To protect government-held resources, your organisation must ensure that access to information and assets is only given to suitable people. Your personnel security measures should start at the pre-employment stage and continue throughout the personnel lifecycle.
Although people can be an organisation’s greatest asset, they can also be a weakness. Personnel security protects people, information, and assets by enabling an organisation to:
- reduce the risk of harm to its people, customers, and partners
- reduce the risk of your information or assets being lost, damaged, or compromised
- have greater trust in people who access official or important information and assets
- deliver services and operate more effectively.
Robust security practices are required to protect an organisation’s people, information, and assets. When an organisation’s personnel security measures are well designed and implemented, they reduce the risk of insider threat.
An organisation needs to understand and effectively manage personnel security risks across the personnel security risk management cycle [PDF, 115 KB] to reduce the risk of insider threat. The ongoing cycle consists of three key activities:
- assess personnel security risks
- manage personnel security risks, and
- evaluate how effectively personnel security risks are managed.
The PERSEC mandatory requirements are the core personnel security requirements that mandated government agencies must follow, and other organisations should adopt as best practice. Additionally, all public sector agencies and statutory Crown entities are required to follow PERSEC 1 under the Public Service Commission’s Workforce Assurance Model Standard (publicservice.govt.nz). The standard outlines additional expectations on organisations when recruiting staff, investigating serious misconduct, and using settlement agreements (including confidentiality and non-disclosure statements).
PSR Policy Framework — PERSEC
This section provides a high-level overview of the PSR PERSEC mandatory requirements. To understand, implement, and comply with the PSR PERSEC mandatory requirements, please refer to the following documents:
PERSEC 1
Recruit the right person
Ensure that all people working for your organisation (employees, contractors, and temporary staff) who access New Zealand Government information and assets:
- have had their identity established
- have the right to work in New Zealand
- are suitable for having access
- agree to comply with government policies, standards, protocols, and requirements that safeguard people, information, and assets from harm.
Pre-employment checks are the foundation of good personnel security. They reduce the risk of a trusted person harming an organisation. Pre-employment checks allow an organisation to:
- confirm the identity, eligibility, suitability, and capability of a person being recruited, and
- find out if an applicant has concealed important information or misrepresented themselves.
PERSEC 1 includes the following requirements:
PERSEC 1.1 Carry out baseline checks for all roles
An organisation needs to ensure that pre-employment checks are carried out on personnel it is considering directly employing or otherwise engaging, including contractors, temporary staff, secondees, and existing employees moving between roles (herein referred to as ‘personnel’).
- Confirm identity and nationality
- Confirm the right to work in New Zealand
- Check references with former employers
- Conduct a criminal record check
PERSEC 1.2 Conduct additional checks where an increased security risk is identified
Additional checks may be required to manage the additional risks individuals in specific roles may present. The additional pre-employment checks conducted will depend on various factors such as the organisation’s security context and culture, legislated requirements, and operating environment. Identify the roles requiring additional pre-employment checks and have policies and procedures for undertaking these. For example, the following additional checks may be required:
- Psychometric testing
- Checks of qualifications and/or occupational registrations
- Credit checks
- New Zealand Police check
- Drug and alcohol checks
PERSEC 1.3 Address any concerns from pre-employment checks
Organisations need to be alert to warning signs from pre-employment checks. These are factors that, on their own or together, may raise concerns about a person’s integrity and suitability to work in an organisation. See the policy framework for more information.
- Create a risk management plan if necessary
- Record what is discovered
PERSEC 1.4 Set the right expectations
Organisations need to set clear expectations about security and ensure personnel are informed of security policies and practices as soon as possible.
Note: Higher-risk roles requiring a National Security Clearance have a different set of personnel security requirements as set out at PERSEC 4.
Refer to the PSR Policy Framework documents for details on the required and recommended measures to comply with the PERSEC 1 mandatory requirement.
Guidance and resources
PERSEC 2
Ensure their ongoing suitability
Ensure the ongoing suitability of all people working for your organisation. This responsibility includes addressing any concerns that may affect the person’s suitability for continued access to government information and assets.
People and their circumstances can change over time or suddenly as a reaction to an event. It is important to monitor your personnel’s ongoing suitability. Managers and co-workers are in the best position to notice changes in a person’s behaviour or attitude.
PERSEC 2 includes the following requirements:
PERSEC 2.1 Carry out minimum requirements to ensure ongoing suitability
Organisations need to ensure the ongoing suitability of their personnel and consider adoption of measures such as:
- Ensure personnel report personnel security concerns and incidents
- Assess and respond to personnel security concerns and incidents
- Provide ongoing security awareness training and updates
- Manage personnel suitability and integrity concerns
- Provide support for managers when staff display concerning behaviours
- Set up internal wellbeing support and/or employee assistance programme
- Establish an insider threat programme.
PERSEC 2.2 Carry out ongoing suitability checks for higher risk roles
When an organisation identifies an increased security risk related to a role or the nature of its work, it may be necessary for an organisation to carry out additional ongoing checks. The checks applied will depend on a range of factors, including organisational security context and culture, and operating environment.
- Ensure significant changes in personal circumstances are reported
- Ensure suspicious contacts are reported
- Brief people on the risks related to international travel
PERSEC 2.3 Manage role changes
It is common for people to enter an organisation in one role then move to another role with different responsibilities and/or a higher risk profile.
- Undertake appropriate checks on personnel changing roles
PERSEC 2.4 Manage contractors
Contractor access to information and assets comes with the same security risks as for permanent employees, as well as additional risks associated with their temporary appointment, potential conflicts of interest, and primary relationship to a third party.
Note: Higher-risk roles requiring a National Security Clearance have a different set of personnel security requirements as set out at PERSEC 4.
