1 Introduction

1.1 Purpose

The purpose of the protocol is to:

  • provide guidance on achieving a consistent approach to personnel security management
  • assist agencies to fulfil their security, recruitment and management obligations and responsibilities.

1.2 Audience

This protocol applies to staff within all New Zealand government agencies, particularly:

  • security employees such as Chief Security Officers (CSOs), security consultants and security practitioners within agencies responsible for:
    • assessing risks to agency people, information or assets
    • everyday personnel security in the agency
    • developing agency-specific personnel security policies and procedures used by agency employees.
  • managers to meet their responsibilities
  • staff responsible for promoting and assessing compliance with personnel security standards in corporate functions such as human resources/recruitment, risk management, compliance and legal
  • external parties such as commercial contractors to aid their understanding of the New Zealand government’s overall personnel security position and, where fitting, to evaluate or direct the operation of specific personnel security controls to meet their contractual obligations.

1.3 Definition of personnel security

Personnel security is the management of staff to assist in the protection of New Zealand's people, information and assets.

It is an essential component of protective security and an enabler of operational effectiveness.

Correct application of the personnel security protocols will provide assurance as to the trustworthiness, integrity and reliability of staff and contractors.

Personnel security encompasses three major components:

  • identifying suitable staff to access agency information, resources and assets
  • educating staff about their security responsibilities
  • monitoring and evaluation of staff for their continuing suitability.

Personnel security arrangements within an agency must be based on each agency’s security risk assessment.

1.4 Scope

The personnel security protocol and associated requirements detail the standards required to:

  • comply with core policies
  • meet the seven mandatory personnel security requirements of the New Zealand Protective Security Requirements (PSR).

Personnel security measures help agencies manage the risk of staff or contractors exploiting their legitimate access to their people, information and assets for unauthorised purposes.

Personnel security is a discipline that must be maintained throughout a staff member’s time in employment through appraisal procedures, communication programmes and even managing attitudes and relationships.

It should include a formal process for managing staff leaving the business.

When consistently applied, personnel security measures not only reduce operational vulnerabilities, they can also help build a beneficial security culture at every level of an agency. 

1.5 Compliance requirements

A control with a ‘must’ or ‘must not’ compliance requirement indicates that use of the control is mandatory. These are the baseline controls unless the control is demonstrably not relevant to the respective agency and can be clearly demonstrated to the agency head or accreditation authority.

A control with a ‘should’ or ‘should not’ requirement indicates that use of the control is considered good and recommended practice. Valid reasons for not implementing a control could exist, including:

  • a control is not relevant because the risk does not exist, or
  • a process or control(s) of equal strength has been substituted.

Agencies must recognise that not using a control without due consideration may increase residual risk for the agency.  This residual risk needs to be agreed and acknowledged by the agency head.  In particular an agency should pose the following questions:

  1. Is the agency willing to accept additional risk?
  2. Have any implications for All of Government security been considered?
  3. If so, what is the justification?

A formal auditable record of this consideration and decision is required as part of the governance and assurance processes within an agency.

The PSR provides agencies with mandatory and best practice security measures.

The controls detailed above describe if and when agencies need to consider specific security measures to comply with the mandatory requirements.

Refer to Strategic Security Objectives, Core Policies and the Mandatory Requirements for Agencies.

1.6 Policy context

The New Zealand Security Intelligence Service (NZSIS) approves the Personnel Security Management Protocol.

This protocol is part of the third tier of the New Zealand government's personnel security policy hierarchy, as shown in Figure 1.

It draws its authority from the Directive on the Security of Government Business and should be read in conjunction with:

Figure 1: Protective Security Requirements Framework

Personnel security policy hierarchy

1.7 Documents given authority by this protocol

The documents given authority by this protocol are:

This protocol and supporting personnel security requirements supersede the New Zealand Government Protective Security Manual - Chapter 5: Personnel Security.

1.9 Relationship to PSR structure

This protocol specifies personnel security controls that satisfy the mandatory requirements.

The standards and supporting requirements to this protocol amplify the protocol and detail how the controls should be implemented.

Requirements are developed where no suitable standards exist and include a mixture of mandatory controls, advice and supporting information.

These standards and requirements will evolve to reflect changes in technologies and personnel security risk. They are likely to change more often than the protocol.

The policy hierarchy is supported by various governance protective security management activities such as reporting and audit procedures, security awareness training and several compliance measures.

