Personnel Security Protocol

Version 1.2

Approved

September 2010 © Commonwealth of Australia

This work constitutes Commonwealth copyright and is intended to assist agencies and organisations providing services to the Commonwealth to meet their security requirements.

You may reproduce this work in unaltered form in whole or part for your personal, non-commercial use, commercial use or use within your organisation. You may distribute any copies of this work in unaltered, complete form only (retaining this copyright notice).

Requests for further authorisation and inquiries should be directed to:

Protective Security Policy Section
Attorney-General’s Department
3-5 National Circuit
BARTON ACT 2600
e-mail [email protected]

Table of Contents

Amendments
Introduction
Discrimination
Components of personnel security
Selection of staff
Ongoing staff education
Monitoring and evaluation of staff
Summary of personnel security components
Personnel security risk review
Agency-specific character (fit and proper person) employment checks
Security clearances
Security clearance levels
Personnel security checks for initial clearances
Access provided by each clearance level
When should a security clearance be upgraded?
Recognition of security clearances
Who needs a security clearance?
Eligibility for a security clearance
Eligibility waivers
Uncheckable backgrounds
Conditions for clearances subject to an eligibility waiver
Special access arrangements
Foreign nationals
Office holders who do not require a security clearance
Persons employed under the Members of Parliament (Staff) Act 1984 (MoPS Act)
State or Territory authority employees
Security clearances for locally engaged staff at Australian missions overseas
Overview of personnel security clearance responsibilities
Temporary access to classified information arrangements
Approval of temporary access
Identifying Designated Security Assessment Positions (DSAPs)
Maintaining the agency DSAP register
Need-to-know principle
Caveat and codeword access
Contracted service providers requiring a security clearance
Agency responsibilities in personnel security
Agency heads
Managers
Agency employees and contracted service providers
Australian Government Security Vetting Agency (and exempt agencies) responsibilities
Documents required for security clearances
Supplementary checks and inquiries
Uncheckable backgrounds
Mitigation
Official Secrecy Acknowledgment form
Assessing officers training
ASIO Security Assessment process
Transfer of security clearance
AGSVA and exempt agencies’ management of outsourced vetting providers
Vetting decisions – assessment of whole person
Adverse findings
Review of clearance decisions
Reviews of security clearance processes and outcomes
Ongoing personnel security management (‘Aftercare’)
Security awareness training
Significant changes of personal circumstances
Contact reporting
Incident reporting
Revalidations of security clearances
Revalidation requirements
Review for cause
ASIO initiated review of ASIO Security Assessment
Action when a clearance subject leaves an agency
Attachment A Request for waiver of Special Minister of State’s Determination 2004-05/Part III/6 for a Minister’s Electorate Officer

Amendments

| No. | Date | Location | Amendment |
| 1 | December 2010 | Discrimination | Move to introduction and clearly state that potential employees cannot be discriminated against if they do not hold a clearance where they agree to undergo a clearance process |
| 2 | January 2011 | Personnel security risk review | Update insider threat link to new booklet ‘The insider threat to business’ |
| 3 | 22 March 2012 | Persons employed under the Members of Parliament (Staff) Act 1984 (MoPS Act) and Attachment B | Special Minister of State Determination 2012/1 has replaced Special Minister of State’s Determination 2004-05/Part III/6 |

Introduction

This protocol was approved by the Attorney-General on the advice of the Protective Security Policy Committee. Queries can be directed to [email protected].

The core policies of the Protective Security Policy Framework provide the mandatory requirements for protective security in Australian Government agencies. This protocol provides more detailed advice to better enable agencies to meet the mandatory personnel security requirements.

This protocol applies to baseline and negative vetted security clearances. Positive vetted security clearance protocols are managed by the Australian Intelligence Community through the Inter-Agency Security Forum.

This protocol provides guidance on personnel security to staff with security, recruitment and line management responsibilities, and should be read in conjunction with:

• the Protective Security Policy Framework
• the Public Service Act 1999 (PS Act). Agencies that employ staff under different legislation to the PS Act should refer to the relevant clauses of their enabling legislation when the PS Act is mentioned throughout this protocol and associated guidelines
• any agency specific legislation, and
• the personnel security guidelines:
  - Agency personnel security guidelines
  - Personnel security practitioners guidelines
  - Security clearance subjects guidelines.

The use of “employee” or “staff” in this protocol refers to:

• ongoing and non-ongoing employees of agencies
• employees of service providers requiring access to security classified information or resources, and
• employees of other organisations to which an agency provides security classified information or resources.

Discrimination

Agencies, or their contracted employment service provider, advertising employment vacancies are not to discriminate against those applicants who are not holders of a current security clearance where they indicate a willingness to undergo a clearance prior to employment.

The AGSVA and exempt agencies are to ensure that assessing officers are aware of the provisions of legislation relating to discrimination, and the impact of these decisions on the security clearance process.

See Federal discrimination law.

Components of personnel security

Personnel security is the management of staff to assist in the protection of an agency’s people, information and assets.

To foster a security aware culture personnel security includes three major components:

• identification of suitable staff to access agency information, resources and assets
• educating staff about their security responsibilities, and
• monitoring and evaluation of staff’s continuing suitability.

Personnel security arrangements within an agency are to be based on each agency’s security risk assessment.

Selection of staff

Agency heads set the minimum suitability requirements for all new staff employed in their agencies based on the agency risk assessment. These requirements are normally conditions of engagement, or ongoing conditions of employment, and may include character checks and security clearances. See sections 22(6) and 22(7) of the Public Service Act 1999 and the APSC publication Conditions of engagement.

It is recommended that all agencies use the Australian Standards:

• AS: 4811-2006: Employment screening, and
• HB:323-2007: Employment screening handbook

when developing an agency pre-employment checking program.

All personnel, including contractors, requiring ongoing access to Australian Government security classified information or resources need security clearances. The Australian Government Security Vetting Agency (AGSVA) processes and reviews security clearances for all Australian Government agencies, other than identified exempt agencies.

Ongoing staff education

Staff education provides new and existing staff with information on an agency head’s expectations for his or her staff. This can take various formats including face-to-face and on-line training, briefings, pamphlets, etc. See Ongoing personnel security management (‘Aftercare’).

