Creating a policy for protective marking of documents

GOV004

Set your policy objectives

In your policy, aim to:

identify the value of your information
determine the level of protective marking needed, based on the impact if the confidentiality of the information was compromised.
mitigate risks to your information security, while enabling information sharing
balance the need to make information as widely available as possible with protecting the national interest and national security.
Base your policy on the New Zealand Government Security Classification System.

Consult widely

To make sure your protective marking policy is as comprehensive as possible, consult representatives from every section of your organisation.

 If your organisation has several functions, you may need more than one policy, or a section in your policy for each function.

You may also need policies to help your business partners mark classified information they create on behalf of your organisation.

Remember to consider whether your policy itself needs protective marking (either the whole policy or any individual parts).

Group information by type and potential harm

In your policy, consider grouping information by type and potential harm to make it easier for your people to select the right level of protective marking. 

Examples of groupings for types of information are:

client information
financial information
personnel information
project information – you might group projects with similar objectives or processes.

Examples of groupings for levels of potential harm are:

individuals
organisations
your organisation
the government
the national interest or national security.

Develop a protective marking guide

To develop the right guidance, consider:

the capabilities of your ICT systems to label, store and transmit information
your archiving processes
your disposal processes, following the Public Records Act 2005
how you will protect the integrity of information
who will be accountable and responsible for protectively-marked material.

Handling Requirements for Protectively Marked Information and Equipment has more information.

Say which information needs marking

In your guide, provide a summary of the types of information that need protective markings, based on:

the impact if confidentiality is compromised
specific sensitivity concerns that require endorsement and/or compartmented markings
any provisions for legislative secrecy.

Remember to include a process for information generated from protectively-marked information that has come from other sources. Give guidance on:

marking information at the same level or higher than that received
requesting permission to use the information at a lower level.

You also need a process for information from foreign governments. It must be handled according to any agreement with the foreign government.

State how to apply protective markings

Give instructions on how to apply protective markings to:

documents through templates or manually
files in your records management system
document metadata in your electronic records management systems
emails (include what types of information can be emailed and to who).

Consider including how to apply timeframes to information that is event-specific.

Include a review and declassification process

Have processes for reviewing and declassifying protectively-marked information.

Archiving protectively-marked information can create high administrative and financial costs. As the impact of most information changes over time, you should have processes to review the protective markings.

Add other instructions as needed

If not included in elsewhere in your information security processes, cover:

storage advice, including storage within your organisation and with external providers
how to transfer information to other agencies
your destruction processes (in line with the Public Records Act 2005), including where shredders and bin are and how to use them correctly.