Australian Government Personnel Security Protocol
Approved September 2014
Amended December 2017
Version 2.3
© Commonwealth of Australia 2016
All material presented in this publication is provided under a Creative Commons Attribution 4.0 International licence (
For the avoidance of doubt, this means this licence only applies to material as set out in this document.
The details of the relevant licence conditions are available on the Creative Commons website as is the full legal code for the CC BY 4.0 licence (
Use of the Coat of Arms
The terms under which the Coat of Arms can be used are detailed on the It's an Honour website (
Contact us
Enquiries regarding the licence and any use of this document are welcome at:
Attorney-General’s Department
3–5 National Cct
BARTON ACT 2600
Email:
Document detailsSecurity classification / Unclassified
Dissemination limiting marking / Publicly available
Date of next review / Under review
Authority / Attorney-General
Author / Protective Security Policy Section
Attorney-General’s Department
Document status / Version 2.1 approved 1 September 2014 (replaces
Version 1), amended April 2015
Amended December 2017
Contents
Amendments
1.Scope
1.1.Introduction
1.2.Status and applicability
Figure 1 - Personnel security policy hierarchy
1.3.Terms used in this Protocol
1.4.Agency responsibilities in personnel security
1.4.1.Agency heads
1.4.2.Line managers
1.4.3.Agency personnel
1.4.4.Need-to-know principle
1.5.Policy exceptions
1.5.1.Functional equivalents
1.6.Sharing personal information
2.Components of personnel security
3.Identifying personnel security risk
3.1.Personnel security risk assessments
4.Employment screening
4.1.Recommended employment screening
4.2.Agency-specific employment screening checks
4.3.Recording results of employment and additional agency specific screening
4.3.1.Additional information
5.Ongoing suitability for employment
5.1.Security awareness, training and education
5.2.Performance management
5.3.Conflict of interest
5.4.Incident investigation
5.5.Monitoring, evaluating and recording of ongoing personnel suitability
6.Agency security clearance requirements
6.1.Cooperation in the clearance process
6.2.Identifying and recording positions that require a security clearance
6.2.1.Security clearance levels
6.2.2.Caveat and codeword access
6.2.3.Contractors requiring security clearances
6.2.4.Persons employed under the Members of Parliament (Staff) Act 1984 (Cth)
6.3.Australian office holders
6.4.Other access arrangements
6.4.1.Foreign Nationals with non-Australian Government security clearances
6.5.Eligibility waivers (citizenship and checkable background)
6.5.1.Eligibility waivers
6.5.2.Non-Australian citizens
6.5.3.Uncheckable backgrounds
6.5.4.Conditions for clearances subject to an eligibility waiver
6.6.Locally engaged staff
6.7.State or Territory government security clearances
7.Temporary access to classified information arrangements
7.1.Temporary access conditions
7.1.1.Types of temporary access
7.1.2.Short term access
7.1.3.Provisional access
7.2.Temporary access for MOPS Act staff
8.Vetting agency responsibilities
8.1.Authority to make clearance decisions
8.1.1.Confirming eligibility for a security clearance
8.2.Assessing Suitability
8.2.1.Supplementary checks and inquiries
8.2.2.Mitigation
8.2.3.Vetting agency consultation with sponsoring agencies
8.3.Vetting decisions
8.4.Failure to comply with the clearance process
8.5.Personnel security checks for initial clearances
8.5.1.Statutory declaration
8.5.2.ASIO Security Assessment
8.6.Reviews of security clearances
8.6.1.Periodic Revalidations
8.6.2.Reviews for cause
8.7.Adverse findings
8.8.ASIO-initiated review of ASIO Security Assessment
8.9.Reviews of security clearance processes and outcomes
8.10.Review of clearance decisions
8.11.Transfer of Personal Security Files
8.12.Recognition of clearances
8.13.Active and inactive clearances
8.14.Vetting staff training and qualifications
8.15.Vetting agencies’ management of outsourced vetting providers
9.Agency responsibilities for active monitoring of clearance holders
9.1.Security awareness training for clearance holders
9.2.Managing specific clearance maintenance requirements
9.3.Annual health check
9.4.Sharing of information
9.4.1.Reportable changes of personal circumstances
9.4.2.Contact reporting under the Australian Government Contact Reporting
Scheme
9.4.3.Reporting security incidents to vetting agencies and other appropriate
agencies
9.5.Change of sponsorship of security clearances
9.6.Personnel on temporary transfer or secondment
9.6.1.Clearance maintenance for personnel on secondment or temporary
assignment
9.7.Personnel on extended leave
9.8.Clearance maintenance for contractors
9.8.1.Clearance sponsorship of contractors that are no longer actively engaged
by an agency
10.Agency separation actions
10.1.Prior to separation
10.2.On separation
10.2.1.Separation of contractors
Annex A: Request for variation of Special Minister of State’s Determination 2012/1
for a Minister’s Electorate Officer
Amendments
No. / Date / Location / Amendment1 / April 2015 / Section 1.3 / Remove the term re-evaluation in regards to PV clearances in the definition of ‘inactive’.
