Protocol
Version 2.1
All material presented in this publication is provided under a Creative Commons Attribution 3.0
Australia licence (Creative Commons Licenses).
For the avoidance of doubt, this means this licence only applies to material as set out in this document.
The details of the relevant licence conditions are available on the Creative Commons website as is the
full legal code for the CC BY 3.0 AU licence (Creative Commons Licenses).
Contact us
Enquiries regarding the licence and any use of this document are welcome at:
Document details
Security classification Unclassified
Dissemination limiting marking Publicly available
i
Table of contents
Amendments ......................................................................................................................... v
1. Scope ............................................................................................................................ 1
1.1. Introduction .................................................................................................................. 1
1.2. Status and applicability ................................................................................................. 1
Figure 1 - Personnel security policy hierarchy............................................................................ 1
1.3. Terms used in this Protocol .......................................................................................... 2
1.4. Agency responsibilities in personnel security............................................................... 4
1.4.1. Agency heads ............................................................................................................ 4
1.4.2. Line managers .......................................................................................................... 4
1.4.3. Agency personnel...................................................................................................... 4
1.4.4. Need-to-know principle ............................................................................................ 5
1.5. Policy exceptions .......................................................................................................... 5
1.5.1. Functional equivalents .............................................................................................. 5
1.6. Sharing personal information ....................................................................................... 5
2. Components of personnel security ................................................................................. 7
3. Identifying personnel security risk .................................................................................. 9
3.1. Personnel security risk assessments ............................................................................. 9
4. Employment screening................................................................................................. 10
4.1. Recommended employment screening ...................................................................... 10
4.2. Agency-specific employment screening checks.......................................................... 11
4.3. Recording results of employment and additional agency specific screening............. 11
4.3.1. Additional information ........................................................................................... 11
5. Ongoing suitability for employment ............................................................................. 13
5.1. Security awareness, training and education............................................................... 13
5.2. Performance management ......................................................................................... 13
5.3. Conflict of interest ...................................................................................................... 13
5.4. Incident investigation ................................................................................................. 14
5.5. Monitoring, evaluating and recording of ongoing personnel suitability .................... 14
6. Agency security clearance requirements....................................................................... 15
6.1. Cooperation in the clearance process ........................................................................ 15
6.2. Identifying and recording positions that require a security clearance ....................... 15
6.2.1. Security clearance levels ......................................................................................... 16
6.2.2. Caveat and codeword access .................................................................................. 17
ii
6.2.3. Contractors requiring security clearances .............................................................. 17
6.2.4. Persons employed under the Members of Parliament (Staff) Act 1984 (Cth) ........ 18
6.3. Australian office holders ............................................................................................. 18
6.4. Other access arrangements ........................................................................................ 19
6.4.1. Foreign Nationals with non-Australian Government security clearances .............. 19
6.5. Eligibility waivers (citizenship and checkable background) ........................................ 20
6.5.1. Eligibility waivers .................................................................................................... 20
6.5.2. Non-Australian citizens ........................................................................................... 21
6.5.3. Uncheckable backgrounds ...................................................................................... 21
6.5.4. Conditions for clearances subject to an eligibility waiver....................................... 22
6.6. Locally engaged staff .................................................................................................. 22
6.7. State or Territory government security clearances .................................................... 23
7. Temporary access to classified information arrangements ............................................ 24
7.1. Temporary access conditions ..................................................................................... 24
7.1.1. Types of temporary access ..................................................................................... 25
7.1.2. Short term access.................................................................................................... 26
7.1.3. Provisional access ................................................................................................... 27
7.2. Temporary access for MOPS Act staff ........................................................................ 27
8. Vetting agency responsibilities ..................................................................................... 29
8.1. Authority to make clearance decisions....................................................................... 29
8.1.1. Confirming eligibility for a security clearance ........................................................ 29
8.2. Assessing Suitability .................................................................................................... 29
8.2.1. Supplementary checks and inquiries....................................................................... 30
8.2.2. Mitigation ............................................................................................................... 30
8.2.3. Vetting agency consultation with sponsoring agencies ......................................... 30
8.3. Vetting decisions ......................................................................................................... 30
8.4. Failure to comply with the clearance process ............................................................ 30
8.5. Personnel security checks for initial clearances ......................................................... 31
8.5.1. Statutory declaration .............................................................................................. 32
8.5.2. ASIO Security Assessment ....................................................................................... 32
8.6. Reviews of security clearances ................................................................................... 32
8.6.1. Periodic Revalidations............................................................................................. 32
8.6.2. Reviews for cause ................................................................................................... 33
8.7. Adverse findings.......................................................................................................... 34
iii
8.8. ASIO-initiated review of ASIO Security Assessment ................................................... 34
8.9. Reviews of security clearance processes and outcomes ............................................ 34
8.10. Review of clearance decisions .................................................................................... 34
8.11. Transfer of Personal Security Files.............................................................................. 35
8.12. Recognition of clearances ........................................................................................... 35
8.13. Active and inactive clearances .................................................................................... 35
8.14. Vetting staff training and qualifications ..................................................................... 36
8.15. Vetting agencies management of outsourced vetting providers .............................. 36
9. Agency responsibilities for active monitoring of clearance holders ................................ 37
9.1. Security awareness training for clearance holders..................................................... 38
9.2. Managing specific clearance maintenance requirements .......................................... 38
9.3. Annual health check ................................................................................................... 38
9.4. Sharing of information ................................................................................................ 39
9.4.1. Reportable changes of personal circumstances ..................................................... 39
9.4.2. Contact reporting under the Australian Government Contact Reporting
Scheme.................................................................................................................... 40
9.4.3. Reporting security incidents to vetting agencies and other appropriate
agencies .................................................................................................................. 40
9.5. Change of sponsorship of security clearances............................................................ 41
9.6. Personnel on temporary transfer or secondment ...................................................... 41
9.6.1. Clearance maintenance for personnel on secondment or temporary
assignment ............................................................................................................. 41
9.7. Personnel on extended leave ..................................................................................... 42
9.8. Clearance maintenance for contractors ..................................................................... 42
9.8.1. Clearance sponsorship of contractors that are no longer actively engaged
by an agency ........................................................................................................... 43
10. Agency separation actions............................................................................................ 44
10.1. Prior to separation ...................................................................................................... 44
10.2. On separation ............................................................................................................. 44
10.2.1. Separation of contractors ....................................................................................... 45
Annex A: Request for variation of Special Minister of States Determination 2012/1
for a Ministers Electorate Officer.......................................................................... 46
iv
Amendments
No. Date Location Amendment
1 April 2015 Section 1.3 Remove the term re-evaluation in regards to PV clearances
in the definition of inactive.
2 April 2015 Throughout Update PSPF links
3 April 2015 Annex A Update waiver request form to include phone numbers
4
v
1. Scope
1.1. Introduction
1. The core policies of the Protective Security Policy Framework (PSPF) provide the mandatory
requirements for protective security in Australian Government agencies. The Australian
Government Personnel Security Protocol provides more detailed advice for agencies to meet their
mandatory personnel security requirements.
2. Personnel security is one element of good protective security management. The Australian
Governments personnel security measures determine the suitability of personnel to access
Australian Government resources. A suitable person demonstrates integrity and reliability and is
not vulnerable to improper influence.
3. Effective personnel security facilitates the sharing of Australian government resources and is an
essential mitigation tool to the threat posed by trusted insiders.
4. An agencys personnel security risk assessment should be incorporated into the agencys security
risk management process and other agency risk management processes. Personnel security risk
management may impact on, and/or complement, information and physical security controls.
