Personnel security guidelines - Protective Security Policy Framework

Personnel security guidelines
Agency personnel security responsibilities
Approved October 2014
Amended April 2015
Version 1.1
© Commonwealth of Australia 2013
All material presented in this publication is provided under a Creative Commons Attribution 3.0 Australia
licence (www.creativecommons.org/licenses).
For the avoidance of doubt, this means this licence only applies to material as set out in this document.
The details of the relevant licence conditions are available on the Creative Commons website as is the
full legal code for the CC BY 3.0 AU licence (www.creativecommons.org/licenses).
Use of the Coat of Arms
The terms under which the Coat of Arms can be used are detailed on the It's an Honour website
(www.itsanhonour.gov.au).
Contact us
Enquiries regarding the licence and any use of this document are welcome at:
Commercial and Administrative Law Branch
Attorney-General’s Department
3–5 National Cct
BARTON ACT 2600
Call: 02 6141 6666
Email: copyright@ag.gov.au
Document details
Security classification: Unclassified
Dissemination limiting marking: Publicly available
Date of next review: October 2016
Authority: Protective Security Policy Committee
Author: Protective Security Policy Section, Attorney-General’s Department
Document status: Approved October 2014, Amended March 2015
Table of Contents
Amendments
1. Introduction
  1.1 Purpose
  1.2 Audience
  1.3 Scope
  1.4 Use of specific terms in these guidelines
  1.5 Relationship to other documents
2. The trusted insider threat
3. Personnel security risk management
  3.1 Personnel security risk assessment
  3.2 Personnel security risk levels
    3.2.1 Agency risks
    3.2.2 Program risks
    3.2.3 Individual risks
4. Information sharing
5. Consent to collect and share personal information
6. Procedural fairness
7. Agency employment screening
  7.1 Undertaking employment and agency specific checks prior to engagement
  7.2 Recommended employment screening checks
    7.2.1 Statutory declaration
    7.2.2 Confidentiality and non-disclosure agreement
    7.2.3 Conflict of interest declaration and personal interest declaration
  7.3 Agency specific checks
  7.4 Anti-discrimination and merit based selection of personnel
  7.5 Mitigating concerns raised in minimum employment checks
  7.6 Transfers into agencies
    7.6.1 Recognition of employment screening on transfer of personnel
  7.7 Recordkeeping
  7.8 Additional information on employment and agency specific screening
8. Ongoing suitability for employment
  8.1 Monitoring and evaluation of ongoing suitability for employment
    8.1.1 Personnel security in performance management
    8.1.2 Periodic suitability checks and declarations
    8.1.3 Additional checks for senior office holders
  8.2 Security awareness training
    8.2.1 Security awareness training
    8.2.2 Delivery of security awareness training
    8.2.3 Content of security awareness training
    8.2.4 Agency specific risks, policies and procedures
    8.2.5 Personal safety measures
    8.2.6 Asset protection
    8.2.7 Protection of Australian Government resources
    8.2.8 Reporting requirements
  8.3 Security incident reporting and investigation
    8.3.1 Reporting requirements
    8.3.2 Investigating incidents
  8.4 Internal transfers
9. Agency actions on separation of personnel or those on extended leave
  9.1 Separation of staff
  9.2 Actions where normal separation procedures are not possible
  9.3 Staff on extended leave
  9.4 Special considerations when employment is terminated
  9.5 Transfers out of agencies
  9.6 Additional requirements for contractors
    9.6.1 Separation of contractors
    9.6.2 Actions at the end of a contract
10. Temporary access
  10.1 Temporary access risk assessments
11. Agency security clearance requirements
  11.1 Determining the need for a security clearance
  11.2 Identifying and recording positions requiring security clearances
  11.3 Getting a security clearance
    11.3.1 What documents do personnel need to provide, and why?
  11.4 Evidence of Australian citizenship for security clearances
    11.4.1 Qualifying for Australian citizenship
  11.5 Merit based selection of personnel requiring security clearances
12. Eligibility waivers
  12.1 Exceptional circumstances for eligibility waivers
  12.2 Eligibility waiver risk assessments
    12.2.1 Non-Australian citizen
    12.2.2 Uncheckable background
13. Ongoing security clearance maintenance
14. Agency responsibilities for active monitoring of clearance holders
  14.1 Annual health check
  14.2 Reporting change of circumstances
    14.2.1 The importance of reporting changes in personal circumstances
    14.2.2 Who should report changes of circumstances
    14.2.3 What to report
    14.2.4 Managing and assessing changes in circumstances
  14.3 Australian Government Contact Reporting Scheme
    14.3.1 Methods of gathering human source intelligence
    14.3.2 Reporting Criteria
    14.3.3 Reporting procedures
    14.3.4 Required contact/incident report information
    14.3.5 Contact reporting briefing
  14.4 Agency actions on separation/extended leave of personnel holding security clearances
    14.4.1 Separation of staff
    14.4.2 Separation of contractors
    14.4.3 Extended leave
  14.5 Special requirements for the management of contractor clearances
15. Summary of Annexes
Annex A – Proof of Australian Citizenship
Annex C – Example Security Clearance Privacy Statement and Informed Consent Form
Annex D – Fact Sheet Legislative Implications for Information Sharing
Annex E – Example Confidentiality/Non-disclosure agreement
Annex F – Example Conflict of Interest Declaration
Annex G – Example personnel security questions for professional referees for employment screening
Annex H – Example Contact Report Form
Annex I – Annual Health Check Conversation Guide
Amendments
No. | Date | Location | Amendment
1. | April 2015 | Section 8.1.3 | Update reference to SES requirement to submit an annual declaration of interest
2. | April 2015 | Throughout | Update links
3. | April 2015 | Throughout | Add links to Australian Government protective security better practice guide—Identifying and managing people of security concern
1. Introduction
1.1 Purpose
1. The Australian Government personnel security guidelines—Agency personnel security responsibilities have been developed to support the protection of the Australian Government’s people, information and assets, through sound personnel security practices. The guidelines provide advice to agencies to assist in their application of the controls identified in the Australian Government personnel security protocol.
2. These Guidelines provide guidance only; agencies may use other controls and measures to implement the requirements of the Protective Security Policy Framework (PSPF).
3. Personnel security is one element of good protective security management. Agencies’ responsibilities for personnel security include determining the suitability of personnel to access Australian Government resources. A suitable person possesses integrity and reliability and is not vulnerable to improper influence.
4. Effective personnel security provides assurance and confidence across government when collaborating or when sharing Australian Government resources[1] and can assist in mitigating the threat from the malicious trusted insider.
[1] ‘Australian Government resources’ is the collective term used for Australian Government people, information and assets.
1.2 Audience
5. These guidelines are intended for use by:
• agency security management personnel
• human resources personnel, and
• service providers to the Australian Government, as part of their contractual obligations.
1.3 Scope
6. These guidelines provide advice to agencies when:
• undertaking personnel security risk assessments
• developing agency specific employment screening policies and procedures
• assessing and supporting the ongoing suitability of all personnel to access official resources, and
• implementing personnel separation procedures.
7. Advice to agencies with personnel who access security classified resources when:
• identifying positions requiring access
• managing temporary access and eligibility waivers
• undertaking security clearance maintenance, and
• implementing additional personnel separation procedures for security clearance holders.
8. These guidelines apply to all agencies and organisations that are required to apply the PSPF, see PSPF–Governance–Applicability of the PSPF.
1.4 Use of specific terms in these guidelines
9. In these guidelines the terms:
• ‘need to’ refers to a legislative requirement that agencies must meet
• ‘are to’ or ‘is to’ are controls that support compliance with the mandatory requirements of the personnel security core policy
• ‘should’ refers to better practice - agencies are expected to apply better practice unless the agency risk assessment has identified reasons to apply other controls, and
• ‘required’ is used as common language and has no special meaning in these guidelines.
10. Unless otherwise stated, the use of:
• ‘personnel’ refers to employees, contractors and service providers as well as anyone else who is given access to agency assets as part of agency sharing initiatives
• ‘employment screening’ refers to screening undertaken by an agency prior to employment of staff or the engagement of contractors, and
• ‘vetting agency’ refers to the Australian Government Security Vetting Agency (AGSVA), authorised Commonwealth vetting agencies and State and Territory vetting agencies.
11. Additional terms used in these guidelines can be found in the PSPF–Glossary of Terms.
1.5 Relationship to other documents
12. These guidelines support the Personnel security core policy and Australian Government personnel security protocol.
13. These guidelines supersede the Australian Government personnel security guidelines:
• Agency personnel security guidelines
• Reporting changes in personnel circumstances guidelines
• Contact reporting guidelines
• Security awareness training guidelines (Under GOV 1 – developing a secure culture), and
• Security clearance subjects guidelines.
2. The trusted insider threat
14. One of the most significant risks to an agency is the threat posed by the malicious trusted insider, particularly with the increasing reliance on sophisticated ICT systems.
15. Most malicious trusted insider cases are voluntary or self-initiated insiders who have been in an agency for some time.
16. It is not only government employees who are targets of exploitation and recruitment as an insider; supporting contractors and businesses may also be targeted.
17. It is not enough to want to cause harm to an agency; a person also needs access. This is significantly easier for those with legitimate access to an organisation’s assets such as staff and contractors.
18. Agency personnel may undertake or facilitate:
• violence against other staff, clients or the public
• unauthorised disclosure of information
• physical or electronic sabotage
• third party access, either physically or logically
• financial or process corruption
• theft and fraud, or
• other forms of corrupt behaviours.
19. There is no one type of trusted insider. However, there are broadly two categories of trusted insiders who pose a threat:
• The unintentional insider: unintentional insiders are trusted employees or contractors who inadvertently expose, or make vulnerable to loss or exploitation, privileged information, techniques, technology, assets or premises. Inadvertent actions include poor security practices, such as leaving IT systems unattended and failure to secure sensitive documents, and unwitting unauthorised disclosure to a third party.
• The malicious insider: malicious insiders are trusted employees and contractors who deliberately and willfully breach their duty to maintain the security of privileged information, techniques, technology, assets or premises. There are two types of malicious insiders:
  - Self-motivated insiders are individuals whose actions are undertaken of their own volition, and not initiated as the result of any connection to, or direction by, a third party, and
  - Recruited insiders are individuals co-opted by a third party to specifically exploit their potential, current or former privileged access. This includes cultivated and recruited foreign intelligence, or their entities, with malicious intent.
20. There is generally no single or simple reason for an employee deliberately seeking to cause harm. Commonly, malicious trusted insiders have a number of motives for their activity. Motivations are often complex and mixed. Those who betray their organisation are often driven by a mix of personal vulnerabilities, life events and situational factors.
21. Key motivators for malicious insider activity include:
• financial problems or to seek financial gain
• ideology
• desire for recognition
• divided loyalties
• revenge
• adventure or thrill
• ego or self-image
• vulnerability to blackmail or influence
• compulsive or destructive behaviours
• family problems
• negligence, or
• disgruntlement.
22. For further advice on insider threat management see:
• Managing the Insider Threat to Your Business—A personal security handbook, which provides generic advice to managers
• Protective security better practice guide—Identifying and managing people of security concern, or
• Insider threat: protecting the enterprise from sabotage, spying and theft by Eric Cole and Sandra Ring (ISBN: 1-59749-048-2), which provides more detailed advice on insider threat identification and management.
3. Personnel security risk management
23. Agencies should consider personnel security risks as part of an agency’s overarching risk assessment and base decisions regarding personnel security on their personnel security risk profile. Personnel security risk management may impact on, and/or complement, information and physical security controls.
24. Personnel security risk management ideally should be integrated with, and not separate from, an agency’s Human Resources policies and processes as it is integral to establishing an agency’s culture.
3.1 Personnel security risk assessment
25. An agency’s personnel security risk assessment should be incorporated into the agency’s security risk management process and may be considered when conducting other agency risk management processes.
26. Undertaking personnel security risk assessments is important for the protection of an agency’s people, information and assets. A personnel security risk assessment will allow an agency to:
• deliver a level of assurance about the credentials and integrity of the agency’s workforce
• identify an agency’s vulnerabilities, such as insider threats (which can be harmful, costly, embarrassing and disruptive) and identify appropriate countermeasures to mitigate the risks
• communicate risks and risk solutions to senior management and secure their engagement in implementing controls
• effectively allocate resources commensurate with the level of risk, complementary to existing information and physical security controls, and
• continually monitor the effectiveness of mitigation controls.
27. To understand the personnel security risks within their organisation, agencies are to undertake a risk assessment in accordance with GOV-7 of the PSPF. Risk assessments are to be conducted in alignment with Standards Australia publications:
• AS/NZS ISO 31000: Risk Management – Principles and Guidelines, and
• HB 167:2006: Security risk management.
28. Involving management and staff representatives early in the risk assessment process will increase staff uptake of mitigations as well as assisting to foster a better security culture within an agency.
29. Agencies should use suitably skilled personnel to undertake personnel security risk assessments.
30. For further details on security risk management see PSPF—Security risk management.
3.2 Personnel security risk levels
31. Agencies should consider their personnel security risk assessments at three levels:
1. Agency risks – risks that are agency wide and directly affect agency business
2. Program risks – risks that are directly associated with a program or package of work undertaken within the agency, and
3. Individual risks – risks that are derived from personnel employed by the agency.
3.2.1 Agency risks
32. This level provides the foundations for considering risk at the other levels and is exacerbated by the aggregation of resources held by the agency and the vulnerability to government reputation from harm to people, the theft of assets or unauthorised disclosure of information held in trust by the agency.
33. Personnel security considerations at the agency level include:
• limiting access to the agency’s ICT networks
• protecting the agency’s valuable assets
• meeting specific enabling legislative requirements
• delivering agency outputs, and
• mitigating common personnel concerns, such as:
  - loyalty to Australia and the agency (foreign or dual citizenship may indicate loyalty to another country)
  - drug and alcohol abuse
  - violence against other employees, clients or the public, and
  - criminal activity.
3.2.2 Program risks
34. At this level personnel security risk reviews will depend on the complexity of agencies’ operations.
35. As program level personnel security risks are related to outputs, the personnel security risk assessment may be better included as part of the operational planning risk assessment.
36. Personnel security risk considerations specific to the program level may include:
• ability to deliver program outputs
• meeting access requirements of the physical location
• protecting program assets, and
• limiting access to specialised or highly classified ICT networks.
37. Each program or work area with identifiable specific risks should undergo a separate personnel security assessment.
3.2.3 Individual risks
38. Some positions within an agency may have specific risks that differ from other positions. Where this is the case the position should have its individual risks identified and managed.
39. Personnel security risk assessment should identify and assess groups of employees who may have greater potential to cause harm due to their:
• access to highly sensitive or classified information
• access to large aggregates of information, or
• access to valuable assets.
40. Some individuals may be employed even when they pose an increased risk to the agency, particularly those with:
• conflicts of interest
• divided loyalties
• past criminal activity
• identified drug use, or
• involvement in issue motivated groups.
41. Individuals that are associated with these or other risks may require a specific risk management program if they are to be employed.
4. Information sharing
42. For personnel security, the sharing of information is essential in identifying potential areas of risk to agencies. Information sharing can assist in preventing and detecting a range of threats including the malicious trusted insider. There is ample evidence indicating that incidents involving the malicious trusted insider may have been prevented or identified as an issue, at an earlier stage, had there been greater information sharing.
43. Information relevant to a person’s ongoing suitability to access Australian Government resources is to be shared between agencies, vetting agencies and the human resources and security areas within agencies.
44. Different areas within an agency may hold specific pieces of information on an individual (i.e. human resources, the security area and supervisors). These pieces of information considered independently may not constitute any specific concern. However, this information when viewed collectively may warrant concern or impact a person’s suitability to access Australian Government resources.
45. Additionally, a person may be found suitable to work within an agency, but their suitability to work within certain sections of an agency may be questionable. For example, a person who has a history of fraud offences may not be suitable to work in an area dealing with finances; however, they may be suitable to work within other areas of an agency. Early identification and management of any underlying concerns could help to prevent any future security incidents and mitigate against the malicious trusted insider. Without appropriate support, such individuals may be susceptible to manipulation or may attempt to abuse their access within the organisation.
46. The management of personal issues can help a person to remain a productive member of the team and strengthen personnel security requirements. Human resources and supervisors are uniquely placed to identify when a staff member is having personal issues that may affect their suitability to access Australian Government resources. Human resources and supervisors can intervene early to put in place measures to mitigate the concerns. This will also assist agencies in achieving their requirement under the Work Health and Safety Act 2011 (Cth).
47. Agencies and vetting agencies are to share information relevant to the ongoing suitability of personnel to access Australian Government resources.
48. For information on legislative implications for information sharing, see Annex D - Fact Sheet Legislative Implications for Information Sharing.
5. Consent to collect and share personal information
49. In order to comply with the requirements contained in the Privacy Act 1988 (Cth) agencies need to provide their personnel with a privacy statement that details how personal information, including sensitive information, will be collected, used and disclosed, and obtain written consent from all personnel that will allow an agency to:
• collect personal information, including sensitive information, from other agencies or private organisations
• disclose personal information, including sensitive information, with other agencies when determining initial or continuing suitability to access official resources
• use personal information, including sensitive information, to determine a person’s ongoing suitability to access official resources, and
• transfer information to another agency upon transfer of personnel.
50. Agencies are to obtain written consent from all clearance subjects (existing and potential) to share information with other agencies for the purposes of assessing their initial and ongoing suitability to access Australian Government resources. A template consent form is provided at Annex C - Example Security Clearance Privacy Statement and Informed Consent Form.
51. For further details on the legislative requirements of sharing personnel information see Annex D - Fact Sheet Legislative Implications for Information Sharing and at www.oaic.gov.au.
6. Procedural fairness
52. Vetting agencies should advise sponsoring agencies not to terminate a clearance subject’s employment before any reviews or appeals are finalised. In accordance with its human resources policies, the sponsoring agency may redeploy or suspend the clearance subject during this period.
53. Decisions to make or withdraw offers of or terminate employment or contracts may be subject to review. Prior to making a decision agencies should, subject to the impact on the National Interest, give personnel an opportunity to address the concerns raised in the employment or agency specific character checks. For further details on procedural fairness see the Administrative Review Council publication Best Practice Guide 2: Natural Justice.
7. Agency employment screening
54. Employment screening provides agencies with a level of assurance as to the suitability of their personnel, whether employees or contractors, to access Australian Government resources.
55. All agencies are to undertake employment screening which will:
• mitigate the risks identified in their personnel security risk assessment, and
• provide a level of assurance across all agencies that all Australian Government personnel are suitable to access Australian Government resources that agencies may share.
56. An agency should use specialist service providers to undertake employment or agency specific character checks where the agency does not have the requisite skills—for example, recruitment or vetting service providers.
57. Agencies are required by the Migration Act 1958 (Cth) to confirm identities and whether personnel are eligible to work in Australia—i.e., they are Australian citizens or have valid work visas. For further details see the Department of Immigration and Border Protection.
58. To be suitable, personnel need to demonstrate a level of integrity and reliability sufficient for the agency to be assured the person can be entrusted with its Australian Government resources. Integrity (soundness of character and moral principle) and reliability (trustworthy, responsible and dependable) are assessed by considering a range of character traits and behaviours, principally: honesty, maturity, trustworthiness, loyalty, tolerance and resilience. For further information see section 5 – Adjudicative guidelines of the Australian Government personnel security guidelines – Vetting Practices.
59. Agencies should also determine if the person is unduly vulnerable to improper influence—for example from issue motivated groups, criminal associations or commercial interests. A person may be vulnerable to coercion due to one or more factors—for example:
• conflicts of interest
• current or past criminal behaviours or criminal associations, or
• membership of issue motivated groups.
60. Employment screening can be broadly divided into two categories:
• recommended employment screening checks that agencies should apply to all personnel to give assurance of suitability to access Australian Government resources, and
• agency specific checks to mitigate any personnel security threats applicable to the agency not addressed by minimum employment screening.
7.1 Undertaking employment and agency specific checks prior to engagement
61. Agencies should finalise employment and agency specific checks prior to an offer of employment/contract. Where checks are not completed prior to engagement, agencies should make the employment or contract conditional on successfully satisfying the checks in a reasonable timeframe.
62. Agencies should conduct employment and agency specific checks before security clearances are initiated. If an individual is found to be unsuitable as part of pre-employment screening or agency specific checks, agencies are not to seek a clearance for the individual. If a clearance has already been sought agencies are to advise the vetting agency of any adverse results of the employment screening and agency specific checks.
63. Agencies are to advise their vetting agency of information that may be a security concern if a security clearance for the person is also being sought.
7.2 Recommended employment screening checks
64. The recommended employment screening checks include:
• confirm identity including confirm the right to work in Australia, by:
  - verifying the person’s identity to Level 3 of the Australian Identity Proofing Guidelines. This includes verifying identity documents and relevant mandatory qualifications with the issuing agency by using:
    • the Document Verification Service for Australian issued primary identification, or
    • other means of verification, based on a risk assessment for other identity or qualification documents.
  - confirming that the person is an Australian Citizen (an Australian Birth Certificate is not sufficient if born after 20 August 1986), by sighting the documents in support of citizenship, for further information see Proof of Citizenship, or
    • if the agency does not require Australian citizenship, the person has a valid visa, by sighting the documents in support of the visa. For further information see Visa Entitlement Verification Online.
• check personal integrity and reliability, by:
  - undertaking a five year employment check
  - undertaking a five year residency check
  - obtaining a professional referee check covering at least the last three months. See Annex G – Personnel security question for professional referees, and
  - check criminal history by:
    • obtaining a ‘No Exclusion’ police records check,[2] or
    • obtaining a ‘Full Exclusion’ or ‘Partial Exclusion’ police records check if an exclusion from the Spent Convictions Scheme detailed in Part VIIC, Divisions 3 and 6, of the Crimes Act 1914 (Cth) applies to the agency.[3]
• check credit history.
65. For further details on undertaking background and integrity screening see Australian Standards:
• AS 4811-2006: Employment Screening, and
• HB 323-2007: Employment screening handbook.
[2] A No exclusion police records check means that individuals are not required to disclose any spent or protected convictions.
[3] A Full exclusion or partial exclusion police records check means there are some exceptions which require an individual to disclose a spent or protected conviction.
8.2.3 7.2.1 Statutory declaration
66.
Agencies should obtain a signed Statutory Declaration from all personnel undertaking
employment screening declaring all information provided is truthful and complete. This may
assist in legal proceeding if fraudulent information is identified. For more information see the
Attorney-General’s Department’s guide to making a statutory declaration.
8.2.4 7.2.2 Confidentiality and non-disclosure agreement
67.
Agencies should obtain a signed confidentiality agreement from all potential personnel prior to
allowing access to Australian Government resources. See Annex E– Example confidentiality/ nondisclosure agreement.
68.
In addition to common confidentiality requirements and secrecy provisions under the Crimes Act
1914 (Cth) and the Criminal Code Act 1995 (Cth), agencies should advise all personnel of any
agency specific legislative requirements.
8.2.5 7.2.3 Conflict of interest declaration and personal interest
declaration
69.
There are different types of conflicts of interest. A conflict of interest can include a conflict by,
financial, secondary employment and association.
70.
It is common practice to have all contractors complete a conflict of interest declaration prior to
the commencement of a contract, or throughout the contract if contractor circumstances change.
Senior Executive Staff (SES) are also required to declare any conflict of interest. Agencies should
consider, based on their risk assessment, whether all personnel, not just contractors, should
complete a conflict of interest. See Annex F – Example conflict of interest declaration.
71. Australian Public Service (APS) employees have an obligation, under section 13 of the Public
Service Act, to behave with integrity and to avoid or manage conflicts of interest in their
employment. Senior Executive Staff employees are subject to a specific regime that requires them
to submit, at least annually, a written declaration of their and their immediate family’s financial
and other interests that could involve a real or apparent conflict of interest, to the APSC. For
more information see APSC’s publication on conflict of interest.
72. Agencies should have a conflict of interest policy, to guide staff on what could be perceived as a
conflict of interest and when and how to report a conflict.
73. There is no standard list of what a real or potential conflict could involve. However, the conflict of
interest policy could include guidance on:
• Relationships or contacts that may pose a conflict, for example:
  - journalists
  - persons of interest to law enforcement authorities or criminals
  - political associations, or
  - suppliers, contractors or service providers.
• Financial interests that may pose a conflict, for example:
  - real estate investments
  - shareholdings
  - trusts or nominee companies
  - company directorships or partnerships
  - other significant sources of income
  - significant liabilities
  - gifts, or
  - paid, unpaid or voluntary outside employment.
74. Agencies should consider having personnel in positions that are especially vulnerable to conflicts