The protocol should be applied in conjunction with an agency’s other governance activities, strategies and business plans.

The protocol, standards and requirements will inform the agency-specific personnel security policy and procedures.

2 Personnel security assurance

The purpose of personnel security is to provide a level of assurance as to the honesty, trustworthiness and loyalty of individuals who access government resources.

Mandatory requirement

PERSEC1: Agencies must ensure that New Zealand government employees, contractors and temporary staff who require ongoing access to New Zealand government information and resources:

  • are eligible to have access
  • have had their identity established
  • are suitable to have access, and
  • are willing to comply with government policies, standards, protocols and requirements that safeguard that agency’s resources (people, information and assets) from harm.

Agencies must have in place policies and procedures to assess and manage the ongoing suitability for employment of all staff and contractors.

Refer also to GOV8.

2.1 Pre-employment checks

Agencies must conduct pre-employment screening in accordance with State Services Commission recommendations:

Pre-employment checks.

The recommended base level for employment checks is:

  • identity verification
  • confirmation of citizenship
  • confirmation of right to work in New Zealand
  • criminal records check
  • confirmation of employment history
  • character references.

In particular, agencies should meet the Department of Internal Affairs baseline for evidence of identity standards:

Evidence of identity standard

For more information, refer to Agency Personnel Security.

2.2 Suitability for access

Pre-employment screening reduces the likelihood of recruiting problematic staff. Over time, however, people and their circumstances change, and employees who were previously of low concern may become unsuitable for employment.

Agencies must ensure that all employees are monitored to ensure their ongoing suitability to have access to official information and resources.

For more information refer to Personnel Security Guide.

3 Personnel security risk assessment

An agency’s personnel security risk assessment must be incorporated into the agency’s security risk review or other agency risk review processes.

Agencies should undertake a personnel security risk assessment in accordance with:

The relationship of personnel security to physical security and information security should be outlined in the overview of security in an agency’s risk assessment and planning.

For more information, refer to Agency Personnel Security.

3.1 Risk management

GOV3: Agencies must adopt a risk management approach to cover all areas of protective security activity across their organisation in accordance with the New Zealand standard AS/NZS ISO 31000:2009 Risk Management - Principles and Guidelines.

Agencies should employ a risk management approach to personnel security consistent with protective security principles. 

The aim is to reduce the risk of loss, damage or compromise of New Zealand government protectively marked resources by applying personnel security measures before and during employment. 

These measures in isolation do not provide a guarantee of reliability and need to be supported by effective management. They are not an alternative to the correct application of the need-to-know principle, access controls and information security measures.

Mandatory requirements

PERSEC2: Agencies must:

  • identify positions within their agency that require access to CONFIDENTIAL, SECRET and TOP SECRET assets and information
  • ensure that the level of security clearance sought is necessary, and
  • ensure personnel have the requisite level of security clearance prior to being granted access to information protectively marked as CONFIDENTIAL or higher.

PERSEC3: Agencies must maintain a register of personnel and contractors who hold security clearances.

3.2 Identification of positions requiring access

When a position is established, agencies must determine what level of protectively marked information or resources it is required to access. Agency security staff can advise managers on the need for, and the appropriate level of, the national security clearance that is required.

To determine whether a national security clearance is required and at what level, the manager should analyse the duties of the position and the highest level of protective marking carried by the information that will be accessed. If the protective marking is CONFIDENTIAL or above, a national security clearance is required.

Agencies should ensure that all employees accessing protectively marked Information Communications Technology (ICT) networks have at least the highest level of clearance required to access information that can be held on the network.

If the networks are compartmentalised, then the clearance level an employee requires is that of the highest-level compartment that they can access. It is recommended that agencies seek Government Communications Security Bureau (GCSB) advice prior to determining the clearance levels required for compartmentalised systems.

3.3 Foreign nationals

On occasion, foreign nationals may access New Zealand government protectively marked information and resources.

Agencies must follow the guidance contained in Agency Personnel Security.

3.4 Emergency access to protectively marked information

Where there is an urgent operational need for access to protectively marked material and insufficient time to complete vetting inquiries, agency heads or managers with delegated authority may authorise staff temporary supervised access to protectively marked material one level above their current national security clearance level.

For example, if their current clearance is CONFIDENTIAL, staff may be supervised to view SECRET material when there is an urgent operational need for the duration of the emergency.

