Classification system

The Classification system provides a framework for assessing the potential harm should government information be compromised and defines the minimum requirements for protecting government information.

The Government Information Security Classification System (Classification system) is the primary way that government information is protected. When used well, the Classification system can also enable and support appropriate sharing of government information and increase transparency and accountability to the public through systematic declassification and release.

This section contains downloadable Classification system resources such as policy and guidance, tools, assessment and training materials, and change management support.

The Classification system is mandated for use by INFOSEC2 of the Protective Security Requirements. To meet this mandatory requirement, your agency must implement the 2022 Classification system policy and requirements.

Classification system policy

Policy overview

The Government Information Security Classification System (Classification System) is owned and promoted by the Director-General of New Zealand Security Intelligence Service (NZSIS), which holds the Government’s functional lead role as the Government Protective Security Lead (GPSL). Cabinet agreed to the Classification System in December 2000 [CAB(00)M42/4G(4)]. The Security and Intelligence Board (SIB) agreed to this policy on 23 March 2022.

This policy describes the Classification System – New Zealand government’s administrative system for the appropriate classification and handling of government information. It is not a statutory scheme but operates within the framework of domestic legislation.

The Classification System is mandatory for use within government departments, ministerial offices, the NZ Police, and the NZ Defence Force. This is aligned with the Cabinet decision in 2014 agreeing which agencies are mandated to follow the Protective Security Requirements (PSR) [CAB (14) 39/38].

The Classification System is made available for use by all other government organisations as a best practice policy framework for classifying, handling and protecting government information. These organisations are encouraged to voluntarily adopt the Classification System.

This Government Information Security Classification System Policy 2022 and supporting guidance came into force on 1 July 2022. Adoption of this policy by mandated agencies is expected to be completed within 2 to 3 years.

The Classification System policy principles

A foundational objective of the Classification System is to encourage and support partnership and collaboration.

The spirit of partnership and goodwill envisaged by Te Tiriti o Waitangi is encouraged and supported in how government information is made available, handled, shared and protected. People work together and are inclusive in the spirit of ‘mahi tahi’. This principle contributes to learning, growth, and innovation of the Classification System to meet the ongoing needs of all New Zealanders.

The Classification System policy is based on these principles:

  1. Organisational accountability
  2. Personal responsibility
  3. Information-sharing
  4. Information declassification.

Principle 1

Organisational accountability

New Zealand government agencies who handle government information must establish the conditions that enable people to handle government information correctly and safely.

Agency heads own their organisation’s approach to classification and security and invest in ongoing capability and improvement. The Classification System policy and principles are embedded within their organisation’s policies and procedures and people are supported to encourage desired behaviour.

Policy statement – Agency heads must establish an organisational classification policy and procedures in line with the Classification System and ensure that all people who handle government information do so correctly and safely.

The following requirements should be considered when establishing classification policies and procedures.

Resource and invest – Agency heads must own and maintain their organisation’s approach to classification and security, and resource and invest in ongoing capability and improvement commensurate with the risks of information compromise that the organisation faces.

Obligations – Government information and assets must be handled in accordance with all relevant legislation, the Classification System, and regulatory requirements, including any international agreements and obligations. Agencies understand their obligations and build these requirements into the organisational classification policy and procedures.

Availability and transparency – Under legislation such as the Official Information Act 1982, Local Government Official Information and Meetings Act 1987, Privacy Act 2020, and Public Records Act (2005), agencies have an obligation to make government information available unless there is a good reason to withhold it. The relevant legislation sets the criteria for withholding information. Agencies must consider the public right to government information and define how they will meet these obligations within their organisational classification policies and procedures. This principle supports the core values of government transparency, accountability, and public participation. Information should be considered open, unless there is a compelling reason to withhold it.

Protection – Classification drives the appropriate security of the information. Classified information must be protected to ensure its availability, integrity, and confidentiality commensurate with its classification. Protection of classified information is controlled through appropriate personnel, physical, and information security mechanisms as defined within the PSR and NZISM.

Originator-controlled – The authority to classify or declassify rests with the originator and the organisation or government that controls the information. To ensure information is protected across its whole lifecycle, the originator and organisation or government that controls the information are responsible for establishing, communicating, reviewing, and managing how the information is handled by everyone with access to it. Agencies’ classification policy and procedures must detail how originator control will be maintained over the information’s lifecycle.

