Personnel Security

PER009

Ensure their ongoing suitability

Effective pre-employment checks reduce the risk of threats to your people, information, and assets. However, people and their circumstances can change. Changes can happen over time or suddenly as a reaction to an event. Your organisation needs to make sure that people remain suitable for having access to your information and assets.

PERSEC2 - Ensure their ongoing suitability

Ensure the ongoing suitability of all people working for your organisation. This responsibility includes addressing any concerns that may affect the person’s suitability for continued access to government information and assets.

Because people and their circumstances can change over time, you must monitor changes and events that can affect people.

Ongoing security education helps to keep your people, information, and assets safe from harm.

Do minimum checks to ensure ongoing suitability

At a minimum, your organisation must:

  • have a process for people to report security incidents and near misses
  • investigate security incidents
  • provide ongoing security awareness updates and training.

Report and respond to security incidents

You must have a system in place for reporting and responding to potential and actual security incidents. Managing incidents well helps your organisation to:

  • contain the effects
  • manage the consequences
  • recover as quickly as possible
  • learn from what happens.

At a minimum you must:

  • establish a formal security incident reporting and response procedure
  • report all personnel security incidents to the appropriate people in your organisation
  • make everyone aware of their responsibilities and the procedure for reporting security incidents.

Good communication between managers and employees, along with clear security expectations and procedures, makes it easy for people to raise concerns and to report changes and incidents.

Managers and co-workers are in the best position to notice changes in a person’s behaviour or attitude. Encourage your people to report what they notice and make it easy for them to do so confidentially.

More guidance

Reporting incidents and conducting security investigations

Provide ongoing security awareness updates and training

Ongoing security education helps to keep your people, information, and assets safe and secure. It also enhances your security culture. When you increase your people’s understanding of security practices and processes, you increase their ‘care factor’, and their ‘do factor’ — security becomes everyone’s responsibility.

Carry out additional ongoing checks for higher risk roles

When you identify an increased security risk related to a role or the nature of your organisation’s work, additional ongoing checks could be necessary. The checks you apply will depend on a range of factors including your organisation’s security context and culture, and operating environment.

Checks to consider

Additional checks you can consider to ensure ongoing suitability include:

  • requiring people to report any significant change in personal circumstances (for example, a divorce, new partner, bankruptcy, foreign citizenship, or new and significant debt)
  • requiring people to report any suspicious contacts
  • encouraging people to report any suspicion of ‘insider threat’
  • carrying out an engagement survey to understand how satisfied and engaged your people are
  • briefing people on the risks related to international travel
  • requiring regular police vetting
  • carrying out regular financial or credit checks
  • requiring drug and alcohol testing
  • checking regularly for conflicts of interest
  • obtaining copies of annual practising certificates.

Report significant changes in personal circumstances

Significant changes in personal circumstances can arise from many different areas: relationships, finances, health, work issues, substance abuse, or new interests and contacts.

These changes can put people under pressure. They could act irrationally or inappropriately, or be vulnerable to exploitation by others.

Reporting significant changes in circumstances helps you to manage the risk of someone:

  • breaching your security intentionally or unintentionally
  • being coerced into breaching your security by an external party.

Your people should know which changes of circumstances they need to report and who they should report them to. If you’re unsure which significant changes need to be reported, consult with your HR and security teams.

Report suspicious contacts or behaviour

Foreign officials, foreign intelligence services, and commercial, political, or issue-motivated groups can devote considerable energy to accessing information (for example, political, economic, scientific, technological, and military information).

Small pieces of information can all contribute to a valuable picture. Make sure your people understand that a seemingly innocent conversation or contact, such as an email, may be part of a wider intelligence gathering exercise. Contacts can be official (as part of a person’s role), social, or incidental, and can take place in a wide variety of contexts.

Your people should complete a contact report when an official or social contact appears suspicious, ongoing, unusual, or persistent (SOUP) in any respect. This contact could be with:

  • embassy or foreign government officials within New Zealand
  • foreign officials or nationals outside New Zealand, including trade or business representatives
  • any individual or group, regardless of nationality, that seeks to obtain official or commercially sensitive information for which they do not have a valid ‘need to know’.

Attempts to get information may involve techniques such as phishing or tailgating.

Brief people on the risks related to international travel

When your people travel overseas, they could be targeted by foreign intelligence services aiming to get access to classified material.

To protect your organisation and New Zealand’s interests, consider providing advice or briefing your people on the risks and the security measures they need to take. When they return, consider debriefing them to check for any contact that appears suspicious, ongoing, unusual, or persistent (SOUP).

Your employees, contractors, and secondees should:

  • consult your chief security officer before travelling to check if a security briefing is necessary
  • know what methods foreign agents may use to gather information
  • understand how to protect your organisation’s information and assets
  • know what information they must protect
  • know what information they can share and trade
  • be aware of how to manage electronic equipment.

More advice

Security advice for New Zealand Government officials travelling overseas on business

Carry out checks for national security clearance holders

For people who hold a national security clearance, in addition to your general ongoing suitability checks, you must:

  • provide annual security awareness updates
  • conduct security briefings
  • ensure they report any change in their personal circumstances
  • ensure they report any suspicious contacts
  • manage any emergency access to classified material
  • report changes to their security clearance level
  • review their security clearances.

More guidance

Recruiting and managing national security clearance holders 

Guide to managing national security clearance holders

Manage role changes

It’s common for people to enter an organisation in one role and then move to another role with greater responsibilities and a higher risk profile. Not completing proper checks for the new role because the person is ‘known’ to your organisation increases the risk of problems.

Before you confirm a person in a new role, make sure you complete all required pre-employment checks and/or ongoing suitability checks to the level required for the new role.

Page last modified: 16/12/2019