Refer to the PSR Policy Framework documents for details on the required and recommended measures to comply with the PERSEC 2 mandatory requirement.
Guidance and resources
- Change of circumstance form [PDF, 275 KB]
- Contact reporting form [PDF, 202 KB]
- Guide to security when hiring and managing contractors [PDF, 965 KB]
- PERSEC lifecycle [PDF, 87 KB]
- Travelling overseas on business – pocket guide [PDF, 320 KB]
- Travelling overseas on business – Protective security guidance for New Zealand travellers [PDF, 1.1 MB]
PERSEC 3
Manage their departure
Manage people’s departure to limit any risk to people, information and assets arising from people leaving your organisation. This responsibility includes ensuring that any access rights, security passes, and assets are returned, and that people understand their ongoing obligations.
When a person leaves your organisation, they retain their knowledge of your business operations, intellectual property, official information, and security vulnerabilities. Managing their departure well will reduce the risk of this knowledge being misused.
Whether a person is leaving by choice or not, a positive exit experience reduces the risk they will misuse their knowledge of business operations, intellectual property, official information, or any security vulnerabilities.
PERSEC 3 includes the following requirements:
PERSEC 3.1 Remove access and collect assets
PERSEC 3.2 Conduct debriefs and confidentiality agreements
Note: Higher-risk roles requiring a National Security Clearance have a different set of personnel security requirements as set out at PERSEC 4.
Refer to the PSR Policy Framework documents for details on the required and recommended measures to comply with the PERSEC 3 mandatory requirement.
Guidance and resources
PERSEC 4
Manage national security clearances
Ensure people have the appropriate level of national security clearance before they are granted access to CONFIDENTIAL, SECRET and TOP SECRET information, assets or work locations.
Manage the ongoing suitability of all national security clearance holders to hold a clearance and notify NZSIS of any changes regarding their clearance.
The process of gaining a national security clearance ensures your people can be trusted to safeguard classified information, assets, or work locations. Once cleared, your organisation is responsible for managing their ongoing suitability to hold a clearance.
Government organisations can sponsor personnel to hold a national security clearance to enable the granting of access to CONFIDENTIAL, SECRET, and TOP SECRET information, assets or work locations. Once granted, the government organisation becomes the sponsor of the clearance and is responsible for managing the clearance holder in accordance with PERSEC 4.
PERSEC 4 includes the following requirements:
PERSEC 4.1 Determine the clearance level needed
Based on the duties and responsibilities of the role being filled, organisations need to assess and consider the requirements for the level of security clearance including the classification of the information, assets, and work locations they will need access to, the duration of the access, and if they will need access to sensitive compartmented information. Refer to PERSEC Appendix A Security Clearance Levels for more information.
- Considerations for determining the required clearance level
- Considerations for access to classified and sensitive compartmented information
- Considerations for short term or temporary access
PERSEC 4.2 Determine eligibility and suitability for a national security clearance
Organisations need to ensure that candidates are eligible and suitable for holding a national security clearance. You should share information with the candidate about the type of information that they will need to disclose to NZSIS in the vetting questionnaire.
- Be transparent with applicants on requirements for a national security clearance
- Check eligibility for vetting
- Check suitability for holding a clearance
- Request NZSIS vetting for a clearance
- Decide whether to grant a clearance
- Advise vetting applicants about clearance decisions
PERSEC 4.3 Ensure the ongoing suitability of clearance holders
Organisations need to consider personnel security throughout a national security clearance holder’s employment or sponsorship. While recruitment and departure processes offer clear opportunities to manage the risks associated with a clearance holder, the most challenging and critical stage of the personnel security lifecycle is managing the clearance holder throughout their employment.
- Provide security policies and practices for clearance holders
- Provide specific security awareness training for clearance holders
- Conduct security briefings for clearance holders
- Prepare clearance holders for international travel
- Ensure clearance holders report changes in personal circumstances
- Conduct an annual security appraisal process
- Ensure clearance holders report concerns about other people
- Ensure clearance holders report suspicious contacts
- Ensure clearance holders minimise risks from social media use
PERSEC 4.4 Manage security clearances
Managing a national security clearance holder includes monitoring any concerning behaviour, reporting and responding to security incidents involving them, managing their emergency access to information, assets, or work locations, and managing changes to their security clearance level (including renewing, extending, transferring, sharing, upgrading, downgrading, or cancelling a clearance).
- Monitor for concerning behaviour and incidents
- Respond to security breaches
- Manage changes to security clearances
- Manage emergency access to classified information, assets, or work locations
PERSEC 4.5 Manage the clearance holder’s departure
When a national security clearance holder leaves an organisation, they retain their knowledge of the organisation’s business operations, intellectual property, classified information, and security vulnerabilities. Managing clearance holders’ departure well will help to reduce the risk of this knowledge being misused. When a clearance holder leaves the organisation, organisations need to undertake baseline PERSEC 3 activities and:
- Remind the clearance holder of their ongoing obligations
- Cancel their security clearance
- Debrief access from sensitive compartmented information.
Refer to the PSR Policy Framework documents for details on the required and recommended measures to comply with the PERSEC 4 mandatory requirement.
Guidance and resources
- Assessing and acting on changes in circumstances (infographic) [PDF, 141 KB]
- Contact reporting form [PDF, 202 KB]
- Guide to managing national security clearance holders [PDF, 683 KB]
- PERSEC lifecycle [PDF, 87 KB]
- Personnel security risk management lifecycle [PDF, 115 KB]
- Travelling overseas on business – pocket guide [PDF, 320 KB]
- Travelling overseas on business – protective security guidance for New Zealand travellers [PDF, 1.1 MB]