1
6. The Australian Government personnel Security Protocol derives its authority from the PSPF
Directive on the security of Government business, Governance arrangements, and the Personnel
security core policy and mandatory requirements. It should be read in conjunction with:
7. Positive Vetting (PV) security policy (developed by the Inter-Agency Security Forum) is detailed in
the Sensitive Material Security Management Protocol (SMSMP). Distribution of the SMSMP is
limited to agency security advisers with a need to know.
Australian Government resources refers to the collective term used for Australian
Government people, information and assets, and
vetting agency refers to the Australian Government Security Vetting Agency (AGSVA),
authorised agencies and State and Territory vetting agencies.
Financial statement provides a detailed summary of a clearance subjects assets, income,
liabilities and expenditure.
Financial history check - provides an overview of a clearance subjects financial history.
2
ineligible refers to a determination by a vetting agency that a clearance subject is not
eligible for an Australian Government security clearance as they do not hold Australian
citizenship and/or have a checkable background
deny refers to a determination by a vetting agency that a clearance subject is not eligible to
hold a Australian Government security clearance at one or more clearance levels
grant refers to a determination by a vetting agency that a clearance subject is eligible and
suitable to hold an Australian Government security clearance
grant conditional refers to a determination by a vetting agency that the clearance
subject is eligible and suitable to hold an Australian Government security clearance with
conditions and/or after care requirements are attached to the clearance
cancel refers to a Security clearance initiated, but not completed by the vetting agency as
the sponsorship of the clearance was removed at the request of the sponsoring agency, the
sponsorship or clearance requirement could not be confirmed, or the clearance subject was
non-compliant with the clearance process
3
- where the clearance subject or holder is ineligible to hold or maintain a security
clearance.
11. Additional terms used in this Protocol can be found in the PSPF Glossary of Terms.
employment standards
the agencies risk tolerance, and
15. Line managers play a key role in personnel security. They are more likely than agency security staff
to have a detailed and accurate knowledge of their employees and the duties of a position in their
work area.
being aware of the importance of their role in, and responsibility for, ensuring the
maintenance of good personnel security practices throughout the agency
reporting issues of concern
4
1.4.4. Need-to-know principle
18. Agencies are to limit access to, and dissemination of, Australian Government resources to those
personnel who need the resources to do their work.
19. Agencies are to limit access to, and dissemination of, Australian Government security classified
resources to those who hold the appropriate level of clearance.
20. Agencies are to provide information on the need-to-know principle to all personnel as part of
their security awareness training.
22. Policy exceptions can be made for an are to or is to statement. By making a policy exception, an
agency head is acknowledging that the agency:
23. Agencies cannot make policy exceptions to AUSTEO and Eyes Only access requirements. For
further information see Foreign Nationals with non-Australian Government security clearances.
24. Agencies are to document their policy exceptions, including the risk assessment, in accordance
with their agency specific policies and procedures.
25. Where appropriate, policy exceptions and risk assessments may cover policy decisions relating to
types of activity, rather than individual instances.
26. Where agencies use alternative personnel security measures that provide the same or better
functionality than specified controls, a policy exception is not required.
27. Before agreeing to the use of alternative protective security measures an agency head, or
delegate, should seek expert advice to confirm that the technical performance requirements of
the proposed measures meet or exceed those of the specified control.
28. For further information see Governance arrangements Audit, reviews and reporting.
30. Agencies are to obtain written ongoing consent from all personnel (existing and potential) to
share information with other agencies for the purposes of assessing their ongoing suitability. This
5
includes employment screening and security clearance processes. A template informed consent
form is provided at Annex C of the Personnel security guidelines Agency personnel security
responsibilities and Annex H of the Personnel security guidelines Vetting practices.
31. Sharing relevant information does not breach an individuals privacy provided that informed
consent is received and the information is used for the purpose for which consent is provided.
For further information see Annex D of the Personnel security guidelines Agency personnel
security.
32. In order to prevent or minimise the impact of security concerns agencies may provide relevant
information about personnel to:
intelligence agencies
potential gaining agencies (prior to personnel transferring), and
33. Agencies are to include a contractual requirement for service providers and contracting
companies to seek written consent to share information with the agency from all the service
providers or contracting companys personnel who may access the agencies resources. The
agency may then on behalf of the Commonwealth share this information with other agencies for
the purposes of assessing suitability to access Australian Government resources. See Annex C of
the Personnel security guidelines Agency personnel security responsibilities for a template
informed consent form.
34. For further advice on protective security in contracting see Governance arrangements
Contracting.
6
2. Components of personnel security
35. Personnel security comprises three major components:
employment screening;
maintaining ongoing suitability, and
separation activities.
36. An agencys approach to personnel security is to be comprehensive and ongoing. The following
table gives examples of measures at the various stages.
7
Table 1 Summary of personnel security components
Stage Personnel security measures Examples of tools, techniques and
services
Employment checks Identity proofing National Identity Proofing Guidelines
including document verification
Eligibility Australian Citizenship (or correct visa)
Employment screening
Access controls Physical and logical access privileges IT passwords, access passes, codes
Protective monitoring Physical access and IT systems System audit processes
monitoring
Monitoring & evaluation
8
3. Identifying personnel security risk
Mandatory Requirement
GOV 6: Agencies must adopt a risk management approach to cover all areas of protective security activity across
their organisation, in accordance with the Australian Standard AS/NZS ISO 31000:2009 Risk Management
Principles and Guidelines and the Australian Standards HB 167:2006 Security risk management
37. An agencys protection against threats is only as good as the weakest element of its protective
security (governance, information security, physical security and personnel security).
it delivers a level of assurance about the credentials and integrity of the agencys workforce.
meet or exceed the minimum controls for the protection of Australian Government
resources.
41. For further advice see Managing the Insider Threat to your Business.
42. Based on their personnel security risk assessment, agencies are to determine what checks are
required for employment screening, ongoing suitability to access agency resources and for
separation from the agency. These may include agency specific employment screening checks or
security clearances. For example, the Australian Federal Police have a program of random drug
and alcohol testing.
43. For further advice on undertaking a personnel security risk assessment, see the United Kingdom
Centre for the Protection of National Infrastructure publication Personnel Security Risk
Assessment: A guide.
9
4. Employment screening
Mandatory Requirement
PERSEC 1: Agencies must ensure that their personnel who access Australian Government resources
(people, information and assets):
are eligible 1 to have access
have had their identity established
are suitable 2 to have access, and
agree to comply with the Governments policies, standards, protocols and guidelines that safeguard
the agencys resources from harm.
44. Agency heads set the minimum suitability requirements for all new staff employed in their
agencies, based on the agency risk assessment, any agency-specific legislation and the Australian
Governments expectation that agencies have in place measures to facilitate resource sharing.
These requirements are normally conditions of engagement or ongoing conditions of employment
and may include character checks and security clearances. For further advice see the Australian
Public Service Commission publication Conditions of engagement.
45. Agencies are to ensure all personnel agree that they are responsible for safeguarding against loss,
misuse or compromise any Australian Government resources for which they are responsible by
obtaining a signed confidentiality agreement.
46. All personnel requiring ongoing access to Australian Government security classified information or
resources are to have security clearances. This includes contractors and service providers; see
Section 6 - Agency security clearance requirements.
47. Agencies need to confirm that the person is an Australian Citizen or has a valid visa with work
rights, by sighting the documents in support of citizenship or visa. For further information see the
Department of Immigration and Border Protection.
49. Agencies should undertake employment screening that meets or exceeds the Australian Standard
4811-2006: Employment Screening.
