Principle 1
Organisational accountability
New Zealand government agencies who handle government information must establish the conditions that enable people to handle government information correctly and safely.
Agency heads own their organisation’s approach to classification and security and invest in ongoing capability and improvement. The Classification System policy and principles are embedded within their organisation’s policies and procedures and people are supported to encourage desired behaviour.
Policy statement – Agency heads must establish an organisational classification policy and procedures in line with the Classification System and ensure that all people who handle government information do so correctly and safely.
The following requirements should be considered when establishing classification policies and procedures.
Resource and invest – Agency heads must own and maintain their organisation’s approach to classification and security, and resource and invest in ongoing capability and improvement commensurate with the risks of information compromise that the organisation faces.
Obligations – Government information and assets must be handled in accordance with all relevant legislation, the Classification System, and regulatory requirements, including any international agreements and obligations. Agencies understand their obligations and build these requirements into the organisational classification policy and procedures.
Availability and transparency – Under legislation such as the Official Information Act 1982, Local Government Official Information and Meetings Act 1987, Privacy Act 2020, and Public Records Act 2005, agencies have an obligation to make government information available unless there is a good reason to withhold it. The relevant legislation sets the criteria for withholding information. Agencies must consider the public right to government information and define how they will meet these obligations within their organisational classification policies and procedures. This principle supports the core values of government transparency, accountability, and public participation. Information should be considered open, unless there is a compelling reason to withhold it.
Protection – Classification drives the appropriate security of the information. Classified information must be protected to ensure its availability, integrity, and confidentiality commensurate with its classification. Protection of classified information is controlled through appropriate personnel, physical, and information security mechanisms as defined within the PSR and NZISM.
Originator-controlled – The authority to classify or declassify rests with the originator and the organisation or government that controls the information. To ensure information is protected across its whole lifecycle, the originator and organisation or government that controls the information are responsible for establishing, communicating, reviewing, and managing how the information is handled by everyone with access to it. Agencies’ classification policy and procedures must detail how originator control will be maintained over the information’s lifecycle.
Partner information – Government information or assets received from or exchanged with external partners must be protected in accordance with legislative or regulatory requirements, including any international agreements and obligations. This policy applies equally to information entrusted to the New Zealand government by others, such as foreign governments, international organisations, NGOs, private organisations, and private individuals. Agencies’ policy and procedures must detail the partner information security and management requirements and how these will be adhered to and monitored.
Education and training – Agency heads must provide their people with timely and ongoing classification training, assess their understanding and ensure that they have the ability to fulfil their government information obligations within the Classification System. This includes training on how to securely handle government information, including how to classify it, how to share it, and how to declassify it. This training should form part of the agency’s wider information management and security training.
Regular reviews – Information sensitivity will change over the information lifecycle. The organisation’s policy should prescribe when subsequent reviews of classification levels and protective markings are to take place for particular information types as part of its information and records management practices. The purpose of the review is to ensure that the protective markings were correctly applied initially and are still appropriate for the information as the information ages or changes. Outcomes of reviews should be tracked, reported and used as learning opportunities.
Measuring function and performance – In line with PSR GOV8 (Assess your capability), agency heads must ensure that their organisation’s classification capability and performance are assessed using the PSR Capability Maturity Model and annual PSR assurance process as part of their overall protective security programme.