Emergency access must not be used:

  • for administrative or management purposes to facilitate entry or appointment into a position
  • on reassignment of duties, while awaiting completion of a security vetting recommendation, or
  • for access to information carrying an endorsement or compartmented marking.

Agencies must follow the guidance for emergency access contained in Agency Personnel Security.

Personnel not holding a national security clearance must not be given access to information or resources marked CONFIDENTIAL, SECRET or TOP SECRET.

3.5 The need-to-know principle

The fundamental rule of personnel security is that agencies must base all access decisions on the need-to-know principle. 

Agencies must establish the existence of a legitimate need to access the protectively marked resources to carry out official duties before granting access. 

Other justifications such as being in a position of authority or the desire to enter controlled areas for the sake of convenience are not valid.

Agencies must limit the access to, and dissemination of, protectively marked information or resources to employees who need to use or access the information or resources to do their work and who, for ongoing access, hold the appropriate level of national security clearance.

Agencies should ensure that all employees are aware of and implement the need-to-know principle.

3.6 Endorsement and compartmented markings access

Agencies should liaise with the organisation that imposed an endorsement or compartmented marking on protectively marked material to determine any additional personnel security requirements.

For more information, refer to Information Security Management Protocol.

3.7 Contracted service providers requiring a security clearance

Agencies must identify and sponsor service providers and contractors requiring access to protectively marked information and resources.

Agencies should ensure this requirement is identified during the procurement process or as contracts are amended.

Also refer to Security of Outsourced Services and Functions.

The security clearance management of contracted staff remains the responsibility of the sponsoring agency. 

Agencies must ensure that any personnel security risks (‘qualifications’) identified by the NZSIS during security vetting are managed appropriately.

4 National security clearances

Employees whose work will involve access to material protectively marked at CONFIDENTIAL, or higher, must first be granted a national security clearance at the appropriate level by the agency head.

National security clearance levels are determined by the security classification of material that staff members need to access on a regular and routine basis to fulfil their duties.

Mandatory requirement

PERSEC4: An application for a security clearance must be sponsored by a New Zealand government agency.

4.1 New Zealand Government security vetting

NZSIS has the statutory mandate for the security vetting process and for making recommendations on security trustworthiness. Only NZSIS may conduct security vetting for the New Zealand government. Agencies must receive a security vetting recommendation from NZSIS before granting a national security clearance.

The security vetting process is intrusive by its very nature and NZSIS must conduct the process with care and sensitivity and in accordance with New Zealand government policy and legislation.

NZSIS must resolve any doubts about the suitability of a candidate to access protectively marked resources in favour of the New Zealand government.

4.2 Agency responsibilities

Agencies must not use the security vetting process as a general trustworthiness check for current or potential employees.

CSOs must review agency holdings, such as performance or disciplinary records, before submitting a vetting request to ensure that nothing already known to the agency indicates that a candidate may be unsuitable for access to protectively marked resources.

Indications that a candidate may be unsuitable may be shown by a record of:

  • dishonesty
  • misconduct
  • breaches of the Code of Conduct for the State Services (go to www.ssc.govt.nz/code)

Agencies must exercise their own judgement, and view the information available to them objectively, to determine whether they have trust and confidence in the candidate and his or her ability to gain a favourable recommendation for a national security clearance.

If an agency considers that a candidate does not possess the strength of character and integrity necessary for access to protectively marked resources, the request should not be submitted to the NZSIS.

For more information, refer to Security Assessment Criteria and the Adjudicative Guidelines.

4.3 Security vetting

There are four levels of security vetting, each involving more rigorous checking. They are listed below.

  • CONFIDENTIAL – an assessment of the individual’s suitability for ongoing access to New Zealand government resources protectively marked at the CONFIDENTIAL level.
  • SECRET – an assessment of the individual’s suitability for ongoing access to New Zealand government resources protectively marked at the CONFIDENTIAL level and SECRET level.
  • TOP SECRET – an assessment of the individual’s suitability for ongoing access to New Zealand government resources protectively marked at the CONFIDENTIAL, SECRET and TOP SECRET level. This includes resources that carry compartmented markings.
  • TOP SECRET SPECIAL – an assessment of the individual’s suitability for ongoing access to all resources protectively marked under the security classification system, including resources that carry compartmented markings. This security vetting usually relates to employment within an agency in the New Zealand Intelligence Community.