1
For agencies enabled by the Public Service Act 1999 eligibility refers to the requirements for engagement of
APS employees listed in section 22 of the Public Service Act 1999. Agencies not enabled by the Public Service
Act 1999 should refer to the requirements of engagement of personnel contained within their own enabling
legislation.
2
To be suitable personnel need to demonstrate qualifications and/or experience required of the position
including satisfaction of any agency specific requirements. Agency specific requirements may include
demonstration and compliance with relevant codes of conduct (e.g. APS Code of Conduct), behaviours and/or
values.
10
50. Further details on assessing employment screening checks are in the Australian Government
personnel security guidelinesAgency personnel security responsibilities.
51. Agencies should, based on their risk assessment, undertake periodic reassessments of suitability
for employment.
54. Agencies should advise applicants where additional screening is required as part of a condition of
engagement or an ongoing condition of employment. Agencies should identify this requirement
when advertising a vacancy or before offering employment.
55. While a prospective employee may meet the minimum requirements for an Australian
Government security clearance, he or she may not meet the agencys screening requirements and
vice-versa.
56. If agency-specific checks identify issues relevant to a clearance subjects suitability for a security
clearance the agency is to share this information with the vetting agency.
57. If agency specific checks identify issues relevant to national security, the agency is to share this
information with ASIO.
58. The vetting agency/ASIO may instigate supplementary security clearance assessments as a result
of this information.
59. Agencies are responsible for reviews of their agency specific checks.
61. Agencies should, based on their operating requirements, determine whether to create a separate
Personal Security File for each employee or add the results to their personnel file.
11
AS4811-2006: Employment Screening
HB 323-2007: Employment Screening Handbook
12
5. Ongoing suitability for employment
Mandatory Requirements
PERSEC 2: Agencies must have policies and procedures to assess and manage the ongoing suitability for
employment of their personnel.
GOV 1: Agencies must provide all staff, including contractors, with sufficient information and security
awareness training to ensure they are aware of, and meet the requirements of the PSPF.
63. An agencys policies and procedures to assess and manage the ongoing suitability for employment
of their personnel will be determined by the agencys security risk assessment; see Section 3 -
identifying personnel security risks.
65. Agencies are to determine specific security training or briefings required by their personnel. This
may include but is not limited to:
personal safety and security measures in agency facilities and in the field
confidentiality requirements for information, including intellectual property
self-managing risk
information control measures (need-to-know)
overseas travel safety and security
contact reporting
incident reporting
66. For further advice see the Australian Government personnel security guidelinesAgency personnel
security responsibilities, Section 8.2.
13
69. Ultimately it is the agency head's responsibility to determine what actions are taken where there
is a conflict. While it is best to avoid a conflict, it is not always practical. Agencies are to establish
processes that deliver effective personnel security outcomes and that withstand scrutiny.
71. Agencies are to consult with the AFP, jurisdictional police, ASIO and/or ASD where the security
incident may have criminal or National Security implications.
72. For further details on undertaking an investigation see Protective security governance guidelines
Reporting incidents and conducting security investigations and the Australian Government
Investigation Standards .These guidelines also provide advice on referring matters to the
appropriate law enforcement agencies, ASIO and the Australian Signals Directorate, depending on
the nature of the incident.
74. Based on their personnel security risk assessments, agencies are to have policies and procedures
in place to monitor ongoing suitability of staff. These may include:
requiring managers to monitor all personnels continuing suitability to access Australian
Government resources
advising personnel what personal behaviours or concerns that they are required to report
e.g. criminal arrests or convictions, change of circumstances, contacts that are suspicious,
on-going, unusual or persistent and other significant incidents. For more information see
Section 8 - Agency responsibilities for active monitoring of clearance holders
75. Agencies should determine the period between original screening and any subsequent
re-screening. The period will depend on the agencys risk profile and any specific risks associated
with the position.
76. Agencies should record the outcomes of their monitoring and evaluations on the same file as any
employment screening results.
14
6. Agency security clearance requirements
77. Agency heads may require a security clearance as a condition of employment. A security clearance
is a determination by a vetting agency that an individual is suitable to access security classified
resources.
79. Clearance subjects are to cooperate with the vetting agency throughout the clearance process,
including by providing within the timeframes advised:
a completed clearance pack
80. Vetting agencies are to cancel the clearance process for any failure to cooperate in the clearance
process. Agencies are to remove any access to Australian Government security classified resources
from clearance subjects, if advised by the vetting agency that the clearance has been revoked or
the process cancelled.
81. Agencies are to apply this control to all personnel, irrespective of their position or duties.
82. Agencies are not to use temporary access provisions to provide access to Australian Government
security classified resources to personnel that are not actively cooperating with the vetting
process.
Mandatory Requirements
PERSEC 3: Agencies must identify, record and review positions that require a security clearance, including
the level of clearance required.
PERSEC 4: Agencies must ensure their personnel with ongoing access to Australian Government security
classified resources hold a security clearance at the appropriate level, sponsored by an Australian
Government agency.
83. Anyone requiring ongoing access to Australian Government security classified resources is to hold
a security clearance at the appropriate level.
84. An agency head or their delegate is to decide if a role or position requires a security clearance.
85. An agency head may require that all agency staff in a particular category be cleared to a specified
level. Factors that may influence this decision include:
15
the nature of the agencys business
an agencies risk assessment
the need to access the agencys security classified information or resources or ICT systems,
or
the need for increased levels of assurance of employees suitability to perform particular
roles.
86. Agencies may use security clearances as an assurance measure in addition to their employment
screening and agency specific controls for positions where the agency risk assessment deems the
security clearance process is to apply.
87. Positions that have a business impact level of high or above may include those:
whose occupants have access to aggregations of information or assets, or
where the nature of the position requires greater assurance about a persons integrity; for
example, a higher level of clearance with greater background checking to support fraud
mitigation or as an anti-corruption measure.
88. Agencies should assess whether the checks undertaken for a security clearance provide the
required level of assurance or whether agency-specific checks will better meet their needs.
89. Agencies are to maintain a register of positions that require a clearance. Before advertising a
position, agencies are to identify:
if the position requires a security clearance
the level of clearance required
whether the clearance is for access to Australian Government security classified information
or to give a level of assurance, and
when the requirement for a security clearance will be reassessed.
90. Agencies should periodically reassess the security clearance requirement for positions, at least
each time the position becomes vacant and before it is advertised.
16
maintenance of Negative Vetting Level 2. PV requirements are managed by the Inter-
Agency Security Forum on behalf of the Australian Intelligence Community and are detailed
in the Sensitive Material Security Management Protocol (SM SMP) which is only available to
Agency Security Advisers.
UNCLASSIFIED with a
LIMITING MARKER
Compartmented
DISSEMINATION
CONFIDENTIAL
UNCLASSIFIED
1
Information
TOP SECRET
PROTECTED
SECRET
Positive vetting
Negative vetting level 2 2
Negative vetting level 1
Baseline
Employment screening
Notes:
1. Access to Sensitive and Compartmented Information is detailed in the Sensitive Material Security
Management Protocol (SMSMP) which is only available to those with a need to know.
2. In certain limited circumstances Compartmented information is available at the NV2 level. For further
information see the SMSMP.
92. Agencies are to liaise with the agency responsible for administering a caveat or codeword to
determine the personnel security measures required in addition to a security clearance. This could
include but is not limited to:
specific compartment briefings, and
reporting or restrictions on overseas travel.
93. For further information on access to caveats and codewords, refer to the Australian Government
Information Core Policy and supporting Protocol and guidelines; and the SMSMP.
