Investigating security incidents

A security investigation establishes what caused the incident and how far it compromised or threatened the security of people, information, or assets. 

Apply the principles of fairness

The principles of procedural fairness apply to all investigations. People whose rights, interests or expectations are affected should be told the case against them, and given an opportunity to be heard by an unbiased decision-maker.

The actions that result from an investigation must be fair. More information is in Procedural fairness requirements.

Understand the likely outcomes of an investigation

Outcomes of an investigation may include:

  • dismissal of the disciplinary charge(s)
  • training/education
  • changes to administrative or security policies, procedures or practices
  • security outcome, including potential loss of security clearance
  • referral to an outside agency for further investigation or prosecution
  • disciplinary action.

Interim measures while an investigation is underway

In some circumstances it will be appropriate to take interim security measures while an investigation is underway. What is appropriate will be different in every case. You need to balance the need to protect your people, information, or assets with your employment obligations of natural justice.

Interim measures you may consider include:

  • conducting an audit of relevant information
  • monitoring computer usage
  • monitoring building access
  • limiting computer access
  • removing computer access
  • limiting after-hours access to the place of work
  • removing access to a place of work (following a decision to suspend, made after due process has been followed).

Any response must be justifiable and proportional to the concern held, and appropriately directed to protect any people, information, or assets potentially at risk. It must be an interim step to protect your people, information, or assets while the security investigation is underway.

In most circumstances it will be appropriate to tell the employee what interim measures are being taken, particularly where the employee remains in the workplace. For example, limiting access to a building or a system should be clearly explained. The employee should be told that security measures are being taken, that they are interim while the security investigation is ongoing, and that they do not signal predetermination. The measures must be targeted to the concerns held and not arbitrarily applied.

However, there will be instances where notifying the employee about the interim measures is not appropriate. For example, when monitoring of computer use is considered necessary, notifying the employee might compromise the purpose of the monitoring. 

Early engagement with HR is essential to ensure appropriate security measures are taken while also balancing employment obligations of natural justice.

Who needs to be involved?

If you initiate a security investigation, get advice from the police or NZSIS when a violation may involve national security or criminal behaviour.

If an incident requires more than one type of investigation, work with the other agency(ies) to determine priorities and an investigative approach.

The role of a criminal investigation

A criminal investigation gathers evidence that may lead to bringing offenders before the courts.

You may need to hold a criminal investigation in cases such as fraud, theft, and unauthorised disclosure of official information.

Information gathered in a security investigation may not be satisfactory in a criminal investigation.

The role of a security investigation

The purpose of a security investigation is to establish what has happened and how. It is not to establish whether a criminal offence has been committed, to aid prosecution, or to resolve employment or code of conduct disputes.

A security investigation focuses on establishing:

  • the nature of the incident
  • how the incident occurred
  • what circumstances led to the incident
  • who was involved
  • the degree of damage to national security interests
  • procedures needed to prevent a similar event or reduce its likelihood.

If a security investigation gives way to a criminal investigation, from then on you need to use procedures for a criminal investigation and for gathering evidence that is admissible in court.

Set procedures for investigating security incidents

Your organisation should set policy and procedures for investigating security incidents. The policy and procedures should cover the following requirements.

Responsibilities and actions:

  • Responsibilities of the investigator and senior management
  • What to do when you get a complaint or allegation, including anonymous allegations and reports from whistleblowers
  • Terms of reference for the investigation
  • When to refer security investigations to the NZSIS, police or other outside agencies.


  • Standards of ethical behaviour by investigators, recording activities, and how you manage investigation cases
  • Procedures for operations like holding interviews.

Requirements for reporting:

  • Maintaining detailed file notes
  • Keeping senior management informed of the progress
  • A final report that includes background information
  • Summary of major findings and recommendations.

Select an investigator

Appoint an investigator who is appropriately trained and qualified. They should be impartial. They must not have a conflict of interest, real or apparent, in the investigation.

If the investigator you appoint does not have the power or authority to collect any evidence, or if a conflict of interest comes up, refer the investigation to a person or agency with the necessary delegations.

More information is in Procedural fairness requirements.

Understand the role of an investigator

An investigator’s key tasks should include:

  • understanding the incident and the terms of reference
  • identifying the relevant law, policy or procedures
  • gathering all relevant facts
  • verifying whether the incident is an offence
  • reporting the findings, and the reasons for the findings
  • making recommendations.

Determine the nature of the investigation

At the start, assess:

  • whether the investigation is likely to be a criminal, security or other type of investigation
  • resources needed
  • legal boundaries for the investigation
  • authorisation needed
  • nature of the possible outcome.

Set the terms of reference for investigations

The terms of reference should be clear, comprehensive, and include any limits. They could include:

  • the background
  • resources allocated (for example, people, financial)
  • timeframes
  • types of inquiries to be conducted
  • powers of the investigating officer to collect evidence
  • the format for reporting
  • any special requirements or factors specific to the investigation.

Also cover how the investigator will collect evidence, such as:

  • from policies, processes, and practices
  • from relevant records and material
  • through interviews
  • by search and surveillance.

At the start of an investigation, appoint a senior staff member to approve the terms of reference and the investigation plan.

Set processes for holding investigations

Your organisation’s investigation processes should include:

  • general and organisation-specific legislation and powers
  • inter-agency relationships
  • what to do when you receive an allegation (including process for “whistleblowers” under the Protected Disclosures Act)
  • methods for managing and supporting investigations
  • investigation practices
  • investigation report or brief of evidence
  • Information Privacy Principles (IPPs)
  • investigation result and review
  • recovery actions.

Assess the incident

The investigator should assess:

  • relevant laws
  • the nature of the incident
  • the incident’s seriousness and its possible level of harm to the organisation or government
  • whether the incident shows there is a systemic problem
  • whether it is part of a pattern
  • whether it may breach New Zealand law.

Develop an investigation plan

Use the incident assessment to prepare an investigation plan that identifies:

  • the key issues to be investigated
  • any relevant legislation, provisions of a code of conduct, organisation policy and procedures, standards and requirements
  • required evidence
  • methods for collecting the evidence
  • legal requirements and procedures to be followed in collecting evidence
  • allocation of tasks, resources
  • timing.

If the terms of reference and the investigation plan need to change during the investigation, the investigator should consult the person who authorised the investigation.

Gather information

An investigator identifies, collects and presents information proving or disproving the facts relating to the incident. Types of information are:

  • physical
  • documentary
  • oral
  • expert advice.

Record and store all evidence

Investigators should keep a separate file for each investigation. Store it, and any physical evidence, securely.

The file should be a complete record of the investigation. Document every step, including dates and times, all discussions, phone calls, interviews, decisions, and conclusions. Include how physical evidence was handled.

If any protectively-marked information was gathered or created during the investigation, investigators must meet the standards for storage. More information is in How to protect information.

Prepare the investigation report

The investigator should report findings to the commissioning body or the decision-maker. They should identify the reasons for the findings according to the terms of reference, use supporting material, and make recommendations.

Close and review the investigation

An investigation is closed when all reports are completed and evidence is documented and filed.

An independent person, ideally more experienced than the investigator, should review the closed investigation. They should assess the investigation impartially; the review could identify how to improve requirements for future investigations.


Page last modified: 21/02/2024