Personnel Security

PER009

Ensure their ongoing suitability

Effective pre-employment checks reduce the risk of threats to your people, information and assets. However, people and their circumstances can change. Changes can happen over time or suddenly as a reaction to a particular event. You need to make sure that people remain suitable for having access to your information and assets.

PERSEC2 - Ensure their ongoing suitability

Ensure the ongoing suitability of all people working for your organisation. This responsibility includes addressing any concerns that may affect the person’s suitability for continued access to government information and assets.

Because people and their circumstances can change over time, you must monitor changes and events that can affect people.

Ongoing security education helps to keep your people, information, and assets safe from harm.

Baseline checks to ensure ongoing suitability

Report and respond to security incidents

You must have a system in place for reporting and responding to potential and actual security incidents. Managing incidents well helps your organisation to:

  • contain the effects
  • manage the consequences
  • recover as quickly as possible
  • learn from what is found.

At a minimum you must:

  • establish a formal security incident reporting and response procedure
  • report all personnel security incidents to the appropriate people in your organisation
  • make all people aware of their responsibilities and the procedure for reporting security incidents.

Good communication between managers and employees, along with clear security expectations and procedures makes it easy for people to raise concerns, and report changes and incidents.

Provide ongoing security awareness

Your organisation must provide ongoing security education to ensure the ongoing safety and security of staff and to enhance the security culture of your organisation.

  • Make security everyone’s responsibility by increasing people's understanding of security practices and processes.
  • Managers and co-workers are in the best position to notice changes in a person’s behaviour or attitude.
  • Encourage your people to report what they notice and make it easy for them to do so confidentially.

Carry out additional checks for higher risk roles

When you identify an increased security risk related to a specific role or the nature of your organisation’s work, additional checks could be necessary. The checks that you apply will depend on a range of factors including your organisation’s operating environment, security context and culture.

Additional checks you can consider to ensure ongoing suitability include:

  • requiring people to report any significant change in personal circumstances (e.g. a divorce, new partner, bankruptcy, foreign citizenship)
  • requiring people to report any suspicious contacts
  • encouraging people to report any suspicion of ‘insider threat’
  • carrying out an engagement survey to understand people’s satisfaction and level of engagement
  • briefing people on the risks related to international travel
  • carrying out regular New Zealand Police vetting
  • carrying out regular financial or credit checks
  • carrying out drug and alcohol testing.

Report significant changes in personal circumstances

Significant changes in personal circumstances can arise from many different areas: relationships, finances, health, work issues, substance abuse, or new interests and contacts.

These changes can put people under pressure to act irrationally or inappropriately or make them more vulnerable to exploitation by others.

Reporting significant changes in circumstances will help you to manage any risk that an individual could intentionally or unintentional breach your security or be coerced by an external party.

Your people should know which changes of circumstances they need to report and who they should report them to. 

Report suspicious contacts or behaviour

Commercial, political or issue-motivated groups, foreign officials, and foreign intelligence services can devote considerable energy into accessing political, economic, scientific, technological, military, and other information.

Small pieces of information can all contribute to a valuable picture. Make sure your people understand that a seemingly innocent conversation or contact (e.g. email) may be part of an intelligence gathering exercise. Contacts can be official, as part of a person’s role, social or incidental and could take place in a wide variety of contexts.

Your people should complete a contact report when a contact has occurred that appears suspicious, persistent or unusual in any respect, or becomes on going (whether in an official or social capacity) with:

  • embassy or foreign government officials within New Zealand
  • foreign officials or nationals outside New Zealand, including trade or business representatives
  • any individual or group, regardless of nationality, that seeks to obtain official or commercially sensitive information they do not have a valid ‘need-to-know’. This may include various types of social engineering such as phishing or tailgating.

Brief people on the risks related to international travel

When your people travel overseas, for work or personal reasons, there is a risk they could be targeted by foreign intelligence services aiming to get access to confidential information.

To protect your organisation and New Zealand’s interests, brief your people on the risks and the security measures they need to take.

Your people should:

  • consult your chief security officer, or their delegate, before travelling to check if a security briefing is necessary
  • know what methods foreign agents may use to gather information
  • understand how to protect your organisation’s information
  • know what information they must protect
  • know what information they can share and trade
  • be aware of how to manage electronic equipment.

For more information refer to Security advice for New Zealand Government officials travelling overseas

Checks for national security clearance holders

For people who hold a national security clearance, you must:

  • provide annual security awareness updates
  • conduct security briefings
  • ensure they report any change in their personal circumstances
  • ensure they report any suspicious contacts
  • manage emergency access to classified material
  • report changes to their security clearance level
  • review their security clearances.

For more information refer to Recruiting and managing national security clearance holders and Guide to managing national security clearance holders

Manage role changes

It is common for people to enter an organisation in one role then move to another role with greater responsibilities and a higher risk profile. Not completing the appropriate checks for the new role because the person is ‘known’ to the organisation increases the risk of problems.

Make sure that all required pre-employment checks and/or on-going suitability checks have been completed to the level required for the new role before they are confirmed in the role.

Page last modified: 6/06/2019

Supporting documents