94. Agencies are to identify contractors requiring security clearances for access to security classified
information and resources or those requiring a security clearance as a level of assurance, as part
of the procurement process.
95. Agencies engaging contractors who will require security clearances are to sponsor the contractors
clearance. See PSPFGovernance arrangementsContracting.
96. Contractors may work concurrently for a number of agencies. The agency that is to sponsor a
contractor is the agency:
17
requiring the highest level of security clearance.
97. The lead agency for a contract is to sponsor all contractor clearances where a single contract
covers a number of agenciese.g. as the result of a panel arrangement.
98. The lead agency is to ensure that they have arrangements (policies and procedures) in place to
ensure the ongoing suitability of contractors in accordance with this protocol. For further
information see Section 8.8 clearance maintenance for contractors.
99. Lead agencies are to ensure that ongoing suitability assessments of contractors are included in the
contract.
100. If an interested party becomes aware of a contractors change in circumstances, the interested
party is to inform the vetting agency. The vetting agency is to inform all other interested parties.
For further information on sharing see Section 1.6 - Sharing Personal Information.
101. Special Minister of State Determination 2012/1 directs that Ministerial staff employed
under Part III of the Members of Parliament (Staff) Act 1984 (Cth) need to obtain and maintain a
Negative Vetting Level 2 security clearance. This direction allows for variation in certain
circumstances for electorate officers. For further information see Annex A: Request for variation
of Special Minister of States Determination 2012/1 for a Ministers Electorate Officer.
103. Other appointed office holders may have enabling legislation which gives the same privileges as
the people identified in the preceding paragraphe.g. Members of the Administrative Appeals
Tribunal and Members of the Social Security Appeals Tribunal.
104. Personnel of the office holders in paragraphs 100 and 101 are not exempt from the requirements
for a security clearance and are to be security cleared to the appropriate level if they require
ongoing access to security classified information.
105. An Australian officer holders exemption from the requirements of the PSPF is limited to the
requirement for a security clearance. Agencies responsible for managing protective security for
18
Australian office holders are to ensure that classified material in their possession is appropriately
safeguarded at all times in accordance with the PSPF.
Mandatory Requirement
GOV 10: Agencies must adhere to any provisions concerning the security of people, information and assets
contained in multilateral or bilateral agreements and arrangements to which Australia is a party.
106. Foreign nationals routinely contribute to Australias National Interest through exchange, long-
term posting and/or attachment to the Australian Government.
107. Foreign nationals can only access Australian Government security classified information and
resources under an Agreement or Arrangement 3 if they:
108. Agencies are not to permit non-Australian citizens access to information caveated Australian Eyes
Only (AUSTEO). Non-Australian citizens can only access other Eyes Only information if they are a
citizen of a country included in the Eyes Only caveat.
109. Agencies cannot make policy exceptions to AUSTEO and Eyes Only access requirements. For
further details see Information security management core policy.
110. In limited circumstances foreign nationals may access information caveated Australian
Government Access Only (AGAO). AGAO is used by the Department of Defence, ASIS and ASIO.
These agencies may pass information marked with the AGAO caveat to appropriately cleared
representatives of foreign governments.
111. AGAO material received in other agencies is to be handled as if it were marked AUSTEO.
112. For further details see the Australian Government information security management guidelines
Australian Government security classification system.
3
An agreement or an arrangement includes treaties, security of information agreements and memorandums
of understanding.
19
6.5. Eligibility waivers (citizenship and checkable background)
Mandatory Requirements
PERSEC 5: Before issuing an eligibility waiver (citizenship or checkable background) and prior to
requesting an Australian Government security clearance an agency must:
justify an exceptional business requirement
conduct and document a risk assessment
113. Agencies are to include details in their annual PSPF compliance report stating numbers and levels
of security clearances granted subject to:
citizenship waivers, and
114. Only Australian citizens with a checkable background are eligible for an Australian Government
security clearance, unless these eligibility requirements have been waived by the sponsoring
agency head. Agency Heads need to be aware that granting an eligibility waiver, does not
guarantee that a clearance will be granted by the vetting agency.
115. Sponsoring agencies are to confirm all clearance subjects are eligible, by confirming citizenship
and checkable background requirements, prior to requesting a security clearance.
116. An agency head may, under certain conditions waive the citizenship or checkable background
requirements for a person to be eligible for a security clearance.
117. An agency heads decision to waive an eligibility requirement is to be based on a thorough analysis
of the risks to the Australian Government and the possible impact on the National Interest. For
further information see Personnel security guidelinesAgency personnel security responsibilities.
118. Agency heads need to be aware of the inherent risks posed from a malicious trusted insider when
granting eligibility waivers. Any decision to grant a waiver needs to be assessed against and linked
to the agencys risks. Agency heads need to be aware that by granting a waiver, they are taking on
a risk that may be detrimental to the Australian Government. If the documents supporting the
waiver do not fully detail the risks to the National Interest, mitigations and any residual risks, the
vetting agency may reject the request for security clearance.
119. The vetting agency is to record, or place, the waiver on the clearance subjects Personal Security
File.
20
120. An eligibility waiver is role-specific, non-transferable, finite and subject to review. In other words,
the waiver is to apply only while the clearance holder remains in the position for which the
clearance was granted.
121. The waiver is not to follow the clearance holder to any other position without review. An eligibility
waiver is not open-ended and is to be subject to regular review to confirm that there is a
continuing requirement for the waiver.
124. Permanent residence status is not an acceptable alternative to the citizenship requirement.
125. The vetting agency may decline the request for clearance if, notwithstanding the citizenship
waiver, other minimum checks are unable to be made, or standards met. It may not be possible
for the vetting agency to conduct the required checks overseas or, if checks can be conducted, to
have confidence in the level of assurance provided by the checks.
126. Non-Australian citizens are not to access information caveated Australian Eyes Only (AUSTEO).
Foreign nationals can only access other Eyes Only information if they are a citizen of a country
included in the Eyes Only caveat and have a need to know. Agencies cannot make policy
exceptions to AUSTEO and Eyes Only access requirements.
127. A checkable background is established when a vetting agency has validated information provided
by a clearance subject with respect to their background from independent and reliable sources.
128. A clearance subject has an uncheckable background when the vetting agency cannot complete the
minimum checks and inquiries for the relevant checking period, or the checks and inquiries, where
able to be made, do not provide adequate assurance about the clearance subjects life or
background. In these circumstances, the vetting agency may decline the request for a clearance.
129. Any clearance subject that has spent greater than 12 months (cumulative) out of Australia within
the requisite background checking period is to be considered to have an uncheckable background
(if their periods of time out of Australia cannot be verified from independent and reliable sources).
If the clearance subjects periods of time out of Australia cannot be verified from independent and
reliable sources, the subject is to be assessed by the vetting agency as ineligible to be considered
for an Australian Government security clearance.
130. Vetting agencies are to consider the security risk to the Australian Government as the primary
factor when assessing whether a person is considered to have a checkable background, and
therefore whether they are eligible to be considered for an Australian Government security
clearance.
21
131. For an individual to be eligible for an Australian Government security clearance, background
checks should generally be able to be undertaken in Australia. It is expected that individuals
sponsored by agencies for an Australian Government security clearance will have strong,
established ties to Australia.
132. Clearances granted with eligibility waivers are to be subject to strict conditions. These may include
conditions such as but not limited to:
the continuation of the eligibility waiver being conditional on the applicant taking Australian
citizenship as soon as they are eligible where the subject has indicated they are actively
seeking citizenship or do not have a valid reason not to seek citizenship
the agency not allowing non-Australian citizens granted a waiver access to Eyes Only
information unless it includes the persons country of citizenship and they have a need to
know
the agency not granting access to security classified information from a foreign government
without the written agreement of that foreign government or as outlined in the provisions
of any information sharing agreements, and
the agency limiting access to security classified information to that required to perform the
specific duty identified.
