Australian Government Personnel Security Protocol
Version 2.1
Approved September 2014
Amended April 2015
© Commonwealth of Australia 2013
All material presented in this publication is provided under a Creative Commons Attribution 3.0 Australia licence (Creative Commons Licenses).
For the avoidance of doubt, this means this licence only applies to material as set out in this document.
The details of the relevant licence conditions are available on the Creative Commons website as is the full legal code for the CC BY 3.0 AU licence (Creative Commons Licenses).
Use of the Coat of Arms
The terms under which the Coat of Arms can be used are detailed on the It's an Honour website.
Contact us
Enquiries regarding the licence and any use of this document are welcome at:
Commercial and Administrative Law Branch
Attorney-General’s Department
3–5 National Cct
BARTON ACT 2600
Call: 02 6141 6666
Email:
Document details
Security classification / Unclassified
Dissemination limiting marking / Publicly available
Date of next review / Under review
Authority / Attorney-General
Author / Protective Security Policy Section, Attorney-General’s Department
Document status / Version 2.1 approved 1 September 2014 (replaces Version 1), amended April 2015
Table of contents
Amendments
1. Scope
1.1. Introduction
1.2. Status and applicability
Figure 1 - Personnel security policy hierarchy
1.3. Terms used in this Protocol
1.4. Agency responsibilities in personnel security
1.4.1. Agency heads
1.4.2. Line managers
1.4.3. Agency personnel
1.4.4. Need-to-know principle
1.5. Policy exceptions
1.5.1. Functional equivalents
1.6. Sharing personal information
2. Components of personnel security
3. Identifying personnel security risk
3.1. Personnel security risk assessments
4. Employment screening
4.1. Recommended employment screening
4.2. Agency-specific employment screening checks
4.3. Recording results of employment and additional agency specific screening
4.3.1. Additional information
5. Ongoing suitability for employment
5.1. Security awareness, training and education
5.2. Performance management
5.3. Conflict of interest
5.4. Incident investigation
5.5. Monitoring, evaluating and recording of ongoing personnel suitability
6. Agency security clearance requirements
6.1. Cooperation in the clearance process
6.2. Identifying and recording positions that require a security clearance
6.2.1. Security clearance levels
6.2.2. Caveat and codeword access
6.2.3. Contractors requiring security clearances
6.2.4. Persons employed under the Members of Parliament (Staff) Act 1984 (Cth)
6.3. Australian office holders
6.4. Other access arrangements
6.4.1. Foreign Nationals with non-Australian Government security clearances
6.5. Eligibility waivers (citizenship and checkable background)
6.5.1. Eligibility waivers
6.5.2. Non-Australian citizens
6.5.3. Uncheckable backgrounds
6.5.4. Conditions for clearances subject to an eligibility waiver
6.6. Locally engaged staff
6.7. State or Territory government security clearances
7. Temporary access to classified information arrangements
7.1. Temporary access conditions
7.1.1. Types of temporary access
7.1.2. Short term access
7.1.3. Provisional access
7.2. Temporary access for MOPS Act staff
8. Vetting agency responsibilities
8.1. Authority to make clearance decisions
8.1.1. Confirming eligibility for a security clearance
8.2. Assessing Suitability
8.2.1. Supplementary checks and inquiries
8.2.2. Mitigation
8.2.3. Vetting agency consultation with sponsoring agencies
8.3. Vetting decisions
8.4. Failure to comply with the clearance process
8.5. Personnel security checks for initial clearances
8.5.1. Statutory declaration
8.5.2. ASIO Security Assessment
8.6. Reviews of security clearances
8.6.1. Periodic Revalidations
8.6.2. Reviews for cause
8.7. Adverse findings
8.8. ASIO-initiated review of ASIO Security Assessment
8.9. Reviews of security clearance processes and outcomes
8.10. Review of clearance decisions
8.11. Transfer of Personal Security Files
8.12. Recognition of clearances
8.13. Active and inactive clearances
8.14. Vetting staff training and qualifications
8.15. Vetting agencies’ management of outsourced vetting providers
9. Agency responsibilities for active monitoring of clearance holders
9.1. Security awareness training for clearance holders
9.2. Managing specific clearance maintenance requirements
9.3. Annual health check
9.4. Sharing of information
9.4.1. Reportable changes of personal circumstances
9.4.2. Contact reporting under the Australian Government Contact Reporting Scheme
9.4.3. Reporting security incidents to vetting agencies and other appropriate agencies
9.5. Change of sponsorship of security clearances
9.6. Personnel on temporary transfer or secondment
9.6.1. Clearance maintenance for personnel on secondment or temporary assignment
9.7. Personnel on extended leave
9.8. Clearance maintenance for contractors
9.8.1. Clearance sponsorship of contractors that are no longer actively engaged by an agency
10. Agency separation actions
10.1. Prior to separation
10.2. On separation
10.2.1. Separation of contractors
Annex A: Request for variation of Special Minister of State’s Determination 2012/1 for a Minister’s Electorate Officer
Amendments
No. / Date / Location / Amendment
1 / April 2015 / Section 1.3 / Remove the term re-evaluation in regards to PV clearances in the definition of ‘inactive’.
