The Classification System is a best-practice framework for protecting and sharing government information. Follow this guidance to adopt it within your organisation.
In this section you will find guidance on:
The Royal Commission of Inquiry (RCOI) into the terrorist attack on Christchurch masjidain made a number of recommendations towards the objective that, ‘public sector agencies can and should share information more widely’.
In particular, the RCOI referenced the need to classify information correctly and to use the need-to-know principle to enable rather than restrict information sharing.
The 2022 changes have not fundamentally changed the Classification System; rather they have introduced a change in emphasis to meet the RCOI recommendations.
By implementing the policy, the following outcomes are sought:
The structure, levels and definitions of the New Zealand Government Information Security Classification System (Classification System) are not changing as a result of this project.
For those familiar with the Classification System, changes are mostly about a change in emphasis to promote information sharing. Those with existing knowledge will not need to learn new rules about how to classify and protect information. However, experienced agencies can use the new plain English guidance aimed to make it easier to classify and protect information.
Specifically, the following topics have changed. Review the updated content to determine how your practices may need to change.
| Topic | Nature of the change |
| Classification System Policy Classification System Policy (PDF) [PDF, 86 KB] |
To enable the RCOI recommendations, the new Classification System policy includes four overarching principles and clarifies the requirements and behaviours expected by agencies. This include new principles and policies to support information sharing and declassification. While these changes do not substantively change the Classification System itself, they are designed to encourage some change in how it is applied. |
| Classification System | The PSR website section on the Classification System has been updated to reflect the revised policy and provide plain English guidance to support its use and adoption. This includes new or revised guidance on: Minor website layout changes have been introduced to make it easier to find new or changed content on the site. |
| Classification System Resources | There are new or updated Classification System resources for your use including online training modules, FAQs, and other downloadable documents, campaign collateral, and tools. |
| Secure handling requirements (now under How to protect information) | The secure handling requirements have largely not changed. We have moved them into a new section called 'How to protect information' and created or updated the following sections:
|
The policy became effective on 1 July 2022. However, we understand that it will take agencies some time to implement them in their organisation.
PSR mandated agencies
PSR mandated agencies will first be assessed against the changes in March 2024. The table below shows the key actions required of PSR-mandated agencies.
Agencies will typically begin gathering evidence around November each year to be ready to submit their self-assessment in March the following year. By this assumption, PSR-mandated agencies will need to have made any required changes by the end of October 2023 in order for these to be captured in the March 2024 self-assessment.
| July 2022 | July 2022 to March 2023 | March 2023 | March 2023-2024 | March 2024 |
| Release of new policy | Agencies agree what maturity level to target for the March 2024 self-assessment. Agencies assess and plan how they will adopt the classification system policy. |
Agencies report back on their classification improvement plan in PSR self-assessment report. | Agencies develop and new policies, processes and guidance required to implement. Nov 2023: Agencies begin gathering evidence for the self-assessment. Agencies continue classification improvement plan. |
First receipt of self-assessment from PSR-mandated agencies. |
This gives agencies about 16 months to make changes once the new policy is introduced. Agencies will need to make their own assessment about how much change is realistic. For example, an agency may choose to target a ‘basic’ maturity level initially, if their risks are low and it does have the resources to meet all the requirements of a higher maturity level.
Please note, if the agency chooses to target ‘basic’, they will not ‘meet’ the mandatory requirement for INFOSEC2 in the November 2023 to March 2024 self-assessment round.
Non PSR mandated agencies
Agencies that are not PSR mandated are not required to complete the PSR self-assessment process. However, the PSR guidance and self-assessment requirements do give a clear indication of what best practice looks like.
All agencies are encouraged to consider these requirements against their own business needs and to consider what changes they may need to adopt to better manage their protective security.