• Table of Contents:
• Title Page
• Chapter 1: Security Policy
• Chapter 2: Security Organisation
• Chapter 3: Information Classification
• Chapter 4: Control of Classified Material
• Chapter 5: Personnel Security
• Chapter 6: Contractors and Other Third-Party Access
• Chapter 7: Physical and Environmental Security
• Chapter 8: Communications and Systems Security Management
• Chapter 9: Control of Access to Information Systems
• Cross-Reference to AS/NZ ISO/IEC 17799:2001
• Glossary of Abbreviations

Chapter 5: Personnel Security

1. Personnel security has three major elements, which depend on or complement one another:

• personnel screening, for suitability for employment in government departments or agencies where there is routine access to official information

• granting specific authority to access official and classified material or sensitive sites

• the security clearance system.

Security in Job Definition and Resourcing

Security in Job Descriptions

2. Security roles and responsibilities should be defined in the organisation's security policy and stated in job descriptions. The job descriptions should explain:

• general responsibilities to implement or maintain security policy

• specific responsibilities to protect official information.

Management Responsibilities

3. Managers' responsibilities should include:

• ensuring that official information is protected

• ensuring that there are appropriate levels of assurance about the trustworthiness of people whose posts require access to, knowledge of or custody of classified material

• consulting line managers when post-holders change or the security clearances are due for review about whether the levels of assurance, or security clearances, are still required.

Terms and Conditions of Employment

4. Terms and conditions of employment should include:

• the employee's responsibility for information security

• action to be taken if the employee disregards security requirements

• the employee's legal rights and responsibilities.

5. Where appropriate, these responsibilities should continue for a defined period after employment ends.

Confidentiality Agreements

6. Confidentiality and non-disclosure agreements, signed by employees as part of their terms and conditions of employment, can specify the need to protect information.

7. Casual staff and third-party users, not already covered by a contract that includes the confidentiality agreement, may be required to sign a confidentiality agreement before being given access to official information.

Personnel Screening

8. When a person is first employed, transferred or promoted, and the new job requires access to official information, the organisation must determine whether the initial appointment checks provide enough assurance that the employee can be entrusted with that information.

9. Screening does not, on its own, provide a guarantee of integrity and trustworthiness. Since individuals and their circumstances change, personnel screening is only as good as the investigations done at the time.

10. Personnel security must continue after initial approval. Any new information or concerns that may affect an employee's reliability must be advised promptly to the appropriate authority. Continuing personnel security includes after-care and review.

Pre-Employment Checking

11. When a person applies for a permanent staff position, checks should include:

• the availability of satisfactory character referees

• the completeness and accuracy of the curriculum vitae, including qualifications.

12. When a candidate is selected, but not yet appointed, additional checks should be conducted:

• confirmation of both identity and character through referees

• a criminal history check with either NZ Police or the Department for Courts.

13. Temporary staff should be similarly checked. When temporary staff come through an agency, the agency contracts should clearly specify responsibilities for screening, and for notification procedures to be followed if screening is not complete or reveals cause for concern.

Authority to Access

14. Access to some official information is needed for most government jobs. Chief Executives or heads would normally obtain sufficient assurance about their permanent staff through:

• pre-employment checks

• periodic reviews

• approval procedures

• sound terms and conditions of employment.

15. The "need to know" rule must still apply.

Access to "Sensitive" Sites

16. Some sites are "sensitive" because of the type, quantity and level of material handled or stored or discussed there. Examples include defence establishments, police stations and the parliamentary complex. There may be a higher chance of staff or visitors having indirect or inadvertent exposure to classified information or equipment.

17. The organisation controlling the site makes the decision to grant regular access. It is usually effected by the issue of a pass or access or identity card.

18. A "Basic Check" may give a level of assurance, beyond that of normal pre-employment checking, about staff or contractors who require regular access to sensitive sites.

Basic Check

19. The subject of a basic check must be informed that it is to be done. The originating organisation then:

• arranges a criminal history check through Police or Courts, unless one has already been completed within the last 12 months

• forwards a request to the NZSIS for checking against NZSIS records, after the criminal history check is complete.

20. The NZSIS response to a basic check will be endorsed on the original request as a marking to the effect of either:

• "No Comment" or

• "Separate Reply to Follow", which means the written response to be provided later will be qualified or adverse, or more information is required.

21. NZSIS will not, except in rare circumstances, refer to or base a qualified or adverse response on a candidate's criminal history or other information which is already known to the originating organisation.

