Creating a policy for protective marking of documents

Keep your valuable information safe with a comprehensive policy for protective marking of documents

GOV004

Set your policy objectives

In your policy, aim to:

  • identify the value of your information
  • determine the level of protective marking needed, based on the impact if the confidentiality of the information was compromised
  • mitigate risks to your information security, while enabling information sharing
  • balance the need to make information as widely available as possible with protecting the national interest and national security.

Base your policy on the New Zealand Government Security Classification System.

Consult widely

To make sure your protective marking policy is as comprehensive as possible, consult representatives from every section of your organisation.

If your organisation has several functions, you may need more than one policy, or a section in your policy for each function.

You may also need policies to help your business partners mark classified information they create on behalf of your organisation.

Remember to consider whether your policy itself needs protective marking (either the whole policy or any individual parts).

Group information by type and potential harm

In your policy, consider grouping information by type and potential harm to make it easier for your people to select the right level of protective marking. 

Examples of groupings for types of information are:

  • client information
  • financial information
  • personnel information
  • project information – you might group projects with similar objectives or processes.

Examples of groupings for levels of potential harm are:

  • individuals
  • organisations
  • your organisation
  • the government
  • the national interest or national security.

Develop a protective marking guide

To develop the right guidance, consider:

  • the capabilities of your ICT systems to label, store and transmit information
  • your archiving processes
  • your disposal processes, following the Public Records Act 2005
  • how you will protect the integrity of information
  • who will be accountable and responsible for protectively-marked material.

Handling Requirements for Protectively Marked Information and Equipment has more information.

Say which information needs marking

In your guide, provide a summary of the types of information that need protective markings, based on:

  • the impact if confidentiality is compromised
  • specific sensitivity concerns that require endorsement and/or compartmented markings
  • any provisions for legislative secrecy.

Remember to include a process for information generated from protectively-marked information that has come from other sources. Give guidance on:

  • marking information at the same level or higher than that received
  • requesting permission to use the information at a lower level.

You also need a process for information from foreign governments. It must be handled according to any agreement with the foreign government.

State how to apply protective markings

Give instructions on how to apply protective markings to:

  • documents through templates or manually
  • files in your records management system
  • document metadata in your electronic records management systems
  • emails (include what types of information can be emailed and to whom).

Consider including how to apply timeframes to information that is event-specific.

Include a review and declassification process

Have processes for reviewing and declassifying protectively-marked information.

Archiving protectively-marked information can create high administrative and financial costs. As the impact of most information changes over time, you should have processes to review the protective markings.

Add other instructions as needed

If not included elsewhere in your information security processes, cover:

  • storage advice, including storage within your organisation and with external providers
  • how to transfer information to other agencies
  • your destruction processes (in line with the Public Records Act 2005), including where shredders and bins are and how to use them correctly.