Monitoring and evaluation of staff

Initial character checks and security clearances determine a person’s suitability to access agency facilities, control assets and/or access security classified information and resources at the time they are performed. Agencies need to monitor staff’s continued suitability to access resources and classified information. See Ongoing personnel security management (‘Aftercare’).

Summary of personnel security components

An agency’s approach to personnel security should be comprehensive, encompassing a range of measures at various stages throughout an employee’s career, from pre-employment screening through to ongoing personnel security measures. The following table gives examples of measures at the various stages.

| Stage | Personnel security measures | Examples of tools, techniques and services |
| Personnel security during recruitment | Pre-employment checks | Identity verification: Excerpt from gold standard identity verification |
| | | Eligibility: Australian Citizenship (or correct visa) |
| | | Qualification checks: Certificate verification for mandatory qualifications |
| | | Previous employment checks: Referee checks |
| | | Criminal records check: No exclusion check, unless agency has partial or full exemption, under the spent conviction scheme |
| | | Other agency specific checks: Credit checks, drug screening, etc |
| | Security clearances | Background assessments by AGSVA or exempt agencies |
| Personnel security during employment (education) | Countering manipulation | Employee awareness programs, contact reporting scheme |
| | Security culture | Using incentives to encourage the reporting of security issues |
| Personnel security during employment (monitoring & evaluation) | Access controls | Physical and logical access privileges: IT passwords, access passes, codes |
| | Protective monitoring | Physical access and IT systems monitoring: System audit processes |
| | Investigations | Generation of evidence about breaches of the Code of Conduct or criminal behaviour |

Modified with the permission of the Centre for the Protection of National Infrastructure (www.cpni.gov.uk)

Personnel security risk review

An agency’s personnel security risk review may be incorporated into the agency’s security risk review or other agency risk review processes.

One of the most significant risks to an agency is from the ‘insider threat’ particularly with the increasing reliance on sophisticated ICT systems.

It is not enough to want to cause harm to an agency; a person also needs access. This is significantly easier for those with legitimate access to an organisation’s assets, such as staff and contractors, i.e. ‘insiders’. Their motivations are varied and can range from political or religious ideologies to revenge, status, financial gain and coercion.

See Insider threat: protecting the enterprise from sabotage, spying and theft by Eric Cole and Sandra Ring (ISBN: 1-59749-048-2) for further information.

Agencies are to undertake a personnel security risk review in accordance with:

• AS/NZS ISO 31000: Risk Management – Principles and Guidelines.

The relationship of personnel security with physical security and information security is outlined in the Overview of security in an agency’s risk assessment and planning.

Agencies are to determine the need for any agency specific character (fit and proper person) checks and/or the need for security clearances based on their personnel security risk review.

For further guidance on security risk reviews see: Agency personnel security guidelines.

An assessment of the personnel security risks to the agency ‘from the top down’ will give more cost-effective management of personnel security risks:

• Agency requirements - the risks that affect all personnel in the agency may include:
  - access to the agency ICT network
  - the value of the agency’s information, resources and assets, and
  - agency outputs
• Program, or sub program, requirement review - the risks that affect all personnel in a program and may include:
  - program outputs
  - physical location
  - program information, resources and assets, and
  - access to specialised or highly classified ICT networks

Depending on the size or structure of an agency there may be a requirement to perform risk assessments at different levels down to Sections.

• Individual position risk assessments - Some positions may have specific risks that differ from other positions within the agency. Where this is the case the position should have its individual risks identified.

Agency-specific character (fit and proper person) employment checks

Agencies may, based on their unique security and operational environments and subsequent security risk assessments, require potential employees to undergo specific checks separate from the requirements for an Australian Government security clearance. These checks may be required for employment across the whole of the agency, or in specific areas or positions within an agency.

Agencies may also require employees with access to valuable or attractive assets to undergo specific character checks, whether or not a security clearance is required.

Character checks are agency-specific and are separate from the security clearance process. The results of agency-specific character checks may bring up issues relevant to the security clearance vetting process which the agency needs to share with the AGSVA who in turn may instigate supplementary security clearance assessments.

Agencies should forewarn applicants when additional character checks will be conducted. Agencies should identify the requirement to meet additional agency-specific character checks as being in addition to, or instead of, the minimum clearance standards at the time of advertising a vacancy, or prior to offering employment.

Any review relating to decisions not to offer, or continue, employment as a result of agency-specific character checks is through internal agency mechanisms. An agency considering imposing such additional requirements should obtain its own legal advice on the most appropriate means by which it might be achieved. Where relevant, agencies should also liaise with the Australian Public Service Commission and the Department of Education, Employment and Workplace Relations.

While a potential employee may meet the minimum requirements for an Australian Government security clearance, he or she may not meet the agency’s character check requirements and vice-versa.

Agencies should conduct qualification verification checks where positions have mandatory qualifications or where qualifications are claimed that would impact on a decision to employ a person.

Additional information is available from:

• AS4811-2006: Employment Screening
• HB 323-2007: Employment Screening Handbook
• AS 8001-2008: Fraud and Corruption Control, and
• APS Conditions of engagement.

Security clearances

A security clearance is an administrative determination by a competent authority that an individual is eligible and suitable, from a security stand-point, to access security classified resources. The responsibility for deciding whether to grant, deny, vary or revoke a clearance lies with the AGSVA, or an exempt agency.

An agency head imposes conditions of employment on APS employees that may include “security and character clearances” (see section 22(6)(d) of the PS Act).

Security clearance levels

There are four security clearance levels:

• Baseline Vetting – ongoing access to information or resources classified PROTECTED, or other situations where an agency might determine it needs a high level of assurance of a person’s suitability to perform a particular role
• Designated Security Assessment Positions
  - Negative Vetting Level 1 – ongoing access to information or resources classified PROTECTED, CONFIDENTIAL and SECRET, or other situations where an agency might determine it needs a higher level of assurance of a person’s suitability to perform a particular role
  - Negative Vetting Level 2 – ongoing access to information or resources classified PROTECTED, CONFIDENTIAL, SECRET and TOP SECRET, or other situations where an agency might determine it needs the highest level of assurance of a person’s suitability to perform a particular role, and
  - Positive Vetting – permits access to information or resources at all classification levels including certain types of caveated, compartmented and codeword information. Positive vetting requirements are managed by the Inter-Agency Security Forum on behalf of the Australian Intelligence Community and are not dealt with in this protocol.