Partner information – Government information or assets received from or exchanged with external partners must be protected in accordance with legislative or regulatory requirements, including any international agreements and obligations. This policy applies equally to information entrusted to the New Zealand government by others, such as foreign governments, international organisations, NGOs, private organisations, and private individuals. Agencies’ policy and procedures must detail the partner information security and management requirements and how these will be adhered to and monitored.

Education and training – Agency heads must provide their people with timely and ongoing classification training, assess their understanding and ensure that they have the ability to fulfil their government information obligations within the Classification System. This includes training on how to securely handle government information, including how to classify it, how to share it, and how to declassify it. This training should form part of the agency’s wider information management and security training.

Regular reviews – Information sensitivity will change over the information lifecycle and the organisation’s policy should prescribe when subsequent reviews of classification levels and protective markings are to take place for particular information types as part of their information and records management practices. The purpose of the review is to ensure that the protective markings were correctly applied initially and are still appropriate for the information as the information ages or changes. Outcomes of reviews should be tracked, reported and used as learning opportunities.

Measuring function and performance – In line with PSR GOV8 (Assess your capability), Agency heads must ensure that their organisation’s classification capability and performance is assessed using the PSR Capability Maturity Model and annual PSR assurance process as part of their overall protective security programme.

Principle 2

Personal responsibility

Everyone who works in or with the New Zealand public sector, including employees, contractors, and suppliers, has a duty to classify, declassify and handle information appropriately. Individual classification, declassification, and sharing decisions are based on an effective risk assessment of the harm and impact of information compromise and in line with the organisation’s classification system policies and procedures.

Policy Statement – Everyone must take responsibility to understand and fulfil their obligations to classify, declassify, and handle information correctly in line with the organisation’s classification policy and legislative, regulatory, and other organisational obligations.

The following requirements should be considered when taking personal responsibility for classifying, declassifying, and handling government information.

Duty to safeguard – Individuals are responsible for protecting government information and assets in their care in line with their classification. Accidentally or deliberately compromising government information without authorisation may lead to harm or damage and can be a criminal offence under relevant legislation (e.g. Crimes Act 1961, Criminal Disclosure Act 2008, Summary Offences Act 1981).

Risk assessment – Individuals must make classification decisions based on the best information available. Decisions must be made transparently, based on a risk assessment that considers the level of harm and the likelihood of compromise.

Harm and impact – Individuals must assess and be able to articulate the level of harm and impact that could eventuate to the organisation, individuals, government, or partners if the information or asset is compromised.

A considered approach – Information is of most value when it can be used appropriately by everyone who could benefit from its use. When assessing the harm of compromise, individuals should consider all audiences who could benefit from its use and look for ways to reach the widest audience to achieve the greatest benefit. When in doubt, individuals should consider whether the particularly sensitive information could be redacted or reframed at a lower classification level to achieve the greatest value of releasing or sharing the information for a specific audience.

Avoid over-classifying – Individuals must use classification appropriately. Over-classifying information causes serious harm, such as limiting access to necessary information, requiring infrastructure to store it and people to manage it, and increasing administration and cost to the New Zealand Government. Government information should only be classified when the result of compromise warrants the expense of increased protection. Government information must be classified and protectively marked at the lowest level possible that will still provide the necessary level of protection for its sensitivity.

Seeking and acting on learning opportunities – Accidental or unintended over- or under-classification will occur, and should be challenged and used as learning opportunities. People should be open to challenging others and being challenged themselves on classification decisions and security behaviours. Agencies should encourage a no-blame culture that focuses on learning and improving classification and handling decisions over time.

Don’t withhold information inappropriately – Individuals must not use classification to withhold information inappropriately. For example, government information should not be withheld to:

  • hide violations of law, inefficiency, or administrative error
  • prevent embarrassment to an individual, organisation, agency, or the government
  • restrain competition
  • prevent or delay the release of information that does not need protection in the public interest.

Principle 3

Information-sharing

Government organisations recognise that appropriately sharing decision-useful information with relevant organisations is a core foundation to protecting New Zealand and New Zealanders from threats, and for realising the potential of information to aid government effectiveness and enable wellbeing of New Zealanders. This is underpinned by a culture of trust between partners that shared information is handled and used appropriately and safely.

Policy Statement – Agency heads must ensure that policies and procedures for handling classified information reinforce the value of information-sharing, collaboration, and cross-partner trust. They must implement effective and safe information-sharing practices within their agency and with other trusted partners. People are supported and empowered to achieve decision-useful sharing appropriately and safely.