2 / April 2015 / Throughout / Update PSPF links
3 / April 2015 / Annex A / Update waiver request form to include phone numbers
1. Scope
1.1. Introduction
1. The core policies of the Protective Security Policy Framework (PSPF) provide the mandatory requirements for protective security in Australian Government agencies. The Australian Government Personnel Security Protocol provides more detailed advice for agencies to meet their mandatory personnel security requirements.
2. Personnel security is one element of good protective security management. The Australian Government’s personnel security measures determine the suitability of personnel to access Australian Government resources. A suitable person demonstrates integrity and reliability and is not vulnerable to improper influence.
3. Effective personnel security facilitates the sharing of Australian Government resources and is an essential mitigation against the threat posed by trusted insiders.
4. An agency’s personnel security risk assessment should be incorporated into the agency’s security risk management process and other agency risk management processes. Personnel security risk management may impact on, and/or complement, information and physical security controls.
1.2. Status and applicability
5. This Protocol forms part of the third level of the Australian Government’s personnel security policy hierarchy, as shown in Figure 1. This protocol and its supporting guidelines will inform agency-specific personnel security policy and procedures.
Figure 1 - Personnel security policy hierarchy
6. The Australian Government Personnel Security Protocol derives its authority from the PSPF – Directive on the security of Government business, Governance arrangements, and the Personnel security core policy and mandatory requirements. It should be read in conjunction with:
· the Australian Government information security management protocol
· the Australian Government physical security management protocol
· the Public Service Act 1999 (Cth) (PS Act)
· the Privacy Act 1988 (Cth)
· any agency-specific legislation and/or guidance, and
· the Personnel security guidelines:
o Agency personnel security responsibilities, and
o Vetting practices.
7. Positive Vetting (PV) security policy (developed by the Inter-Agency Security Forum) is detailed in the Sensitive Material Security Management Protocol (SMSMP). Distribution of the SMSMP is limited to agency security advisers with a need to know.
1.3. Terms used in this Protocol
8. In this Protocol the use of the terms:
· ‘need to’ refers to a legislative requirement that agencies must meet
· ‘are to’ or ‘is to’ are controls that support compliance with the mandatory requirements of the personnel security core policy
· ‘should’ refers to better practice. Agencies are expected to apply better practice unless the agency risk assessment has identified reasons to apply other controls, and
· ‘required’ is used as common language and has no special meaning in this protocol.
9. Unless otherwise stated, the use of:
· ‘personnel’ in this protocol refers to employees, contractors and service providers as well as anybody else who is given access to agency assets as part of agency sharing initiatives
· ‘employment screening’ refers to screening undertaken by an agency prior to employment of staff or engagement of contractors
· ‘Australian Government resources’ refers to the collective term used for Australian Government people, information and assets, and
· ‘vetting agency’ refers to the Australian Government Security Vetting Agency (AGSVA), authorised agencies and State and Territory vetting agencies.
· ‘financial statement’ refers to a detailed summary of a clearance subject’s assets, income, liabilities and expenditure, and
· ‘financial history check’ refers to an overview of a clearance subject’s financial history.