2 / April 2015 / Throughout / Update PSPF links
3 / April 2015 / Annex A / Update waiver request form to include phone numbers
4 / May 2015 / Paragraph 260 / Reword to remove confusion about reporting security incidents.
5 / October 2016 / Throughout / Updated template, copyright and hyperlinks
6 / December 2017 / Section 8.5 Table 4
Section 8.6.1 Table 5 / Updated policies agreed Feb 2016:
- Increase the revalidation period of NV2 and PV security clearances from 5 years to a period from 5-7 years.
- Decreasethe period of checking for PV security clearances from whole of life to 10 years or 16 years of age, whichever is greater.
1
1.Scope
1.1.Introduction
1.The core policies of the Protective Security Policy Framework (PSPF) provide the mandatory requirements for protective security in Australian Government agencies. The Australian Government Personnel Security Protocol provides more detailed advice for agencies to meet their mandatory personnel security requirements.
2.Personnel security is one element of good protective security management. The Australian Government’s personnel security measures determine the suitability of personnel to access Australian Government resources. A suitable person demonstrates integrity and reliability and is not vulnerable to improper influence.
3.Effective personnel security facilitates the sharing of Australian government resources and is an essential mitigation tool to the threat posed by trusted insiders.
4.An agency’s personnel security risk assessment should be incorporated into the agency’s security risk management process and other agency risk management processes. Personnel security risk management may impact on, and/or complement, information and physical security controls.
1.2.Status and applicability
5.This Protocol forms part of the third level of the Australian Government’s personnel security policy hierarchy, as shown in Figure 1. This protocol and its supporting guidelines will inform agency-specific personnel security policy and procedures.
Figure 1 - Personnel security policy hierarchy
6.The Australian Government personnel Security Protocol derives its authority from the PSPF – Directive on the security of Government business, Governance arrangements, and the Personnel security core policy and mandatory requirements. It should be read in conjunction with:
- the Australian Government information security management protocol
- the Australian Government physical security management protocol
- the Public Service Act 1999 (Cth) (PS Act)
- the Privacy Act 1988 (Cth)
- any agency specific legislation and/or guidance, and
- the Personnel security guidelines:
- Agency personnel security responsibilities, and
- Vetting practices.
7.Positive Vetting (PV) security policy (developed by the Inter-Agency Security Forum) is detailed in the Sensitive Material Security Management Protocol (SMSMP). Distribution of the SMSMP is limited to agency security advisers with a need to know.
1.3.Terms used in this Protocol
8.In this Protocol the use of the terms:
- ‘need to’ refers to a legislative requirement that agencies must meet
- ‘are to’ or ‘is to’ are controls that support compliance with the mandatory requirements of the personnel security core policy
- ‘should’ refers to better practice. Agencies are expected to apply better practice unless the agency risk assessment has identified reasons to apply other controls, and
- ‘required’ is used as common language and has no special meaning in this protocol.
9.Unless otherwise stated, the use of:
- ‘personnel’ in this protocol refers to employees, contractors and service providers as well as anybody else who is given access to agency assets as part of agency sharing initiatives
- ‘employment screening’ refers to screening undertaken by an agency prior to employment of staff or engagement of contractors
- ‘Australian Government resources’refers to the collective term used for Australian Government people, information and assets, and
- ‘vetting agency’ refers to the Australian Government Security Vetting Agency (AGSVA), authorised agencies and State and Territory vetting agencies.