4.4 Levels of vetting and clearance

The levels of vetting and the resulting national security clearance are on an escalating scale.

For each step up the scale there is an increase in:

  • the breadth and depth of inquiries
  • the degree of intrusion into the privacy of candidates
  • the time required for completion of inquiries
  • the time required for assessments and recommendations
  • the degree of assurance of the individual’s trustworthiness, honesty and loyalty to New Zealand.

For more information, refer to Information for Security Vetting Candidates.

4.5 Identifying people who need a security clearance

Employees who are responsible for the creation, use, handling, storage and disposal of material protectively marked CONFIDENTIAL or higher must hold a security clearance at the appropriate level.

Employees do not require a security clearance for access to material protectively marked IN CONFIDENCE, SENSITIVE or RESTRICTED. Access to such material is granted by chief executives on the basis of the agency’s own pre-employment checks. Employees should acknowledge that they are responsible for safeguarding any information or resources for which they are responsible against loss, misuse or compromise, regardless of its protective marking.

Eligibility for a security clearance

New Zealand citizens or holders of a Residence Class visa whose backgrounds can be checked for the requisite period are eligible to be vetted for a New Zealand government security clearance. In exceptional circumstances other individuals may be considered for security vetting. 

Also refer to Agency Personnel Security.

Uncheckable backgrounds

A candidate is considered to have an uncheckable background when the NZSIS cannot complete the necessary checks and inquiries for the requisite checking period.

CSOs must ensure that vetting candidates meet the minimum requirements for a checkable history before a vetting request is submitted.

Also refer to Agency Personnel Security.

Recruiting for a role which requires a national security clearance

Agencies must ensure, when recruiting for roles which require the employee to hold a national security clearance, that candidates are eligible for security vetting.

Also refer to Agency Personnel Security.

4.6 Identifying when to upgrade a national security clearance

If the tasks or duties of a job change to the extent that it requires an individual to have access to resources protectively marked at a higher level than their current national security clearance, the individual must undergo security vetting at that higher level.

4.7 Transferring security clearances

New Zealand government agencies should recognise security clearances granted by another agency, when the clearance transfer process has been followed.  

Agencies must follow the guidance for this process contained in Agency Personnel Security.

5 Security clearance vetting

Mandatory requirement

PERSEC5: Agency heads must obtain a recommendation from the NZSIS prior to granting a security clearance. Agencies must follow the Protective Security Requirements Personnel Security Management Protocol and supporting requirements for personnel security.

5.1 Vetting recommendations

NZSIS security vetting recommendations are based on an assessment of the whole person and must be made in accordance with procedural fairness principles and the Procedural Fairness Requirements.

NZSIS must advise the agency requesting the security vetting in writing of the decision to recommend a national security clearance and any conditions imposed (‘qualifications’). 

If a national security clearance at the requested level is not recommended, NZSIS will, where possible, advise the agency requesting the security vetting and the candidate of the reasons.

Vetting candidates must be advised of their right to complain to the Inspector-General of Intelligence and Security if they consider that they have been adversely affected by any act, omission, practice, policy or procedure of the NZSIS.

5.2 Inspector-General oversight of security vetting decisions

Even where a national security clearance is recommended, the candidate may have concerns about the manner in which the NZSIS conducted the security vetting. The Inspector-General should be contacted in the first instance.

Complaints must be in writing and addressed to:

Inspector General of Intelligence and Security

c/- the Registrar of the High Court of New Zealand

DX SX 11199

Wellington

More information is available at www.igis.govt.nz.

5.3 Regular reviews of security clearances

Agencies must initiate reviews of all national security clearances five years after they were granted unless:

  • NZSIS has recommended an earlier review as part of the original vetting recommendation
  • the employee is no longer in a position requiring a security clearance, or
  • the employee has left New Zealand government employment.

5.4 Review for cause

A review for cause should be initiated whenever a security concern regarding a national security clearance holder arises.

A review for cause can be initiated by the employing agency in response to information from:

  • a clearance holder’s agency, colleagues or supervisors
  • the security clearance holder
  • any other individual who has reason to believe that the security clearance holder’s personal circumstances, attitudes or behaviour have changed.

6 Personnel security clearance management

Personnel security is an important element of an agency’s effective protective security regime as well as sound overall management practice. 

The initial security vetting process and any subsequent reviews provide only a snapshot of an individual.

