FAQs

QUESTION 023

Please see Contact us.

The Protective Security Requirements team provides guidance and support for the adoption and implementation of the Protective Security Requirements.

If you would like to find out more about ways to implement the Protective Security Requirements in your organisation please contact us.

Agencies may be asked to perform a security self-assessment and submit a report to the Protective Security Requirements team.

Agencies will be advised well in advance.

All agencies are encouraged to complete the self-assessment and may choose to also submit reports.

You must report all security incidents to your Chief Security Officer (CSO). The CSO will assess the situation and identify the response, which may include advising the NZSIS or GSCB.

Types of incidents

• Security breach
• Infringement
• Violation

For more information, see Reporting incidents and conducting security investigations.

New Zealand government organisations should take a risk based approach to determining the security measures required to keep their customers, people, information and assets safe.

Key considerations

• Each organisation should make an assessment of threats and risks to determine their own needs.
• The level, and degree, of security measures required in an organisation depends on the size of the agency, the work conducted by the agency (such as whether the agency requires protectively marked material) and the risks they face.

The Protective Security Team is able to provide more advice if required.

More information can be found at the following pages

• Protective security roles and responsibilities
• Implementing a risk based approach to protective security
• Build security awareness

A security breach is an accidental or unintentional action that leads or could lead to, the compromise of safety to your people, the loss or damage of official information or resources.

Examples

• Access passes or identification documents lost or left insecure
• Protectively marked material left in UNCLASSIFIED waste bins
• Protectively marked material not properly secured or stored

Letting your Chief Security Officer (CSO) know

• You must report all security breaches to your CSO
• The CSO will assess the situation and identify the response, which may include advising the NZSIS or GSCB.

Further information about the process following a security breach can be found in New Zealand Government Protective Security Governance Requirements – Reporting incidents and conducting security investigations.

More information

• Protective security roles and responsibilities
• Physical security zones
• Physical security of your ICT assets and facilities
• Handling requirements for protectively marked information and equipment
• Security responsibilities for publicly accessible information systems in your organisation

Before going overseas, whether it’s for work or personal reasons, you need to be familiar with the following four considerations:

On-going eligibility for a security clearance

• Residing overseas may result in an uncheckable background and mean you are not eligible for a national security clearance in the future.

Security of your mobile electronic devices

• You must consider the risks posed if your device is lost, stolen or compromised.
• Government employees should avoid taking work-issued electronic media or devices overseas. If necessary, use specific agency-supplied devices for travel.
• Familiarise yourself with your agency’s overseas policies and procedures.

Reporting contact with foreign government officials

• All government employees should prepare to report any contact with foreign government officials that appear suspicious, persistent or unusual in any respect.
• Ensure you are familiar with the contact reporting form that you will have to complete.

Letting your Chief Security Officer (CSO) know

• Security clearance holders must discuss residence in, or visits to, foreign countries before they occur.

Anyone working for a government organisation, including employees, contractors and service providers, must report suspicious contacts and requests to access your agency’s information and resources to their Chief Security Officer. This is especially important for national security clearance holders.

Be aware of the possible sources of security threats

• foreign intelligence services
• foreign officials
• political groups
• criminal organisations
• commercial businesses
• issue-motivated groups or individuals.

Watch out for people who

• ask for information about other people who work in your agency.
• ask to meet you away from your work environment.
• encourage you to participate in a dodgy or illegal activity.
• offers you hospitality or gifts.
• pay you a lot of attention — flattering you or showing sexual interest.
• are unusually interested in your work or personal activities or some specific aspect of your activities.
• Introduces you to another person who shows the same unusual level of interest.

What do you need to do

When you experience contact that seems suspicious or unusual in any way, you must report it.

Your agency should have a contact reporting form that you can use. If not, please find a contact reporting form at the bottom of this page.

More information can be found on Reporting Incidents and Conducting Security Investigations.

The responsibility for protective security resides with agency heads across government.