133. Sponsoring agencies are to ensure a person subject to a waiver follow any conditions placed on
the clearance. Sponsoring agencies are to advise vetting agencies of any non-compliance with
conditions of the waiver.
134. The vetting agency is to cease a clearance where the clearance subject does not adhere to the
conditions of the waiver.
135. The sponsoring agency is to reassess the waiver and advise the vetting agency if the clearance
subject changes duties.
137. The Australian Trade Commission (AUSTRADE) is a managing agency under the Guidelines for
Management of the Australian Government Presence Overseas (February 2007). Accordingly,
AUSTRADE conducts security screening for its LES, and for those of attached agencies where
applicable.
138. An agency may grant an eligibility (citizenship) waiver for LES where:
the preferred person for a position requiring a security clearance is not an Australian citizen,
and
the agency understands and agrees to manage the risk.
22
6.7. State or Territory government security clearances
139. The Australian Government recognises security clearances up to Negative Vetting 2 issued by the
States and Territories if the clearance is undertaken for their own personnel and has been
processed in accordance with the Australian Government Personnel Security Protocol and
supporting guidelines. State and Territory clearances may be transferred between other State and
Territory agencies and the Commonwealth. This is in accordance with the Memorandum of
Understanding on the Protection of National Security Information between the Commonwealth
and States and Territories (2007).
Note: The Australian Security Intelligence Organisation Act 1979 (Cth) restricts ASIO from passing
Security Assessments directly to the States and Territories. Requests by the States and Territories
for ASIO Security Assessments are facilitated through the Attorney Generals Department or the
sponsoring Commonwealth agency.
23
7. Temporary access to classified information arrangements
Mandatory Requirements
PERSEC 4: Agencies must ensure their personnel with ongoing access to Australian Government security
classified resources hold a security clearance at the appropriate level, sponsored by an Australian
Government agency.
GOV 6: Agencies must adopt a risk management approach to cover all areas of protective security
activity across their organisation, in accordance with the Australian Standard for Risk Management
AS/NZS ISO 31000:2009 and the Australian Standards HB 167:2006 Security risk management.
140. Temporary access allows limited, supervised access to security classified resources.
142. Temporary access provisions are not to apply to positions where security clearances are used only
as a measure of assurance, where there is no access to classified information.
144. Agencies are to base any decision to approve temporary access on a documented risk assessment.
Agencies should consider any existing mitigating factors as part of the risk assessmente.g.
holding a security clearance at a lower level, employment screening or any agency specific checks
undertaken. For further details on undertaking a temporary access risk assessment, see the
Australian Government personnel security guidelinesAgency personnel security responsibilities.
145. Agency head written approval is to be sought and granted for any temporary access
arrangements.
146. Prior to granting temporary access the sponsoring agency is to confirm with the vetting agency
that there are no known concerns about the person who may be given temporary access.
147. The vetting agency is to advise the sponsoring agency of any existing or prior limitations on the
person requiring access.
148. If advised of any concerns by the vetting agency, the sponsoring agency is to base any decision to
remove the clearance subjects temporary access to security classified information and resources
on a documented risk assessment.
149. The sponsoring agency is to withdraw temporary access to security classified resources if concerns
cannot be mitigated.
24
150. Agencies are not to use temporary access arrangements for access to:
TOP SECRET classified resources unless the person requiring access holds a Negative Vetting
Level 1 clearance.
151. Temporary access to TOP SECRET resources (where the person does not hold a Negative Vetting
Level 1 clearance), or caveat, compartmented or codeword material may only be given after a
policy exception is approved by the agency head. Agencies should seek agreement from the
information owners and compartment controllers, prior to granting temporary access to TOP
SECRET resources.
152. Sponsoring agencies are to advise the vetting agency of any temporary access approved. The
vetting agency is to record the access on the clearance subjects PSF and/or security records
database.
25
Table 3 Summary of temporary access requirements
Short term access Provisional access
Period of access Maximum of 3 months in one calendar Until clearance granted or denied, or
year 2 suitability concerns are identified by
the vetting agency
Classified Resources allowed TS TS1 S2, C2 P TS TS 1 S2, C2 P
SCI SCI
154. Short term access to Australian Government security classified resources may be allowed where
there is an unforeseen requirement for access. Short term access is for a maximum of:
a continuous period of three months, or
an aggregation of shorter periods of no more than three months in one calendar year.
156. Agencies are to only approve short term access to CONFIDENTIAL or SECRET classified resources in
exceptional circumstances where:
the exception is critical to the agency meeting its outcomes, and
the risks to the agency can be mitigated or managed.
157. Agencies are to only approve short term access to TOP SECRET classified resources in exceptional
circumstances where:
26
7.1.3. Provisional access
158. Sponsoring agencies may approve provisional access for up to SECRET security classified resources
where there is a sound business case to support access during the clearance process.
159. Agencies are to only approve provisional access to TOP SECRET classified resources in exceptional
circumstances where:
the person requiring access holds a Negative Vetting Level 1 clearance
160. Before granting provisional access, sponsoring agencies are to confirm with the vetting agency
that:
the clearance applicant has submitted a completed clearance pack and required documents,
and
161. Agencies may approve provisional access until the clearance process is complete. Agencies may
change the type of temporary access from short term to provisional once the vetting agency has
confirmed it has received the completed pack and advises there are no concerns.
163. MOPS Act Staff may be given temporary access to TOP SECRET information, where there is a need
to know, without the requirement to hold a Negative Vetting Level 1 clearance, subject to:
a detailed risk assessment
consultation with the information originators, and
the risks to any affected agency can be mitigated or managed.
164. MOPs Staff are not to be given temporary access to sensitive compartmented, codeword or
caveat information
165. A Ministers Portfolio Department should approve short term access for new MOPS Act staff for
the Departments Minister until their security clearances are granted unless advised to withdraw
the access due to concerns including non-compliance with the clearance process.
166. The vetting agency is to notify the Portfolio Department and the Department of Finance of any
concerns or non-compliance with the security clearance process.
167. The Department of Finance is to advise Portfolio Departments of any Ministerial staff whose
clearance process has been cancelled for non-compliance with the security clearance process.
27
168. The Portfolio Department is to withdraw any temporary access to security classified information
for MOPS staff whose clearance process has been cancelled. For more information see Section 6.1
Cooperation in the clearance process.
28
8. Vetting agency responsibilities
Mandatory Requirements
PERSEC 6: Agencies other than authorised vetting agencies must use the Australian Government Security
Vetting Agency to conduct initial vetting and reviews.
PERSEC 8: Sponsoring and vetting agencies must share information that may impact on an individuals
ongoing suitability to hold a security clearance.
170. Vetting agencies are to confirm citizenship and checkable background eligibility for all clearance
subjects.
171. If citizenship cannot be confirmed or there is an uncheckable background, the vetting agency is to
advise the sponsoring agency that the eligibility criteria have not been met and the clearance
request is cancelled.
172. Vetting agencies may impose an exclusion period that precludes the clearance subject from re-
applying until the eligibility criteria is satisfied.
173. Sponsoring agencies may choose to consult with the vetting agency to initiate an eligibility waiver.
resolve any doubts about suitability for access to security classified resources in favour of
the National Interest, and
identify any risk management or specific clearance maintenance conditions relating to the
clearance.
175. Vetting agencies should consider any information they become aware of, that is relevant to
suitability, even if the matters falls outside of the minimum checking period.