- Financial statement – provides a detailed summary of a clearance subject’s assets, income, liabilities and expenditure.
- Financial history check - provides an overview of a clearance subject’s financial history.
10.Clearance decisions/status:
- ‘ineligible’ refers to a determination by a vetting agency that a clearance subject is not eligible for an Australian Government security clearance as they do not hold Australian citizenship and/or have a checkable background
- ‘deny’ refers to adetermination by a vetting agency that a clearance subject is not eligible to hold a Australian Government security clearance at one or more clearance levels
- ‘grant’ refers to a determination by a vetting agency that a clearance subject is eligible and suitable to hold an Australian Government security clearance
- ‘grant – conditional’ refers to a determination by a vetting agency that the clearance subject is eligible and suitable to hold an Australian Government security clearance with conditions and/or after care requirements are attached to the clearance
- ‘cancel’ refers to a Security clearance initiated, but not completed by the vetting agency as thesponsorship of the clearance was removed at the request of the sponsoring agency, the sponsorship or clearance requirement could not be confirmed, or the clearance subject was non-compliant with the clearance process
- ‘active’ refers to a maintained security clearance that issponsored by an Australian Government agency, andbeing maintained by a clearance holder and sponsoring agency
- ‘inactive’ refers to a security clearance that is within the revalidation period, however the clearance:
-is not sponsored by an Australian Government Agency
-is not being maintained by the clearance holder for a period greater than six months due to long term absence from their role
-for the Positive Vetting level an annual security check was completed within the last two years
-can be reactivated or reinstated provided the clearance is sponsored by an Australian Government agency before the end of the revalidation period, and
-cannot be reactivated until all change of circumstances notifications covering the period of inactivity have been assessed by a vetting agency.
- ‘expired’ refers to a security clearance that:
-is outside the revalidation period and is not sponsored by an Australian Government agency
-is a PV clearance and did not have an annual security appraisal completed within a two year period
-cannot be reactivated and reinstated, and
-reverts to an initial security clearance assessment process if an Australian Government agency provides sponsorship after the end of the revalidation period.
- ‘Ceased’ refers to a security clearance:
-that has been denied or revoked
-that may have time-based conditions on when a clearance subject or holder can reapply for a security clearance, and
-where the clearance subject or holder is ineligible to hold or maintain a security clearance.
11.Additional terms used in this Protocol can be found in the PSPF – Glossary of Terms.
1.4.Agency responsibilities in personnel security
12.Effective personnel security management is a responsibility of all agency personnel including, senior management, line managers, HR areas, and security areas.
1.4.1.Agency heads
13.Responsibility for development, implementation and maintenance of personnel security management ultimately rests with the agency head.
14.Agency heads set:
- leadership/vision and values
- employment standards
- the agencies risk tolerance, and
- culture through policy, procedures and education.
1.4.2.Line managers
15.Line managers play a key role in personnel security. They are more likely than agency security staff to have a detailed and accurate knowledge of their employees and the duties of a position in their work area.
16.Line managers are responsible for:
- positively influencing the protective security behaviour of their personnel
- monitoring employee behaviour, and
- reporting any concerns about a staff member’s suitability for access to official resourcesto the agency security section.
1.4.3.Agency personnel
17.All agency personnel are responsible for:
- applying the ‘need-to-know’ principle
- being aware of the importance of their role in, and responsibility for, ensuring the maintenance of good personnel security practices throughout the agency
- reporting issues of concern
- complyingwith agency pre-engagement, ongoing suitability and security clearance processes,and
- complying with Australian Government-wide and agency-specific standards for the protection of Australian Government security classified resources.
1.4.4.Need-to-know principle
18.Agencies are to limit access to, and dissemination of, Australian Government resources to those personnel who need the resources to do their work.
19.Agencies are to limit access to, and dissemination of, Australian Government security classified resources to those who hold the appropriate level of clearance.
20.Agencies are to provide information on the ‘need-to-know’ principle to all personnel as part of their security awareness training.
1.5.Policy exceptions
21.Exceptional circumstances or emergencies may arise that prevent agencies from applying relevant controls identified in the PSPF. These may be either of an ongoing or of an emergency nature.