of interest, e.g., senior managers, complete a detailed personal interest declaration.
75. For further information see the APSC publication ‘In whose interests?: Preventing and managing
conflicts of interest in the APS’.
7.3 Agency specific checks
76. Agencies should identify checks needed to mitigate additional agency personnel security risks,
where not addressed by the minimum employment screening. Some examples of character
checks may be, but are not limited to:
• drug and alcohol testing
• detailed financial probity checks, including wealth and credit checks
• psychological assessment
• agency specific questionnaires or other tests related to the industry, and
• partial or full exclusions under Part VIIC of the Crimes Act 1914 (Cth), the Spent Convictions
  Scheme relating to engagement in positions covered by specific legislation to which
  exemptions are given.
77. Agencies should advise potential personnel of agency specific checks that are part of the
recruitment or procurement process.
7.4 Anti-discrimination and merit based selection of personnel
78. Agencies may impose requirements on potential personnel to mitigate identified risks. However,
agencies should not use pre-engagement or agency specific character checks to unfairly exclude
potential personnel from engagement.
79. Agencies should seek separate advice from the Australian Human Rights Commission or
independent legal advice as to the suitability and use of any proposed agency specific checks.
7.5 Mitigating concerns raised in minimum employment checks
80. Concerns identified through employment screening should be assessed against potential
mitigating factors. For further information see Annex B – Mitigating concerns raised by minimum
employment checks.
81. Agencies should have policies for mitigating the risks that arise when a person does not
successfully meet character checks.
82. Agencies should undertake a risk assessment when a person does not successfully meet character
checks to determine whether the risk can be mitigated.
83. If it is not possible to undertake a check normally required by an agency, the agency may make a
risk based decision to not undertake the character check or undertake an alternative check.
84. The agency should record concerns, decisions to mitigate concerns or not undertake checks, and
supporting risk assessments on the person’s personnel file, or for contractors the contract file.
This will allow agencies to readily identify any decisions if the personnel later transfer.
85. For further details on assessing suitability, see the Australian Government personnel security
guidelines – vetting practices.
7.6 Transfers into agencies
86. Prior to finalising any transfer offers, gaining agencies should:
• seek confirmation of the checks undertaken and results gained from the losing agency, and
• undertake any additional checks required to meet agency employment and ongoing
  screening policies.
7.6.1 Recognition of employment screening on transfer of personnel
87. Agencies should recognise the employment screening on transferring personnel completed by
other agencies in accordance with the recommended minimum standards.
88. Agencies should screen transferring personnel where:
• the losing agency does not undertake the recommended pre-engagement screening, or
• screening is needed to meet agency specific requirements.
89. Agencies may undertake re-screening of transferring personnel where there is reasonable
concern relating to the suitability of the individual.
90. When personnel transfer between Australian Government agencies the losing agency should
advise the receiving agency of any concerns that were mitigated as part of the employment
screening process.
7.7 Recordkeeping
91. Agencies should maintain records of all personnel security checks in accordance with their agency
recordkeeping policy, the Privacy Act 1988 (Cth) and the Archives Act 1983 (Cth). For further
information on record keeping see the National Archives of Australia.
7.8 Additional information on employment and agency specific screening
92. Further information on employment and agency specific screening can be found in the following
Australian Standards publications:
- AS4811-2006: Employment Screening
- HB 323-2007: Employment Screening Handbook
- AS 8001-2008: Fraud and Corruption Control, and
- APS Conditions of engagement.
9. Ongoing suitability for employment
93. Employment screening only provides a snapshot of the person at the time of the checks. The
attitudes and behaviours of personnel will change over time. Agencies are to manage and assess
the ongoing suitability of all personnel. The key components of managing ongoing suitability are:
• monitoring and evaluating ongoing suitability, including periodic re-assessments
• continuing security awareness training
• security incident reporting and investigation, and
• managing internal transfers.
8.1 Monitoring and evaluation of ongoing suitability for employment
94. Agencies should have processes to monitor and evaluate the ongoing suitability of personnel
through:
• performance management
• periodic suitability checks and declarations
• self-reporting by personnel
• reporting of concerns by other personnel, and
• contract management.
95. Agencies should have policies and procedures to allow the exchange of information about
personnel suitability to access agency resources between personnel, managers, the agency
human resources management area and the Agency Security Adviser (ASA).
96. For information on personnel indicators of concern see:
• Managing the Trusted Insider Threat to Your Business—A personnel security handbook, and
• Australian Government protective security better practice guide—Identifying and managing
  people of security concern.
8.1.1 Personnel security in performance management
97. Agency performance management programs provide an avenue for managers to assess and
report on the performance of their personnel. Agencies should base the personnel security
component of their performance management program on their personnel security risk
assessments.
98. Agency performance assessments should identify personnel who display behavioural concerns,
including disregard for agency security policies and procedures.
99. Poor performance is one of the key indicators that a person may be disaffected and a potential
security concern.
100. High performers, i.e., people who regularly stay late or work outside of normal hours, may be of
concern as their access to sensitive information or valuable assets has little supervision.
101. Information on performance issues provided by managers to agency human resources areas may
indicate other personal issues that can lead to security concerns—e.g., alcohol or drug abuse,
financial difficulties.
102. Agencies should include in their annual performance appraisals confirmation:
• by the individual that they have reported any changes of circumstances, such as:
  - changes to details provided in initial or ongoing suitability checks—e.g., criminal charges
  - inappropriate contacts or contacts of concern, and
  - real or perceived conflicts of interest
• by the manager, that there are no unreported security concerns about the individual.
103. Agencies should undertake additional screening checks to address any concerns identified in the
annual performance appraisal.
8.1.2 Periodic suitability checks and declarations
104. As part of an agency’s personnel security risk assessment agencies should identify the periodic
checks required to confirm a person’s ongoing suitability to access agency resources.
105. Agencies should determine the frequency of periodic checks based on the risks related to the
agency, specific work area and if appropriate the specific role. Checks may include:
• Police records checks – As the Spent Convictions Scheme applies to convictions more than
  ten years apart, agencies should undertake police records checks at least every ten years.
  The frequency may be increased for high-risk positions/personnel.
• Financial checks – Where an agency’s risk assessment deems that personnel need a level of
  financial assurance, agencies should undertake periodic financial screening of personnel.
• Confirmation of personal particulars – Agencies should periodically update the personal
  particulars of their personnel. This could include:
  - updating residential address history
  - verifying any new qualifications claimed, and
  - updating employment history for contractors.
• Confirming adherence to, or completion of, any engagement conditions – Agencies should
  confirm that any conditions placed on an initial or continuing engagement are met within the
  timeframes specified—e.g., gaining Australian citizenship.
• Other agency specific checks – Agencies should periodically re-check personnel who are in
  positions subject to any agency specific pre-engagement checks.
• Conflict of interest declaration – Agencies should periodically reconfirm with personnel that
  changes in their circumstances have not put them into positions of real or perceived conflicts
  of interest. APS employees have an obligation under section 13 of the Public Service Act 1999
  (Cth) to disclose and take reasonable steps to avoid any real or apparent conflict of interest.
• Confidentiality agreement – Agencies should periodically seek new confidentiality or
  non-disclosure agreements. This serves to remind personnel of their ongoing confidentiality
  obligations.
8.1.3 Additional checks for senior office holders
106. Holders of high impact positions (e.g., senior managers, ICT system administrators, contract
managers, and financial management personnel) have the potential to cause greater harm to
agencies. Therefore, agencies should consider whether senior office holders undergo more
frequent or more detailed periodic checking.
107. All agency heads and SES officers employed under the Public Service Act 1999 (Cth) are
required, by decision of government, to submit at least annually a written declaration of their, and
their immediate family’s, financial and other interests that could involve a real or apparent conflict
of interest. SES employees submit their declarations to their agency head, and agency heads to their
minister. Additionally, under sections 25 to 28 of the Public Governance, Performance and
Accountability Act 2013 (Cth), Directors and Officials have a duty to disclose all material personal
interests that relate to the affairs of the entity/company.
108. Agencies should implement a similar regime that would require agency heads, SES employees,
Directors and Officials to submit the same or similar declaration to the ASA. The ASA should
forward the information to the vetting agency if there is a change of circumstances. This will
ensure vetting agencies are aware of any change of circumstances since the issue of the
clearance.
109. An example of what should be covered in the declaration can be found at Annex F – Example
conflict of interest declaration.
8.2 Security awareness training
110. Security awareness training is an important element of protective security. Security awareness
training supports physical, information and personnel security measures as well as informing staff
of their governance requirements.
111. Security awareness training effectively communicates appropriate security behaviours, individual
responsibilities and agency security policies. Agencies should use their agency’s security risk
assessment to identify areas to be included in their security awareness training program.
112. Security awareness training is ongoing and is provided by all agencies to:
• provide personal safety awareness, and
• address agency specific security risks.
113. Agencies should follow up training with strong, visible enforcement.
114. This section supports and should be read in conjunction with:
• PSPF—Governance—Developing a Culture of Security
• Australian Government Personnel Security Protocol
• Australian Government information security management core policy, and
• Australian Government physical security management core policy.
8.2.1 Security awareness training
115. Agencies are to provide security awareness training (GOV1 of the PSPF) to all of their employees
and contractors based in agency facilities, as well as targeted training to personnel in high-risk
positions. High-risk employees include those who:
• are involved in sensitive or priority negotiations or policy work
• have access to valuable or attractive assets
• work remotely or in dangerous conditions, or
• are required to liaise with foreign officials, or regularly share information with foreign
  officials.
116. Additionally, holders of NV and PV clearances should be provided with security awareness
training yearly to reinforce the clearance holder’s information security responsibilities. Baseline
clearance holders should be provided with security awareness training at least every five years as
a condition of revalidation of the clearances.
8.2.2 Delivery of security awareness training
117. Agencies should:
• include security awareness in their induction programs
• provide regular, ongoing security awareness training to personnel who require access to
  official resources
• develop specialist training as required to meet agency specific risks, and
• provide targeted security awareness training when the agency has an increased or changed
  threat environment.
8.2.10 Content of security awareness training
118. Agencies are to determine specific security training required by their personnel. This may include
but is not limited to:
• agency specific risks, policies and procedures
• personal safety measures
• asset protection
• protection of official information
• reporting requirements, and if relevant
• an individual’s security clearance responsibilities, for further information see section 13
  Ongoing security clearance maintenance.
8.2.11 Agency specific risks, policies and procedures
119. Agencies identify specific risks, and countermeasures, as part of the agency risk reviews and
policies. Agencies should inform personnel of:
• the protective security policies and procedures operating in their area
• the risks the policies and procedures are designed to mitigate against, and
• the roles and responsibilities of personnel in relation to the policies and procedures.
8.2.12 Personal safety measures
120. Agencies have a responsibility to protect employees and visitors. For further information see
Work Health and Safety Act 2011 (Cth).
121. It is recommended that agencies develop a safety handbook for all personnel. The handbook
should include emergency response guidelines and contacts as well as agency specific safety
requirements and procedures.
122. Agencies with heightened risks from the public and/or clients should provide their personnel
information about agency safety measures. The agencies should also hold regular safety exercises
and drills.
123. Personnel with specific emergency safety or security roles should receive regular training as well
as participate in exercises to confirm their ongoing competency. See:
• AS3745-2002: Emergency control organisation and procedures for buildings, structures and
  workplaces, and
• HB 328-2009: Mailroom security.
8.2.13 Asset protection
124. Agencies should provide advice to personnel on agency specific asset management and loss
reporting procedures prior to them taking custody of assets. This should include agency fraud
control measures.
125. For further information see:
• RMG 201 – Preventing, detecting and dealing with fraud
• Public Governance, Performance and Accountability Act 2013 (Cth)
• AS 8001-2008 Fraud and corruption control
8.2.14 Protection of Australian Government resources
126. Agencies should advise all personnel, regardless of level or security clearance, of the harm caused
by the compromise of security classified resources handled in their workplace and the ways in
which those resources might be vulnerable to compromise or misuse.
127. Agencies should provide employees with training on agency specific information management
