Why classification matters
The Government Information Security Classification System (Classification System) is owned and promoted by the Director-General of New Zealand Security Intelligence Service (NZSIS), which holds the Government’s functional lead role as the Government Protective Security Lead (GPSL). Cabinet agreed to the Classification System in December 2000 [CAB(00)M42/4G(4)]. The Security and Intelligence Board (SIB) agreed to the 2022 policy on 23 March 2022.
Use of the Classification System is the primary way government information is protected from compromise.
Government information is all information, regardless of form or format, including documents, data, audio recordings and visual images. The New Zealand government collects, stores, processes, generates, or shares information to deliver services and conduct business. This includes information from or exchanged with the public, external partners, foreign governments, contractors, or consultants and includes email, phone calls, verbal conversations, text messages, metadata, and datasets.
Government information is a key strategic asset that enables both short-term and long-term outcomes that benefit all New Zealand and requires an appropriate degree of protection to keep it safe and available to those who need it. Government information therefore needs to be appropriately classified to achieve this result.
The New Zealand Government Information Security Classification System (Classification System) provides a framework for assessing the potential harm should government information be compromised and defines the minimum requirements for protecting government information.
Classification is the practice of assessing the sensitivity of the information and the likely harm that would result from the information being compromised.
All government information requires an appropriate degree of protection to ensure its continued integrity, availability, and confidentiality as required.
There are two types of government information:
- Information that would cause only minimal harm if compromised and does not need special security or handling over and above the standard protections that apply to all government information. This is called ‘unclassified information’.
- Information that would cause harm to individuals, organisations, or New Zealand’s national interest if compromised and needs specific security measures to reduce the likelihood of compromise. This is called ‘classified information’.
The classification defines the sensitivity of the information (i.e. the likely harm that would result from its compromise) and defines the security measures needed to protect it.
Note that a classification is a point-in-time risk assessment made by individuals. Classifications cannot themselves be used to justify withholding information; rather any request for information must be considered on its merits using harm criteria defined within the relevant legislation. See How to classify information for more information.
A classification and any other protective markings help to keep government information secure. Protective markings are a reminder of the sensitivity of the information or equipment and the security measures and special handling requirements that apply to it.
It is important though to get classification right so that information is not:
- over-classified making its access or dissemination inappropriately restricted
- under-classified making it at-risk of being compromised and create harm for New Zealand or its allies.
Both situations are equally harmful to New Zealand and discussed in more detail in the How to classify information section.
Vision: A Classification System that protects and benefits all New Zealanders
Our vision is to have a Classification System:
- that enables and supports the appropriate classification and systematic declassification of government information to improve government transparency and accountability to the public
- that enables information-sharing and purposeful collaboration between those who need it, when they need it
- where all government information is appropriately protected and used to its full potential
- where stewardship of government information benefits all New Zealanders.
The Classification System plays a part within the New Zealand Government’s information management and security ecosystem. The core components of that ecosystem are:
- New Zealand legislation provides our legal obligations for collecting, accessing, handling, releasing, and managing government information appropriately. The main legislation supporting the Classification System includes the Official Information Act 1982, Public Records Act 2005, and Privacy Act 2020.
- Classification System provides a framework for assessing the impact of harm on people, organisations, or government if the information were compromised and defines the minimum requirements for secure handling of information to protect it.
- Protective security requirements (PSR) (which includes the Classification System and New Zealand Information Security Manual (NZISM)) provides a framework for establishing appropriate protective security measures to protect people, information, and assets from harm and compromise. The classification level determines the minimum requirements for personnel, information, and physical security measures and controls defined within the NZISM and PSR.
Page last modified: 20/06/2022