marked under the security classification system, including resources that carry compartmented markings. This security vetting usually relates to employment within an agency in the New Zealand Intelligence Community.
4.4 Levels of vetting and clearance
The levels of vetting and the resulting national security clearance are on an escalating scale.
For each step up the scale there is an increase in:
- the breadth and depth of inquiries
- the degree of intrusion into the privacy of candidates
- the time required for completion of inquiries
- the time required for assessments and recommendations
- the degree of assurance of the individual’s trustworthiness, honesty and loyalty to New Zealand.
For more information, refer to Information for Security Vetting Candidates.
4.5 Identifying people who need a security clearance
Employees who are responsible for the creation, use, handling, storage and disposal of material protectively marked CONFIDENTIAL or higher must hold a security clearance at the appropriate level.
Employees do not require a security clearance for access to material protectively marked IN CONFIDENCE, SENSITIVE or RESTRICTED. Access to such material is granted by chief executives on the basis of the agency’s own pre-employment checks. Employees should acknowledge that they are responsible for safeguarding any information or resources for which they are responsible against loss, misuse or compromise, regardless of its protective marking.
Eligibility for a security clearance
New Zealand citizens or holders of a Residence Class visa whose backgrounds can be checked for the requisite period are eligible to be vetted for a New Zealand government security clearance. In exceptional circumstances other individuals may be considered for security vetting.
Also refer to Agency Personnel Security.
A candidate is considered to have an uncheckable background when the NZSIS cannot complete the necessary checks and inquiries for the requisite checking period.
CSOs must ensure that vetting candidates meet the minimum requirements for a checkable history before a vetting request is submitted.
Also refer to Agency Personnel Security.
Recruiting for a role which requires a national security clearance
Agencies must ensure, when recruiting for roles which require the employee to hold a national security clearance, that candidates are eligible for security vetting.
Also refer to Agency Personnel Security.
4.6 Identifying when to upgrade a national security clearance
If the tasks or duties of a job change to the extent that it requires an individual to have access to resources protectively marked at a higher level than their current national security clearance, the individual must undergo security vetting at that higher level.
4.7 Transferring security clearances
New Zealand government agencies should recognise security clearances granted by another agency, when the clearance transfer process has been followed.
Agencies must follow the guidance for this process contained in Agency Personnel Security.
5 Security clearance vetting
PERSEC5: Agency heads must obtain a recommendation from the NZSIS prior to granting a security clearance. Agencies must follow the Protective Security Requirements Personnel Security Management Protocol and supporting requirements for personnel security.
5.1 Vetting recommendations
NZSIS security vetting recommendations are based on an assessment of the whole person and must be made in accordance with procedural fairness principles and the Procedural Fairness Requirements.
NZSIS must advise the agency requesting the security vetting in writing of the decision to recommend a national security clearance and any conditions imposed (‘qualifications’).
If a national security clearance at the requested level is not recommended, NZSIS will, where possible, advise the agency requesting the security vetting and the candidate of the reasons.
Vetting candidates must be advised of their right to complain to the Inspector-General of Intelligence and Security if they consider that they have been adversely affected by any act, omission, practice, policy or procedure of the NZSIS.
5.2 Inspector-General oversight of security vetting decisions
Even where a national security clearance is recommended, the candidate may have concerns about the manner in which the NZSIS conducted the security vetting. The Inspector-General should be contacted in the first instance.
Complaints must be in writing and addressed to:
Inspector General of Intelligence and Security
c/- the Registrar of the High Court of New Zealand
DX SX 11199
More information is available at www.igis.govt.nz.
5.3 Regular reviews of security clearances
Agencies must initiate reviews of all national security clearances five years after they were granted unless:
- NZSIS has recommended an earlier review as part of the original vetting recommendation
- the employee is no longer in a position requiring a security clearance, or
- the employee has left New Zealand government employment.
5.4 Review for cause
A review for cause should be initiated whenever a security concern regarding a national security clearance holder arises.
A review for cause can be initiated by the employing agency in response to information from:
- a clearance holder’s agency, colleagues or supervisors
- the security clearance holder
- any other individual who has reason to believe that the security clearance holder’s personal circumstances, attitudes or behaviour have changed.
6 Personnel security clearance management
Personnel security is an important element of an agency’s effective protective security regime as well as sound overall management practice.
The initial security vetting process and any subsequent reviews provide only a snapshot of an individual.
Aside from formal periodic and NZSIS initiated reviews of the national security clearance, agency managers are responsible for providing support, awareness and education as part of an agency security clearance management regime.
PERSEC6: Agencies must have personnel security clearance management arrangements in place for all staff, including contractors, who hold a security clearance.
GOV6: Agencies must provide all staff, including contractors, with sufficient information and security awareness training to meet the obligations of the Protective Security Requirements.
GOV7: Agencies must have established procedures for reporting and investigating security incidents and for taking corrective action.
GOV8: Agencies must ensure contracted providers comply with the Protective Security Requirements and agency-specific protective security protocols.
Agencies should have in place processes that provide for the timely identification and assessment of issues that affect an individual’s continued suitability to hold a security clearance. These processes should complement, but not substitute for, the clearance review and security education processes.
These processes should:
- include tailored agency-specific security management programmes
- provide clear instructions and requirements in agency security clearance management policy and procedures
- regularly reinforce through security education and training the requirement for staff to report significant changes in personal circumstances and contacts.
6.1 Significant changes of personal circumstances
Agencies must advise all national security clearance holders of their responsibility to report any changes of personal circumstances.
Also refer to Reporting Changes in Personal Circumstances.
All national security clearance holders must acknowledge their obligation to notify their employing agency of any changes in their personal circumstances. The purpose of this requirement is to ensure that any change does not impact on the holder’s security trustworthiness.
CSOs should seek advice from the NZSIS if they are unsure of the significance of changes in personal circumstances. Managers and other employees must advise the CSO of changes in personal circumstances of clearance holders.
6.2 Contact reporting
National security clearance holders must report suspicious or inappropriate contacts or approaches to the agency CSO.
These may include contact with foreign officials and foreign nationals, criminal groups or individuals or other suspicious individuals.
- collect contact reports from their employees
- assess the reports
- forward any suspicious reports relating to national security to the NZSIS.
Also refer to Contact Reporting.
6.3 Incident reporting
Some inappropriate contacts may be of a criminal or business nature that involves a conflict of interest or gives an unfair advantage. The agency should investigate these contacts and, if appropriate, advise the Police for further investigation.
Also refer to Reporting Incidents and Conducting Security Investigations.
6.4 Granting a national security clearance
Agencies must have received a security vetting recommendation from NZSIS before granting a national security clearance.
The emergency access provisions detailed in section 3.4 and in Agency Personnel Security must not be used to facilitate entry or appointment into a position, or on reassignment of duties, while awaiting completion of a full security clearance.
PERSEC7: Agencies must notify the NZSIS of the granting, downgrading, suspension or cancellation of a security clearance. Any reason associated with disciplinary action or unsuitability of the candidate to obtain/maintain the appropriate level of clearance must be reported to the NZSIS.
6.5 Actions on receipt of an NZSIS vetting recommendation
NZSIS will advise the agency when a security vetting is completed.
A national security clearance may be recommended:
- at the level requested
- at a lower level
- with specific security clearance management provisions (‘qualifications’).
Agencies must advise NZSIS of:
- their decision whether to grant a national security clearance
- the level of clearance granted
- the management plan for any specific security clearance management provisions (‘qualifications’).
6.6 Action when clearance is recommended at the requested level
Agencies must provide the candidate with:
- a briefing on his or her responsibilities in relation to information handling
- details of action in case of a change in circumstance
- details of the agency’s security awareness training programme
- any other requirements as specified in the NZSIS vetting recommendation.
6.7 Action when the clearance is not granted or granted at a lower level
The agency must withdraw any access to protectively marked information or resources above the level of the national security clearance granted, if any, until such time as any reviews or appeals are finalised.
6.8 Monitoring and evaluation of staff
Initial character checks and security vetting determine a person’s suitability to access agency facilities, control assets and/or access protectively marked resources and information at the time they are performed.
Agencies must monitor their staff for continued suitability to access resources and protectively marked information. Management should monitor employees for behaviour that could suggest unreliability or susceptibility to duress. Particular attention should be given to those staff members who:
- are under 20 years old whose character will still be forming
- might be unwilling to talk matters over but who are clearly unhappy
- have few friends and appear to be alienated from colleagues.
When monitoring individuals, managers must maintain a sense of perspective and act within their normal duty of care responsibilities.
Also refer to Agency Personnel Security.