The following requirements should be considered when establishing organisational information-sharing policies and procedures.

Stakeholders’ needs – Agencies must understand the stakeholders they should share classified information with or collaborate with to achieve good stewardship of government information and get the maximum benefit of the information for all New Zealanders. Agencies should look beyond their common information-sharing partners including other sector government organisations, international partners, local government, civil defence, hapū, iwi, and local communities. Agencies must work collaboratively to understand stakeholder needs and what decision-useful information-sharing looks like.

Legislative requirements – Agencies must understand their information-sharing obligations under relevant legislation (e.g. Privacy Act), and regulatory or partner agreements that enable and hinder information-sharing across partners.

Information flows and barriers – Agencies should understand how classified information flows between partners (e.g., information types, channels, methods, systems) and identify the barriers to effective information-sharing. Where barriers exist, agencies should prioritise investment in removing those barriers where possible.

Use of information-sharing instruments – When appropriate, agencies should make appropriate use of available government information-sharing instruments (e.g. AISA, MoU). These instruments should include the criteria and rules for sharing between parties and any requirements for handling and declassifying classified information in compliance with their obligations.

Empowering information-sharing – Agencies must establish policies, procedures, and training for sharing classified information. This will give people confidence that they are complying with their obligations, contribute to increased trust in classified information-sharing, and empower people to share information appropriately, safely, and in a timely manner.

Principle 4

Information declassification

Government information must not remain classified indefinitely without being subject to review for declassification as defined within the organisation’s declassification policy. This policy must be in line with the Public Records Act 2005 and information management standards and should be made available to the public to improve transparency and accountability of declassification decisions.

Policy Statement – Agency heads must establish an organisational declassification policy and procedures in line with the Classification System and relevant legislation including Official Information Act 1984, Public Records Act 2005, Privacy Act 2020, and requirements contained in relevant international agreements or arrangements.

The following requirements should be considered when establishing organisational declassification policies and procedures.

Understanding classified information holdings – To inform the design of their declassification policy and criteria, Agencies must have a clear understanding of their classified information holdings as part of their obligations under the Public Records Act 2005 and the Information and Records Management Standard.

Declassification policy – Agencies that hold classified information must have a policy that establishes a systematic approach to declassifying government information. This policy must prohibit the indefinite classification of government information without transparent criteria. This policy should be made available to the public to improve transparency and accountability of declassification decisions.

Declassification criteria – Not all information may be suitable for declassification if it is of short-term or low value. Within the classification policy, decision makers need to set up and use criteria to clearly articulate the rules for declassification in the organisation (e.g. information types, review periods, harm test rules, declassification topics and priorities). These criteria should be consistent with information and records management practices and decisions (e.g. appraisal, sentencing, and disposal). The criteria should be used to prioritise how resources are allocated and to agree the scope and plan for a declassification programme. These criteria should be clear, transparent and objective and reflect the expected value to New Zealand of the declassification programme.

Declassification governance – Agencies must establish an appropriate governance framework for declassification. Governance must ensure that investment in declassification delivers value for the public, set precedents for reviews, arbitrate declassification decisions when conflicting opinions arise, and make final decisions on declassification matters that are referred for consideration.

Declassification programme – Agencies must appropriately resource and establish a regular programme for declassifying government information in line with their policy and priorities. Agencies must report transparently on the progress, results, and expected value that the programme delivered.

Legislation requirements

Under section 14 of the Bill of Rights Act 1990, everyone has the right to seek, receive, and impart information. As government holds information that has the potential to harm national or personal interest and security of the public, constraints on this right have been enacted by legislation.

The main pieces of legislation that govern the collection, disclosure and use of government information are the Official Information Act 1982 (OIA), and the Privacy Act 2020. The OIA requires that information is made available on request unless there are specific grounds for refusal. The Privacy Act provides a right of access to an individual’s personal information about themselves. It also protects against other infringements on the right to privacy including unjustified collection, use and disclosure of personal information.

Outside of requests from the public, there is also legislation that governs the life-cycle of government information. This includes the length of time it can be held, where it is held, how it is disposed of, what it may be used for while held by the government, and the standards to which these activities must be met.

New Zealand Public Service organisations and third parties that handle government information must consider all of the legal requirements to make available, manage, and protect government information. They do this under relevant legislation, cabinet directives, strategies, and standards such as:

If legislative or regulatory requirements require higher security measures than the minimum requirements in the classification system, apply the legislated or regulated measures.