An agency’s decision on the level of assurance it requires should be linked to the agency’s risk assessment.

Personnel security checks for initial clearances

The hierarchy of checks and processes that reflects the level of assurance required for each level of security clearance is shown in the following table.

| Baseline Vetting | Negative Vetting Level 1 | Negative Vetting Level 2 | Positive vetting |
| See AS4811:2006 | Designated Security Assessment Positions | Designated Security Assessment Positions | Designated Security Assessment Positions |
| Identity Check (Excerpt from gold standard identity verification) | Identity Check (Excerpt from gold standard identity verification) | Identity Check (Excerpt from gold standard identity verification) | |
| 5 year Background Check | 10 year Background Check | 10 year Background Check | |
| Police Records Check | Police Records Check (Full Exclusion) | Police Records Check (Full Exclusion) | |
| Referee Check (Professional) [4] | 2 Referee Checks (including one (1) Professional) [4] | 3 Referee Checks (including one (1) Professional) [4] | |
| Qualification Verification [1] | Qualification Verification [1] | Qualification Verification [1] | |
| | ASIO Assessment | ASIO Assessment | |
| | Suitability Screening Questionnaire | Suitability Screening Questionnaire | |
| | Financial Declaration [2] | Financial Declaration [2] | |
| | | Suitability assessment | |
| | | Bankruptcy Check | |
| | | Financial Statement [3] | |
| | | Security Interview | |
| | | Background investigation | Whole of life checks as determined by the Inter-Agency Security Forum |

[1] Qualification verification is required where questions or concerns arise. Qualifications checks should be part of an agency employment screening process where qualifications are claimed and/or mandatory.
[2] Financial declaration – a declaration by the clearance subject that he or she does not have any financial concerns, see Personnel security practitioners guidelines.
[3] Financial statement – detailed summary of the clearance subject’s assets, income and expenditure, see Personnel security practitioners guidelines.
[4] Referees’ checks are to cover the whole checking period. Professional checks are to cover at least the preceding three months.

Access provided by each clearance level

The following table summarises the access permitted by each clearance level:

| Clearance level | TOP SECRET | SECRET | CONFIDENTIAL | PROTECTED | DISSEMINATION LIMITING MARKER | UNCLASSIFIED |
| Negative vetting level 2 | Yes | Yes | Yes | Yes | Yes | Yes |
| Negative vetting level 1 | No | Yes | Yes | Yes | Yes | Yes |
| Baseline vetting | No | No | No | Yes | Yes | Yes |
| Pre-engagement staff screening | No | No | No | Limited access if screened to AS: 4811-2006* | Agency discretion | Yes |

[The column headings of the original table also carry the qualifier “(and Cabinet information)”.]

* Limited access is access under supervision to information or resources needed to perform the person’s duties for periods not exceeding three months.

When should a security clearance be upgraded?

If the tasks or duties of a job change to the extent that it requires an individual to have ongoing access to resources classified higher than accessible with his or her current security clearance and the provisions for temporary access are inappropriate, the individual may need to undergo a clearance at a higher level.

Recognition of security clearances

The AGSVA, exempt agencies and States and Territories are to recognise each other’s clearances unless one of the conditions listed in Transfer of security clearance exists.

Who needs a security clearance?

Employees who are responsible for the ongoing creation, use, handling, storage and disposal of security classified information and resources are to hold a security clearance at the appropriate level.

Individuals do not require a security clearance for ongoing access to unclassified information and resources below PROTECTED unless the agency’s risk assessment indicates otherwise.

All employees are to acknowledge that they are responsible for safeguarding any information or resources for which they are responsible against loss, misuse or compromise.

Eligibility for a security clearance

Only Australian citizens with a checkable background are eligible to be granted a security clearance, unless these eligibility requirements are waived. Permanent residence status is not an acceptable alternative to the citizenship requirement.

Eligibility waivers

The granting of an eligibility waiver is separate from the clearance process. An agency head may waive the requirement for a person to be eligible for a security clearance. An agency should finalise the waiver prior to requesting a clearance. The AGSVA may deny a clearance on suitability grounds where there are significant concerns, including the eligibility condition that was waived.

Prior to granting an eligibility waiver the agency is to consult with AGSVA as to whether there are other pre-existing concerns regarding the clearance subject.

Written advice from the agency’s security executive and/or the agency security adviser (ASA) is to inform the agency head’s decision to waive the eligibility requirement. This advice is to address all relevant aspects of the matter and include a thorough analysis of the risks to the Australian Government and possible impact on national security and the national interest.

See the Agency personnel security guidelines for more details on preparing eligibility waivers.

The agency is to notify the AGSVA of any eligibility waivers. The record is to be retained on the clearance subject’s Personal Security File (PSF).

The AGSVA may, at its discretion, not accept the request for security clearance if the documents supporting the waiver do not fully detail the risks to the national interest, mitigations and any residual risks. The AGSVA may also decline the request for clearance if, notwithstanding the waiver, there is no chance of a clearance being granted.

Uncheckable backgrounds

A clearance subject has an uncheckable background when the AGSVA or exempt agency cannot complete the minimum checks and inquiries for the requisite checking period.

The AGSVA or exempt agency will only notify the sponsoring agency of uncheckable backgrounds when there are no other significant concerns that would preclude the granting of a security clearance to allow limited access to classified information. In this circumstance the agency head may grant an eligibility waiver as detailed above.

Conditions for clearances subject to an eligibility waiver

Clearances granted subject to eligibility waivers will be subject to strict conditions which will include, but are not limited to:

• the agency is not to allow non-Australian citizens granted a waiver access to ‘Eyes Only’ information unless it includes the person’s country of citizenship (see Foreign nationals below)
• subject to the provisions of any information sharing agreements, the agency is not to grant access to security classified information from a foreign government without the written agreement of that foreign government
• the agency is not to grant access to security classified information from other agencies without consultation with those agencies, and
• the agency is to limit access to security classified information to that required to perform the specific duty identified and which could not be performed by an eligible person as detailed in the waiver.