However, all individuals working for government are responsible for protective security, particularly clearance holders and those who have security responsibilities relevant to their individual role.

Best practice advice is available advice from:

• New Zealand Security Intelligence Service(external link) (NZSIS)
• Government Communications Security Bureau(external link) (GCSB)

All government organisations must keep New Zealand Government information and resources safe. They need to know they can trust you with access to information or resources that could affect New Zealand’s security.

You need a national security clearance (clearance) if you work for or with a government organisation and need to use information or resources or access locations with a security classification of CONFIDENTIAL or higher. The government organisation decides what clearance level your role needs.

If you require a national security clearance you’ll be vetted by the New Zealand Security Intelligence Service (NZSIS).

When the NZSIS vets you, they check and assess your background. The NZSIS will only do this if they have your consent. The higher the clearance level, the more in depth their checks are.

Once the government organisation you are working for receives a recommendation from NZSIS they will decide whether or not to grant you a national security clearance.

For further information, see New Zealand Personnel Security – National Security Clearances and the New Zealand Government Security Classification System.

If you are transferring directly to another government organisation, your national security clearance may transfer with you.

The transfer process will be managed from one government organisation to another.

Conditions for transferring a clearance

• your original clearance is less than five years old
• your new role requires access to protectively marked information or resources or locations
• the transferred national security clearance is at the same level or at a lower level than the clearance originally granted
• you move directly from one government organisation to another without an intervening period with no security oversight (for example, overseas residence or extensive travel)
• your chief executive, or their delegate, obtains from the clearance holder’s old organisation:
  • a copy of the NZSIS’s vetting recommendation
  • written assurance of your continuing suitability to hold a national security clearance
  • notification of any relevant changes in your personal circumstance since being initially assessed.

Other considerations

• If your original clearance is more that four years old at the time of transfer the new organisation should immediately begin the process to renew your clearance.

Agencies must know and understand the Management protocol for personnel security and follow the guidance for this process contained in the Recruiting and managing national security clearance holders and Manage their departure.

Some changes in your personal circumstances can affect your trustworthiness because they:

• put you under stress
• affect your judgement
• cause conflicts of loyalty
• make it easier for people or groups to influence you or use your access.

Changes in circumstances you need to report

• You start or end a close personal relationship
• You visit a foreign country
• Any of your close relatives move to a foreign country
• You plan to change your citizenship or country of residence
• Your financial circumstances change
• Your health or medical circumstances change
• You are involved in criminal activity, accidentally or deliberately
• You become involved with people or groups that may affect security
• You are in a disciplinary process
• You have breached security or caused a security incident
• You have other changes in personal circumstances that your agency has told you to report.

For further information on these circumstances, see New Zealand Government Personnel Security Management Requirements – Maintaining your national security clearance.

Yes. New Zealand government agencies should recognise your security clearance and you should be able to participate in meetings discussing protectively marked information with employees from other agencies when there is a 'need-to-know'.

Your agency will consider the NZSIS vetting recommendation, and the results of any checks they have done themselves, to help them decide whether to grant you a clearance. The Chief Executive, or head of your agency must approve that decision to make it final.

When your agency’s Chief Executive, or head, has approved the decision, you will be notified.

If the vetting recommendation from the NZSIS contained specific recommendations to manage specific concerns your agency will work with you to establish a security risk management plan. Following the plan is an important part of staying eligible to hold a clearance. As part of this process the recommendation may be discussed with your manager.

Once your clearance is granted you should receive from your agency:

• a briefing on your responsibilities as a national security clearance holder
• other specific briefings relevant to your role
• information on protective security awareness.

For more information please see Build security awareness.

Holding a clearance may be an essential requirement for your role or a condition of your employment. It’s in the best interests of you and your organisation that you remain suitable to hold a clearance.

Your responsibilities as a clearance holder

• Respect the ‘need-to-know principle’
• Report changes in your personal circumstances
• Report concerns about other people
• Report suspicious contacts and requests
• Discuss overseas travel plans with your agency
• Minimise risks from your social media use
• Understand and comply with legislation and policy
• Participate in regular reviews
• Meet the requirements of any security risk management plan.