Official Information Act 1982

The OIA provides a statutory framework for processing requests for official information. The OIA generally applies to all information held by government agencies, subject to specific exceptions.

The Classification System sits alongside the OIA as an added protective measure with specific emphasis on how certain government information must be handled.

The purpose of the OIA is to increase the availability of information and protect information in the public interest. Sections 6, 7, 9, and 10 provide grounds for refusing requests for official information, based on the need to prevent specified harms arising from the disclosure of the requested information. Only those harms recognised by the OIA justify protection – otherwise there is no basis for withholding the information – irrespective of its classification.

USER TIP: Sections 6 and 7 provide conclusive grounds for withholding official information, relating to national interest and safety. Section 9 provides justification for withholding official information unless there is an overriding public interest in release of the information.

If compromise of government information would create harm in any of the following groupings, there may be justification to withhold the information:

  • Defence or security of New Zealand, Cook Islands, Niue, Tokelau, the Ross Dependency or its allies
  • International relations of New Zealand, Cook Islands, or Niue
  • Maintenance of law and order including crime prevention, law enforcement, and right to fair trial
  • Personal harm to members of the public including their health, safety, dignity, liberty, financial status, commercial position, assets, privacy, and identity
  • New Zealand economy or economic interest
  • Ministers’ and public service organisations’ operations, including their commercial activities and negotiations
  • Maintenance of legal privilege
  • Maintenance of constitutional conventions including confidentiality of communications by or with Sovereign or her representatives, confidentiality of advice by Ministers of the Crown and officials, political neutrality, and ministerial responsibility
  • Maintenance of the effective conduct of public affairs including the ability to provide free and frank expression of opinions and protections from improper pressure or harassment
  • Supply of information provided in confidence where it is in the public interest that information should continue to be supplied or release of it would damage public interest.

See also: Official Information Act 1982

The Privacy Act 2020 provides the legislative framework for access and protection of an individual’s own personal information. (Personal information is a subset of official information. Requests for personal information about third parties are dealt with under the OIA.) The Privacy Act governs all personal information, including information held by public and private agencies. The Privacy Act has thirteen principles that businesses and organisations must follow when collecting, using, and storing personal information. The principles are designed to ensure personal information is protected and respected.

Personal information may sit within a classified document. However, as with all other official information, the protective markings on the document do not preclude the personal information from being released if it is requested. The Privacy Act gives individuals the right to ask any agency (with a few exceptions) for access to the personal information that an agency holds about them. So, if the request is for personal information about the requester, the Privacy Act will apply (even if the information is also official information).

The presumption under the Privacy Act is that individuals will be entitled to their information, unless one of the limited withholding grounds set out in the Privacy Act applies.

Under the Official Information Act any person or agency may ask a public sector body for any information that agency holds.

The presumption under these two Acts is also in favour of releasing information. However, there is a range of withholding grounds which allow public sector agencies to withhold official information.

Part 4 of the Privacy Act outlines the conditions for the access to, and correction of, personal information. It also provides the grounds for refusing access to personal information:

  • Security, defence and international relations of New Zealand, Cook Islands, Niue, Tokelau, the Ross Dependency, or its allies
  • Protection of the Individual
  • Trade secrets and Commercial position
  • Evaluative Material
  • Maintenance of Law and Order
  • Unwarranted disclosure of another person’s affairs
  • Maintenance of legal privilege

There are also Codes of Practice issued by the Privacy Commissioner which modify the application of the Information Privacy Principles for certain sectors or types of information. For example, the Health Information Privacy Code 2020 provides the definition, and specific conditions for the collection, handling and release of health information. A thorough consideration of all legislative requirements regarding personal information is important when responding to a Privacy Act request.

See also: Privacy Act 2020

The Public Records Act 2005 provides the legislative basis for the creation, disposal and management of government information and public records in all its forms. Through its provisions the PRA supports the accountability of the New Zealand government and provides the public with confidence in the integrity of the records of government.

Part 3 (Public Access) of the Act sets out the requirement to determine the access status of those public records which have been transferred to Archives New Zealand or are subject to mandatory transferral (that are 25 years or older). The Act determines that the status for these records should be open access unless there is good reason to restrict public access. It also allows for appropriate access conditions to be set to govern access requests to restricted material.

See also: Public Records Act 2005