29
176. The vetting agency is to deny a security clearance where any reasonable doubts about the
clearance subjects suitability that cannot be resolved. Reasonable doubt exists when concerns
regarding the suitability of a clearance subject remain after all minimum and any supplementary
checks are completed.
177. Vetting agencies are to conduct appropriate supplementary checks and inquiries if the minimum
checks are insufficient to clearly establish the clearance subjects suitability or unsuitability. For
further details on supplementary checks see Australian Government personnel security guidelines -
Vetting practices.
8.2.2. Mitigation
178. Where the background assessment, including supplementary checks, identifies a personal
vulnerability, the vetting agency is to determine if there are any mitigating factors. Mitigating
factors are detailed in section 5 of the Personnel security guidelines - Vetting practices.
179. Vetting agencies are to advise sponsoring agencies of any information provided as part of the
vetting process or ongoing clearance maintenance that may impact on a persons suitability to
access Australian Government resources or where risk mitigation measures are required.
180. Vetting agencies are to consult with sponsoring agencies before granting a security clearance that
imposes additional clearance maintenance conditions.
183. The vetting agency is to advise the clearance subject and sponsoring agency in writing of the
decision to grant including any risk mitigations, deny, deem ineligible or cancel a security
clearance and any conditions imposed.
30
8.5. Personnel security checks for initial clearances
Table 4 Minimum personnel security checks and requirements for initial clearances1
Postive Vetting
Psychological assessment
Negative Vetting 2 Financial probity check
4 4
Professional referee check Referee checks (including 1 professional) Referee checks (including 1 professional Referee checks (including 1 professional
4 4
and 1 un-nominated) and 1 un-nominated)
5 5 5
Police Records Check (No Exclusion) Police Records Check (Full Exclusion) Police Records Check (Full Exclusion) Police Records Check (Full Exclusion)
8
Financial history check Financial history check Financial history check Financial history check
6 6 6 7
5 year background check 10 year background check 10 year background check Whole of life background check
Official secrets declaration Official secrets declaration Official secrets declaration Official secrets declaration
Statutory Declaration Statutory Declaration Statutory Declaration Statutory Declaration
6 6 6 6
Identity verification Identity verification Identity verification Identity verification
Notes:
1. Suitability is assessed against the criteria contained in the Australian Government personnel security guidelines - Vetting practices section 5 (Adjudicative guidelines)
2. Qualifications checks should be part of an agency employment screening process where qualifications are claimed and/or mandatory.
3. Financial statement provides a detailed summary of a clearance subjects assets, income, liabilities and expenditure, see the Australian Government personnel security guidelines - Vetting practices section 4.6.2.
4. Referees are to collectively cover the whole checking period. Professional checks are to cover at least the preceding 3 months. Additional referees may be required.
5. The application of spent convictions legislation will vary dependent on the jurisdiction in which the offence occurred.
6. Identity checked in accordance with the Australian Identity Proofing Guidelines (level 3 for baseline and NV1 and level 4 for NV2 and PV). In addition to documentation to confirm residential addresses, employment, supporting
documentation is also required to confirm citizenship status, and if relevant overseas travel see Australian Government personnel security guidelines - Vetting practices
7. For further details see the Sensitive Material Security Management Protocol
8. Financial history check - provides an overview of a clearance subjects financial history. See the Australian Government personnel security guidelines - Vetting practices section 4.6.2 for further details on financial history checks.
31
185. Table 4 shows the hierarchy of checks and processes that reflects the level of assurance required
for each level of security clearance.
186. Clearance subjects are to sign a Statutory Declaration made under the Statutory Declarations Act
1959 (Cth) that confirms:
they have provided complete and truthful information to the vetting agency
they have not altered the original documents or the copies provided to the vetting agency,
and
188. Either the Commonwealth vetting agency, or the Commonwealth facilitating agency for State and
Territory assessments, is to obtain an ASIO Security Assessment for all NV and PV clearance
subjects. The only exception is where the vetting agency has already assessed that the person
would be unsuitable for a security clearance regardless of any assessment ASIO might make. For
further information see the Australian Government personnel security guidelinesVetting
practices.
189. Vetting agencies are to provide ASIO with the details of any security concerns about the clearance
subject.
191. The vetting agency is to advise the clearance subjects sponsoring agency of any
review/investigation being undertaken by the vetting agency, to allow the sponsoring agency to
assess whether to deny access pending the outcome of the review.
192. Vetting agencies are to periodically initiate revalidations of all Baseline, Negative and Positive
Vetting security clearances.
193. The requirements for the revalidation of security clearances are listed in Table 5. The table shows
the hierarchy of checks and processes that reflect the level of assurance required for each level of
security clearance. Vetting agencies are to undertake additional checks to resolve concerns on a
case-by-case basis.
32
Table 5: Summary of minimum revalidation requirements
Baseline Negative vetting Negative vetting Positive vetting
level 1 level 2
To be undertaken by To be undertaken by To be undertaken by To be undertaken by
vetting agencies at least vetting agencies at least vetting agencies at least vetting agencies at least
every 15 years. every 10 years. every 5 years. every 5 years.
Updated personal Updated personal Updated personal Updated personal
particulars covering particulars covering period particulars covering period particulars covering
period since previous since previous vetting since previous vetting period since previous
vetting vetting
Police records check Police records check Police records check Police records check
(No exclusion) (Full exclusion) (Full exclusion) (Full exclusion)
Financial history check Financial history check Financial history check Financial history check
1 professional referee 1 professional referee 2 referee checks 3 Referee checks
check check (including 1 professional (including 1 professional
and 1 un-nominated) and 1 un-nominated)
ASIO check ASIO check ASIO check
Financial statement Financial statement Financial statement and
supporting documents
Interview Interview
Psychological
assessment
194. A review for cause may be initiated whenever a security concern regarding a clearance subject
arises.
195. Upon receipt of information raising concerns about the suitability of a clearances holder, vetting
agencies are to assess if a review for cause is warranted.
196. Prior to initiating a review for cause the vetting agency is to advise the sponsoring agency and
interested parties (for contractors). If the sponsoring agency or interested parties (for contractors)
advises of any ongoing investigation that might be compromised by the review for cause the
vetting agency should not commence the review until the investigation is complete.
197. Vetting agencies should advise the clearance subject prior to starting any reviews for cause, and
the reasons for the review.
198. Sponsoring agencies should advise the clearance subject of their responsibility to comply with the
review for cause process.
199. Vetting agencies are to undertake any checks required to resolve the concern(s) that led to the
initiation of the review for cause. This may include:
200. Vetting agencies are to advise both the clearance subject and the sponsoring agency including
interested parties (for contractors) of the review for cause outcome.
33
8.7. Adverse findings
201. Decisions and actions taken during a security clearance could be subject to judicial review. Vetting
agencies will need to demonstrate that they have met the requirements of procedural fairness.
For further information see section 6.2 of the Australian Government personnel security guidelines
Vetting practices.
202. Where a decision is made to deny a clearance, the vetting agency is to inform the clearance
subject of the procedures for seeking a review of the decision.
203. The vetting agency is to also advise the sponsoring agency of the decision to deny the clearance.
204. Vetting agencies are to report any denial of NV and PV security clearances, including any exclusion
periods, to ASIO.
206. Section 39 of the ASIO Act permits Commonwealth agencies to take appropriate action (such as
suspending a persons security clearance and preventing ongoing access to classified information)
if the Commonwealth agency is satisfied, on the preliminary advice from ASIO, that it is necessary
to take that action as a matter of urgency due to the requirements of security. Any action taken is
to be temporary pending receipt of a new ASIO Security Assessment. Section 39(1) prevents
Commonwealth agencies from taking other prescribed kinds of action on the basis of preliminary
advice from ASIO.