22. Basic checks should be repeated every five years.

23. A basic check is not needed and should not be requested unless the staff member or contractor does not have a security clearance and needs regular access to sensitive sites. The granting of access after a basic check is not a "security clearance".

24. For more on basic checks, see the NZSIS Protective Security Manual.

Access to Classified Material

25. Access to all classified material must be governed by the "need to know" rule.

26. The management of organisations decide which of their staff and contractors can access RESTRICTED, SENSITIVE and IN CONFIDENCE material. The granting of such access is not a "security clearance". The decision should be based on the employee's:

• suitability for employment

• any relevant performance assessments

• records of conduct.

27. Staff who need regular access to CONFIDENTIAL or higher national security material must be granted an appropriate security clearance from the Chief Executive or head of the organisation.

Security Vetting Procedures

28. Decisions to grant security clearances for access to higher level national security material are based at least in part on the outcome of the vetting process. It includes various checks and inquiries into the suitability of the staff member to have such access.

Legal Aspects to the Security Vetting Procedure

29. The Privacy Act 1993 exempts NZSIS from certain of its principles. NZSIS is entitled to collect personal information not only from vetting candidates themselves, but also from other people and organisations. Such disclosures by others of personal information about the candidate are not a breach of the Act.

30. Both the Privacy Act and the Official Information Act 1982 allow NZSIS to refuse to disclose, even to candidates, personal information which is evaluative material, if its disclosure would breach an undertaking of confidence. The information provided by referees is protected from disclosure.

31. The Human Rights Act 1993 recognises that for work involving national security, sometimes factors must be considered that might otherwise be discriminatory. The prohibition on discriminating in employment on the grounds listed below does not apply to employment in the area of national security:

• religious or ethical belief

• political opinion

• psychiatric illness

• intellectual or psychological disability

• particular marriage partners or relatives, and

• national origin.

32. Further, where a person is under age 20, it is not a breach of the Act to decline employment on the grounds of age if the work requires a high level security clearance.

33. However, it remains unlawful to discriminate on the grounds of:

• sex

• sexual orientation

• age other than as outlined above

• colour

• race

• physical disability or

• marital status.

Assessment of Required Security Clearance Levels

34. The security clearance vetting system must not be used by departments or agencies as a general character or trustworthiness check for current or potential employees.

35. Security clearances are required only for regular access to national security information classified CONFIDENTIAL or higher. They are not required for access to RESTRICTED material, or Policy and Privacy information classified SENSITIVE or IN CONFIDENCE.

36. Before starting the security vetting process, organisations should review what level if any of security clearance is needed for a particular job or individual.

37. Clearances match the classification of material to be regularly accessed. However, in an operational emergency, chief executives may authorise staff to access national security material classified above their current clearance. There are strict limits on this "emergency access".

38. For further guidelines on assessing security clearance requirements and emergency access, see the NZSIS Protective Security Manual.

Guidelines for Assessing Trustworthiness

39. A Chief Executive or head should not appoint or maintain people in posts with access to classified material unless satisfied that they are trustworthy. The decision should take into account a number of variables which make up the whole person. Available and reliable information, past and present, favourable and unfavourable, should be considered.

40. For detailed guidelines, see the NZSIS Protective Security Manual.

Pre-Vetting

41. After determining a person's need to access particular levels of classified material, there are several steps an organisation must take before forwarding a vetting request to NZSIS. These include checks to ensure that personal data is complete and accurate and that other relevant information has been considered.

42. If pre-vetting procedures reveal that an employee is unsuitable for access to classified material, the process should stop without a vetting request being forwarded to NZSIS.

43. For more advice on pre-vetting procedures, see the NZSIS Protective Security Manual.

Levels of Vetting and Clearances

44. Vetting and the resulting security clearances are on an escalating scale: the breadth, depth, time and resources for inquiries, assessment and recommendation increase significantly for each step up the scale. The higher the level of clearance sought, the more intrusive on privacy is the information requested of the candidate and the inquiries made. Care must be taken that the level of clearance sought is justified by the access needed.

45. To begin the vetting process, the originating department arranges for the candidate to complete the appropriate vetting form. The candidate must declare that the information given is true and complete, and acknowledge that any false statement or deliberate omission may be grounds to deny a security clearance.

46. The candidate must also consent, on a separate form, to the Police or other people or organisations disclosing personal information to the NZSIS.

47. Before forwarding the request to NZSIS, the DSO checks the candidate's form to confirm:

• the need for a clearance

• the level of clearance needed

• all relevant information known to the originating department is provided.