The waiver should be reassessed and AGSVA advised if the clearance subject changes duties.

The agency is to reassess the eligibility waivers at least every two years as part of the review of the agency security risk and security plan.

Special access arrangements

Foreign nationals

Foreign nationals can access Australian Government security classified information and resources if they hold a security clearance granted by their national government which is recognised by the Australian Government in accordance with the terms of an agreement. This may include a whole of government bilateral instrument or a bilateral instrument between individual Australian and foreign government agencies. The instrument may include provision for the mutual recognition of security clearances and the handling and storage of security classified information and resources.

Agencies that are unsure whether a bilateral instrument is effective are to seek advice from DFAT.

Foreign nationals employed by an Australian agency outside of the provisions of a bilateral instrument are to be security cleared by the AGSVA or an exempt agency.

Foreign nationals are strictly prohibited from accessing information caveated ‘Australian Eyes Only’ (AUSTEO). Foreign nationals can only access Eyes Only information if they are a citizen of a country included in the Eyes Only caveat.

The foreign national’s employing agency is to seek approval from the originating agency prior to allowing access to ComSec or other Australian caveated or codeword information.

Subject to the provisions of any information sharing agreements a foreign national is not to access information from a third foreign government without the written agreement of that foreign government.

Office holders who do not require a security clearance

By convention the members of:

• Parliament
• the judiciary, and
• the executive council

are not required to hold security clearances.

However, they should handle security classified resources in accordance with the mandatory requirements of the Protective Security Policy Framework.

Staff of the above office holders who need to access security classified information are to be security cleared to the appropriate level.

Persons employed under the Members of Parliament (Staff) Act 1984 (MoPS Act)

Special Minister of State Determination 2012/1 directs that the staff of Ministers employed under Part III of the MoPS Act are to obtain and maintain a Negative Vetting Level 2 security clearance.

Under this Determination, a Minister’s Chief of Staff may request a variation of the security clearance requirement from the Secretary Attorney-General’s Department where:

• the person is an electorate officer
• the electorate officer is not required to access, and will not come into contact with security classified information or resources:
  - above PROTECTED for electorate officers employed by a National Security Committee of Cabinet (NSC) Minister, or
  - above SECRET for electorate officers employed by a non-NSC Minister.

The Secretary Attorney-General’s Department will approve the request to vary the requirement for a Negative Vetting Level 2 security clearance following a recommendation by the Portfolio Department that confirms the electorate officer will not access security classified information or resources above PROTECTED or SECRET as appropriate (see above).

The following security clearance levels are to apply:

• Negative Vetting Level 2:
  - electorate officers for NSC Ministers who access security classified information or resources above PROTECTED, and
  - electorate officers for Ministers who are not members of the NSC, and who access security classified information or resources at TOP SECRET
• Negative Vetting Level 1:
  - electorate officers for Ministers who are not members of the NSC, and who access security classified information or resources at CONFIDENTIAL and/or SECRET
• Baseline Vetting:
  - electorate officers who access official information and security classified information or resources up to and including PROTECTED.

See Request for variation of Special Minister of State’s Determination 2012/1 for a Minister’s Electorate Officer.

State or Territory authority employees

The Commonwealth expects State or Territory authority employees who require access to Australian Government security classified information and resources to undergo an appropriate security clearance process that meets the requirements of this Protocol.

The Memorandum of Understanding on the Protection of National Security Information between the Commonwealth and States and Territories, which entered the implementation phase in April 2007, enables those jurisdictions to issue security clearances.

Under the Australian Security Intelligence Organisation Act 1979 (ASIO Act), ASIO Security Assessments cannot be passed directly to the States or Territories. State and Territory agencies’ requests for ASIO Security Assessments will be coordinated by the Head of their First Minister’s Department and/or the Commissioner of Police or their delegates, and submitted through a Commonwealth sponsoring agency, in accordance with the Memorandum.

Security clearances for locally engaged staff at Australian missions overseas

The Department of Foreign Affairs and Trade administers security clearances for all locally engaged staff at Australian missions overseas.

Overview of personnel security clearance responsibilities

| Employee responsibilities | Agency responsibilities | AGSVA or exempt agency responsibilities |
| | Determine whether a position requires access to classified information (DSAP or baseline) | |
| | Select employee (Normal HR) and advise AGSVA of clearance requirement | Commence clearance process. Send employee clearance pack |
| Complete and return pack by due date | | |
| Attend security awareness training | Provide security awareness training (SAT) before giving access to classified information | Process clearance (advise if provisional access can be given only if PA requested) |
| Assist AGSVA to resolve issues (provide full and truthful answers) | Advise employee (if commenced) any temporary access is revoked | Advise agency and employee of any significant issues as soon as identified |
| Seek advice on review options | Redeploy employee, cancel offer of, or cease employment (seek HR and legal advice) | Advise agency and employee of adverse decision and appeal process |
| OR | OR | OR |
| | Confirm access to classified information, finalise any SAT and monitor performance | Advise agency and employee of decision to grant clearance |
| Report any changes of personal circumstances (CoPC) | Advise AGSVA of CoPC or any security concerns | Assess CoPC or concerns and initiate review action as appropriate |

Temporary access to classified information arrangements

There are three types of temporary access arrangements. They are:

• limited higher access – in exceptional circumstances allow an employee with a security clearance access to classified information or resources at one level above the clearance subject’s currently held clearance
• emergency or short term one-off access – in exceptional circumstances allow an employee access to classified information or resources where a clearance is not held or suitability is not being assessed, and
• provisional access – access to classified information or resources while a clearance subject is undergoing a clearance.

Access to classified information or resources for longer than three months or regular access for shorter periods is ongoing access and requires a security clearance.

See Agency personnel security guidelines.

Approval of temporary access

Type of access / Access to | Limited higher access (Maximum period 3 months) | Emergency or short term access (Maximum period 3 months) | Provisional access (Access until clearance process is finalised)
TOP SECRET | Non-exempt agencies are to consult AGSVA* | Non-exempt agencies are to consult AGSVA* | AGSVA or exempt agency
SECRET and below | Employee’s agency | Employee’s agency | AGSVA or exempt agency

* See Agency personnel security guidelines.

Agencies are not to use these arrangements for access to caveat, compartmented or codeword information.

Limited higher access and emergency or short term one-off access to security classified information or resources may be allowed where there is an unforeseen requirement for access. It is important that these forms of temporary access are only used in exceptional circumstances and agencies do not overuse the temporary access provisions, or use them as a substitute for sound personnel security management.

Agencies may request provisional access from AGSVA where there is a sound business case to support access during the clearance process.

AGSVA or an exempt agency may approve provisional access without a request from the sponsoring agency where there are unforeseen delays with external checks in the clearance process and there are no identified areas of concern.

Non-exempt agencies are to seek advice from AGSVA on the suitability of employees prior to approving any temporary access to TOP SECRET information. Agencies should seek advice from AGSVA prior to approving temporary access to information at or below SECRET.

AGSVA will advise agencies of any existing or prior limitations put on the person requiring access.

Non-exempt agencies are to advise AGSVA of any temporary access approved at SECRET or below. AGSVA is to record the access on the clearance subject’s PSF and/or security records database.

Identifying Designated Security Assessment Positions (DSAPs)

DSAPs are defined in the Crimes Act 1914 as:

“a position in a Commonwealth authority which the head of the authority has determined to be a designated security assessment position whose duties are likely to involve access to national security information classified as secret or top secret.”

Agencies are to identify positions that require access to security classified resources as part of their Personnel security risk review.

[Figure: clearance levels Baseline Vetting, Negative Vetting Level 1, Negative Vetting Level 2 and Positive vetting, with Designated Security Assessment Positions]

For further advice see Agency personnel security guidelines.

Maintaining the agency DSAP register

Agencies are to determine if a position will require access to security classified information or resources and is a DSAP when the position is established. Agencies should periodically review if the position justifies remaining a DSAP.

It is recommended that agencies reassess the DSAP requirement each time the position is vacant and prior to advertising a vacancy.

Need-to-know principle

Agencies are to limit the access to and dissemination of security classified information or resources to employees who need to use or access the information or resources to do their work and, for ongoing access, hold the appropriate level of clearance.

Agencies are to ensure that all employees are aware of and implement the need-to-know principle.

Caveat and codeword access

Agencies are to liaise with the agency that imposes a caveat or codeword to determine any additional personnel security requirements. For further information on access to certain caveats and codewords refer to the Australian Government Information Core Policy.

Contracted service providers requiring a security clearance

Agencies are to identify and sponsor service providers requiring access to security classified information and resources, and are to ensure this requirement is identified during the procurement process, or as contracts are amended. See PSPF – Governance - Contracting.

The agency requesting the service providers’ clearances from AGSVA or an exempt agency is responsible for meeting the cost of the clearance. Any arrangements for cost recovery for the security clearances should be included in the contract documents.

Agency responsibilities in personnel security

Effective personnel security management imposes a series of responsibilities on all agency personnel including the clearance subject, management, recruitment areas and work colleagues.

Responsibility for development, implementation and maintenance of personnel security management rests with agency senior management.

Agency heads

Agency heads, or authorised officers, make decisions about the requirement for a security clearance based on advice provided by the relevant manager and the ASA. On the basis of a risk assessment an agency head may require that all agency staff in a particular category be cleared to a predetermined level. Factors that may influence this decision include:

• the nature of the agency’s activities
• access to the agency’s security classified information or resources, and/or
• the need for increased levels of assurance of a group of employees’ suitability to perform particular roles.

See Agency personnel security guidelines.

Managers

Managers play a key role in personnel security. They are likely to have a more detailed and accurate knowledge of their employees and the duties of a position in their work area than agency security staff.

Managers are to monitor employee behaviour and report any concerns about a staff member’s suitability for access to security classified resources to the agency security section. Managers, with the assistance of the agency security section, are to ensure that all employees whom they supervise undertake and maintain an effective employee security awareness program. See Security awareness training guidelines and Agency personnel security guidelines.

Agency employees and contracted service providers

Australian Government employees and contracted service providers requiring access to security classified resources are to accept, and comply with, Government-wide, and agency-specific, standards for the protection of these resources.

All agency employees and contracted service providers performing tasks for the agency who require access to security classified resources are to:

• apply the ‘need-to-know’ principle
• be aware of the importance of their role in, and responsibility for, ensuring the maintenance of good personnel security practices throughout the agency, and
• co-operate fully with the security vetting process.

Australian Government Security Vetting Agency (and exempt agencies) responsibilities

The AGSVA and exempt agencies are responsible for:

• the decision to grant, continue, deny, revoke or vary a security clearance, and
• appropriate handling and storing of personal information gained through the vetting process.

The AGSVA and exempt agencies are to ensure that:

• all requisite checks and any appropriate supplementary checks are conducted and all relevant, reliable information is collected before assessing a clearance subject’s suitability to hold a security clearance
• there is a consistency of approach for all security clearance subjects
• the result of all checks and inquiries forms the basis of the determination of suitability
• any doubts about suitability for access to security classified resources are resolved in favour of national security or the national interest, and
• any risk management requirements are in place.

Any reasonable doubts about the clearance subject’s suitability that cannot be resolved are sufficient for the AGSVA or exempt agency to deny, revoke or vary a security clearance. Reasonable doubt exists when all minimum and any supplementary checks are completed, and legitimate concerns remain regarding the suitability of a clearance subject.

See the Personnel security practitioners guidelines.

Documents required for security clearances

AGSVA or exempt agencies are to sight personal identifying documents, or copies, as listed in Documents required for a security clearance.

AGSVA and exempt agencies are to record the personal identifying documents as sighted then return original documents to the clearance subject and return or destroy copies once the clearance process is finalised.

Supplementary checks and inquiries

AGSVA or exempt agencies are to conduct appropriate supplementary checks and inquiries if the minimum checks are insufficient to enable the assessing officer to make a confident whole person assessment.

Uncheckable backgrounds

A clearance subject has an uncheckable background when the AGSVA or exempt agency cannot complete the minimum checks and inquiries for the requisite checking period.

Mitigation

In the event that a personal vulnerability emerges in the course of the background assessment, an assessing officer is to assess whether any factors exist that mitigate the relevance of the vulnerability. Mitigating factors are detailed in the Adjudicative Guidelines.

Official Secrecy Acknowledgment form

The AGSVA or exempt agency is to include an Official Secrecy Acknowledgement form as part of every security clearance.

The Official Secrecy Acknowledgment form is the acknowledgment by clearance subjects that they are not to disclose, publish or in any way communicate official information acquired by them in the course of their employment with, or on behalf of, the Australian Government, to any unauthorised person.

Assessing officers training

Assessing officers are to be appropriately trained and be assessed competent to carry out security clearance vetting. See Personnel security practitioners guidelines.

ASIO Security Assessment process

The AGSVA or exempt agency, or for State and Territory assessments the Commonwealth sponsoring agency, is to obtain an ASIO Security Assessment for all occupants, or proposed occupants, including contractors, of all DSAPs unless the AGSVA or exempt agency decides that the person would be unsuitable for a security clearance regardless of any assessment ASIO might make. See Personnel security practitioners guidelines.

The ASIO Security Assessment is not a substitute for evaluation of the clearance subject’s suitability for access to national security classified information.

ASIO Security Assessments provide further information and advice on national security issues to assist in determining whether to grant, continue, deny, revoke or vary a proposed or existing security clearance. This includes any information about:

• alleged or actual espionage
• sabotage
• politically motivated violence
• the promotion of communal violence
• acts of foreign interference
• attacks on Australia’s defence systems, or
• serious threats to Australia’s territorial and border integrity.

Transfer of security clearance

The AGSVA or exempt agencies are to arrange the transfer of the Personal Security File (PSF) of any employee transferring into an agency covered by the AGSVA or an exempt agency where the employee continues to require access to security classified information or resources. The AGSVA or exempt agency, as the approving agency, will hold the PSF.

Some agencies have legal restrictions on the transfer of PSFs. This includes, but is not limited to:

• the Department of Defence which cannot transfer PSFs of Defence Force service personnel, and
• ASIO which cannot transfer PSFs.

AIC agencies should not transfer PSFs for positive vetting clearances to negative vetting agencies unless the clearance subject still requires a positive vetting clearance. Positive vetting agencies other than ASIO should only provide proof of clearance and copies of some personal documents. ASIO can only provide a statement of clearance.

The AGSVA or an exempt agency is to recognise the security clearance held by the incoming employee, unless one of the following conditions exists:

• the clearance has lapsed
• the clearance was granted based on an eligibility waiver, or
• the AGSVA or exempt agency has substantial prejudicial information that the incoming employee is no longer suitable to access security classified information at that clearance level.

The AGSVA or exempt agency is to address any anomalies within the incoming employee’s PSF at the time of transfer.

The clearance subject is to be allowed access to security classified information or resources to the requisite clearance level while the AGSVA or exempt agency addresses any anomalies, unless the anomalies would warrant a review for cause. The existence of any of the above conditions will usually require the AGSVA or exempt agency to undertake additional vetting activity, which may include determining the appropriateness of any temporary access. See the Personnel security practitioners guidelines and Adjudicative Guidelines.

AGSVA and exempt agencies’ management of outsourced vetting providers

Where the AGSVA or exempt agencies outsource elements of the security clearance process, the AGSVA or exempt agency is to ensure that:

• the service provider complies, where relevant, with the Privacy Act Information Privacy Principles (IPPs), the Public Service Code of Conduct and the official secrecy provisions of the Crimes Act 1914 (s70 and s79)
• the service provider adheres to the requirements of the Protective Security Policy Framework
• the AGSVA or exempt agency reviews any documents, eg. the interview aide-memoire, to ensure that the documents meet the standards identified in this Protocol and the Personnel security practitioners guidelines, and
• information and physical security measures at the premises of the contracted service provider comply with the requirements of the Australian Government information security core policy and Australian Government physical security core policy.

The AGSVA or exempt agencies are to ensure that any outsourced vetting providers’ assessing officers meet the training and competencies identified in the Personnel security practitioners guidelines.

Vetting decisions – assessment of whole person

All vetting decisions are based on an assessment of the whole person and at all stages are to be made in accordance with the Procedural fairness guidelines.

The AGSVA or exempt agency is to advise the clearance subject in writing of the decision to grant, continue, deny, revoke or vary a security clearance and any conditions imposed. The AGSVA is to notify this decision and any conditions imposed to the agency requesting the security clearance.

If a security clearance is not granted, the AGSVA or exempt agency is to provide the clearance subject with details of the reasons, and the avenues available for review of the decision. The AGSVA or exempt agency is to give the clearance subject the opportunity to respond in writing to the reasons cited. However, this might not be possible if the ASIO Security Assessment is subject to an Attorney-General’s certificate. (See the Personnel security practitioners guidelines.)

Adverse findings

Before taking any adverse action against a clearance subject, the AGSVA or exempt agency is to ensure that information contained on the PSF is current and that information is relevant to the proposed action.

If the assessing officer is satisfied that the clearance subject is not suitable to be granted or continue to hold his or her level of security clearance, the assessing officer is to:

• advise the delegate of the concerns and expected delay in finalising the clearance assessment
• advise the clearance subject of the concerns and give him/her an opportunity to respond in writing, and
• forward the clearance subject’s response along with the assessing officer’s recommendation to the delegate for a decision. The recommendations could range from:
  - withdrawing or denying the security clearance
  - downgrading the security clearance, or
  - applying conditions to the security clearance.

The AGSVA or exempt agency is to inform the clearance subject of the decision and any procedures for seeking a review of the decision.

While the decision to withdraw or downgrade a security clearance is being considered, the AGSVA or exempt agency is to advise the clearance subject’s sponsoring agency. The sponsoring agency is to ensure that the clearance subject’s access to security classified information and resources is limited.

A security clearance review does not prevent the sponsoring agency taking disciplinary or other appropriate action in response to events that led to the withdrawal or downgrade of a clearance. However, these or any other personnel management actions are to be considered by the sponsoring agency on their merits and clearly distinguished from the security clearance process. See PSPF – Governance - Protective Security investigation.

Decisions and actions taken during a review for cause could be subject to judicial review. AGSVA and exempt agencies are to ensure they are able to demonstrate that they have met the requirements of procedural fairness. See Procedural fairness guidelines.

Review of clearance decisions

APS employees may seek a review of any security clearance decision. The primary, or internal review, will be carried out by AGSVA or the exempt agency responsible for denying or varying a clearance. The employee may also seek review through the Australian Public Service Commissioner or the Commonwealth Ombudsman.

APS employees have similar review provisions through their employing agency for any decisions relating to their employment.

Non-APS Australian Government employees may have similar rights for review as APS employees through their agency's relevant legislation.

The delegate for the purposes of the review is to:

• have regard to the Public Service Regulations when determining the exact procedures for the review, and
• rule on the review without seeking implicit or explicit approval from any person who was involved in making the initial decision.

The AGSVA, or exempt agency, and the clearance subject seeking the review are to co-operate fully in the review process.

Making an application for review does not stay the original decision.

Reviews of security clearance processes and outcomes

A clearance subject may feel aggrieved by either the security clearance process or the security clearance decision. Even where the decision is not adverse, the clearance subject may have concerns about the manner in which the AGSVA or exempt agency conducted the security clearance.

The AGSVA and exempt agencies are to have procedures in place to resolve any grievances. The AGSVA and exempt agencies are to advise the clearance subject of these procedures as part of the clearance process.

Ongoing personnel security management (‘Aftercare’)

If the AGSVA or exempt agency grants a security clearance, the sponsoring agency is to provide the clearance subject with either a security awareness briefing or documents that make clear his or her responsibilities, including the need to report any change of personal circumstances when the clearance is granted.

The sponsoring agency is to provide the clearance holder a briefing and/or training every five years or at revalidation, whichever is the sooner.

Agencies are to have an ongoing process of aftercare to monitor ongoing suitability throughout the life of the clearance.

Aftercare consists of:

• ongoing security awareness training. See Security awareness training guidelines
• ongoing reporting requirements. See Changes of personal circumstances guidelines and Contact reporting guidelines
• periodic review of clearance suitability (revalidations and reviews for cause)
• managing any additional specific aftercare requirements imposed as a condition of a security clearance as advised by AGSVA, and
• specific activities around employee separation from the agency and clearance debriefing.

See Agency personnel security guidelines.

Security awareness training

The agency security plan is to include a regime of security briefings and training programs that directly respond to the agency’s security risk assessment. See Developing a security culture.

Agencies are to ensure that people who have access to security classified resources and their managers understand and accept their day-to-day security responsibilities. See Security awareness training guidelines.

Significant changes of personal circumstances

Clearance holders are to advise AGSVA or exempt agency of any changes in personal circumstances and should provide an information copy to their agency security section.

The agency security section should be advised as changes in personal circumstance may have conflict of interest or aftercare implications.

Managers and other employees may advise the agency security section of changes in personal circumstances of clearance holders. The agency security section is to advise AGSVA of these changes in circumstances.

The AGSVA or exempt agency is to:

• assess the change in circumstance to determine whether it is significant, and
• update the PSF with details of the change in circumstance.

If there is a significant change in circumstance the AGSVA or exempt agency is to determine whether to:

• revalidate the clearance, or
• carry out a review for cause.

See Changes of personal circumstances guidelines.

Contact reporting

Employees are to report suspicious contacts with foreign officials and other foreign nationals.

Agencies are to:

• collect Contact Reports from their employees
• assess the reports, and
• forward any suspicious reports relating to national security to ASIO.

See Contact reporting guidelines.

Incident reporting

Some inappropriate contacts may be of a criminal nature or a business nature that involves a conflict of interest or giving unfair advantage. The agency should investigate these contacts and if appropriate advise the Australian Federal Police, or jurisdictional police for further investigation. See PSPF – Governance – Protective Security Investigations.

Revalidations of security clearances

AGSVA and exempt agencies are to periodically initiate revalidations of all security clearances unless advised by an agency that:

• the employee is no longer in a position requiring a clearance, or
• the employee has left Australian Government employment.

The AGSVA can extend the revalidation period for a clearance issued at a higher level to the period for a lower level when the agency advises that access is now required at the lower level.

Revalidation requirements

Baseline vetting | Negative vetting level 1 | Negative vetting level 2
15 years period prior to revalidation | 10 years period prior to revalidation | 5 years period prior to revalidation
Updated personnel particulars form covering period since previous process | Updated personnel particulars form covering period since previous process | Updated personnel particulars form covering period since previous process
Police records check (No exclusion) | Police records check (No exclusion if a full exclusion is on the PSF) | Police records check (No exclusion if a full exclusion is on the PSF)
One professional referee check | One professional referee check | Two referee checks - one professional and one personal
- | ASIO check | ASIO check
Financial Declaration | Financial Declaration | Financial Statement

Review for cause

A review for cause may be initiated whenever a security concern regarding a security clearance holder arises. A review for cause can be initiated by the AGSVA or exempt agency in response to information from:

• a clearance holder’s agency, colleagues or supervisors
• the security clearance holder him/herself, or
• any other individual who has reason to believe that the security clearance holder’s personal circumstances, attitudes or behaviour have changed.

The head of AGSVA or an exempt agency is to authorise all reviews for cause. When a review for cause is authorised the AGSVA or exempt agency may initiate:

• a revalidation, or
• an investigation into the specific issue.

If the AGSVA or exempt agency is satisfied that the clearance subject remains suitable to hold a security clearance, the security clearance will continue and both the clearance subject and the employing agency are to be informed. In cases of revalidation the security clearance will then date from when the AGSVA or exempt agency makes the decision that it continue. The AGSVA will use this date to determine the dates of the ongoing cycle of review.

Where considered appropriate AGSVA is to advise the clearance subject’s sponsoring agency to restrict the clearance subject’s access during the course of the review.

See Review for cause process.