207. ASIO will normally liaise with the Commonwealth agency and the relevant vetting agency in these
circumstances.
209. Vetting agencies are to resolve any grievances raised by the clearance subject regarding:
210. Vetting agencies are to advise the clearance subject of these procedures as part of the clearance
process.
34
212. An application by a clearance subject for a review does not change the original decision. A review
may determine that the process was flawed and a new process should be undertaken.
213. Clearance subjects may also seek external review. The avenue for review will vary. Some examples
are:
APS employees may seek review through the Australian Public Service Commissioner or the
Commonwealth Ombudsman, and
contractors may seek review through the Office of the Commonwealth Ombudsman.
214. Any person may seek review through the Federal Court.
215. The delegate for the purposes of the review should be independent from the original decision
maker.
216. The Public Service Regulations 1999 (Cth) provides guidance on review processes for APS
employees.
217. The vetting agency and the clearance subject seeking the review are to co-operate fully with the
review process.
219. The receiving vetting agency is to address any anomalies within the incoming clearance subjects
PSF at the time of transfer.
220. Vetting agencies are to advise sponsoring agencies of any concerns with the transferring clearance
holder's PSF. The sponsoring agency can then make a risk based decision on continuing access by
the clearance subject to security classified resources. For further information see the Australian
Government personnel security guidelinesVetting practices.
the vetting agency has concerns that the incoming clearance subject is no longer suitable to
access Australian Government security classified resources at that clearance level.
35
223. An inactive clearance is a security clearance that is within the revalidation period, however the
clearance:
is not sponsored by an Australian Government Agency
is not being maintained by the clearance holder for a period greater than six months due to
long term absence from their role, and
for the Positive Vetting level is unsponsored; however, an annual security check was
completed within the last two years.
224. Security clearances without sponsorship, but still within the revalidation period, are considered
inactivei.e. the clearance is not in use but has not been cancelled as a result of a review for
cause.
225. Upon notification of change of sponsorship for a clearance within the revalidation period, the
vetting agency is to identify the security clearances as active, only once the vetting agency has
assessed any changes of circumstances.
226. Vetting agencies are to identify security clearances as active upon notification of sponsorship by a
new agency, where the clearance is within the revalidation period subject to the vetting agencys
assessment of any changes of circumstances. For further information see the Australian
Government personnel security guidelinesVetting practices.
229. See the Australian Government personnel security guidelinesVetting practices for details of
qualifications, competencies and training requirements for vetting staff.
36
9. Agency responsibilities for active monitoring of clearance
holders
Mandatory Requirements
PERSEC 7: Agencies must establish, implement and maintain security clearance policies and procedures for
clearance maintenance in their agencies.
PERSEC 8: Agencies and vetting agencies must share information that may impact on an individuals ongoing
suitability to hold an Australian Government security clearance.
GOV 1: Agencies must provide all staff, including contractors, with sufficient information and security
awareness training to ensure they are aware of, and meet the requirements of the PSPF.
231. Clearance maintenance is a joint responsibility of vetting agencies, sponsoring agencies and the
individual clearance holder. The purpose of clearance maintenance is to provide continuing
mitigation to the risk from the malicious trusted insider. It is an ongoing process throughout the
life of a security clearance.
232. Vetting agencies are responsible for the periodic review of clearance holders suitability
(revalidations) and conducting any reviews for cause when specific issues or concerns arise that
may affect a clearance holder's suitability. For more information see Sections 10.6 - Reviews of
Security Clearance and 10.6.2 - Reviews for Cause.
233. Sponsoring agencies are responsible for their security clearance holders (including Contractors).
Sponsoring agencies are to:
notify the vetting agency of other issues of security concern relating to the ongoing
suitability of clearance holders, including security incidents and any concerns relating to
integrity
manage any additional specific clearance maintenance requirements agreed by the vetting
agency and the sponsoring agency as a condition of the security clearance, and
additional agency responsibilities for the ongoing clearance maintenance of their
contractors are detailed in Section 9.8 - Clearance maintenance for contractors.
234. These responsibilities are in addition to the controls identified for all personnel contained in
Section 5 Ongoing suitability for employment.
37
9.1. Security awareness training for clearance holders
235. Agencies are to ensure that people who have access to Australian Government security classified
resources, understand and accept their day-to-day security responsibilities.
236. In addition to a program of security briefings and training that directly responds to the agencys
security risk assessment, agencies are to:
advise clearance holders and their managers of their day-to-day security responsibilities
advise clearance holders and their managers of their reporting requirementsfor example:
- changes of circumstances, and
- suspicious, on-going, unusual or persistent contacts.
provide the clearance holder with a briefing and/or training reminding them of their
clearance responsibilities, at least every five years or at clearance revalidation, whichever is
the sooner.
237. Agencies may also need to coordinate additional training/ briefings for personnel with access to
Sensitive Compartmented Information with the compartment owners.
240. Where compliance with additional requirements is not met by the clearance subject, the vetting
agency is to undertake a review for cause into the clearance subjects ongoing suitability. The
resultant action by the vetting agency may be the variation or withdrawal of a security clearance.
managers responsible for personnel to confirm they have reported any concerns about the
clearance holders.
38
242. Agencies are to report any security concerns they have as to the ongoing suitability of their
clearance subjects to their vetting agency.
243. The annual health check does not replace an agencys ongoing responsibility for their performance
management including code of conduct investigations.
For further information on the annual health check see section 14.1 of the Australian
Government personnel security guidelines Agency personnel security responsibilities.
245. Agencies should not use the clearance review process to deal with personnel management
problems (e.g. underperformance). However, if it is likely that such concerns could affect a
persons suitability to hold a clearance, line managers should notify their agency security section
who in turn may notify the vetting agency.
246. Vetting agencies are to advise sponsoring agencies of any suitability concerns raised about
clearance subjects and any pending or active reviews for cause. In such cases and based on a risk
assessment the sponsoring agency is to, determine whether to limit or suspend the clearance
subjects access to security classified resources.
247. Agencies are to require their clearance holders to advise the agency security section of any
reportable changes in personal circumstances. For further details on what is a reportable change
of circumstance see Australian Government personnel security guidelines Agency personnel
security responsibilities.
248. Agencies are to also require agency personnel to advise the agency of changes in personal
circumstances of other clearance holders if they have concerns that may be relevant to a
clearance holders suitability.
249. The agency is to then advise the vetting agency of any notified reportable changes in
circumstances.
39
9.4.2. Contact reporting under the Australian Government Contact
Reporting Scheme
250. Agencies are to require their personnel to report suspicious, on-going, unusual or persistent
contacts with foreign officials and other foreign nationals to their agency security section.
252. For further information see Australian Government personnel security guidelines Agency
personnel security responsibilities.
the results of any investigations into security breaches attributed to particular security
clearance holders and conduct or incidents that may indicate a disregard for security by
clearance holderse.g. multiple infringements of agency security policies.
254. Agencies are to consult with the Australian Federal Police (AFP) and/or the Australian Security
Intelligence Organisation (ASIO) in respect of investigations that may have potentially serious
issues.
the heads of any agencies whose people, information or assets may be affected.
256. Agencies are to withdraw all access to security classified resources for any person responsible for
a security violation as soon as reasonably practicable after the violation is identified.
4Security violation a deliberate action that leads, or could lead, to the compromise of official resources; or an accidental failure that
leads to the compromise of CONFIDENTIAL or above material.