10. Clearance decisions/status:
· ‘ineligible’ refers to a determination by a vetting agency that a clearance subject is not eligible for an Australian Government security clearance because they do not hold Australian citizenship and/or do not have a checkable background
· ‘deny’ refers to a determination by a vetting agency that a clearance subject is not eligible to hold an Australian Government security clearance at one or more clearance levels
· ‘grant’ refers to a determination by a vetting agency that a clearance subject is eligible and suitable to hold an Australian Government security clearance
· ‘grant – conditional’ refers to a determination by a vetting agency that the clearance subject is eligible and suitable to hold an Australian Government security clearance, with conditions and/or aftercare requirements attached to the clearance
· ‘cancel’ refers to a security clearance initiated, but not completed, by the vetting agency because the sponsorship of the clearance was removed at the request of the sponsoring agency, the sponsorship or clearance requirement could not be confirmed, or the clearance subject was non-compliant with the clearance process
· ‘active’ refers to a maintained security clearance that is sponsored by an Australian Government agency, and being maintained by a clearance holder and sponsoring agency
· ‘inactive’ refers to a security clearance that is within the revalidation period, however the clearance:
- is not sponsored by an Australian Government Agency
- is not being maintained by the clearance holder for a period greater than six months due to long term absence from their role
- for the Positive Vetting level an annual security check was completed within the last two years
- can be reactivated or reinstated provided the clearance is sponsored by an Australian Government agency before the end of the revalidation period, and
- cannot be reactivated until all change of circumstances notifications covering the period of inactivity have been assessed by a vetting agency.
· ‘expired’ refers to a security clearance that:
- is outside the revalidation period and is not sponsored by an Australian Government agency
- is a PV clearance and did not have an annual security appraisal completed within a two year period
- cannot be reactivated and reinstated, and
- reverts to an initial security clearance assessment process if an Australian Government agency provides sponsorship after the end of the revalidation period.
· ‘ceased’ refers to a security clearance:
- that has been denied or revoked
- that may have time-based conditions on when a clearance subject or holder can reapply for a security clearance, and
- where the clearance subject or holder is ineligible to hold or maintain a security clearance.
11. Additional terms used in this Protocol can be found in the PSPF – Glossary of Terms.
1.4. Agency responsibilities in personnel security
12. Effective personnel security management is a responsibility of all agency personnel, including senior management, line managers, HR areas and security areas.
1.4.1. Agency heads
13. Responsibility for development, implementation and maintenance of personnel security management ultimately rests with the agency head.
14. Agency heads set:
· leadership/vision and values
· employment standards
· the agency’s risk tolerance, and
· culture through policy, procedures and education.
1.4.2. Line managers
15. Line managers play a key role in personnel security. They are more likely than agency security staff to have a detailed and accurate knowledge of their employees and the duties of a position in their work area.
16. Line managers are responsible for:
· positively influencing the protective security behaviour of their personnel
· monitoring employee behaviour, and
· reporting any concerns about a staff member’s suitability for access to official resources to the agency security section.
1.4.3. Agency personnel
17. All agency personnel are responsible for:
· applying the ‘need-to-know’ principle
· being aware of the importance of their role in, and responsibility for, ensuring the maintenance of good personnel security practices throughout the agency
· reporting issues of concern
· complying with agency pre-engagement, ongoing suitability and security clearance processes, and
· complying with Australian Government-wide and agency-specific standards for the protection of Australian Government security classified resources.
1.4.4. Need-to-know principle
18. Agencies are to limit access to, and dissemination of, Australian Government resources to those personnel who need the resources to do their work.
19. Agencies are to limit access to, and dissemination of, Australian Government security classified resources to those who hold the appropriate level of clearance.
20. Agencies are to provide information on the ‘need-to-know’ principle to all personnel as part of their security awareness training.
1.5. Policy exceptions
21. Exceptional circumstances or emergencies may arise that prevent agencies from applying relevant controls identified in the PSPF. These may be either of an ongoing or of an emergency nature.
22. Policy exceptions can be made for an ‘are to’ or ‘is to’ statement. By making a policy exception, an agency head is acknowledging that the agency: