70
Australian Government Personnel Security Protocol Version 2.0 1 September 2014
Australian Government Personnel Management Security Protocol
Australian Government Personnel Security Protocol
Version 2.01 September 2014 Commonwealth of Australia 2013
All material presented in this publication is provided under a Creative Commons Attribution 3.0 Australia licence (Creative Commons Licenses).
For the avoidance of doubt, this means this licence only applies to material as set out in this document.
The details of the relevant licence conditions are available on the Creative Commons website as is the full legal code for the CC BY 3.0 AU licence (Creative Commons Licenses).
Use of the Coat of Arms
The terms under which the Coat of Arms can be used are detailed on the It's an Honour website.Contact us
Enquiries regarding the licence and any use of this document are welcome at:
Commercial and Administrative Law BranchAttorney-Generals Department35 National CctBARTON ACT 2600
Call: 02 6141 6666
Email: [email protected] Document details
Security classification Unclassified
Dissemination limiting marking
Publicly available
Date of next reviewUnder review
AuthorityAttorney-General
Author
Protective Security Policy Section
Attorney-Generals Department
Document status
Version 2.0 approved 1 September 2014 replacesVersion 1
Table of contents11.Scope
11.1.Introduction
11.2.Status and applicability
21.3.Terms used in this Protocol
41.4.Agency responsibilities in personnel security
41.4.1.Agency heads
41.4.2.Line managers
41.4.3.Agency personnel
41.4.4.Need-to-know principle
51.5.Policy exceptions
51.5.1.Functional equivalents
51.6.Sharing personal information
72.Components of personnel security
93.Identifying personnel security risk
93.1.Personnel security risk review
104.Employment screening
104.1.Recommended employment screening
114.2.Agency-specific employment screening checks
114.3.Recording results of employment and additional agency specific screening
114.3.1.Additional information
135.Ongoing suitability for employment
135.1.Security awareness, training and education
135.2.Performance management
135.3.Conflict of interest
145.4.Incident investigation
145.5.Monitoring, evaluating and recording of ongoing personnel suitability
156.Agency security clearance requirements
156.1.Cooperation in the clearance process
156.2.Identifying and recording positions that require a security clearance
166.2.1.Security clearance levels
176.2.2.Caveat and codeword access
176.2.3.Contractors requiring security clearances
186.2.4.Persons employed under the Members of Parliament (Staff) Act 1984 (MoPS Act)
186.3.Australian office holders
196.4.Other access arrangements
196.4.1.Foreign Nationals with non-Australian Government security clearances
206.5.Eligibility waivers (citizenship and checkable background)
206.5.1.Eligibility waivers
216.5.2.Non-Australian citizens
216.5.3.Uncheckable backgrounds
226.5.4.Conditions for clearances subject to an eligibility waiver
226.6.Locally engaged staff
236.7.State or Territory government security clearances
247.Temporary access to classified information arrangements
247.1.Temporary access conditions
257.1.1.Types of temporary access
267.1.2.Short term access
277.1.3.Provisional access
277.2.Temporary access for MOPS Act staff
288.Vetting agency responsibilities
288.1.Authority to make clearance decisions
288.1.1.Confirming eligibility for a security clearance
288.2.Assessing Suitability
298.2.1.Supplementary checks and inquiries
298.2.2.Mitigation
298.2.3.Vetting agency consultation with sponsoring agencies
298.3.Vetting decisions
298.4.Failure to comply with the clearance process
308.5.Personnel security checks for initial clearances
318.5.1.Statutory declaration
318.5.2.ASIO Security Assessment
318.6.Reviews of security clearances
318.6.1.Periodic Revalidations
328.6.2.Reviews for cause
338.7.Adverse findings
338.8.ASIO-initiated review of ASIO Security Assessment
338.9.Reviews of security clearance processes and outcomes
348.10.Review of clearance decisions
348.11.Transfer of Personal Security Files
348.12.Recognition of clearances
358.13.Active and inactive clearances
358.14.Vetting staff training and qualifications
358.15.Vetting agencies management of outsourced vetting providers
369.Agency responsibilities for active monitoring of clearance holders
379.1.Security awareness training for clearance holders
379.2.Managing specific clearance maintenance requirements
379.3.Annual health check
389.4.Sharing of information
389.4.1.Reportable changes of personal circumstances
399.4.2.Contact reporting under the Australian Government Contact Reporting Scheme
399.4.3.Reporting security incidents to vetting agencies and other appropriate agencies
409.5.Change of sponsorship of security clearances
409.6.Personnel on temporary transfer or secondment
409.6.1.Clearance maintenance for personnel on secondment or temporary assignment
419.7.Personnel on extended leave
419.8.Clearance maintenance for contractors
429.8.1.Clearance sponsorship of contractors that are no longer actively engaged by an agency
4310.Agency separation actions
4310.1.Prior to separation
4310.2.On separation
4410.2.1.Separation of contractors
45Annex A: Request for variation of Special Minister of States Determination 2012/1 for a Ministers Electorate Officer
Amendments
No.DateLocationAmendment
1
2
3
4
1. Scope
Introduction
1. The core policies of the Protective Security Policy Framework (PSPF) provide the mandatory requirements for protective security in Australian Government agencies. The Australian Government Personnel Security Protocol provides more detailed advice for agencies to meet their mandatory personnel security requirements.
2. Personnel security is one element of good protective security management. The Australian Governments personnel security measures determine the suitability of personnel to access Australian Government resources. A suitable person demonstrates integrity and reliability and is not vulnerable to improper influence.
3. Effective personnel security facilitates the sharing of Australian government resources and is an essential mitigation tool to the threat posed by trusted insiders.
4. An agencys personnel security risk assessment should be incorporated into the agencys security risk management process and other agency risk management processes. Personnel security risk management may impact on, and/or complement, information and physical security controls.
Status and applicability
5. This Protocol forms part of the third level of the Australian Governments personnel security policy hierarchy, as shown in Figure 1. This protocol and its supporting guidelines will inform agency-specific personnel security policy and procedures.
Figure 1 - Personnel security policy hierarchy
6. The Personnel Security Protocol derives its authority from the PSPF Directive on the security of Government business, Governance arrangements, and the Personnel security core policy and mandatory requirements. It should be read in conjunction with:
the Australian Government information security management protocol
the Australian Government physical security management protocol
the Public Service Act 1999 (Cth) (PS Act)
the Privacy Act 1988 (Cth) any agency specific legislation and/or guidance, and
the Personnel Security Guidelines.
7. Positive Vetting (PV) security policy (developed by the Inter-Agency Security Forum) is detailed in the Sensitive Material Security Management Protocol (SMSMP). Distribution of the SMSMP is limited to agency security advisers with a need to know.
Terms used in this Protocol
8. In this Protocol the use of the terms:
need to refers to a legislative requirement that agencies must meet
are to or is to are controls that support compliance with the mandatory requirements of the personnel security core policy should refers to better practice. Agencies are expected to apply better practice unless the agency risk assessment has identified reasons to apply other controls, and required is used as common language and has no special meaning in this protocol.9. Unless otherwise stated, the use of:
personnel in this protocol refers to employees, contractors and service providers as well as anybody else who is given access to agency assets as part of agency sharing initiatives employment screening refers to screening undertaken by an agency prior to employment of staff or engagement of contractors Australian Government resources refers to the collective term used for Australian Government people, information and assets, and
vetting agency refers to the Australian Government Security Vetting Agency (AGSVA), authorised agencies and State and Territory vetting agencies. Financial statement provides a detailed summary of a clearance subjects assets, income, liabilities and expenditure.
Financial history check - provides an overview of a clearance subjects financial history.
10. Clearance decisions/status:
ineligible refers to a determination by a vetting agency that a clearance subject is not eligible for an Australian Government security clearance as they do not hold Australian citizenship and/or have a checkable background
deny refers to a determination by a vetting agency that a clearance subject is not eligible to hold a Australian Government security clearance at one or more clearance levels grant refers to a determination by a vetting agency that a clearance subject is eligible and suitable to hold an Australian Government security clearance grant conditional refers to a determination by a vetting agency that the clearance subject is eligible and suitable to hold an Australian Government security clearance with conditions and/or after care requirements are attached to the clearance cancel refers to a Security clearance initiated, but not completed by the vetting agency as the sponsorship of the clearance was removed at the request of the sponsoring agency, the sponsorship or clearance requirement could not be confirmed, or the clearance subject was non-compliant with the clearance process active refers to a maintained security clearance that is sponsored by an Australian Government agency, and being maintained by a clearance holder and sponsoring agency
inactive refers to a security clearance that is within the revalidation period, however the clearance:
is not sponsored by an Australian Government Agency
is not being maintained by the clearance holder for a period greater than six months due to long term absence from their role for the Positive Vetting level is within re-evaluation period but is unsponsored; however, an annual security check was completed within the last two years
can be reactivated or reinstated provided the clearance is sponsored by an Australian Government agency before the end of the revalidation period, and cannot be reactivated until all change of circumstances notifications covering the period of inactivity have been assessed by a vetting agency. expired refers to a security clearance that: is outside the revalidation period and is not sponsored by an Australian Government agency
is a PV clearance and did not have an annual security appraisal completed within a two year period
cannot be reactivated and reinstated, and
reverts to an initial security clearance assessment process if an Australian Government agency provides sponsorship after the end of the revalidation period. Ceased refers to a security clearance: that has been denied or revoked
that may have time-based conditions on when a clearance subject or holder can reapply for a security clearance, and
where the clearance subject or holder is ineligible to hold or maintain a security clearance.11. Additional terms used in this Protocol can be found in the PSPF Glossary of Terms.
Agency responsibilities in personnel security
12. Effective personnel security management is a responsibility of all agency personnel including, senior management, line managers, HR areas, and security areas.
Agency heads
13. Responsibility for development, implementation and maintenance of personnel security management ultimately rests with the agency head.14. Agency heads set:
leadership/vision and values
employment standards
the agencies risk tolerance, and
culture through policy, procedures and education.
Line managers
15. Line managers play a key role in personnel security. They are more likely than agency security staff to have a detailed and accurate knowledge of their employees and the duties of a position in their work area.
16. Line managers are responsible for:
positively influencing the protective security behaviour of their personnel monitoring employee behaviour, and reporting any concerns about a staff members suitability for access to official resources to the agency security section Agency personnel
17. All agency personnel are responsible for:
applying the need-to-know principle
being aware of the importance of their role in, and responsibility for, ensuring the maintenance of good personnel security practices throughout the agency reporting issues of concern complying with agency pre-engagement, ongoing suitability and security clearance processes, and complying with Australian Government-wide and agency-specific standards for the protection of Australian Government security classified resources.Need-to-know principle
18. Agencies are to limit access to, and dissemination of, Australian Government resources to those personnel who need the resources to do their work.19. Agencies are to limit access to, and dissemination of, Australian Government security classified resources to those who hold the appropriate level of clearance.20. Agencies are to provide information on the need-to-know principle to all personnel as part of their security awareness training.
Policy exceptions
21. Exceptional circumstances or emergencies may arise that prevent agencies from applying relevant controls identified in the PSPF. These may be either of an ongoing or of an emergency nature.
22. Policy exceptions can be made for an are to or is to statement. By making a policy exception, an agency head is acknowledging that the agency:
is not applying the specified control is aware of and willing to accept the risk posed to their agency, and will manage the risk in another way.23. Agencies cannot make policy exceptions to AUSTEO and Eyes Only access requirements. For further information see Foreign Nationals with non-Australian Government security clearances.24. Agencies are to document their policy exceptions, including the risk assessment, in accordance with their agency specific policies and procedures.25. Where appropriate, policy exceptions and risk assessments may cover policy decisions relating to types of activity, rather than individual instances.
Functional equivalents26. Where agencies use alternative personnel security measures that provide the same or better functionality than specified controls, a policy exception is not required.27. Before agreeing to the use of alternative protective security measures an agency head, or delegate, should seek expert advice to confirm that the technical performance requirements of the proposed measures meet or exceed those of the specified control.28. For further information see Governance arrangements Audit, reviews and reporting.
Sharing personal information
29. The Australian Government expects agencies and vetting agencies to share information relevant to the ongoing suitability of personnel to access Australian Government resources.
30. Agencies are to obtain written ongoing consent from all personnel (existing and potential) to share information with other agencies for the purposes of assessing their ongoing suitability. This includes employment screening and security clearance processes. A template informed consent form is provided at Annex C of the Personnel security guidelines Agency personnel security responsibilities and Annex H of the Personnel security guidelines Vetting practices31. Sharing relevant information does not breach an individuals privacy provided that informed consent is received and the information is used for the purpose for which consent is provided. For further information see Annex D of the Personnel security guidelines Agency personnel security .32. In order to prevent or minimise the impact of security concerns agencies may provide relevant information about personnel to:
law enforcement agencies
intelligence agencies
potential gaining agencies (prior to personnel transferring), and other agencies that are affected by a security concern.
33. Agencies are to include a contractual requirement for service providers and contracting companies to seek written consent to share information with the agency from all the service providers or contracting companys personnel who may access the agencies resources. The agency may then on behalf of the Commonwealth share this information with other agencies for the purposes of assessing suitability to access Australian Government resources. See Annex C of the Personnel security guidelines Agency responsibilities for a template informed consent form.
34. For further advice on protective security in contracting see Governance arrangements Contracting.2. Components of personnel security
35. Personnel security comprises three major components:
employment screening;
maintaining ongoing suitability, and
separation activities.
36. An agencys approach to personnel security is to be comprehensive and ongoing. The following table gives examples of measures at the various stages.
Table 1 Summary of personnel security components
StagePersonnel security measuresExamples of tools, techniques and services
Employment screeningEmployment checksIdentity proofing National Identity Proofing Guidelines including document verification
EligibilityAustralian Citizenship (or correct visa)
Qualification checks Certificate verification for mandatory qualifications
Previous employment checksReferee checks
Criminal records checkNo exclusion check under the spent conviction scheme unless agency has partial or full exemption,
Agency specific checksCredit checks, drug screening, etc.
Initial security clearancesSuitability assessments by vetting agencies
Maintaining ongoing suitabilityEducationCountering manipulationEmployee security awareness programs, contact reporting scheme
Security cultureUsing incentives to encourage the reporting of security issues
Monitoring & evaluationAccess controlsPhysical and logical access privilegesIT passwords, access passes, codes
Protective monitoringPhysical access and IT systems monitoringSystem audit processes
InvestigationsGather evidence about security breaches for possible Code of Conduct or criminal prosecution
Ongoing employment suitability checksChange of circumstancesPeriodic credit checks, drug screening, etc.
Agency specific screening
Security clearance maintenance Periodic revalidationsAnnual health check
Change of circumstances
Contact reporting
Reviews for cause
Separation activitiesOngoing obligations briefing Post-employment personnel security obligations under Crimes Act/ Criminal Code and other legislationSecurity clearance debrief
Exit interview
Withdrawal of accessCancelling ID passes and ICT access
Security clearance actionsAdvice to vetting agency of the separationAdvice to ASIO where security concerns are present
3. Identifying personnel security risk
37. An agencys protection against threats is only as good as the weakest element of its protective security (governance, information security, physical security and personnel security).
38. Adopting a comprehensive, risk-based approach to personnel security is important in the protection of an agencys resources because: it identifies an agencys vulnerability to a range of insider and other threats it allows appropriate mitigation strategies to be implemented to manage these risks, and it delivers a level of assurance about the credentials and integrity of the agencys workforce.39. Agencies are to have personnel security measures that:
meet other agencies expectations for information sharing arrangements, and
meet or exceed the minimum controls for the protection of Australian Government resources.
Personnel security risk review
40. The use of appropriate personnel security measures can prevent or deter a wide variety of insider and other threats that may include:
the disclosure or altering of Australian Government information the use of Australian Government resources without authorisation
corruption, theft or fraud
sabotage, or unauthorised third party access to Australian Government resources.41. For further advice see Managing the Insider Threat to your Business.42. Based on their personnel security risk review, agencies are to determine what checks are required for employment screening, ongoing suitability to access agency resources and for separation from the agency. These may include agency specific employment screening checks or security clearances. For example, the Australian Federal Police have a program of random drug and alcohol testing.43. For further advice on undertaking a personnel security risk review, see the United Kingdom Centre for the Protection of National Infrastructure publication Personnel Security Risk Assessment: A guide.4. Employment screening
Mandatory Requirement
PERSEC 1: Agencies must ensure that their personnel who access Australian Government resources (people, information and assets): are eligible to have access
have had their identity established
are suitable to have access, and
agree to comply with the Governments policies, standards, protocols and guidelines that safeguard the agencys resources from harm.44. Agency heads set the minimum suitability requirements for all new staff employed in their agencies, based on the agency risk assessment, any agency-specific legislation and the Australian Governments expectation that agencies have in place measures to facilitate resource sharing. These requirements are normally conditions of engagement or ongoing conditions of employment and may include character checks and security clearances. For further advice see the Australian Public Service Commission publication Conditions of engagement.45. Agencies are to ensure all personnel agree that they are responsible for safeguarding against loss, misuse or compromise any Australian Government resources for which they are responsible by obtaining a signed confidentiality agreement.46. All personnel requiring ongoing access to Australian Government security classified information or resources are to have security clearances. This includes contractors and service providers; see Section 6 - Agency security clearance requirements.47. Agencies need to confirm that the person is an Australian Citizen or has a valid visa with work rights, by sighting the documents in support of citizenship or visa. For further information see the Department of Immigration and Border Protection.Recommended employment screening48. Agencies are to undertake employment screening for all new personnel. This screening will allow access to unclassified official resources.
49. Agencies should undertake employment screening that meets or exceeds the Australian Standard 4811-2006: Employment Screening. 50. Further details on assessing employment screening checks are in the Personnel security guidelinesAgency personnel security responsibilities.
51. Agencies should, based on their risk assessment, undertake periodic reassessments of suitability for employment.Agency-specific employment screening checks
52. Additional screening checks (e.g. drug and alcohol testing) are agency-specific and are separate from the security clearance process. 53. Additional screening may include: conducting a credit reference check
obtaining a conflict of interest declaration, or
obtaining a signed Statutory Declaration from the person declaring all information provided to the agency is truthful and complete.54. Agencies should advise applicants where additional screening is required as part of a condition of engagement or an ongoing condition of employment. Agencies should identify this requirement when advertising a vacancy or before offering employment.
55. While a prospective employee may meet the minimum requirements for an Australian Government security clearance, he or she may not meet the agencys screening requirements and vice-versa.
56. If agency-specific checks identify issues relevant to a clearance subjects suitability for a security clearance the agency is to share this information with the vetting agency.
57. If agency specific checks identify issues relevant to national security, the agency is to share this information with ASIO. 58. The vetting agency/ASIO may instigate supplementary security clearance assessments as a result of this information.
59. Agencies are responsible for reviews of their agency specific checks.Recording results of employment and additional agency specific screening
60. Agencies are to record the results of the employment screening for successful applicants and any additional agency specific screening relating to each person.61. Agencies should, based on their operating requirements, determine whether to create a separate Personal Security File for each employee or add the results to their personnel file.Additional information
62. Additional information on employment screening is available from:
AS4811-2006: Employment Screening HB 323-2007: Employment Screening Handbook AS 8001-2008: Fraud and Corruption Control Preventing, Detecting and Dealing with Fraud- Rule APS Conditions of engagement.5. Ongoing suitability for employment
63. An agencys policies and procedures to assess and manage the ongoing suitability for employment of their personnel will be determined by the agencys security risk assessment; see Section 3 -identifying personnel security risks.Security awareness, training and education
64. Security awareness, training and education provide personnel with information on their responsibilities under the PSPF and their agency specific responsibilities. Training may include induction sessions, attaining formal qualifications and professional development.
65. Agencies are to determine specific security training or briefings required by their personnel. This may include but is not limited to:
personal safety and security measures in agency facilities and in the field
confidentiality requirements for information, including intellectual property
self-managing risk information control measures (need-to-know)
overseas travel safety and security
contact reporting
incident reporting
unusual and suspicious behaviour, and
handling and security requirements for valuable assets.
66. For further advice see the Protective security governance guidelines Security awareness training.
Performance management
67. Agencies should include personnel security compliance as part of their personnel performance management.
Conflict of interest68. Public confidence in the integrity of personnel is vital to the proper operation of government. Confidence may be jeopardised if the community perceives a conflict of interest. Personnel need to be aware that their private interests, both financial and personal, could conflict with their official duties.69. Ultimately it is the agency head's responsibility to determine what actions are taken where there is a conflict. While it is best to avoid a conflict, it is not always practical. Agencies are to establish processes that deliver effective personnel security outcomes and that withstand scrutiny.Incident investigation70. Agencies are to investigate reports of a security incident in accordance with their agency specific policies and procedures.
71. Agencies are to consult with the AFP, jurisdictional police, ASIO and/or ASD where the security incident may have criminal or National Security implications. 72. For further details on undertaking an investigation see Protective security governance guidelinesReporting incidents and conducting security investigations and the Australian Government Investigation Standards .These guidelines also provide advice on referring matters to the appropriate law enforcement agencies, ASIO and the Australian Signals Directorate, depending on the nature of the incident.Monitoring, evaluating and recording of ongoing personnel suitability
73. Employment screening and subsequent employment checks provide only a snapshot of the employees suitability at a point in time.
74. Based on their personnel security risk assessments, agencies are to have policies and procedures in place to monitor ongoing suitability of staff. These may include:
requiring managers to monitor all personnels continuing suitability to access Australian Government resources advising personnel what personal behaviours or concerns that they are required to reporte.g. criminal arrests or convictions, change of circumstances, contacts that are suspicious, on-going, unusual or persistent and other significant incidents. For more information see Section 8 - Agency responsibilities for active monitoring of clearance holders providing guidance to personnel on reporting suspect conduct by other personnel, and
undertaking periodic employment re-screening.
75. Agencies should determine the period between original screening and any subsequent rescreening. The period will depend on the agencys risk profile and any specific risks associated with the position.
76. Agencies should record the outcomes of their monitoring and evaluations on the same file as any employment screening results.6. Agency security clearance requirements
77. Agency heads may require a security clearance as a condition of employment. A security clearance is a determination by a vetting agency that an individual is suitable to access security classified resources.
Cooperation in the clearance process
78. Agencies are to advise clearance subjects of their responsibilities to comply with the vetting process. Where possible, agencies should assist clearance subjects to provide accurate and complete information that is timely.
79. Clearance subjects are to cooperate with the vetting agency throughout the clearance process, including by providing within the timeframes advised:
a completed clearance pack
copies of any requested supporting documents, and
complete and truthful responses.
80. Vetting agencies are to cancel the clearance process for any failure to cooperate in the clearance process. Agencies are to remove any access to Australian Government security classified resources from clearance subjects, if advised by the vetting agency that the clearance has been revoked or the process cancelled.
81. Agencies are to apply this control to all personnel, irrespective of their position or duties.
82. Agencies are not to use temporary access provisions to provide access to Australian Government security classified resources to personnel that are not actively cooperating with the vetting process.
Identifying and recording positions that require a security clearance
83. Anyone requiring ongoing access to Australian Government security classified resources is to hold a security clearance at the appropriate level.
84. An agency head or their delegate is to decide if a role or position requires a security clearance.85. An agency head may require that all agency staff in a particular category be cleared to a specified level. Factors that may influence this decision include:
the nature of the agencys business an agencies risk assessment the need to access the agencys security classified information or resources or ICT systems, or
the need for increased levels of assurance of employees suitability to perform particular roles.
86. Agencies may use security clearances as an assurance measure in addition to their employment screening and agency specific controls for positions where the agency risk assessment deems the security clearance process is to apply.87. Positions that have a business impact level of high or above may include those:
whose occupants have access to aggregations of information or assets, or where the nature of the position requires greater assurance about a persons integrity; for example, a higher level of clearance with greater background checking to support fraud mitigation or as an anti-corruption measure.
88. Agencies should assess whether the checks undertaken for a security clearance provide the required level of assurance or whether agency-specific checks will better meet their needs.
89. Agencies are to maintain a register of positions that require a clearance. Before advertising a position, agencies are to identify:
if the position requires a security clearance
the level of clearance required
whether the clearance is for access to Australian Government security classified information or to give a level of assurance, and
when the requirement for a security clearance will be reassessed.90. Agencies should periodically reassess the security clearance requirement for positions, at least each time the position becomes vacant and before it is advertised.
Security clearance levels
91. There are four security clearance levels:
i. Baseline provides ongoing access to information or resources up to and including PROTECTED.ii. Negative Vetting Level 1 provides ongoing access to information or resources up to and including SECRET.iii. Negative Vetting Level 2 provides ongoing access to information or resources up to and including TOP SECRET.iv. Positive Vetting provides access to certain types of sensitive, caveated, compartmented and codeword information. PV is an additional process that is designed to ensure, beyond reasonable doubt, that a candidate is suitable to access the highest classification of security classified and caveated information. PV builds upon the requirements for the granting and maintenance of Negative Vetting Level 2. PV requirements are managed by the Inter-Agency Security Forum on behalf of the Australian Intelligence Community and are detailed in the Sensitive Material Security Management Protocol (SM SMP) which is only available to Agency Security Advisers.Table 2 Information access requirementsCertain Sensitive and
Compartmented Information 1TOP SECRETSECRETCONFIDENTIALPROTECTEDUNCLASSIFIED with a DISSEMINATION LIMITING MARKERUNCLASSIFIED
Positive vetting(((((((
Negative vetting level 2(2((((((
Negative vetting level 1(((((((
Baseline(((((((
Employment screening(((((((
Notes: 1. Access to Sensitive and Compartmented Information is detailed in the Sensitive Material Security Management Protocol (SMSMP) which is only available to those with a need to know.2. In certain limited circumstances Compartmented information is available at the NV2 level. For further information see the SMSMP.Caveat and codeword access
92. Agencies are to liaise with the agency responsible for administering a caveat or codeword to determine the personnel security measures required in addition to a security clearance. This could include but is not limited to:
specific compartment briefings, and
reporting or restrictions on overseas travel.
93. For further information on access to caveats and codewords, refer to the Australian Government Information Core Policy and supporting Protocol and guidelines; and the SMSMP.Contractors requiring security clearances
94. Agencies are to identify contractors requiring security clearances for access to security classified information and resources or those requiring a security clearance as a level of assurance, as part of the procurement process.95. Agencies engaging contractors who will require security clearances are to sponsor the contractors clearance. See Governance arrangements Contracting.
96. Contractors may work concurrently for a number of agencies. The agency that is to sponsor a contractor is the agency:
first engaging the contractor where a security clearance is required, or requiring the highest level of security clearance.
97. The lead agency for a contract is to sponsor all contractor clearances where a single contract covers a number of agenciese.g. as the result of a panel arrangement.98. The lead agency is to ensure that they have arrangements (policies and procedures) in place to ensure the ongoing suitability of contractors in accordance with this protocol. For further information see Section 8.8 clearance maintenance for contractors.99. Lead agencies are to ensure that ongoing suitability assessments of contractors are included in the contract.
100. If an interested party becomes aware of a contractors change in circumstances, the interested party is to inform the vetting agency. The vetting agency is to inform all other interested parties. For further information on sharing see Section 1.6 - Sharing Personal Information.Persons employed under the Members of Parliament (Staff) Act 1984 (Cth) (MoPS Act)
101. Special Minister of State Determination 2012/1 directs that Ministerial staff employed under PartIII of the Members of Parliament (Staff) Act 1984 (Cth) need to obtain and maintain a Negative Vetting Level 2 security clearance. This direction allows for variation in certain circumstances for electorate officers. For further information see Annex A: Request for variation of Special Minister of States Determination 2012/1 for a Ministers Electorate Officer.Australian office holders
102. The following Australian office holders are not required to hold a security clearance to access Australian Government security classified information while exercising the duties of the office: Members and Senators of the Commonwealth, State and Territory Parliaments
Judges of The High Court of Australia, The Supreme Court, Family Court of Australia, The Federal Circuit Court of Australia and Magistrates Royal Commissioners, and the Governor-General, State Governors, Northern Territory Administrator, and members of the Executive Council.103. Other appointed office holders may have enabling legislation which gives the same privileges as the people identified in the preceding paragraphe.g. Members of the Administrative Appeals Tribunal and Members of the Social Security Appeals Tribunal.
104. Personnel of the office holders in paragraphs 100 and 101 are not exempt from the requirements for a security clearance and are to be security cleared to the appropriate level if they require ongoing access to security classified information.105. An Australian officer holders exemption from the requirements of the PSPF is limited to the requirement for a security clearance. Agencies responsible for managing protective security for Australian office holders are to ensure that classified material in their possession is appropriately safeguarded at all times in accordance with the PSPF.Other access arrangements
Foreign Nationals with non-Australian Government security clearances
106. Foreign nationals routinely contribute to Australias National Interest through exchange, long-term posting and/or attachment to the Australian Government.
107. Foreign nationals can only access Australian Government security classified information and resources under an Agreement or Arrangement if they:
access the information in accordance with that Agreement or Arrangement, and
hold a security clearance granted by their national government which is recognised by the Australian Government in accordance with the Agreement or Arrangement.
108. Agencies are not to permit non-Australian citizens access to information caveated Australian Eyes Only (AUSTEO). Non-Australian citizens can only access other Eyes Only information if they are a citizen of a country included in the Eyes Only caveat.109. Agencies cannot make policy exceptions to AUSTEO and Eyes Only access requirements. For further details see Information security management core policy110. In limited circumstances foreign nationals may access information caveated Australian Government Access Only (AGAO). AGAO is used by the Department of Defence, ASIS and ASIO. These agencies may pass information marked with the AGAO caveat to appropriately cleared representatives of foreign governments.111. AGAO material received in other agencies is to be handled as if it were marked AUSTEO.
112. For further details see Information security management guidelinesAustralian Government security classification system.
Eligibility waivers (citizenship and checkable background)
113. Agencies are to include details in their annual PSPF compliance report stating numbers and levels of security clearances granted subject to:
citizenship waivers, and
uncheckable background waivers.
114. Only Australian citizens with a checkable background are eligible for an Australian Government security clearance, unless these eligibility requirements have been waived by the sponsoring agency head. Agency Heads need to be aware that granting an eligibility waiver, does not guarantee that a clearance will be granted by the vetting agency.115. Sponsoring agencies are to confirm all clearance subjects are eligible, by confirming citizenship and checkable background requirements, prior to requesting a security clearance.Eligibility waivers
116. An agency head may, under certain conditions waive the citizenship or checkable background requirements for a person to be eligible for a security clearance.117. An agency heads decision to waive an eligibility requirement is to be based on a thorough analysis of the risks to the Australian Government and the possible impact on the National Interest. For further information see Personnel security guidelinesAgency personnel security responsibilities.
118. Agency heads need to be aware of the inherent risks posed from a malicious trusted insider when granting eligibility waivers. Any decision to grant a waiver needs to be assessed against and linked to the agencys risks. Agency heads need to be aware that by granting a waiver, they are taking on a risk that may be detrimental to the Australian Government. If the documents supporting the waiver do not fully detail the risks to the National Interest, mitigations and any residual risks, the vetting agency may reject the request for security clearance.119. The vetting agency is to record, or place, the waiver on the clearance subjects Personal Security File.120. An eligibility waiver is role-specific, non-transferable, finite and subject to review. In other words, the waiver is to apply only while the clearance holder remains in the position for which the clearance was granted.121. The waiver is not to follow the clearance holder to any other position without review. An eligibility waiver is not open-ended and is to be subject to regular review to confirm that there is a continuing requirement for the waiver.122. Agencies are to reassess eligibility waivers yearly.
Non-Australian citizens
123. An agency is to only grant an eligibility (citizenship) waiver where:
it has been identified that there is no Australian citizen who could fill the position, and
the agency understands and agrees to manage the risk.
124. Permanent residence status is not an acceptable alternative to the citizenship requirement.
125. The vetting agency may decline the request for clearance if, notwithstanding the citizenship waiver, other minimum checks are unable to be made, or standards met. It may not be possible for the vetting agency to conduct the required checks overseas or, if checks can be conducted, to have confidence in the level of assurance provided by the checks.126. Non-Australian citizens are not to access information caveated Australian Eyes Only (AUSTEO). Foreign nationals can only access other Eyes Only information if they are a citizen of a country included in the Eyes Only caveat and have a need to know. Agencies cannot make policy exceptions to AUSTEO and Eyes Only access requirements.
Uncheckable backgrounds
127. A checkable background is established when a vetting agency has validated information provided by a clearance subject with respect to their background from independent and reliable sources.
128. A clearance subject has an uncheckable background when the vetting agency cannot complete the minimum checks and inquiries for the relevant checking period, or the checks and inquiries, where able to be made, do not provide adequate assurance about the clearance subjects life or background. In these circumstances, the vetting agency may decline the request for a clearance.129. Any clearance subject that has spent greater than 12 months (cumulative) out of Australia within the requisite background checking period is to be considered to have an uncheckable background (if their periods of time out of Australia cannot be verified from independent and reliable sources). If the clearance subjects periods of time out of Australia cannot be verified from independent and reliable sources, the subject is to be assessed by the vetting agency as ineligible to be considered for an Australian Government security clearance.
130. Vetting agencies are to consider the security risk to the Australian Government as the primary factor when assessing whether a person is considered to have a checkable background, and therefore whether they are eligible to be considered for an Australian Government security clearance.
131. For an individual to be eligible for an Australian Government security clearance, background checks should generally be able to be undertaken in Australia. It is expected that individuals sponsored by agencies for an Australian Government security clearance will have strong, established ties to Australia.
Conditions for clearances subject to an eligibility waiver
132. Clearances granted with eligibility waivers are to be subject to strict conditions. These may include conditions such as but not limited to:
the continuation of the eligibility waiver being conditional on the applicant taking Australian citizenship as soon as they are eligible where the subject has indicated they are actively seeking citizenship or do not have a valid reason not to seek citizenship the agency not allowing non-Australian citizens granted a waiver access to Eyes Only information unless it includes the persons country of citizenship and they have a need to know the agency not granting access to security classified information from a foreign government without the written agreement of that foreign government or as outlined in the provisions of any information sharing agreements, and the agency limiting access to security classified information to that required to perform the specific duty identified.133. Sponsoring agencies are to ensure a person subject to a waiver follow any conditions placed on the clearance. Sponsoring agencies are to advise vetting agencies of any non-compliance with conditions of the waiver.
134. The vetting agency is to cease a clearance where the clearance subject does not adhere to the conditions of the waiver.135. The sponsoring agency is to reassess the waiver and advise the vetting agency if the clearance subject changes duties.Locally engaged staff
136. Locally engaged staff who are not Australian citizens, may be granted a diplomatic mission clearance. Diplomatic mission clearances are recognised as clearances within the mission they are granted, they are role specific and are not portable. For information about locally engaged staff (LES) in diplomatic missions contact DFAT.137. The Australian Trade Commission (AUSTRADE) is a managing agency under the Guidelines for Management of the Australian Government Presence Overseas (February 2007). Accordingly, AUSTRADE conducts security screening for its LES, and for those of attached agencies where applicable.138. An agency may grant an eligibility (citizenship) waiver for LES where:
the preferred person for a position requiring a security clearance is not an Australian citizen, and
the agency understands and agrees to manage the risk.
State or Territory government security clearances139. The Australian Government recognises security clearances up to Negative Vetting 2 issued by the States and Territories if the clearance is undertaken for their own personnel and has been processed in accordance with the Australian Government Personnel Security Protocol and supporting guidelines. State and Territory clearances may be transferred between other State and Territory agencies and the Commonwealth. This is in accordance with the Memorandum of Understanding on the Protection of National Security Information between the Commonwealth and States and Territories (2007).
Note: The Australian Security Intelligence Organisation Act 1979 (Cth) restricts ASIO from passing Security Assessments directly to the States and Territories. Requests by the States and Territories for ASIO Security Assessments are facilitated through the Attorney Generals Department or the sponsoring Commonwealth agency.
7. Temporary access to classified information arrangements
140. Temporary access allows limited, supervised access to security classified resources.
141. Temporary access is not a security clearance.
142. Temporary access provisions are not to apply to positions where security clearances are used only as a measure of assurance, where there is no access to classified information.
Temporary access conditions143. Agencies are not to use temporary access provisions for routine business needs or as a substitute for sound personnel management (for temporary access provisions for MOPS personnel see section 7.2).144. Agencies are to base any decision to approve temporary access on a documented risk assessment. Agencies should consider any existing mitigating factors as part of the risk assessmente.g. holding a security clearance at a lower level, employment screening or any agency specific checks undertaken. For further details on undertaking a temporary access risk assessment, see the Personnel security guidelinesAgency personnel security responsibilities.145. Agency head written approval is to be sought and granted for any temporary access arrangements.146. Prior to granting temporary access the sponsoring agency is to confirm with the vetting agency that there are no known concerns about the person who may be given temporary access.147. The vetting agency is to advise the sponsoring agency of any existing or prior limitations on the person requiring access.
148. If advised of any concerns by the vetting agency, the sponsoring agency is to base any decision to remove the clearance subjects temporary access to security classified information and resources on a documented risk assessment.149. The sponsoring agency is to withdraw temporary access to security classified resources if concerns cannot be mitigated.
150. Agencies are not to use temporary access arrangements for access to: TOP SECRET classified resources unless the person requiring access holds a Negative Vetting Level 1 clearance.
caveat, compartmented or codeword information.151. Temporary access to TOP SECRET resources (where the person does not hold a Negative Vetting Level 1 clearance), or caveat, compartmented or codeword material may only be given after a policy exception is approved by the agency head. Agencies should seek agreement from the information owners and compartment controllers, prior to granting temporary access to TOP SECRET resources.152. Sponsoring agencies are to advise the vetting agency of any temporary access approved. The vetting agency is to record the access on the clearance subjects PSF and/or security records database.Types of temporary access
153. There are two types of temporary access arrangements:
i. short term access allows an employee access to Australian Government classified resources where they do not hold a clearance at the appropriate level and are not being assessed for a clearance or are yet to submit a completed clearance pack, and
ii. provisional access access to Australian Government classified resources while a clearance subject is undergoing a clearance after they have submitted a completed clearance pack.Table 3 Summary of temporary access requirements
Short term accessProvisional access
Period of accessMaximum of 3 months in one calendar year 2Until clearance granted or denied, or suitability concerns are identified by the vetting agency
Classified Resources allowedTSSCITS1S2, C2PTSSCITS 1S2, C2P
((((((((
Requirements: documented risk assessment Agency head written approval The person and their manager have signed an undertaking to protect official resources
Security briefing by home agency
Approval of information owner required
N/A Complete pack with vetting agency
Vetting agency advised there are no obvious suitability concerns
Risk mitigations may include: Employment screening
Agency specific checks
Clearance at a lower level
Knowledge of personal history
(TS TOP SECRET; S SECRET; C CONFIDENTIAL; P PROTECTED)
Notes:
1. Only allowed in exceptional circumstances with an existing NV1 clearance and agency head approval (for temporary access provisions for MOPS personnel see section 7.2).2. Only allowed in exceptional circumstances
Short term access
154. Short term access to Australian Government security classified resources may be allowed where there is an unforeseen requirement for access. Short term access is for a maximum of:
a continuous period of three months, or
an aggregation of shorter periods of no more than three months in one calendar year.155. Short term access to PROTECTED can be based on a business need.156. Agencies are to only approve short term access to CONFIDENTIAL or SECRET classified resources in exceptional circumstances where:
the exception is critical to the agency meeting its outcomes, and the risks to the agency can be mitigated or managed.157. Agencies are to only approve short term access to TOP SECRET classified resources in exceptional circumstances where:
the person requiring access holds a Negative Vetting Level 1 clearance
the exception is critical to the agency meeting its outcomes, and
the risks to any affected agency can be mitigated or managed.Provisional access
158. Sponsoring agencies may approve provisional access for up to SECRET security classified resources where there is a sound business case to support access during the clearance process.159. Agencies are to only approve provisional access to TOP SECRET classified resources in exceptional circumstances where:
the person requiring access holds a Negative Vetting Level 1 clearance
the exception is critical to the agency meeting its outcomes, and the risks to any affected agency can be mitigated or managed.
160. Before granting provisional access, sponsoring agencies are to confirm with the vetting agency that:
the clearance applicant has submitted a completed clearance pack and required documents, and
there are no readily identifiable suitability concerns.
161. Agencies may approve provisional access until the clearance process is complete. Agencies may change the type of temporary access from short term to provisional once the vetting agency has confirmed it has received the completed pack and advises there are no concerns.
Temporary access for MOPS Act staff
162. It is reasonable to expect that some staff employed by an Australian Government Minister under the MOPS Act will require temporary access. This is particularly relevant following any change of Government.
163. MOPS Act Staff may be given temporary access to TOP SECRET information, where there is a need to know, without the requirement to hold a Negative Vetting Level 1 clearance, subject to:
a detailed risk assessment
consultation with the information originators, and the risks to any affected agency can be mitigated or managed.
164. MOPs Staff are not to be given temporary access to sensitive compartmented, codeword or caveat information
165. A Ministers Portfolio Department should approve short term access for new MOPS Act staff for the Departments Minister until their security clearances are granted unless advised to withdraw the access due to concerns including non-compliance with the clearance process.166. The vetting agency is to notify the Portfolio Department and the Department of Finance of any concerns or non-compliance with the security clearance process.167. The Department of Finance is to advise Portfolio Departments of any Ministerial staff whose clearance process has been cancelled for non-compliance with the security clearance process.168. The Portfolio Department is to withdraw any temporary access to security classified information for MOPS staff whose clearance process has been cancelled. For more information see Section 6.1 - Cooperation in the clearance process8. Vetting agency responsibilities
Authority to make clearance decisions169. Only vetting agencies are authorised to make clearance decisions.Confirming eligibility for a security clearance
170. Vetting agencies are to confirm citizenship and checkable background eligibility for all clearance subjects.171. If citizenship cannot be confirmed or there is an uncheckable background, the vetting agency is to advise the sponsoring agency that the eligibility criteria have not been met and the clearance request is cancelled.172. Vetting agencies may impose an exclusion period that precludes the clearance subject from re-applying until the eligibility criteria is satisfied.
173. Sponsoring agencies may choose to consult with the vetting agency to initiate an eligibility waiver.Assessing Suitability
174. Vetting agencies are to:
conduct all minimum mandatory checks, as detailed in Table 4, and any appropriate supplementary checks, and collect all relevant, reliable and independently verified information before assessing a clearance subjects suitability to hold a security clearance
take into account the result of all checks and inquiries as the basis for determining suitability assess clearance subjects against common factor areas in accordance with the Adjudicative Guidelines, as detailed in Section 5 of the Personnel security guidelines - Vetting practices resolve any doubts about suitability for access to security classified resources in favour of the National Interest, and
identify any risk management or specific clearance maintenance conditions relating to the clearance.175. Vetting agencies should consider any information they become aware of, that is relevant to suitability, even if the matters falls outside of the minimum checking period.
176. The vetting agency is to deny a security clearance where any reasonable doubts about the clearance subjects suitability that cannot be resolved. Reasonable doubt exists when concerns regarding the suitability of a clearance subject remain after all minimum and any supplementary checks are completed.
Supplementary checks and inquiries
177. Vetting agencies are to conduct appropriate supplementary checks and inquiries if the minimum checks are insufficient to clearly establish the clearance subjects suitability or unsuitability. For further details on supplementary checks see Personnel security guidelinesVetting practices.
Mitigation
178. Where the background assessment, including supplementary checks, identifies a personal vulnerability, the vetting agency is to determine if there are any mitigating factors. Mitigating factors are detailed in section 5 of the Personnel security guidelines - Vetting practicesVetting agency consultation with sponsoring agencies
179. Vetting agencies are to advise sponsoring agencies of any information provided as part of the vetting process or ongoing clearance maintenance that may impact on a persons suitability to access Australian Government resources or where risk mitigation measures are required.
180. Vetting agencies are to consult with sponsoring agencies before granting a security clearance that imposes additional clearance maintenance conditions.
181. If mitigation is not satisfied by agreement to additional clearance maintenance conditions by either the clearance subject or sponsoring agency, the vetting agency is to deny the clearance.
Vetting decisions
182. Vetting agencies are to base all vetting on an assessment of the whole personSee the Adjudicative Guidelines.
183. The vetting agency is to advise the clearance subject and sponsoring agency in writing of the decision to grant including any risk mitigations, deny, deem ineligible or cancel a security clearance and any conditions imposed.
Failure to comply with the clearance process
184. The vetting agency is to cancel a clearance process and notify the sponsoring agency where a clearance holder does not comply with the clearance process requirements.
Personnel security checks for initial clearances
Table 4 Minimum personnel security checks and requirements for initial clearances1
Postive Vetting
Psychological assessment
Negative Vetting 2Financial probity check
Negative Vetting 1Security interviewSecurity interview
Digital footprint checksDigital footprint checksDigital footprint checks
Financial statement 3Financial statement 3Financial statement 3 and supporting documents
Suitability screening questionnaire Suitability screening questionnaireSuitability screening questionnaire
Baseline VettingASIO assessment ASIO assessmentASIO assessment
Qualification verification 2Qualification verification 2Qualification verification 2Qualification and document verification
Professional referee check 4Referee checks (including 1 professional) 4Referee checks (including 1 professional and 1 un-nominated) 4Referee checks (including 1 professional and 1 un-nominated) 4
Police Records Check (No Exclusion) 5Police Records Check (Full Exclusion) 5Police Records Check (Full Exclusion) 5Police Records Check (Full Exclusion)
Financial history check8Financial history checkFinancial history checkFinancial history check
5 year background check 610 year background check 610 year background check 6Whole of life background check 7
Official secrets declarationOfficial secrets declarationOfficial secrets declarationOfficial secrets declaration
Statutory DeclarationStatutory DeclarationStatutory DeclarationStatutory Declaration
Identity verification 6Identity verification 6Identity verification 6Identity verification 6
Notes:
1. Suitability is assessed against the criteria contained in the Annex J of the Personnel security guidelines - Vetting practices2. Qualifications checks should be part of an agency employment screening process where qualifications are claimed and/or mandatory.
3. Financial statement provides a detailed summary of a clearance subjects assets, income, liabilities and expenditure. see section 4.6.2 of the Personnel security guidelinesVetting practices 4. Referees are to collectively cover the whole checking period. Professional checks are to cover at least the preceding 3 months. Additional referees may be required.
5. The application of spent convictions legislation will vary dependent on the jurisdiction in which the offence occurred.
6. Identity checked in accordance with the Australian Identity Proofing Guidelines (level 3 for baseline and NV1 and level 4 for NV2 and PV). In addition to documentation to confirm residential addresses, employment, supporting documentation is also required to confirm citizenship status, and if relevant overseas travel see Personnel security guidelinesVetting practices.7. For further details see the Sensitive Material Security Management Protocol8. Financial history check - provides an overview of a clearance subjects financial history. See section 4.6.2 of the Personnel security guidelinesVetting practices further details on financial history checks,185. Table 4 shows the hierarchy of checks and processes that reflects the level of assurance required for each level of security clearance.Statutory declaration
186. Clearance subjects are to sign a Statutory Declaration made under the Statutory Declarations Act 1959 (Cth) that confirms:
they have provided complete and truthful information to the vetting agency
they have not altered the original documents or the copies provided to the vetting agency, and
the original documents relate specifically to them.187. For further information on the requirements see Statutory Declarations.ASIO Security Assessment
188. Either the Commonwealth vetting agency, or the Commonwealth facilitating agency for State and Territory assessments, is to obtain an ASIO Security Assessment for all NV and PV clearance subjects. The only exception is where the vetting agency has already assessed that the person would be unsuitable for a security clearance regardless of any assessment ASIO might make. For further information see Personnel security guidelinesVetting practices.189. Vetting agencies are to provide ASIO with the details of any security concerns about the clearance subject.
Reviews of security clearances
190. Vetting agencies are to undertake:
periodic revalidations of security clearances, and
reviews for cause for all clearances where concerns about a clearance holders suitability to hold a clearance are identified. For further information see Section 10.6.2 - Reviews for cause.191. The vetting agency is to advise the clearance subjects sponsoring agency of any review/investigation being undertaken by the vetting agency, to allow the sponsoring agency to assess whether to deny access pending the outcome of the review.Periodic Revalidations
192. Vetting agencies are to periodically initiate revalidations of all Baseline, Negative and Positive Vetting security clearances.
193. The requirements for the revalidation of security clearances are listed in Table 5. The table shows the hierarchy of checks and processes that reflect the level of assurance required for each level of security clearance. Vetting agencies are to undertake additional checks to resolve concerns on a case-by-case basis.
Table 5: Summary of minimum revalidation requirements
BaselineNegative vetting level 1Negative vetting level 2Positive vetting
To be undertaken by vetting agencies at least every 15 years.To be undertaken by vetting agencies at least every 10 years.To be undertaken by vetting agencies at least every 5 years.To be undertaken by vetting agencies at least every 5 years.
Updated personal particulars covering period since previous vettingUpdated personal particulars covering period since previous vetting Updated personal particulars covering period since previous vettingUpdated personal particulars covering period since previous vetting
Police records check
(No exclusion)Police records check
(Full exclusion)Police records check
(Full exclusion)Police records check
(Full exclusion)
Financial history checkFinancial history checkFinancial history checkFinancial history check
1 professional referee check1 professional referee check2 referee checks (including 1 professional and 1 un-nominated)3 Referee checks (including 1 professional and 1 un-nominated)
ASIO checkASIO checkASIO check
Financial statementFinancial statementFinancial statement and supporting documents
InterviewInterview
Psychological assessment
Reviews for cause
194. A review for cause may be initiated whenever a security concern regarding a clearance subject arises.195. Upon receipt of information raising concerns about the suitability of a clearances holder, vetting agencies are to assess if a review for cause is warranted.196. Prior to initiating a review for cause the vetting agency is to advise the sponsoring agency and interested parties (for contractors). If the sponsoring agency or interested parties (for contractors) advises of any ongoing investigation that might be compromised by the review for cause the vetting agency should not commence the review until the investigation is complete.197. Vetting agencies should advise the clearance subject prior to starting any reviews for cause, and the reasons for the review.
198. Sponsoring agencies should advise the clearance subject of their responsibility to comply with the review for cause process.
199. Vetting agencies are to undertake any checks required to resolve the concern(s) that led to the initiation of the review for cause. This may include:
targeted checks to resolve an issue, or
a full revalidation if the concerns are wide ranging.
200. Vetting agencies are to advise both the clearance subject and the sponsoring agency including interested parties (for contractors) of the review for cause outcome.
Adverse findings
201. Decisions and actions taken during a security clearance could be subject to judicial review. Vetting agencies will need to demonstrate that they have met the requirements of procedural fairness. For further information see section 6.2 of the Personnel security guidelines Vetting practices.202. Where a decision is made to deny a clearance, the vetting agency is to inform the clearance subject of the procedures for seeking a review of the decision.203. The vetting agency is to also advise the sponsoring agency of the decision to deny the clearance.204. Vetting agencies are to report any denial of NV and PV security clearances, including any exclusion periods, to ASIO.
ASIO-initiated review of ASIO Security Assessment
205. ASIO may provide preliminary advice to a Commonwealth agency regarding the subject of an ASIO security assessment pending the issuing of a new ASIO security assessment.
206. Section 39 of the ASIO Act permits Commonwealth agencies to take appropriate action (such as suspending a persons security clearance and preventing ongoing access to classified information) if the Commonwealth agency is satisfied, on the preliminary advice from ASIO, that it is necessary to take that action as a matter of urgency due to the requirements of security. Any action taken is to be temporary pending receipt of a new ASIO Security Assessment. Section 39(1) prevents Commonwealth agencies from taking other prescribed kinds of action on the basis of preliminary advice from ASIO.
207. ASIO will normally liaise with the Commonwealth agency and the relevant vetting agency in these circumstances.Reviews of security clearance processes and outcomes
208. Vetting agencies are to have procedures to resolve any grievances and are to advise the clearance subject of these procedures as part of the clearance process.
209. Vetting agencies are to resolve any grievances raised by the clearance subject regarding:
the security clearance process, and
the manner in which the vetting agency conducted the clearance, or the decision made.
210. Vetting agencies are to advise the clearance subject of these procedures as part of the clearance process.
Review of clearance decisions
211. Clearance subjects or sponsoring agencies may seek a review of any security clearance decision. The initial review is to be carried out by the vetting agency responsible for denying or varying a clearance.
212. An application by a clearance subject for a review does not change the original decision. A review may determine that the process was flawed and a new process should be undertaken.
213. Clearance subjects may also seek external review. The avenue for review will vary. Some examples are:
APS employees may seek review through the Australian Public Service Commissioner or the Commonwealth Ombudsman, and
contractors may seek review through the Office of the Commonwealth Ombudsman.
214. Any person may seek review through the Federal Court.
215. The delegate for the purposes of the review should be independent from the original decision maker.
216. The Public Service Regulations 1999 (Cth) provides guidance on review processes for APS employees.
217. The vetting agency and the clearance subject seeking the review are to co-operate fully with the review process.
Transfer of Personal Security Files
218. Vetting agencies are to transfer PSFsto the extent that their enabling legislation allowsto the new vetting agency when a clearance holder transfers to another agency covered by a different vetting agency. For further information see Personnel security guidelinesVetting practices. 219. The receiving vetting agency is to address any anomalies within the incoming clearance subjects PSF at the time of transfer.
220. Vetting agencies are to advise sponsoring agencies of any concerns with the transferring clearance holder's PSF. The sponsoring agency can then make a risk based decision on continuing access by the clearance subject to security classified resources. For further information see Personnel security guidelines - Vetting practices.
Recognition of clearances
221. Vetting agencies are to recognise the security clearances granted by another vetting agency, unless:
the clearance has exceeded its revalidation period
the clearance was granted with an eligibility waiver, or
the vetting agency has concerns that the incoming clearance subject is no longer suitable to access Australian Government security classified resources at that clearance level.
Active and inactive clearances
222. An active clearance is a security clearance that is sponsored by an Australian Government agency, and being maintained by a clearance holder and sponsoring agency.223. An inactive clearance is a security clearance that is within the revalidation period, however the clearance:
is not sponsored by an Australian Government Agency
is not being maintained by the clearance holder for a period greater than six months due to long term absence from their role, and
for the Positive Vetting level is unsponsored; however, an annual security check was completed within the last two years.224. Security clearances without sponsorship, but still within the revalidation period, are considered inactivei.e. the clearance is not in use but has not been cancelled as a result of a review for cause. 225. Upon notification of change of sponsorship for a clearance within the revalidation period, the vetting agency is to identify the security clearances as active, only once the vetting agency has assessed any changes of circumstances.
226. Vetting agencies are to identify security clearances as active upon notification of sponsorship by a new agency, where the clearance is within the revalidation period subject to the vetting agencys assessment of any changes of circumstances. For further information see the Personnel security guidelines - Vetting practices.
Vetting staff training and qualifications
227. Vetting agencies are to use qualified personnel in the vetting process.
228. Vetting agencies are to: provide appropriate initial and supplementary training to assessing officers, and
assess, and periodically reassess, the competency of assessing officers.
229. See the Personnel security guidelines - Vetting practices for details of qualifications, competencies and training requirements for vetting staff.
Vetting agencies management of outsourced vetting providers
230. Vetting agencies are to ensure contractors engaged in vetting meet the requirements of the PSPF and any agency specific polices or procedures. For further information see Personnel security guidelines - Vetting practices.9. Agency responsibilities for active monitoring of clearance holders
231. Clearance maintenance is a joint responsibility of vetting agencies, sponsoring agencies and the individual clearance holder. The purpose of clearance maintenance is to provide continuing mitigation to the risk from the malicious trusted insider. It is an ongoing process throughout the life of a security clearance.
232. Vetting agencies are responsible for the periodic review of clearance holders suitability (revalidations) and conducting any reviews for cause when specific issues or concerns arise that may affect a clearance holder's suitability. For more information see Sections 10.6 - Reviews of Security Clearance and10.6.2 - Reviews for Cause.233. Sponsoring agencies are responsible for their security clearance holders (including Contractors). Sponsoring agencies are to:
providing security awareness training and security clearance specific briefings
advise and remind clearance holders of their ongoing obligation to report changes of circumstances and contacts that are suspicious, on-going, unusual or persistent. For further information see the Personnel security guidelines Agency personnel security responsibilities. provide ongoing supervision and management of clearance subjects including their suitability to access official resources
notify the vetting agency of other issues of security concern relating to the ongoing suitability of clearance holders, including security incidents and any concerns relating to integrity manage any additional specific clearance maintenance requirements agreed by the vetting agency and the sponsoring agency as a condition of the security clearance, and additional agency responsibilities for the ongoing clearance maintenance of their contractors are detailed in Section 9.8 - Clearance maintenance for contractors.234. These responsibilities are in addition to the controls identified for all personnel contained in Section 5 Ongoing suitability for employment.Security awareness training for clearance holders
235. Agencies are to ensure that people who have access to Australian Government security classified resources, understand and accept their day-to-day security responsibilities.
236. In addition to a program of security briefings and training that directly responds to the agencys security risk assessment, agencies are to:
advise clearance holders and their managers of their day-to-day security responsibilities
advise clearance holders and their managers of their reporting requirementsfor example:
changes of circumstances, and
suspicious, on-going, unusual or persistent contacts. provide the clearance holder with a briefing and/or training reminding them of their clearance responsibilities, at least every five years or at clearance revalidation, whichever is the sooner.
237. Agencies may also need to coordinate additional training/ briefings for personnel with access to Sensitive Compartmented Information with the compartment owners.
Managing specific clearance maintenance requirements
238. Some concerns identified in the clearance process may be mitigated by applying additional specific clearance maintenance requirements, e.g. additional periodic drug screening for reformed drug users.
239. Agencies are to:
undertake any additional specific clearance maintenance requirements agreed to by the sponsoring agency and vetting agency, and are to report any results including any non-compliance with the additional requirements, to the vetting agency.240. Where compliance with additional requirements is not met by the clearance subject, the vetting agency is to undertake a review for cause into the clearance subjects ongoing suitability. The resultant action by the vetting agency may be the variation or withdrawal of a security clearance.Annual health check241. Agencies are to annually require:
clearance holders to confirm that they have reported to their agency security section:
all changes of circumstances, and
any suspicious, on-going, unusual or persistent contacts clearance holders to complete any required security awareness training, and
managers responsible for personnel to confirm they have reported any concerns about the clearance holders.
242. Agencies are to report any security concerns they have as to the ongoing suitability of their clearance subjects to their vetting agency.243. The annual health check does not replace an agencys ongoing responsibility for their performance management including code of conduct investigations.
For further information on the annual health check see section 14.1 of the Personnel security guidelines Agency personnel security responsibilities.Sharing of information
244. Agencies are to provide vetting agencies with any information about the suitability of a person to hold a security clearance. This includes but is not limited to:
negative results of agency specific checks
reportable changes of circumstances
suspicious, on-going, unusual or persistent contacts
incident and investigation results, and
where a breach of the code of conduct has been established or a security violation proven or personnel management concerns that may call into question the integrity of the person.
245. Agencies should not use the clearance review process to deal with personnel management problems (e.g. underperformance). However, if it is likely that such concerns could affect a persons suitability to hold a clearance, line managers should notify their agency security section who in turn may notify the vetting agency.
246. Vetting agencies are to advise sponsoring agencies of any suitability concerns raised about clearance subjects and any pending or active reviews for cause. In such cases and based on a risk assessment the sponsoring agency is to, determine whether to limit or suspend the clearance subjects access to security classified resources.
Reportable changes of personal circumstances
247. Agencies are to require their clearance holders to advise the agency security section of any reportable changes in personal circumstances. For further details on what is a reportable change of circumstance see Personnel security guidelines Agency personnel security responsibilities.248. Agencies are to also require agency personnel to advise the agency of changes in personal circumstances of other clearance holders if they have concerns that may be relevant to a clearance holders suitability.249. The agency is to then advise the vetting agency of any notified reportable changes in circumstances.
Contact reporting under the Australian Government Contact Reporting Scheme
250. Agencies are to require their personnel to report suspicious, on-going, unusual or persistent contacts with foreign officials and other foreign nationals to their agency security section.
251. Agencies are to:
collect Contact Reports from their personnel
acknowledge receipt of all reports
assess the reports, and
forward any reports of suspicious, ongoing, unusual or persistent nature to ASIO Contact Reporting.
252. For further information see Personnel security guidelines Agency personnel security responsibilities.Reporting security incidents to vetting agencies and other appropriate agencies253. Agencies are to advise the vetting agency of: any security violations attributed to particular security clearance holders as reasonably practicable, and the results of any investigations into security breaches attributed to particular security clearance holders and conduct or incidents that may indicate a disregard for security by clearance holderse.g. multiple infringements of agency security policies.
254. Agencies are to consult with the Australian Federal Police (AFP) and/or the Australian Security Intelligence Organisation (ASIO) in respect of investigations that may have potentially serious issues.255. Agencies are to also advise security incidents to: the Director, Australian Signals Directorate for matters relating to the Australian Government Information Security Manual (ISM)
the Director-General, Australian Security Intelligence Organisation for matters relating to national security, and
the heads of any agencies whose people, information or assets may be affected.256. Agencies are to withdraw all access to security classified resources for any person responsible for a security violation as soon as reasonably practicable after the violation is identified.
257. Agencies should make a risk based decision on whether to remove or restrict access for personnel directly responsible for security breaches or conduct that indicates a disregard for security.
258. Agencies should reassess any clearance holders access when an investigation into a violation or breach is finalised.
259. Agencies are to notify the vetting agency when a breach of the code of conduct or other disciplinary finding has been made against a clearance holder, including any cases where a breach is established following the clearance holders departure from the agency.
260. Agencies are to include security incidents as part of their compliance reporting requirements detailed in mandatory requirement GOV7.Change of sponsorship of security clearances
261. Where clearance holders are moving permanently from one agency to another and require a security clearance for their new role, the gaining agency is to request a transfer of the clearance sponsorship. Once transferred, the gaining agency has ongoing responsibility for the clearance maintenance.262. Gaining agencies are to only sponsor clearances at the level required for the position the person will be occupyinge.g. the gaining agency will only sponsor an NV1 clearance for an existing NV2 holder who moves to a position requiring an NV1 clearance.
263. Agencies should advise the change of agency to the vetting agency.
Personnel on temporary transfer or secondment
264. Agencies should, in consultation with the persons home agency, make a determination of whether the clearance sponsorship should stay with the home agency or be transferred for the duration of the transfer or secondment.265. Where temporary personnel have been granted a security clearance by a State or Territory in accordance with the PSPF, the clearance is to be recognised by the gaining agency for the period of the transfer or secondment. Agencies should request confirmation of the clearance from the vetting agency that granted the clearance.Clearance maintenance for personnel on secondment or temporary assignment
266. Agencies are to agree on the clearance maintenance arrangements before a secondment or temporary assignment commences.
267. Irrespective of the agreed clearance maintenance arrangements, agencies are to advise of any identified security concerns that arise during the secondment or temporary assignment to the home agency. This includes concerns identified after the secondment or temporary assignment concluded.
Personnel on extended leave
268. Agencies are to have procedures to notify their agency security staff of personnel planning to go on extended leave. The period will depend on the agencys risk profile and any specific risks associated with the position.269. Agencies are to, where possible, resolve any security issues before the leave is taken.Clearance maintenance for contractors
270. There are additional risks for the ongoing maintenance and management of security clearances for contractors.271. In addition to provisions outlined in Section 9 - Agency responsibilities for active monito