For more information see National security clearances - Maintaining your national security clearance

If your application for employment is successful, the employing organisation will be responsible for initiating and managing your security vetting and security clearance.

The clearance level you need depends on the highest classification of the information, resources or locations you need to access to do your work.

Are you eligible for a national security clearance?

To be eligible for vetting, you must meet the following three criteria:

• You are a New Zealand citizen or hold a Residence class visa
• NZSIS can check your background details (how far back depends on the clearance level you’re being vetted for).
• You are likely to pass NZSIS and agency checks (your agency must be confident you will pass the NZSIS vetting checks).

Security vetting checks

• When the NZSIS vets you, they check and assess your background.
• The NZSIS will only do this if they have your consent.
• The higher the clearance level, the more in depth their checks are.

Are there specific areas that NZSIS look at?

The NZSIS assesses whether there is a risk you may decide (or be convinced) to use your access inappropriately. They look at the following areas of your life.

• Organisations or people:
  • you are loyal to
  • who may have influence over you
  • you are associated with.
• Personal relationships and conduct
• Financial situation
• Alcohol and drug use
• Criminal history and conduct
• Security attitudes and violations
• Mental health situation.

What about once I get a clearance?

Holding a national security clearance comes with some obligations. As a security clearance holder you must:

• Comply with the New Zealand Government’s rules for protecting classified information
• Comply with your employer’s standards of conduct
• Report any security breaches
• Report changes in personal circumstances (e.g. divorce, a new partner, bankruptcy, foreign citizenship, etc.)
• Report any suspicious contacts or enquiries
• Discuss overseas travel plans with your agency
• Minimise risks from your social media use
• Be ‘security aware’

Your agency will explain your responsibilities in more detail when you are granted a clearance.

You cannot be issued with a temporary national security clearance.

Government organisations must not grant ‘waivers’, ‘interim’ or ‘temporary’ security clearances while waiting for a recommendation from the NZSIS.

What can be done to meet an urgent need?

• Government organisations can submit urgent clearance requests. Agencies should contact the NZSIS to discuss this prior to sending a request.
• During an emergency, a clearance holder’s chief executive, or their delegate, has the authority to grant a clearance holder temporary supervised access to protectively marked information or resources one level above their current national security clearance level.
• Non-clearance holders must not be granted emergency access to material protectively marked CONFIDENTIAL or higher.

Organisations must not use emergency access to grant a clearance holder access:

• for administrative or management purposes (such as helping them gain a position)
• when they are on reassigned duties while waiting for a security vetting recommendation (including a reclassification)
• to protectively marked information or resources that carry an endorsement or compartmented marking.

More detail about urgent vetting requests and emergency access to protectively marked information can be found in New Zealand Government Personnel Security Management Requirements -  National Security Clearances - Manage their security clearance.

The Classification System policy has been strengthened to drive wider systems and culture change across government in support of achieving the objectives for the classification system.​

The areas that have been strengthened in the policy:  ​

• Introduced policy principles and expected behaviours in line with current legislation​
• Greater emphasis on enabling secure sharing of information and systematic declassification.​
• Strengthened and clarified existing requirements under each of the principles.​
• Simplified / updated requirements and guidance to resolve gaps in content and to better integrate with modern ICT systems and practices. ​

What about simplification of the System? Why didn’t you simplify the System? Are you planning to? 

• ​The 2022 changes did not simplify the classification system as recommended by the IGIS in their 2018 review of the classification system. The structure and levels of classification have not changed.
• We recognize that simplifying the System was identified as a high priority by all of the agencies involved in the review project in 2019 and 2020. That review found that simplifying the system will require significant resources across government to undertake. We did not receive approval from Cabinet to commit those resources at this time.  ​
• We will let these current changes run for a couple years and reassess how important simplification of the System still is for all of us after these changes are substantially embedded across Government.​

What has not changed as a result of the 2022 policy?​

• The structure, levels and definitions of the Classification System – the ones approved by Cabinet in 2000 still apply today.  However, we have added simple guidance and more examples to make it easier for agencies to understand them and apply them more consistently.​
• PSR mandatory requirements – though PSR CMM and self assessment has introduced some specific measures for Classification System performance​.
• Secure handling requirements have largely not changed​.
• Legislative requirements are unchanged. The policy has more closely aligned with the requirements under current law (OIA, Privacy Act, Public Records Act). We received substantial support from the Offices of the Ombudsman, Chief Archivist, and Privacy Commissioner to ensure the revised policy supports the current legislation and existing guidance provided by those offices.

 What new has been delivered?

• Revised Classification System Policy
• Updated Classification Guidance
• Online Training Modules (including Classification Handbook and updated Quick Guides)
• Declassification Guidance
• Information Sharing Guidance
• Measurement updates
• Change support

What is declassification?

• Declassification includes reassessing how information is protected and  – if appropriate – the release of that information. 
• For agencies who protectively mark information, e.g. with SECRET this results in a change to the protective marking.  Not many agencies do this.
• But everybody declassifies information (even if you don’t call it declassification), e.g. when responding to OIA requests. 

What feedback did we receive about declassification when defining the policy and guidance?

• We got lots of feedback that it isn’t helpful to think of declassification only in terms of national security information.
• Agencies were clear that all agencies already makes assessments about whether to release information as part of their obligations under the Privacy Act, Official Information Act and the Public Records Act.​
• The scope the declassification guidance document was broadened to consider all the key ways through which information can released.

What does it mean for my agency?

• If your agency doesn't hold highly classified information, you don’t need to do anything new.  However, the guidance may highlight some areas where you can improve your current practices around declassification and releasing information.
• If your agency holds archived classified information AND this information is of public interest, then you should consider establishing a declassification programme.  The guidance gives some suggestions for how you might go about this.  It also includes a policy template which agencies may find useful.  
• Note that not all archived classified information is of public value.  If something isn’t of public value there is no reason to proactively declassify it.

What resources are required to declassify?

• Setting up a declassification programme could be quite resource intensive if your agency hold large quantities of archived classified material. The programme resources allocated should be commensurate with the value that declassification will deliver to New Zealand.
• Agencies that are considering setting up a declassification programme may need to secure funding before they can proceed with a declassification programme.

Effective information sharing is about two things:

• Getting the right information to the right people at the right time
• Making sure we don't release information inappropriately or give it to the wrong people.

What has changed relating to information sharing?

• There have been no changes to key legislation, e.g. OIA, Privacy Act
• Information Sharing is established as a principle in the Classification System policy and agencies are expected to share information where appropriate to do so.

The changes to the Classification System haven't changed the legislation covering information sharing.  However, as a result of the RCOI it does place specific emphasis on information sharing and sets greater expectations that agencies should be proactive about sharing information – both to protect New Zealand and to deliver better public services more generally. 

What should my agency do?

To start with your agency will be sharing information today.  Improving information sharing is not about radical change but about a steady change in emphasis and expectations.  The information sharing guidance gives some suggestions about the actions that any agency can take. Ask yourself:

• Culture – do senior leaders promote information sharing or are people scared about the consequences of getting it wrong? Does the culture need to shift from a restricted need-to-know culture to an enabling need-to-share culture?
• Audiences - does your agecy understand what other audiences could benefit from use of your information who do not have access to it today?
• Education – do people who share information fully understand what they can and can’t do?
• Policy and procedures - does your agency have clear information sharing guidelines that inform your people on how they can share information securely and with confidence?

What resources are required?

• Information sharing is often a cultural issue that reflects years of engrained attitudes, policies and beliefs to restrict access rather than enable access.  Change needs leadership and support. 
• We acknowledge that barriers to effective information sharing can be a wider issue. For some agencies, their current systems, buildings, and technology can be a barrier to effective information sharing and we acknowledge that the changes to the Classification System will not address these.