22.Policy exceptions can be made for an ‘are to’ or ‘is to’ statement. By making a policy exception, an agency head is acknowledging that the agency:
- is not applying the specified control
- is aware of and willing to accept the risk posed to their agency, and
- will manage the risk in another way.
23.Agencies cannot make policy exceptions to AUSTEO and Eyes Only access requirements. For further information see Foreign Nationals with non-Australian Government securityclearances.
24.Agencies are todocument their policy exceptions, including the risk assessment, in accordance with their agency specific policies and procedures.
25.Where appropriate, policy exceptions and risk assessments may cover policy decisions relating to types of activity, rather than individual instances.
1.5.1.Functional equivalents
26.Where agencies use alternative personnel security measures that provide the same or better functionality than specified controls, a policy exception is not required.
27.Before agreeing to the use of alternative protective security measures an agency head, or delegate, should seek expert advice to confirm that the technical performance requirements of the proposed measures meet or exceed those of the specified control.
28.For further information see Governance arrangements – Audit, reviews and reporting.
1.6.Sharing personal information
29.The Australian Government expects agencies and vetting agencies to share information relevant to the ongoing suitability of personnel to access Australian Government resources.
30.Agencies are to obtain written ongoing consent from all personnel (existing and potential)to share information with other agencies for the purposes of assessing their ongoing suitability. This includes employment screening and security clearance processes. A template informed consent form is provided at Annex C of the Personnel security guidelines – Agency personnel security responsibilities and Annex H of the Personnel security guidelines – Vetting practices.
31.Sharing relevant information does not breach an individual’s privacy provided that informed consent is received and the information is used for the purpose for which consent is provided. For further information see Annex D of the Personnel security guidelines – Agency personnel security.
32.In order to prevent or minimise the impact of security concerns agencies may provide relevant information about personnel to:
- law enforcement agencies
- intelligence agencies
- potential gaining agencies (prior to personnel transferring), and
- other agencies that are affected by a security concern.
33.Agencies are to include a contractual requirement for service providers and contracting companies to seek written consent to share information with the agency from all the service provider’s or contracting company’s personnel who may access the agencies’ resources. The agency may then on behalf of the Commonwealth share this information with other agencies for the purposes of assessing suitability to access Australian Government resources. See Annex C of the Personnel security guidelines – Agency personnel security responsibilities for a template informed consent form.
34.For further advice on protective security in contracting see Governance arrangements – Contracting.
2.Components of personnel security
35.Personnel security comprises three major components:
- employment screening;
- maintaining ongoing suitability, and
- separation activities.
36.An agency’s approach to personnel securityis to be comprehensive and ongoing. The following table gives examples of measures at the various stages.
Table 1 – Summary of personnel security components
Stage / Personnel security measures / Examples of tools, techniques and servicesEmployment screening / Employment checks / Identity proofing / National Identity Proofing Guidelines including document verification
Eligibility / Australian Citizenship (or correct visa)
Qualification checks / Certificate verification for mandatory qualifications
Previous employment checks / Referee checks
Criminal records check / No exclusion check under the spent conviction scheme unless agency has partial or full exemption,
Agency specific checks / Credit checks, drug screening, etc.
Initial security clearances / Suitabilityassessments by vetting agencies
Maintaining ongoing suitability / Education / Countering manipulation / Employee security awareness programs, contact reporting scheme
Security culture / Using incentives to encourage the reporting of security issues
Monitoring & evaluation / Access controls / Physical and logical access privileges / IT passwords, access passes, codes
Protective monitoring / Physical access and IT systems monitoring / System audit processes
Investigations / Gather evidence about security breaches for possible Code of Conduct or criminal prosecution
Ongoing employment suitability checks / Change of circumstances / Periodic credit checks, drug screening, etc.
Agency specific screening
Security clearance maintenance / Periodic revalidations / Annual health check
Change of circumstances
Contact reporting
Reviews for cause
Separation activities / Ongoing obligations briefing / Post-employment personnel security obligations under Crimes Act/ Criminal Code and other legislation / Security clearance debrief
Exit interview
Withdrawal of access / Cancelling ID passes and ICT access
Security clearance actions / Advice to vetting agency of the separation
Advice to ASIO where security concerns are present