Protecting official information from unauthorised access and accidental disclosure
The New Zealand Government Security Classification System protects official information through a series of security measures. Once in place, these measures apply to anyone with access to official information.
The classification system is designed to protect official information from disclosure or access that would be harmful to New Zealand citizens, the New Zealand Government, or government organisations.
INFOSEC2 - Design your information security
Consider information security early in the process of planning, selection, and design. Design security measures that address the risks your organisation faces and are consistent with your risk appetite. Your security measures must be in line with:
- the New Zealand Government Security Classification System
- the New Zealand Information Security Manual
- any privacy, legal, and regulatory obligations that you operate under.
Adopt an appropriate information security management framework that is appropriate to your risks.
Your agency should use the classification system to:
- identify which information assets your agency needs to protect
- implement policies and protocols for handling official information and applying protective markings.
Cabinet agreed to the security classification system in December 2000 [CAB(00)M42/4G(4)].
Legislation also protects official information
Your organisation must consider any legal requirements to protect official information under relevant legislation, such as the:
If legislative requirements require higher security measures than the classification system, apply the legislative measures.
The Official Information Act 1982
The Official Information Act 1982 provides the legislative basis for the release of government information.
Sections 6, 7, and 9 of the Act describe the types of government documents that may be exempt or are conditionally exempt from authorised disclosure.
What is official information?
Official information is any information held by the New Zealand Government and its agencies.
There are two types of official information:
- information that does not need increased security
- information that needs increased security measures to protect it from unauthorised disclosure.
Official information can include public sector information sanctioned for public access or circulation, such as publications or websites.
Limiting access to official information
Security measures to protect official information include:
- Procedural measures that restrict who can use, handle, transmit, and access official information, such as policies and processes
- Physical measures that control access to areas where official information is stored or used, such as physical barriers or safes
- Technical measures that help to protect official information, such as firewalls and encryption.
Limit access to those with a ‘need-to-know’
To reduce the risk of an unauthorised disclosure, only people with a proven need-to-know should be granted access to official information, regardless of whether it is subject to the classification system or not.
You should not give people access to official information because it would be convenient for them to know, or because of their status, position, rank, or level of authorised access.
For more details on personnel security requirements, go to the Management protocol for personnel security.
Applying protective markings
Protective markings are placed on information and equipment to show the level of protection they need. The level of protection is based on a risk assessment of the damage or prejudice that would result from specific content being compromised.
Once you’ve identified information that needs protection or special handling (or both), you must assign a protective marking to it.
The protective marking shows:
- that the information has been identified as sensitive in nature
- the level of protection the information must have when it is produced, used, stored, transmitted, transferred, and disposed of.
Requirements to apply protective markings also apply to information held within information and communications technology (ICT) systems.
Types of protective markings
When these markings are applied to official information, the information is referred to as being ‘protectively marked’.
Handling requirements for protectively-marked information and equipment gives details and guidance on how to apply protective markings correctly.
However, make sure you understand and assign security classifications correctly before you mark any information and equipment.
Page last modified: 17/02/2021