We have introduced performance measures of the Classification System into the PSR Capability Maturity Model, Self-Assessment process, and moderation framework.  You may already be using these tools to measure your protective security performance today. There have been a few additional indicators added that you will use going forward.

Measurement for PSR mandated agencies 

• PSR mandated agencies will first be assessed against the changes in March 2024.  The table below shows the key actions required of PSR-mandated agencies. 
• Agencies will typically begin gathering evidence in around November each year to be ready to submit their self-assessment in March the following year.  By this assumption, PSR-mandated agencies will need to have made any required changes by the end of October 2023 in order for these to be captured in the March 2024 self-assessment.  
• This gives agencies about 16 months to make changes once the new policy is introduced.  Agencies will need to make their own assessment about how much change is realistic.  For example, an agency may choose to target a ‘basic’ maturity level, if it does not think it has the resources to meet all the requirements of a higher maturity level. 

Measurement for all others

• Agencies that are not PSR mandated are not required to complete the self-assessment process.  However, the PSR guidance and self-assessment requirements do give a clear indication of what best practice looks like. 
• All agencies are encouraged to consider these requirements against their own business needs and to consider what changes they may need to adopt to better manage their protective security.

Who are the modules for?

• Everybody – all staff, contractors, and suppliers
• Designed as an introductory course to be given during induction and then as refresher training as required
• The modules do not provide advanced content for security practitioners or agency-specific information.

Do people need to do all of the modules?

• We recommend everyone does the first three modules
• Modules 4 and 5 are specifically about national security information and only need to be done by agencies who deal with this type of information.

How long will the training take?

• We estimate it should take about 60 minutes to complete the first three modules.
• How can we run the modules & can we edit the modules?
• We are making the files available so that agencies can host them on their own Learning Management System and customise them
• All the modules will also be available on the PSR website as well for anyone to use.

Where do I get the files?

• Contact the PSR team. Refer to the 'How to deploy the user training modules' page linked below.

In normal circumstance people must only be given access to information, resources or locations up to their clearance level.

However, sometimes an emergency may give rise to an urgent operational need for a clearance holder to access protectively marked information or resources above their clearance level.

What does “emergency access” mean?

• access where an urgent and critical operational need for access to particular material is established and there is insufficient  time to complete vetting inquiries and grant a higher level clearance
• access only to specified material required for the particular emergency
• access for no longer than the duration of the emergency
• access governed by a very strict application of the need-to-know principle.

What can your organisation do?

• During an emergency, a clearance holder’s chief executive, or their delegate, has the authority to grant a clearance holder temporary supervised access to protectively marked information or resources one level above their current national security clearance level.
• Non-clearance holders must not be granted emergency access to material protectively marked CONFIDENTIAL or higher.

Organisations must not use emergency access to grant a clearance holder access:

• for administrative or management purposes (such as helping them gain a position)
• when they are on reassigned duties while waiting for a security vetting recommendation (including a reclassification)
• to protectively marked information or resources that carry an endorsement or compartmented marking.

More detail about emergency access to protectively marked information can be found in New Zealand Government Personnel Security Management Requirements -  National Security Clearances - Recruiting and managing their security clearance.

More information can be found on the following pages

• New Zealand Government Security Classification System
• Supply chain security

This page provides common questions users have on classifying and protectively marking. It provides links to where to find the information.

A Classification Handbook is available that provides a quick reference to the core information that users need to know when classifying and handling government information. This handbook supplements the Classification online training modules.

What protective marking do I use?

• Classification levels and definitions
• Endorsement markings and definitions

How do I assess harm and business impact?

• How to classify information

How do I protectively mark information?

• How to protectively mark information and equipment

How do I securely handle protectively marked information?

Agencies classification policies and procedures should detail the specific protections implemented in the environment. Generic guidance can also be found below:

• How to protect information
• Quick guides for secure handling of classified material [PDF, 342 KB]