procedures including agency ICT system(s) security classifications and Dissemination Limiting
Markers.
128. When agencies have diverse programs with different information security requirements, each
program area should advise its personnel of the marking and handling requirements for the
resources they possess or develop, whether security classified or not.
8.2.15 Reporting requirements
129. Agencies should provide all personnel advice on:
• ongoing suspicious contact reporting, including the Contact Reporting Scheme
• reporting changes in circumstances that might impact on the person’s suitability to access
  Australian Government resources
• fraud reporting procedures
• reporting concerns about other members of staff, and
• any other agency specific reporting requirements including public interest disclosure
  (whistleblowing) under the Public Interest Disclosure Act 2013 (Cth).
130. For further information on reporting requirements see section 14.3 - Australian Government
Contact Reporting Scheme.
131. Agencies can develop security awareness through:
• campaigns that address the ongoing needs of the agency and the specific needs of sensitive
  areas, activities or periods of time
• security instructions and reminders via publications, electronic bulletins and visual displays
  such as posters
• protective security-related questions in staff selection interviews
• drills and exercises, and
• inclusion of security attitudes and performance in the agency performance management
  program.
132. Agencies should seek guidance from their Portfolio Department on developing security
awareness training programs.
133. Agencies should use a Registered Training Organisation (RTO) if training is outsourced. RTOs are
accredited training providers who offer courses through the Australian Quality Training
Framework. A list of RTOs is available from www.training.gov.au.
8.3 Security incident reporting and investigation
8.3.1 Reporting requirements
134. Agencies should provide employees with a list of key agency reporting contacts. For further
information see PSPF—Governance—Protective security investigations. It is recommended that
the list of reporting contacts be included in the employee safety handbook.
135. The contacts list could also cover, but is not limited to, how and when to report:
• suspicious behaviours
• threatening behaviours including letters, bomb threats and phone calls
• broken ICT and security equipment
• security infringements and breaches
• fraud or suspected fraud
• full secure waste bins, and
• lost credit cards.
136. Reporting guidelines should also include any agency specific public interest disclosure
(whistleblowing) provisions.
8.3.2 Investigating incidents
137. For details on undertaking investigations see PSPF—Governance—Protective security
investigations.
8.4 Internal transfers
138. Agencies should confirm that all required employment, agency specific character and periodic
checks required for a new position are complete before confirming any internal transfers.
10. Agency actions on separation of personnel or those on extended leave
140. Agencies need to consider the risks to the ongoing confidentiality, integrity and availability of
their resources by personnel who are terminating their employment or are taking long term
leave. Agencies should have policies and procedures in place for the management of those
personnel ceasing their employment or taking extended leave.
141. If an agency divides the responsibilities for the management and implementation of separation or
termination of personnel between different areas within the agency, the agency should include
how the process is coordinated in their separation policies. This is so that procedures are
uniformly applied and necessary steps are not missed. Agencies should develop a separation
checklist to ensure that no areas are missed.
9.1 Separation of staff
142. Prior to separation agencies should:
• as part of an agency’s exit procedures, confirm with the employee their ongoing
  confidentiality requirements, including the use of intellectual property
• where a security clearance is held, inform the vetting agency of the employee’s cessation
  including whether there are any outstanding issues of a protective security nature
• consider conducting an audit to determine whether the employee has forwarded any
  proprietary information without approval (particularly when an employee is moving into a
  private sector position)
• retrieve ICT equipment or physical assets that are issued to the employee, in particular any
  portable devices, and
• recover any corporate credit cards.
143. Upon separation agencies should have in place procedures to:
• change any shared account passwords that were known by the employee
• remove access to agency ICT systems including any special access arrangements and have
  processes in place to cancel that access (for example: administrator access, TS networks,
  ASNET)
• disable any remote access to the ICT systems, including email and telephone voicemail
• remind remaining staff of their responsibility to report any contact by previous employees
  with a suspicious, persistent or unusual interest in their work or that of the agency in general
• revoke physical access to facilities and retrieve keys and/or access cards, and
• change any combinations of locks—e.g., doors, safes or security containers to which the staff
  member had access.
144. Where agencies allow the transfer of ownership of ICT equipment to the separating employee, or
where agencies allow the use of personal devices for work purposes, agencies should consider
the following steps prior to transferring ownership:
• archive any business related documents in accordance with agency records management
  policies
• remove all agency information
• remove all agency software applications, and if necessary
• erase the entire content of the device’s hard drive.
9.2 Actions where normal separation procedures are not possible
145. Agencies should conduct a risk assessment where it is not possible to undertake normal
separation procedures, e.g. personnel who work remotely or from home, personnel who suffer
significant injury or illness and cannot continue working, personnel who separate while on leave
or personnel who refuse to undergo separation processes.
146. Agencies should base any actions to limit access to information or recover assets on a risk review.
9.3 Staff on extended leave
147. Where personnel are planning extended leave for three months or longer, agencies should:
• remind employees on extended leave of their ongoing confidentiality obligations
• appropriately brief personnel travelling overseas to make them aware of their
  responsibilities including their requirement to report any suspicious, persistent or unusual
  foreign contact
• consider and manage any security issues before extended leave is approved, particularly if
  the employee is assessed as likely to decide, while on leave, not to return, and
• where agency policies allow the use of out-of-office messaging, have the employee set
  out-of-office email and voicemail advice with alternate contact details, or forward emails and
  telephones to an alternate officer prior to the start of their leave.
9.4 Special considerations when employment is terminated
148. Agency human resource managers are to advise their ASA and IT security adviser (ITSA) of any
proposed terminations of employment due to conduct concerns.
149. Agencies should base any personnel security measures for staff whose employment has been
terminated on a risk assessment. Options for high risk personnel may include:
• immediate suspension of duties
• immediate removal of all access to agency systems and facilities, or
• escorting the person from premises.
9.5 Transfers out of agencies
150. Agencies should make the results of any pre-engagement or periodic checking available to gaining
agencies prior to personnel transferring from their agencies unless the checks are undertaken
under specific agency legislative requirements and cannot be shared—e.g., partial or full
exclusion police records checks.
151. Agencies should advise the gaining agency of any exceptions given to agency screening checks
and any conditions placed on personnel as a result of the checks undertaken.
9.6 Additional requirements for contractors
152. Contractors may pose an increased risk to agencies as agencies have little oversight of personnel
security measures within contractor organisations.
153. In addition to normal agency pre-engagement and periodic screening requirements, agencies
should:
• undertake a specific risk assessment for each contract to identify any additional screening
  required to mitigate the increased risk of outsourcing functions
• consider increasing the frequency of screening checks for contractors, and
• include any specific personnel security requirements in tender and contract documents.
For further information see the Australian Government protective security governance
guidelines—Security of outsourced services and functions.
9.6.1 Separation of contractors
154. Agencies should include any separation requirements for contractors in their tender
documentation and contracts. This should include any applicable separation arrangements for
employees identified in section 14.4 – Separation of staff.
155. Agencies should continually review and monitor all contracts and contractors and include in all
contracts a requirement for contracted service providers to advise the agency whenever the
provider changes staff servicing the agencies’ contracts. This is particularly important for
contractors’ personnel that are terminated for conduct issues.
9.6.2 Actions at the end of a contract
156. Agencies should determine prior to entering into a contract how the agency will exit the contract.
In addition to any personnel security measures for contractor personnel at the end of a contract,
agencies should:
• consider ongoing confidentiality of agency information including the protection of agency
  intellectual property (as well as protection of contractor intellectual property)
• ensure the return of any agency assets required for the contract
• disable any special ICT access (particularly if they are contracted in an administrator role) and
  consider any ICT system sanitisation
• change any shared account passwords that were known by the contractor
• remove contractor access to agency ICT systems
• disable any remote access to the ICT systems, including email and telephone voicemail
• revoke physical access to facilities and retrieve keys and/or access cards, and
• change any combinations to locks—e.g., doors, safes or security containers to which the
  contractor has access.
157. For further information see the Australian Government protective security governance
guidelines—Security of outsourced services and functions.
11. Temporary access
158. Temporary access allows limited, supervised access to security classified resources.
10.1 Temporary access risk assessments
159. Agencies are to base any decision to approve temporary access on a detailed risk assessment.
160. Agencies should develop their own risk assessment template. As a minimum the assessment
should include:
• details of the need for temporary access, including why the role cannot be performed by a
  person with a clearance at the appropriate level
• confirmation from the vetting agency that the person has no:
  - previously identified security concerns
  - cancelled or denied clearance, or
  - history of temporary access and incomplete clearance processes
• details of the type and level of information that could be accessed by the person and any
  potential impact of compromise of this information
• confirmation that third parties who provide information that the person may access have
  been consulted
• details on how access to classified information is to be controlled to only that needed to
  meet the reason for temporary access
• details on how access to caveat or codeword information is to be prevented
• an assessment of any potential conflicts of interest
• details of any mitigating factors such as pre-engagement screening, agency specific character
  checks and existing lower level security clearances, and
• an undertaking by the person to protect official information, see Annex E – Example
  confidentiality / non-disclosure agreement.
12. Agency security clearance requirements
11.1 Determining the need for a security clearance
161. The government expects agencies to limit the number of people who require clearances.
162. Clearances may be required to:
• meet minimum requirements for agency ICT systems
• access specific areas of agency facilities
• access specific security classified information
• meet specific compartment briefing requirements, or
• provide a level of assurance.
163. An agency’s decision on the level of assurance it requires should be linked to the agency’s risk
assessment.
11.2 Identifying and recording positions requiring security clearances
164. Agencies are to maintain a register of positions that require a clearance. Before advertising a
position, agencies are to identify:
• if the position requires a security clearance
• the level of clearance required
• whether the clearance is for access to security classified information or to give a level of
  assurance, and
• when the requirement for a security clearance will be reassessed.
165. Agencies should periodically reassess the clearance requirement for positions, at least each time
the position becomes vacant and before it is advertised.
11.3 Getting a security clearance
166. Identified vetting agencies conduct security vetting for the Commonwealth Government. The
Australian Government Security Vetting Agency (AGSVA) provides security vetting services to
most Australian government agencies.
167. Australian citizenship is a condition of eligibility for security clearances. Under certain conditions
an agency head may waive this requirement if the risks can be otherwise mitigated. For further
information see section 11.4 – Evidence of Australian citizenship for security clearances.
168. Personnel that agree to undertake the security clearance process for the purposes of gaining
employment, transferring or promotion into a position, securing a service provision contract, or
to complete additional tasks within an existing position are to:
• disclose all relevant and required information
• co-operate in the collection of personal documents and corroborating evidence
• answer questions fully and honestly, and
• provide accurate information and personal documents.
11.3.1 What documents do personnel need to provide, and why?
169. Vetting agencies need a number of documents to confirm identity and background.
170. If there are any gaps or anomalies identified from the information and documents a clearance
subject provides, the vetting agency may request additional documents. The vetting agency will
be able to provide justification at the time of the request.
11.4 Evidence of Australian citizenship for security clearances
171. Australian citizenship is a condition of eligibility for security clearances, unless under exceptional
circumstances the agency head has waived this requirement.
172. Agencies, or for contractors AGSVA, are required to verify that a clearance subject is an Australian
citizen as part of the vetting process unless a citizenship waiver has been granted.
173. Australian citizenship is also generally a requirement for employment in the Australian Public
Service. For further information on conditions of engagement refer to the APSC publication
Citizenship in the Australian Public Service.
11.4.1 Qualifying for Australian citizenship
174. Most people born in Australia prior to 20 August 1986 are Australian citizens by birth unless one
parent was a foreign diplomat. For people born prior to this date, an Australian birth certificate
can be taken as evidence of Australian citizenship.
175. Australian citizenship is afforded if the individual:

was previously issued with an Australian citizenship certificate (this includes children who are
on a parent's citizenship certificate)

was born in Australia and acquired Australian citizenship

was born in Australia after 1986 and one responsible parent was a permanent resident or
Australian citizen

was born in Australia after 1986 and spent the first 10 years of their life in Australia

was adopted in Australia and acquired Australian citizenship

was born in the former Australian Territory of Papua before 16 September 1975 and
acquired Australian citizenship, or

was born outside Australia before 26 January 1949 and acquired Australian citizenship.
176. The Department of Immigration and Border Protection (DIBP) is the agency responsible for
determining a person’s Australian citizenship status. If there is any doubt about your Australian
citizenship status, you should contact DIBP. Further information is available at
www.citizenship.gov.au.
177. See Annex A – Proof of Australian Citizenship for further information on what is required for
evidence of citizenship.
11.5 Merit based selection of personnel requiring security clearances
178. Personnel cannot gain a security clearance unless they are expected to be engaged in roles
requiring security clearances. Therefore, it is not reasonable to expect potential personnel to hold
security clearances prior to being selected for these roles.
179. Selection based on existing clearance status is, therefore, not merit based and may be contrary to
agencies’ enabling legislation—e.g., the Public Service Act 1999 (Cth).
180. Agencies, or their contracted service providers, should not discriminate against potential
personnel who are not holders of a current security clearance where they indicate a willingness
and ability to gain a clearance prior to engagement.
181. Agencies should only limit selection to cleared personnel in exceptional circumstances, such as
when filling the position is time critical to the agency meeting its objectives. Agencies should
document the reasons for limited selections.
13. Eligibility waivers
182. An agency head’s decision to waive an eligibility requirement is to be made on the written advice
from the agency’s security executive and/or security adviser following a thorough analysis of the
risks to the Australian Government and the possible impact on the National Interest of granting
the waiver.
183. The submission of a waiver does not guarantee that the vetting agency will be able to proceed
with a clearance request.
184. Vetting agencies may not accept requests for clearances subject to waivers, if the vetting agency:

cannot undertake the required checks to establish eligibility, or

determines that there are issues that cannot be mitigated which would preclude the
clearances being granted.
185. Agencies should advise individuals subject to an eligibility waiver of the importance of reporting
changes of circumstances. If individuals do not report changes of circumstance to their
sponsoring and vetting agency, they are self-managing risks that may arise from those changes.
There is a tendency for individuals to underestimate risk as it applies to them, leading to poor
decision-making that tends to favour or benefit the person making the decision. Reporting
changes allows sponsoring and vetting agencies to assess and manage possible risks, rather than
the individual.
186. Agencies are to report details of clearance holders with waivers in their annual PSPF compliance
reports.
12.1 Exceptional circumstances for eligibility waivers
187. Agency heads are to only grant a waiver in exceptional circumstances where:

the exception is critical to the agency meeting its outcomes, and

the risks to any affected agency can be mitigated or managed.
188. Exceptional circumstances will vary from agency to agency and may include:

the person is necessary to the agency meeting a critical objective, and

the role cannot be redesigned so that access to classified information or resources is
restricted to existing personnel with the appropriate clearance.
189. Additionally for non-Australian citizens:

the role cannot be performed by an Australian citizen, and there is no conflict of interest in
relation to the person's country of allegiance and the role being undertaken, or

the foreign national is a permanent resident, is actively seeking citizenship and the process
will be concluded in a reasonable period.
12.2 Eligibility waiver risk assessments
12.2.1 Non-Australian citizen
190. If an agency head determines that there are exceptional circumstances and a citizenship waiver is
required, the citizenship waiver request should be submitted with the request for a security
clearance.
191. Agencies should bear in mind that even if a citizenship waiver is accepted by the vetting agency,
the clearance subject may later be found to have an uncheckable background, and be deemed
ineligible on this basis. If this is the case, the vetting agency will consult with the requesting
agency and discuss how or whether the request for a clearance may proceed.
192. Acceptance of a citizenship waiver does not mean that a clearance will be granted; it simply
allows the vetting agency to proceed with an assessment of suitability.
190. The sponsoring agency’s waiver assessment for non-Australian citizens should:

include details of the exceptional circumstances that preclude the position being filled by an
Australian citizen

include the person’s visa status and whether they are actively seeking, or plan to seek, Australian
citizenship (one of the personal factors is loyalty to Australia)

consider the threat assessment from ASIO on the clearance subject’s country(ies) of
citizenship

detail the agency’s plan to ensure the clearance subject does not access ‘Australian Eyes
Only’ (AUSTEO) or third country ‘EYES ONLY’ material