48. The type of inquiries that NZSIS makes depends on the level of vetting:

• for lower levels of clearance, candidates and their immediate family are checked against police criminal history and criminal intelligence records, and NZSIS records

• for higher levels of clearance, candidates must provide additional personal information and nominate referees to complete a questionnaire or be personally interviewed

• for the highest levels of clearance, credit checks are done.

49. Sometimes the NZSIS will need to interview additional non-nominated referees or the candidates themselves.

50. For details about security clearance vetting procedures, see the NZSIS Protective Security Manual.

Referees

51. The most common causes of difficulty and delay in completing vetting inquiries are the non-availability or unsuitability of referees nominated by the candidate. Referees:

• must have close personal knowledge of the candidate's private life and have had contact within the last 12 months

• must not be related to the candidate or to each other

• should be, if possible, from the candidate's own peer or age group

• preferably should not be listed elsewhere on the vetting request form (for example, flatmates)

• should include at most two work colleagues or professional acquaintances, and then only if they are also well-acquainted with the candidate outside work

• must be resident in New Zealand, unless there are exceptional circumstances

• should preferably be New Zealand citizens

• should be contactable for at least six weeks after the form is forwarded to the NZSIS.

Adverse or Qualified Replies

52. At the end of vetting, NZSIS forwards a reply to the originating department. If the reply includes an adverse or qualified recommendation, wherever possible reasons are provided.

Decision on Granting Security Clearances

53. The departmental head or Chief Executive considers the NZSIS vetting report and all other relevant information, both favourable and unfavourable, to form an opinion as to whether a candidate can be entrusted with access to classified material. The decision must be based on knowledge of the candidate at the time, and in relation to the specific position.

54. The decision should be conservative. If there are any grounds for concern, the Chief Executive must be satisfied that there are overriding reasons to grant the clearance. See the NZSIS Protective Security Manual.

55. The test of suitability escalates according to the level of clearance sought.

56. If a clearance is declined, or granted at a lower level, or with qualifying conditions, based in whole or in part on the NZSIS reply, the candidate should be told. Candidates should also be advised of their right to complain to the Inspector General of Intelligence and Security if they consider they have been adversely affected by any act, omission, practice, policy or procedure of the NZSIS.

57. The NZSIS must be advised when less than a full clearance is granted, or if a security clearance is declined or withdrawn.

Records of Security Clearances

58. Departments and agencies are responsible for maintaining records of security clearances issued to their staff and contractors.

59. Organisations should establish a reliable "bring up" system so that clearances do not lapse.

Lapses and Transfers of Security Clearances

60. A security clearance lapses after five years or when the holder leaves the organisation that granted it.

61. When an employee with a clearance transfers to another government organisation, the Chief Executive of the new organisation may grant a new clearance at the same or lower level, without further vetting, if:

• the previous clearance is less than 12 months old, and

• the employee's duties, for which access is required, are broadly comparable to those of the position in the previous organisation.

62. When transferring a clearance, the expiry date of the new clearance should be made the same as that of the original clearance from the former organisation.

63. For advice about confirming original clearance expiry dates and other information relevant to security clearance transfers, consult the NZSIS.

After-Care and Review

64. Personnel security should continue after initial access or security clearance is approved.

65. Any new information or concerns about a person's reliability must be brought to the attention of the appropriate authority. This requires after-care and review procedures to be in place.

66. Effective personnel security depends on the support of line managers who have an ongoing responsibility to maintain standards for protecting classified material under their control, and to brief staff about those standards.

67. Line managers should be alert to potential difficulties or conflicts of interest among staff. They should report any concerns as soon as possible to the appropriate authority.

68. Effective measures also require close co-operation between the departmental security and personnel branches, including the welfare section, to ensure that information about issues of possible security concern is passed to the DSO or security branch.

69. For more information, see the NZSIS Protective Security Manual.

Reviews of Security Clearances

70. A security clearance reflects only that a person was considered suitable to have access to classified material at the time of the vetting. It is no guarantee of continuing suitability. Security clearances are subject to review:

• if there is a change in the employee's personal circumstances; for example, a new relationship

• if the employee turns 20 years old, after having been granted a clearance under special circumstances

• at the end of a term specified when it was granted

• every five years in all cases.

71. Organisations should begin review procedures at least three months before clearance expires.

72. When a clearance expires, the entire pre-vetting and vetting process is repeated. Since one of the assessment criteria is consistency with known or previously supplied information, there can be no reliance on personal information already "on file." New vetting forms must be submitted, with full details supplied in all areas.

[ Previous | Next ]