ASIO initiated review of ASIO Security Assessment

ASIO may also initiate advice to the AGSVA or exempt agency pending a new ASIO Security Assessment.

If the AGSVA or exempt agency is satisfied, based on the preliminary ASIO advice, that urgent action needs to be taken, the AGSVA or exempt agency is to advise the employing agency of the ASIO advice unless advised by ASIO that such advice is not to be given.

The employing agency is to temporarily prevent access by the clearance subject to security classified information or resources (under s. 39 of the ASIO Act). The agency should, pending finalisation of the assessment, assign the person affected to appropriate duties that do not require access to security classified information or resources.

Action when a clearance subject leaves an agency

The agency is to take steps to manage the separation when a clearance subject is preparing to leave the agency.

Prior to separation

Prior to separation an agency is to:

• remind the employee of his or her continuing personal obligations under the Crimes Act and other relevant legislation
• seek the employee’s signed recognition of that continuing obligation, and
• debrief separating staff who have access to:
  - SECRET or TOP SECRET information or resources
  - codeword information (and advise the agency providing the codeword information), and/or
  - caveat information.

The agency should have similar procedures for contracted service providers. Debriefs may be either person-to-person or in writing.

On separation

On separation an agency is to:

• advise AGSVA that:
  - an employee or contractor with a security clearance is leaving/has left,
  - if transferring to another agency or contracted service provider which agency or provider, if known, and
• where completed forward a copy of the recognition of continuing obligation to AGSVA.

Where staff or contractors leave prior to the above being completed the agency security staff are to conduct a review of the circumstances to ascertain whether there are any security related concerns. The agency is to report any such concerns to AGSVA who will advise ASIO.

ATTACHMENT A

Overview of security in an agency’s risk assessment and planning

[Figure: Security risk review summary]

ATTACHMENT B

Request for variation of Special Minister of State’s Determination 2012/1 for a Minister’s Electorate Officer

All staff employed by Ministers, including Parliamentary Secretaries, employed under Part III of the Members of Parliament (Staff) Act 1984 are required to be security cleared to Negative Vetting Level 2 unless:

• the staff member:
  - is an electorate officer, and
  - does not require access to, and will not be exposed to, security classified material
• the Minister’s Chief of Staff requests an exemption, and certifies the electorate officer will not access classified material
• the Minister’s Portfolio Department endorsed the request for variation, AND
• the variation is approved by the Secretary of the Attorney-General’s Department

Minister’s Chief of Staff request for variation

I certify that ______ (name of electorate officer) is an electorate officer for ______ (Minister’s name) and is not required to access, and will not come into contact with, TOP SECRET security classified material. I request a variation of the requirement for the above electorate officer to hold a Negative Vetting Level 2 security clearance.

Name of Chief of Staff:    Signature:    Date:   /   /

Forward request to the Agency Security Adviser of the Portfolio Department

Portfolio Department endorsement of request

Name of Portfolio Department:

I endorse the request to vary the requirement for a Negative Vetting Level 2 security clearance for the above mentioned electorate officer. I confirm he/she will not have access to TOP SECRET material, and may have access to or come in contact with security classified material:

[ ] At or below PROTECTED
[ ] AT CONFIDENTIAL OR SECRET
(Tick whichever is applicable)

Name and position of endorsing officer:    Signature:    Date:   /   /

Send to: Protective Security Policy Branch, Attorney-General’s Department, 3-5 National Circuit, BARTON ACT 2600

Approval of request

As the delegate for Secretary, Attorney-General’s Department, I vary the requirement for the above mentioned electorate officer to be security cleared to Negative Vetting Level 2, subject to them undergoing:

[ ] Baseline Vetting
[ ] Negative Vetting Level 1
[ ] Variation not approved - Negative Vetting Level 2 required
(Tick whichever is applicable).

Name and position of approving officer:    Signature:    Date:   /   /

Send to: Ministerial and Parliamentary Services, Department of Finance and Deregulation, Parkes Place, PARKES ACT 2600

ATTACHMENT C

Excerpt from gold standard identity verification

PROOF OF IDENTITY FRAMEWORK

Objective A: Evidence of commencement of identity in Australia (Mandatory for all agencies)

Documents Satisfying the Objective:

• Birth certificates
• Record of Immigration Status:
  - Foreign Passport & current Visa
  - Travel Document & current Australian Visa
  - Certificate of Evidence of Residence Status
  - Citizenship Certificate

Objective B: Linkage between Identity and Person (Photo & signature)

Documents Satisfying the Objective:

• Australian Drivers Licence (current & Original)
• Australian Passport (current)
• Firearms Licence (current & original)
• Foreign Passport

Objective C: Evidence of Identity Operating in the Community (Could be another Category A or B document)

Documents Satisfying the Objective:

• Medicare Card
• Change of Name Certificate – Non Standard Proof of Identity document – (for marriage or legal name change – showing link with previous name/s)
• Credit or Account Card
• Centrelink or Department of Veterans’ Affairs card
• Security guard/Crowd control Licence
• Marriage Certificate issued by Births Deaths and Marriages
• Tertiary ID Card

ATTACHMENT D

Review for cause process

Employee responsibilities | Agency responsibilities | AGSVA (or exempt agency) responsibilities
- | Supervisor or colleague advises of security issue or agency security personnel identifies a security concern | -
Clearance subject advises of change of circumstance | Advise AGSVA of concern | AGSVA to assess whether review for cause is appropriate

Yes

Clearance subject ceases access to classified material | Advise clearance subject that access will be withdrawn until review is finalised | Does the security concern put at risk national security? (Yes)
Clearance subject is to provide honest and full answers | Assist AGSVA with investigation | If the security concern is the result of a specific issue commence investigation

OR

Clearance subject completes revalidation pack and returns to AGSVA | Agency advises clearance subject of requirement for revalidation | If the security concern is the result of general concerns commence revalidation
Clearance subject advises of any future changes of circumstances | Agency (reinstates access and) monitors clearance subject’s security clearance | AGSVA advises agency and subject of positive outcome of review

OR

Clearance subject seeks advice on appeal process | Agency removes access to classified material and commences any HR action | AGSVA advises agency and subject of negative outcome of review and appeal process