40
257. Agencies should make a risk based decision on whether to remove or restrict access for personnel
directly responsible for security breaches 5 or conduct that indicates a disregard for security.
258. Agencies should reassess any clearance holders access when an investigation into a violation or
breach is finalised.
259. Agencies are to notify the vetting agency when a breach of the code of conduct or other
disciplinary finding has been made against a clearance holder, including any cases where a breach
is established following the clearance holders departure from the agency.
260. Agencies are to include security incidents as part of their compliance reporting requirements
detailed in mandatory requirement GOV7.
262. Gaining agencies are to only sponsor clearances at the level required for the position the person
will be occupyinge.g. the gaining agency will only sponsor an NV1 clearance for an existing NV2
holder who moves to a position requiring an NV1 clearance.
263. Agencies should advise the change of agency to the vetting agency.
265. Where temporary personnel have been granted a security clearance by a State or Territory in
accordance with the PSPF, the clearance is to be recognised by the gaining agency for the period
of the transfer or secondment. Agencies should request confirmation of the clearance from the
vetting agency that granted the clearance.
266. Agencies are to agree on the clearance maintenance arrangements before a secondment or
temporary assignment commences.
267. Irrespective of the agreed clearance maintenance arrangements, agencies are to advise of any
identified security concerns that arise during the secondment or temporary assignment to the
5
Security breach an accidental or unintentional failure to observe the protective security mandatory requirements
41
home agency. This includes concerns identified after the secondment or temporary assignment
concluded.
269. Agencies are to, where possible, resolve any security issues before the leave is taken.
271. In addition to provisions outlined in Section 9 - Agency responsibilities for active monitoring of
clearance holders, contracts are to contain clearance maintenance provisions including:
arrangements for dealing with any reportable changes in circumstances and the reporting
and investigation of security incidents or breaches
the requirement for contract staff to protect the agencys information and assets, and
ongoing security awareness training that includes the contracting companys responsibility
to require contracted staff to:
- protect the agencys assets and information
- report changes in personal circumstances, and
- report suspicious, on-going, unusual or persistent contacts.
272. The agency should require the contracting company to inform the agency if an individual
employed by the company is/has:
employed on other concurrent contracts with other agencies or governments, so that all
affected agencies can be advised of any security concerns and can identify any conflicts of
interest
provisions for revoking physical and ICT access upon a contracted staff members exit from
the company.
42
274. For further advice on protective security in contracting see PSPFGovernance arrangements
Contracting and the Centre for Protection of National Infrastructure (UK) publication The secure
procurement of contracting staff - a good practice guide for the oil and gas industry.
275. Lead agencies are to advise vetting agencies that security clearance sponsorship has been
withdrawn for contractors when they are no longer actively engaged by that agency.
276. Vetting agencies are to notify any interested parties (other agencies) that the lead agency has
withdrawn sponsorship for the contractor. If the interested party requires the contractor to hold a
security clearance, they will need to take on sponsorship of that contractor. This includes the
responsibilities for clearance maintenance. For further information see Section 10.1.
43
10. Agency separation actions
Mandatory Requirement
PERSEC 9: Agencies must have separation policies and procedures for departing clearance holders, which
includes a requirement to:
inform vetting agencies when a clearance holder leaves agency employment or contract engagement,
and
advise vetting agencies of any security concerns.
remind the clearance holder of their continuing personal obligations under the Crimes Act,
Criminal Code and other relevant legislation, and
278. Agencies are to report any security concerns (non-compliance with the separation procedures)
about departing clearance holders to the vetting agency and ASIO ( for security as defined in the
Australian Security Intelligence Organisation Act 1979(Cth)), particularly where the clearance
holder departs without having a security debrief.
279. The vetting agency is to place this information on the PSF where it will be reviewed prior to
consideration of any new vetting action.
280. If departing clearance holders do not cooperate with these procedures or are otherwise assessed
to pose a risk to security, the agency is to undertake a risk assessment and implement mitigations.
10.2. On separation
281. On separation of a clearance holder, an agency is to advise the vetting agency:
that the clearance holder has left, and
of the details, if known, of any other agency or contracted service provider the clearance
holder is transferring to
282. Agencies are to forward a copy of a signed recognition of continuing obligation to the vetting
agency.
44
283. Where employees leave before these actions have been completed, the agency security advisor is
to review the circumstances to ascertain whether there are any security related concerns.
284. The agency is to report any such concerns to the vetting agency and ASIO.
285. Sponsorship of a contractor clearance ceases when the contractor no longer has a business
relationship with the sponsoring agency.
286. An agency should include in their contracts an obligation on the contracting company to advise
the agency when the contractors staff or sub-contractors with sponsored clearances have ceased
to work on the agencys contract.
287. Agencies are to advise the vetting agency when a sponsored contractor no longer requires a
security clearance to access the agencys security classified resources.
288. Vetting agencies are to advise any other known agencies using the contractor that the
contractors clearance is no longer sponsored by that agency, giving interested parties the
opportunity to assume sponsorship including the responsibilities for clearance maintenance of the
contractor.
45
Annex A: Request for variation of Special Minister of States
Determination 2012/1 for a Ministers Electorate Officer
289. Under Determination 2012/1, a Ministers Chief of Staff may request a variation of the security
clearance requirement from the Secretary of the Attorney-Generals Department where:
the person is an electorate officer
the electorate officer is not required to access, and will not come into contact with, security
classified information or resources:
- above PROTECTED for electorate officers employed by a National Security Committee
of Cabinet (NSC) Minister, or
- above SECRET for electorate officers employed by a non-NSC Minister.
290. The Secretary, Attorney-Generals Department will approve the request to vary the requirement for
a Negative Vetting Level 2 security clearance following a recommendation by the Portfolio
Department that confirms the electorate officer will not access security classified information or
resources above PROTECTED or SECRET as appropriate (see above).
46
Request for variation of Special Minister of States Determination 2012/1
for a Ministers Electorate Officer
All staff employed by Ministers, including Parliamentary Secretaries, employed under Part III of the Members of Parliament
(Staff) Act 1984 are required to be security cleared to Negative Vetting Level 2 unless:
the staff member:
- is an electorate officer, and
- does not require access to, and will not be exposed to, security classified material
the Ministers Chief of Staff requests an exemption, and certifies the electorate officer will not access classified
material
the Ministers Portfolio Department endorsed the request for variation, AND
the variation is approved by the Secretary of the Attorney-Generals Department
and is not required to access, and will not come into contact with, TOP SECRET security classified material. I request a
variation of the requirement for the above electorate officer to hold a Negative Vetting Level 2 security clearance.
Name and phone number of Chief of Staff Signature Date
/ /
I endorse the request to vary the requirement for a Negative Vetting Level 2 security clearance for the above mentioned
electorate officer. I confirm he/she will not have access to TOP SECRET material, and may have access to or come in
contact with security classified material:
At or below PROTECTED AT CONFIDENTIAL OR SECRET
(Tick whichever is applicable)
Send to: Protective Security Policy Section, Attorney-Generals Department, 3-5 National Circuit, BARTON ACT 2600
Email: pspf@ag.gov.au
Approval of request
As the delegate for Secretary, Attorney-Generals Department, I vary the requirement for the above mentioned
electorate officer to be security cleared to Negative Vetting Level 2, subject to them undergoing:
Baseline
Negative Vetting Level 1
Variation not approved - Negative Vetting Level 2 required
(Tick whichever is applicable).
Send to: Ministerial and Parliamentary Services, Department of Finance and Deregulation, Parkes Place, PARKES
ACT 2600
47