consult with third parties whose information may be accessed (either foreign or other
Australian agencies) and, in the case of foreign agencies, obtain agreement – unless there is
an existing bilateral agreement in place allowing the information exchange

for TOP SECRET information consult with the originating or controlling agency on a case by
case basis, and gain their specific approval, and

confirm the date of issue of the waiver and the length of time it is to apply.
191. Vetting agencies will not be able to complete a clearance for a non-Australian citizen if there are
other unresolved concerns about the clearance subject—e.g., an uncheckable background.
12.2.2 Uncheckable background
192. Vetting agencies will not be able to complete a clearance if they cannot make an assessment
against the whole person. Vetting agencies will make a case-by-case assessment of what
constitutes an uncheckable background as this will vary depending on the clearance subject’s
individual circumstances. However, long periods of uncheckable background may prevent a
clearance being assessed.
193. Time spent outside of Australia during the checkable period represents a risk to the Australian
Government, as the activities and associations of individuals outside of Australia are generally
significantly less checkable or ascertainable than activities and associations within Australia.
194. The vetting agency is unlikely to be able to assess a clearance subject’s loyalty or allegiance to
Australia if the clearance subject is not an Australian citizen and has not resided in Australia for
the majority of the checkable period.
195. If the majority of the required vetting checks are unable to be made in Australia, or with
Australian citizens, the clearance subject is unlikely to be assessed as having a checkable
background.
196. A determination by a vetting agency that an individual is ineligible as a result of their having an
uncheckable background does not preclude an agency from sponsoring the individual for a
security clearance at a later date. If an individual is later able to demonstrate stronger and more
enduring ties to Australia, and enough reliable, credible information is available to the vetting
agency to allow it to conduct a full assessment of suitability in accordance with the requirements
of the Adjudicative Guidelines, the individual may then be determined to be eligible.
197. Where a vetting agency identifies that an individual has spent a period of time outside of
Australia during the checkable period, the vetting agency will ask the sponsoring agency to submit
an eligibility waiver. The vetting agency will provide the agency with an assessment of likely risk
to inform the agency’s own assessment of whether it may be appropriate to grant an eligibility
waiver.
198. The vetting agency can proceed with consideration of an assessment of suitability only after an
eligibility waiver is received from the sponsoring agency.
199. The sponsoring agency is to then undertake a waiver assessment that:

includes details of the uncheckable background and assessment of the impact of the period
of uncheckability against the whole person

considers potential conflicts of interest

confirms from the vetting agency that there are no known concerns about the individual

consults with third parties who provide information that the person may access, and

confirms the date of issue of the waiver and the length of time it is to apply.
200. The vetting agency may still deny a clearance on suitability grounds where there are significant
concerns, including the eligibility condition that was waived, that cannot be mitigated.
201.
14. Ongoing security clearance maintenance
202. Some clearances are granted subject to specific aftercare requirements. If so, the clearance
subject will be advised at the time their clearance is granted.
203. All clearances are required to be revalidated at regular intervals. The interval is dependent on the
level of the clearance. AGSVA will advise the clearance subject when their revalidation is due.
204. If personnel have a change in personal circumstances, the changes may affect their security
clearance. All changes are to be reported. For further information see section 14.2 - Reporting
changes in circumstances.
15. Agency responsibilities for active monitoring of clearance holders
205. The granting of a security clearance provides a snapshot of the person at the time of the
completion of that clearance. The attitudes and behaviours of personnel will change over time.
206. In addition to the general ongoing suitability for employment requirements identified in Section 8
- Ongoing suitability for employment, the following additional suitability checks apply to security
clearance holders.
207. Agencies are to manage and assess ongoing suitability of all personnel. The key components of
managing ongoing suitability are:

continuing security awareness training

monitoring and evaluating ongoing suitability, including periodic re-assessments

security incident reporting and investigation, and

managing personnel transfers.
208. This section covers:

annual health checks (annual appraisal of security awareness)

reporting changes of circumstance

contact reporting under the Australian Government Contact Reporting Scheme

extended leave, and

special requirements for managing contractors.
14.1 Annual health check
209. The annual health check provides an avenue for managers to assess and report on their staff’s
performance and personnel security concerns. Annual health checks help identify personnel who
display behavioural concerns including disregard for agency security policies and procedures.
210. Information on performance issues provided by managers to agency human resources areas may
indicate other personal issues that can lead to security concerns—e.g., alcohol or drug abuse,
financial difficulties.
211. Agencies could include this as part of their annual performance management process.
212. When having the conversation with their staff, managers should consider any changes in
an employee’s behaviour (and consider whether it should be reported). For example:

unexplained changes in an employee’s personal circumstances (sudden and unexplained
wealth or financial hardship)

inappropriate interest in classified information (i.e. where the ‘need-to-know’ principle is
not met)

employee seems under considerable stress

decline in work performance, or

unusual hours of work inconsistent with the role.
213. Agencies should ensure contractors are aware of their protective security obligations and act
accordingly.
214. See Annex I – Annual Health Check Conversation Guide for the annual health check
conversation guide.
14.2 Reporting change of circumstances
14.2.1 The importance of reporting changes in personal circumstances
215. Vetting agencies grant security clearances after careful consideration of the whole of person.
Some changes in circumstances may affect a person’s ongoing suitability to hold a clearance.
216. Agencies should recognise that changes in circumstance can result in a range of things. Some
changes in circumstance may:

increase a person’s vulnerability to coercion, or lead to deliberate breaches of security, fraud
or corruption, or

be used by foreign governments, commercial organisations, issue-motivated groups, criminal
organisations or others to induce personnel into providing information or goods belonging to
the Government.
217. Agencies need to be aware of these changes in order to provide support to their staff. Reporting
changes in circumstances can prevent smaller issues from becoming larger problems.
14.2.2 Who should report changes of circumstances
218. Agencies are responsible for the ongoing clearance maintenance of their personnel and ensuring
that all personnel are suitable to access Australian Government Resources.
219. Agencies are to require all personnel who hold security clearances to report changes in personal
circumstances to their ASA or personnel responsible for security clearance maintenance (e.g. the
security function may reside in the Human Resources area of some agencies).
220. Agencies should identify the area within an agency where clearance subjects should report any
change in circumstances.
221. Clearance subjects’ reporting requirements should be included as part of an agency’s security
awareness training.
222. ASAs are to report any changes in circumstances to the vetting agency.
223. Additionally, personnel should report significant changes in circumstance relating to other
individuals where they feel it may impact on agency security to their managers or agency security
staff. This includes:

managers, including contract managers, reporting any concerns with personnel they manage

co-workers reporting concerns about people with whom they work, and

personnel reporting concerns about their managers.
224. Clearance holders should also advise managers and/or senior managers within the line areas of
significant changes in circumstances to assist in mitigating possible ‘Conflicts of Interest’.
225. Managers should report changes in circumstances relating to their personnel to their agency
security section regardless of whether they believe changes have been notified by the clearance
holder to their agency security section.
14.2.3 What to report
226. Clearance holders and supervisors are to report the following changes in circumstances. This list
is not exhaustive; if personnel are uncertain whether the information is relevant, they should
report it to their manager or ASA.

Change of name/identity (gender): the clearance holder is to provide a copy of the change
of name certificate or relevant documentation.

Changes in significant relationships: for example entering into or out of a relationship.

Changes in address: including changes to share house arrangements, for example new
roommates.

Entering into, or ceasing, a relationship (marriage, civil union or de facto relationship): The
clearance holder should provide a copy of the Marriage Certificate/decree nisi to the vetting
agency, which will update the clearance holder’s Personal Security File.

Changes in citizenship or nationality: a clearance holder who assumes foreign citizenship, by
either renouncing their Australian citizenship or attaining dual citizenship, may raise concerns
over their loyalty to Australia. Personnel who obtain Australian citizenship should also advise
their sponsoring agency and the vetting agency. The waiver for citizenship can be concluded
and any conditions on the clearance relating to citizenship removed.

Changes in financial circumstances: changes in financial circumstances may include, but are
not limited to, the receipt or giving of large amounts of money, significant increases in debt,
new financial associations, financial hardship and bankruptcy. Generally, this equates to plus
or minus $10,000 in each instance, which is the threshold for AUSTRAC reporting. This will
ensure that a person’s lifestyle is consistent with earnings.
Additionally, agencies need to consider the impact of online currency (i.e. Bitcoin), family
trusts and personal businesses.

Changes in health or medical circumstances: changes in health or medical circumstances can
lead to financial and personal stress or increase vulnerability; e.g., the use of some
prescription drugs may have adverse effects on a clearance holder’s ability to determine
when not to disclose information.

Changes in criminal history, police involvement and association with criminal activity: this
includes any criminal charges laid, convictions of an offence, good behaviour bonds/orders,
cautions and community service. Deliberate involvement in criminal activity indicates
questionable honesty, judgment and integrity.

Involvement or association with any individual, group, society or organisation: these could
include criminal organisations (e.g. Outlaw Motorcycle Gangs), extreme political parties
(declared/proscribed organisations) or foreign owned businesses.

Disciplinary procedures: professional misconduct proceedings (code of conduct) and
deregistration from a professional body.

Security incidents: clearance holders and managers should report all security incidents. A
history of incidents (major or minor) may bring into question a clearance holder’s suitability
to retain access to agency resources.

Drug or alcohol problems: any dependency on drugs, whether legal or illegal, or alcohol can
affect a person’s judgment. Illegal drug use may also make a person susceptible to influence
by criminal organisations.

Any other significant changes in circumstance: examples of significant changes in
circumstance include a major change of religious faith, political ideology or other life
changes.

Residence in, or visits to, foreign countries: clearance holders should report residence in, or
visits to, foreign countries in accordance with the Agency’s security plan. These countries
may vary dependent on the clearance holder’s role and his or her agency’s responsibilities.
Agency security staff will assess the travel based on ASIO’s advice relating to countries of
significance. Agencies will then notify the Vetting Agency where they hold security concerns,
especially relating to visits to countries of significance.

Relatives residing in foreign countries of security significance: changes to the clearance
holder’s close relatives’ country of residence overseas may be significant (i.e. immediate
family or relatives with whom the clearance subject has regular contact). Agency security
staff will then notify the Vetting Agency where they hold security concerns, especially
relating to visits to countries of significance.

Suspicious, persistent or unusual contacts: All suspicious, persistent or unusual contacts,
including those from Australian nationals, should be reported through the Contact Reporting
Scheme administered by ASIO, especially if the clearance holder is concerned about
questions asked, or information requested by, a foreign entity or individual. For further
information see section 14.3 – Australian Government Contact Reporting Scheme.
14.2.4 Managing and assessing changes in circumstances
227. Agencies should consider any risk as a result of a clearance holder’s changes in circumstances and
any action that may need to be taken to mitigate the risk.
228. When the clearance holder, the sponsoring agency or a third party notifies a change of
circumstance, the vetting agency will assess the change in circumstance to determine its
significance and update the Personal Security File with details of the change in circumstance and
advise the sponsoring agency.
229. Potential concerns, as a result of changes in circumstances, may require:

review for cause

code of conduct investigations,

security investigation, or

criminal investigation.
230. Where an allegation of security concern is received, an investigation by the sponsoring agency or
the vetting agency should validate the report. Agencies need to ensure that they do not prejudice
the person in question, as some claims can be malicious. For further information see the
Australian Privacy Principle - 10.
231. Where the change will significantly affect the sponsoring agency or the National Interest, the
vetting agency can initiate a review for cause of the clearance. The vetting agency will notify the
sponsoring agency to allow it to manage the risk.
232. A review for cause may entail an investigation into specific changes of circumstances or a full
revalidation.
233. If the vetting agency is satisfied that the clearance subject remains suitable to retain a clearance
at the particular level, the clearance will continue.
234. After conducting the review the vetting agency will notify the sponsoring agency and the
clearance holder of the results.
235. If a clearance becomes inactive or is denied, the vetting agency will notify the sponsoring agency
and the clearance holder of the rights for a review of the decision.
14.3 Australian Government Contact Reporting Scheme
236. ASIO manages the Australian Government Contact Reporting Scheme. The Scheme assists ASIO to
identify activity directed against Australia and its interests including people who hold an
Australian Government security clearance. It also helps identify trends, including:

what information is of interest to foreign intelligence services

who is interested in it, and

the methods the foreign intelligence services are prepared to use to collect the information.
237. ASIO uses this intelligence to assist in the formulation of threat assessment and security
intelligence advice and to protect the national interest.
238. Additionally, all employees should complete a contact report for instances when an individual or
group, regardless of nationality, seeks to obtain official information they do not have a need to
know in order to fulfil their work function.
14.3.1 Methods of gathering human source intelligence
239. Foreign intelligence services, foreign officials and politically, commercially or issue-motivated
groups and individuals can devote considerable energy and resources into obtaining access to
political, economic, scientific, technological, military and other information. This is not limited to
classified information and often includes privileged information, i.e. information that is not
normally available to the general public. Any compromise may be prejudicial to Australia’s
National Interest.
240. Intelligence services use human intelligence collection as a low-risk and common means of
intelligence gathering. Intelligence services can develop an aggregate picture through low-level
collection from a number of sources including government employees.
241. Small pieces of information could contribute to an intelligence collection process. Accordingly,
employees need to recognise that an ‘innocent’ conversation or ‘contact’ (e.g. e-mail) can be part
of human intelligence gathering.
242. Contacts may be official, as part of a person’s role, social or incidental. The following are
examples of types of contacts:

invitations to attend functions

written correspondence

sport and recreation activities

overseas travel

visits to embassies, consulates or involvement with trade missions or other international
events

membership of international clubs, institutes, professional associations or friendship
societies

incidental social interaction

e-mail

phone calls – including unsolicited phone calls where the caller has obtained the employee’s
details from a department/company website

training or study (e.g. language classes)

on-line social networking sites, and/or

introductions via a third party.
243. The initial overture might be subtle, carefully planned and occur over an extended period of time.
It is designed so that the person being cultivated is not aware it is occurring. However, there could
be indicators that arouse suspicion including:

a seemingly innocuous interest in an employee’s official, social or personal activities

a fascination with some particular aspect of an employee’s work, social or personal activities

requests for information about other employees who work in the agency

a request to meet with the employee away from the work environment

introduction to another person who takes a similar interest

encouragement to participate in questionable or illegal activity, or

offers of hospitality or gifts.
14.3.2 Reporting Criteria
244. Agencies are to require their personnel to report suspicious, on-going, unusual or persistent
contacts with foreign officials and other foreign nationals to their agency security section. This
includes if an individual or group, regardless of nationality, seeks to obtain official information
they do not have a need to access.
14.3.3 Reporting procedures
245. Agencies are to advise personnel who believe they have been the subject of an inappropriate
contact to report the incident to the ASA. The ASA can provide employees with a Contact Report
form.
246. To assist with the accurate recall of events, personnel should complete a written report as soon
as possible after the suspected contact has occurred.
247. In some circumstances, a contact report may lead to a security or criminal investigation. If the
matter involves fraud or theft, the agency should follow its fraud control policies.
14.3.4 Required contact/incident report information
248. The style and format of contact reports may vary from agency to agency, but the following
information should be included:

Time, Date – indicating if details are approximate

Location – including address where contact or incident occurred

Names, Designations and Nationalities – the reporting person’s details along with those of all
other persons present during the contact

Types of Contact – may include a combination of social, informal, official business and/or
other aspects

Conversation – any conversation or discussion may cover a number of subjects. The general
topic areas should be described, including personal details disclosed by either party, and

Other details – such as the circumstances that led to the contact or incident and the factors
that made it noteworthy or unusual.
249. A preliminary brief to report an incident should also include:

details of the incident

whether any assets have been compromised (type and level of classification), and

an initial assessment of the harm the compromise could cause.
250. A generic contact reporting form is at Annex H - Example Contact Report Form.
14.3.5 Contact reporting briefing
251. Agencies’ security awareness training programs are to inform personnel about the Contact
Reporting Scheme and ensure they understand their obligations and the reporting arrangements.
252. The Scheme is not intended to restrict legitimate contact between employees and foreign
officials. It provides support and encourages information sharing, which benefits the Government
employee who has been contacted, and the Australian Government. ASIO can provide a brief on
the Contact Reporting Scheme to agencies. These briefings are arranged through the individual
ASA.
253. Agencies should advise personnel to contact their agency security staff prior to travel to ascertain
the possible threat from foreign intelligence services and seek appropriate briefings. Agencies
should advise personnel performing official duties overseas that the intelligence and security
services in certain countries conduct surveillance of foreign representatives. ASIO can, where
relevant, provide a briefing on security situations that individuals may encounter when they
perform official duties overseas.
254. Agencies should inform personnel of:

the existing threat and threat sources

their personal and professional responsibilities

the ways that people can be deceived, coerced or pressured into actions harmful to national
security or interest

the fact that targeting occurs across all levels or ranks of an organisation not just at senior
level

the fact that most attempts to collect intelligence will be subtle and often appear innocuous

the effectiveness of security awareness training in restricting information collection by
foreign representatives

the need for high standards of personal conduct, and

the procedures for contact reporting.
255. Agencies should identify whether or not they have people working in high risk areas and, if so,
provide appropriate briefings. High risk employees include those who:

are required to liaise with foreign officials because they have a good proficiency in the native
language of the foreign officials

are involved in sensitive or priority negotiations or policy work, or

work in units that regularly share information with foreign officials.
14.4 Agency actions on separation/extended leave of personnel holding security clearances
256. Agencies should follow the procedures in section 9 - Agency actions on separation of personnel
or those on extended leave, in addition to the below requirements for separating personnel who
hold a security clearance.
14.4.1 Separation of staff
257. Agencies are to advise the vetting agency of separation of personnel.
258. Agencies are to, where appropriate:

obtain an assurance that individuals are aware of their ongoing obligations in respect of
national security and confidentiality

identify any departing staff that represent a security risk

report any identified risks and any significant security concerns associated with a clearance
holder’s separation to the vetting agency

where applicable, notify compartment holders and organise a debrief from those
compartments, and

