Information security

INF016

Guidelines for protective markings

This section gives answers to some common questions about protective markings.

How to identify information that needs protective marking

Use the Business Impact Levels (BILs) to assess what the likely consequences of information being compromised, disclosed without authorisation, or misused.

If your assessment shows that compromise or misuse of information would have adverse results, you must give that information extra protection in line with the severity of the likely damage. It must be protectively marked.

Learn more about using the Business Impact Levels

Other official information that requires increased protection (but doesn’t meet the definition of national security information) is most often about:

  • government or agency business where compromise could affect the government’s capacity to make decisions or operate, the public’s confidence in government, or the stability of economic markets
  • commercial interests where compromise could affect the competitive process and provide the opportunity for unfair advantage
  • personal information that is required to be protected under the Privacy Act 2020, the Public Records Act, or other legislation.

Not all information about these matters needs to be protectively marked. Information should only be protectively marked if its compromise could cause damage.

Over-classifying information can cause harmful effects.

When to apply protective markings

When information is created, the originator must do a risk assessment. If adverse consequences could occur, or the agency is legally required to protect the information, it must be given a protective marking.

Protective markings suggested by outside organisations or individuals should not automatically be accepted by New Zealand government agencies unless there has been a prior agreement.

Information derived directly from protectively-marked sources must carry, at a minimum, the highest security classification of any of the source classifications.

Who should apply the protective markings?

The person or agency responsible for preparing the information decides its protective marking.

This person or agency is called the ‘originator’.

If information is created outside the New Zealand Government, the person working for the government organisation who actioned the information should determine whether it requires a protective marking.

Who can change protective markings?

Only the agency that assigns the original protective marking (the originating agency) can change it. All agencies must respect this rule.

If you think a protective marking is not appropriate, raise it with the person who marked the information (the originator) or the originating agency.

When not to use protective markings

Under the Official Information Act 1982, official information must not be protectively marked to:

  • hide violations of law, inefficiency, or administrative error
  • prevent embarrassment to an individual, organisation, agency, or the government
  • restrain competition
  • prevent or delay the release of information that does not need protection in the public interest.

Take care not to over-classify official information

Official information should only be protectively marked when the result of compromise warrants the expense of increased protection. New Zealand government holdings of protectively-marked information should be kept to a minimum.

It’s important that official information not requiring protection remains UNCLASSIFIED. 

Over-classifying information can cause serious harm. Here are some examples of harm.  

  • Public access to government information becomes unnecessarily limited.
  • Unnecessary administrative arrangements are set up that remain in force for the life of the document (including repository arrangements for information transferred to Archives New Zealand), which imposes an unnecessary cost on the agency
  • The volume of protectively-marked information becomes too large for an agency to protect adequately.
  • The New Zealand Government Security Classification System and associated security procedures are brought into disrepute.

These harmful effects may lead to protective markings being devalued or ignored.

For these reasons, the New Zealand Government expects that agencies will only protectively mark information when there is a clear and justifiable need to do so.

To keep the volume of protectively-marked information to minimum, agencies should limit the duration of the protective marking and set up review procedures.

How to confirm protective markings

Protective markings make information more expensive to create, handle, store, and transfer. Your agency should have a process for confirming protective markings, especially when such a marking is not normal or standard for your agency.

What to do if an agency is disestablished or merged

If an agency is disestablished or merged, the agency assuming the former agency’s responsibilities is considered the originating agency.

The point of contact should be the Chief Security Officer (CSO) of the new agency.

What happens when information goes to Archives New Zealand

When protectively-marked records are transferred to Archives New Zealand, they keep their protective markings and are stored and handled in line with those markings.

However, Archives New Zealand has limited capacity to store protectively-marked information, so consult with them first. If they can’t accommodate your information, seek leave to defer the transfer of protectively-marked records in line with the Public Records Act 2005

If your agency is considering transferring records marked CONFIDENTIAL or above, consult with Archives New Zealand about declassifying the protective marking to a more relevant level.

When a record has been marked under the Public Records Act 2005 as being an open access record, any protective markings cease to have effect for any purpose.

How to set the duration of protective markings

When you first apply a protective marking to information, try to set a date or event when you will declassify it. Base the date or event on an assessment of how long the information will remain sensitive.

For example, Budget papers need high protection before the Budget’s release, but not afterwards.

Some information may need increased protection because it is under embargo until a specific public policy statement, after which time it becomes public information.

On reaching the date or event, the information should be automatically downgraded to a more relevant level of control.

Cabinet documents are not included in such arrangements. See Security classifications for Cabinet documents for more information.

When to review your protective markings

Your agency should review the protective marking of information regularly. For example, after a project or sequence of events is completed, or when a file is withdrawn from or returned to use.

All recipients of information should contact the originator to discuss any protective marking they believe is inaccurate.

How to manage releasing official information to the public

New Zealand government employees must have agency authorisation to release any information to members of the public, regardless of any protective marking it may or may not have.

Authorisation may be granted by the agency head or a person given delegated authority by the agency head.

Even if information is intended for public release or publication, it may carry a control measure, such as an endorsement marking before its release. For example, Budget papers.

In this case, the point at which the information will be publicly available should be marked. When this information ceases to require the original control measures, your agency should consider applying protection measures consistent with the type of information contained within the document.

All personal information held, even if it is publicly available, must be handled in line with the Privacy Act, Information Privacy Principles.

Have a policy for handling requests for official information

Your agency Agencies should have policy in place for addressing every request for official information, which may be released under the Official Information Act 1982 (OIA).

Understanding the legislation and implementing agency-specific OIA policy reduces the likelihood of an official information security breach through unintended or accidental disclosure.

Why it is important to have a security classification policy

Your agency must identify official information that needs increased protection and provide protective procedures for sensitive and protectively- marked information.

Failing to do so creates an unacceptable risk to the New Zealand government’s protective security and can also put information sharing and consultative arrangements between agencies at risk. These arrangements are essential for the efficient operation of government.

Page last modified: 17/02/2021