Aside from formal periodic and NZSIS-initiated reviews of the national security clearance, agency managers are responsible for providing support, awareness and education as part of an agency security clearance management regime.

Mandatory requirements 

PERSEC6: Agencies must have personnel security clearance management arrangements in place for all staff, including contractors, who hold a security clearance.

GOV6: Agencies must provide all staff, including contractors, with sufficient information and security awareness training to meet the obligations of the Protective Security Requirements.

GOV7: Agencies must have established procedures for reporting and investigating security incidents and for taking corrective action.

GOV8: Agencies must ensure contracted providers comply with the Protective Security Requirements and agency-specific protective security protocols.

Agencies should have in place processes that provide for the timely identification and assessment of issues that affect an individual’s continued suitability to hold a security clearance. These processes should complement, but not substitute for, the clearance review and security education processes.

These processes should:

  • include tailored agency-specific security management programmes
  • provide clear instructions and requirements in agency security clearance management policy and procedures
  • regularly reinforce through security education and training the requirement for staff to report significant changes in personal circumstances and contacts.

6.1 Significant changes of personal circumstances

Agencies must advise all national security clearance holders of their responsibility to report any changes of personal circumstances.

Also refer to Reporting Changes in Personal Circumstances.

All national security clearance holders must acknowledge their obligation to notify their employing agency of any changes in their personal circumstances. The purpose of this requirement is to ensure that any change does not impact on the holder’s security trustworthiness.

CSOs should seek advice from the NZSIS if they are unsure of the significance of changes in personal circumstances. Managers and other employees must advise the CSO of changes in personal circumstances of clearance holders.

6.2 Contact reporting

National security clearance holders must report suspicious or inappropriate contacts or approaches to the agency CSO. 

These may include contact with foreign officials and foreign nationals, criminal groups or individuals or other suspicious individuals.

Agencies should:

  • collect contact reports from their employees
  • assess the reports
  • forward any suspicious reports relating to national security to the NZSIS.

Also refer to Contact Reporting.

6.3 Incident reporting

Some inappropriate contacts may be of a criminal or business nature that involves a conflict of interest or gives an unfair advantage. The agency should investigate these contacts and, if appropriate, advise the Police for further investigation.

Also refer to Reporting Incidents and Conducting Security Investigations.

6.4 Granting a national security clearance

Agencies must have received a security vetting recommendation from NZSIS before granting a national security clearance. 

The emergency access provisions detailed in section 3.4 and in Agency Personnel Security must not be used to facilitate entry or appointment into a position, or on reassignment of duties, while awaiting completion of a full security clearance.

Mandatory requirement

PERSEC7: Agencies must notify the NZSIS of the granting, downgrading, suspension or cancellation of a security clearance. Any reason associated with disciplinary action or unsuitability of the candidate to obtain/maintain the appropriate level of clearance must be reported to the NZSIS.

6.5 Actions on receipt of an NZSIS vetting recommendation

NZSIS will advise the agency when a security vetting is completed.

A national security clearance may be recommended:

  • at the level requested
  • at a lower level
  • with specific security clearance management provisions (‘qualifications’).

Agencies must advise NZSIS of:

  • their decision whether to grant a national security clearance
  • the level of clearance granted
  • the management plan for any specific security clearance management provisions (‘qualifications’).

6.7 Action when the clearance is not granted or granted at a lower level

The agency must withdraw any access to protectively marked information or resources above the level of the national security clearance granted, if any, until such time as any reviews or appeals are finalised. 

6.8 Monitoring and evaluation of staff

Initial character checks and security vetting determine a person’s suitability to access agency facilities, control assets and/or access protectively marked resources and information at the time they are performed.

Agencies must monitor their staff for continued suitability to access resources and protectively marked information. Management should monitor employees for behaviour that could suggest unreliability or susceptibility to duress. Particular attention should be given to those staff members who:

  • are under 20 years old, whose character will still be forming
  • might be unwilling to talk matters over but who are clearly unhappy
  • have few friends and appear to be alienated from colleagues.

When monitoring individuals, managers must maintain a sense of perspective and act within their normal duty of care responsibilities.

Also refer to Agency Personnel Security.

About

Personnel security is the management of staff to assist in the protection of an agency’s people, information and assets.

It is an essential component of protective security and an enabler of operational effectiveness.

Last modified: 18 December 2014