where clearance holders depart suddenly without obtaining assurances of an individual’s
ongoing obligations, undertake a risk assessment to identify any security implications
relating to the departure.
259. When clearance holders are separating from an agency the agency should formally record the
termination of the sponsorship of the clearance and briefings.
260. Agencies are to report any security concerns about departing clearance holders to the vetting
agency, particularly where the clearance holder departs without having a security debrief.
261. Agencies are to report to ASIO any security concerns about separating clearance holders.
(Security as defined in section 4 of the Australian Security Intelligence Organisation Act 1979
(Cth).)
14.4.2 Separation of contractors
262. An agency should include in their contracts an obligation on the contracting company to advise
the agency when the contractor’s staff or sub-contractors with sponsored clearances have ceased
to work on the agency’s contract.
263. Agencies are to advise the vetting agency when a sponsored contractor no longer requires a
security clearance to access the agency’s security classified resources. Vetting Agencies should
advise any other known agencies using the contractor that the contractor’s clearance is no longer
sponsored.
264. Lead agencies for contracts involving multiple agencies should advise the other agencies, where
known, when a clearance is no longer sponsored by the lead agency.
265. If agencies have any concerns about the contractor on separation, they should advise the vetting
agency.
14.4.3 Extended leave
266. Clearance holders taking extended leave should be subject to the same procedures as separating
staff, unless a risk assessment determines this is unnecessary. The risk assessment might consider
the purpose of the long leave, any travel plans and the degree of ongoing contact between the
agency and the clearance holder during the leave.
267. Agencies are to put procedures in place to ensure security staff is notified of staff planning to go
on leave. The period will depend on the agency’s risk profile and any specific risks associated with
the position.
268. Agencies should advise the vetting agency where personnel holding a clearance take extended
leave.
269. Agencies should brief personnel who will be taking extended leave of their ongoing
confidentiality obligations. Any security issues should be resolved before the leave is taken.
270. Agencies should apply the procedures for separating staff to clearance holders taking extended
leave, unless a risk assessment determines this is unnecessary. The risk assessment might
consider the purpose of the long leave, any travel plans and the degree of ongoing contact
between the agency and the clearance holder during the leave.
271. Agencies should, based on their risk assessment, advise the vetting agency to change clearances
to inactive, for personnel on extended absences. When clearance holders return to work, the
vetting agency can make the clearance active, if requested, after undertaking appropriate vetting
updates.
14.5 Special requirements for the management of contractor clearances
272. Contractors pose additional risks to an agency’s personnel security, due to the lack of oversight
that an agency may have over a contractor. In order to mitigate these risks agencies should have
procedures and policies for management of contractors’ clearances.
273. Contracts should include:
• arrangements for dealing with any reportable changes in circumstances and the reporting and
investigation of security incidents or breaches
• the requirement for contract staff to protect the agency’s information and assets, and
• ongoing security awareness training that includes the contracting company’s responsibility to
require contracted staff to:
- protect the agency’s assets and information
- report changes in personal circumstances, and
- report suspicious contacts.
274. Agencies should include the following provisions in their contracts:
• details of and additional management requirements for contractors who have clearances
• details of whether the agency is the sponsor of the clearance
• an obligation for contractors to report changes of circumstances, including whether they are
working for another agency, to the vetting agency, sponsoring agency and any other agency
to which their services are provided
• procedures and contact details for contracted employees to advise of change of circumstances
• obligations for the contracting company to report to the sponsoring agency, and any other
agency to which the contracted employee provides services, if a contracted employee is dismissed,
arrested, or expelled from an accredited body
• provisions advising that the agency may share personnel information, including information
about deactivation or withdrawal of sponsorship, regarding a contracted employee with the
vetting agency and other agencies to which the contracted employee provides services, and
• provisions relating to the ongoing clearance maintenance for contractors.
275. Before entering into a contract for contracted services, agencies should have a good understanding
of the business requirements in the tender documentation.
276. Contractors are to annually confirm that they have reported all changes of circumstances or
suspicious contacts and have undergone any required security awareness training to the vetting
agencies and the sponsoring agency. Contract managers should be responsible for personnel to
confirm they have reported any concerns about the clearance holders.
16. Summary of Annexes
The following documents are examples only and agencies should create their own templates in
accordance with agency specific requirements and legislation:
• Annex A – Proof of Australian Citizenship
• Annex B – Mitigating concerns raised by minimum employment checks
• Annex C – Example security clearance informed consent form and privacy statement
• Annex D – Fact sheet legislative implications for information sharing
• Annex E – Example confidentiality/ non-disclosure agreement
• Annex F – Example conflict of interest declaration
• Annex G – Example personnel security questions for professional referees
• Annex H – Example contact report form
• Annex I – Annual health check conversation guide
Annex A – Proof of Australian Citizenship
Annex B – Mitigating concerns raised by minimum employment checks
Supporting documents
Identity fraud, i.e., people claiming different identities, or qualifications or experience they do not
have, is a significant threat faced by agencies during employment screening.
Claims made by a person should be supported by documents. If there are concerns about the validity of
provided documents agencies should seek confirmation of the details from the issuing authority.
Agencies should verify all supplied primary identity documents issued in Australia. Australian issued
primary documents can be verified using the Document Verification Service. While the service is free
there may be some set up cost to ensure an ICT solution to automate checking.
Agencies should take a risk based approach to verifying primary identity documents issued outside of
Australia or other identity documents.
Qualifications
Claiming qualifications that have not been awarded is the most common form of identity fraud during
recruitment. Agencies should verify with the issuing agency qualifications that are required for a
position. Agencies should also, based on their risk assessment, consider verifying all claimed
qualifications.
Employment history
Agencies should resolve unexplained gaps in employment. A person may not disclose periods of
employment when they have had their employment terminated or anticipate an adverse referee’s
report.
A history of short periods of employment may indicate poor reliability. However, there may be valid
reasons for the changes and agencies should seek further information from the person. Additional
referees’ checks could also be sought from previous employers.
Agencies should resolve concerns raised by referees about a person’s suitability to access official
resources, or the reliability of the person.
Referees who have had personal conflicts with an individual may provide negative referee’s reports. If
such a report is provided agencies should seek additional reports from previous employers/ supervisors.
Alternatively advice on the person’s suitability may be available from the Human Resources areas of
large employers.
Potential employees whose recent employment has been terminated may be of concern, depending on
the reasons. Agencies should investigate the reasons with the previous employer and the person. If a
determination on the concerns cannot be made agencies may need to contact alternative referees or
other previous employers for corroborating evidence.
Gaps in residential history
Residential history will aid in substantiating the person’s identity in the community. All personnel need
to provide supporting evidence of their current permanent residential address.
Agencies should request supporting proof for the previous five years of residential addresses.
Acceptable supporting proof may be:
• primary, secondary or tertiary proof of identity documents bearing an address, or
• typed official correspondence addressed to the person—e.g., rates notice or bank statement.
People may have problems providing supporting documentation for residential addresses, particularly
where:
• the residence was in someone else’s name
• the person was living at home, or
• the person was in temporary accommodation and had a separate permanent residential
address.
Agencies should make an assessment on whether the person’s explanation for periods of residency for
which they cannot provide supporting documents is reasonable.
Inconsistencies between residential and employment addresses
Agencies should also consider whether the residential addresses are appropriate for the employment
locations. Some travel is expected between a residential address and employment. However, residing in
a different town or city may indicate concerns about employment. The person needs to be able to
provide a reasonable explanation for these inconsistencies.
Criminal convictions
A Commonwealth ‘No Exclusion’ police records check will provide a record of Commonwealth
convictions for the preceding ten years, or until there is a gap of ten years between convictions,
whichever is the longer. However, the convictions that will be reported by each State or Territory will
depend on their Spent Convictions Scheme.
Failure to declare convictions
Failure to declare disclosable criminal offences may indicate a lack of honesty. Unless the person can
provide a reasonable explanation why the conviction was not declared agencies should reconsider the
person’s suitability for engagement.
One possible circumstance where a person could mistakenly not declare a conviction is where the date
of the offence was greater than ten years, but the date of conviction was less.
Declared convictions
Agencies should make a risk management determination on declared offences based on the agency’s
requirements and the role which the person will occupy—e.g., it may be inappropriate for someone
with a previous fraud conviction to be in a position with access to funds.
A history of low level alcohol or drugs related convictions may indicate a drinking or drugs problem.
Additionally any current drugs convictions may make the person susceptible to undue influence from
criminal organisations.
Financial history
A history of poor financial management may be of concern. However, it is not uncommon for small
businesses to fail. Agencies should look for a history of credit fraud or failure to resolve bankruptcy.
Agencies should make a risk based decision on the suitability of a potential employee based on their
financial history and job type or role within the agency – e.g., an individual with a history of credit fraud
may not be suitable for a role within the agency’s financial area.
Potential for undue influence
There are a number of factors that may make a person susceptible to undue influence. These could
include:
• Foreign or dual citizenship – the person may be loyal to another country and provide access to
agency resources about, or of value to, the other country.
• Current criminal activity – potential for influence by criminal organisations.
• Conflicts of interests – the person may provide or give access to agency resources relating to the
conflict of interest—e.g., concurrent contracts with competitor organisations.
Additional advice
For further details on assessing character traits see section 5 of the Personnel security guidelines –
Vetting practices.
Annex C – Example Security Clearance Privacy Statement and
Informed Consent Form
[The informed consent form is a sample only. Agencies should seek independent legal
advice before using the sample form. Agencies should tailor the form for each individual
agency’s requirements.]
Privacy Statement
Your personal information is being collected to assess your ongoing suitability to hold and
maintain a security clearance and to access Australian Government official resources.
Australian Government official resources include people, information and assets.
Personal information, including sensitive information, may be collected from and disclosed
to any entity or person listed in the Privacy Statement to assess your ongoing suitability to
hold and maintain a security clearance.
Without your personal information, your suitability to hold a security clearance cannot be
assessed. The inability to obtain a security clearance may have an adverse effect on your
employment, where it is a condition of engagement to hold and maintain a security
clearance.
Where you are simultaneously engaged by more than one agency, each agency will have
access to your personal information, including sensitive information. The security clearance
assessment involves a series of assessments and background checks to determine if you are
a suitable person to access security classified information, and other Australian Government
official resources.
It is your responsibility to provide accurate information and continue to update your
personal information by advising the [Agency name] security area and the [Vetting Agency
Name] of any changes in circumstances [insert link to change of circumstances form].
The security clearance process is intrusive by its nature. However, your privacy and dignity
will be respected. If you have any enquiries relating to the Privacy Act 1988 (Cth), or how
your information will be collected, used or disclosed, please email [insert person’s and
position] [privacy@agencyname.gov.au] or call (0X) XXXX XXXX.
[Vetting agency’s] privacy policy can be found at [insert website]
The privacy policy contains information on how:
• to access and seek correction of your personal information held by [Agency name];
• to make a complaint about a breach of the Australian Privacy Principles by the
[Agency name]; and
• the [Agency name] will deal with such a complaint.
The [Agency Name] recognises and respects your privacy and is committed to the Australian
Privacy Principles set out in the Privacy Act 1988 (Cth). The collection and use of your
personal information is required in accordance with the Australian Government’s Protective
Security Policy Framework.
By signing the consent form contained in this security clearance pack, you consent to the
collection, use and disclosure of your personal information as described below and for your
Personnel Security File (PSF) to be transferred to [Vetting Agency Name] and to be shared
with [Agency name] and any future sponsoring agency.
How your information will be collected
During the security clearance assessment process and while you continue to hold an
Australian Government security clearance, we may collect personal information, including
sensitive information, from:
• your current and previous or future private and Government employers. If you do
not consent to your current employer being contacted, please notify [Vetting Agency
Name] with the reasons for the denial of consent;
• your referees (both nominated by you and not nominated by you);
• third parties relevant to assessing and monitoring your ongoing suitability to hold
and maintain a security clearance;
• your Personnel Security File (if applicable) from
the relevant Commonwealth, State or Territory Agency in relation to any existing or
previous security clearances held by you;
• other service providers, such as contracted vetting providers, and medical or
psychological practitioners, used during the clearance process;
• financial institutions and financial checking institutions
• agencies to confirm residential addresses
• the Department of Immigration and Border Protection and the Department of
Foreign Affairs and Trade to check any naturalisation and/or citizenship documents
and international movements;
• medical professionals to clarify any medical conditions, with your consent; and
• State and Territory Registries of Births, Deaths and Marriages.
• you directly
• the Government agency which has sponsored your clearance
• Government agencies which have investigated any suspected breaches of law or
Australian government policy
• AFP and state and territory law enforcement agencies
• ASIO, and
• Educational institutions in relation to education documentation.
Disclosure of your information
During the security clearance assessment process and while you continue to hold an
Australian Government security clearance, we may disclose your personal information,
including sensitive information with:
• you directly
• the Government agency that has sponsored this clearance and any previous
Government agencies which have employed you or engaged you as a contractor,
and any future sponsoring or interested vetting agencies;
• the Australian Federal Police (AFP) [or S&T Police Name];
• financial institutions and [Financial checking agencies]; and
• the Australian Security Intelligence Organisation (ASIO).
• your previous and current and/or future private and/or Government employers,
including any employers that you worked for as a contractor. If you do not consent
to your current employer being contacted, please notify [Vetting Agency Name] with
the reasons for the denial of consent;
• your referees (both nominated by you and not nominated by you);
• third parties relevant to assessing and monitoring your ongoing suitability to hold
and maintain a security clearance
• your Personnel Security File (if applicable) from the relevant Commonwealth, State
or Territory Agency in relation to any existing or previous security clearances held by
you
• other service providers, such as contracted vetting providers, and medical or
psychological practitioners, used during the clearance process
• financial institutions and financial checking institutions
• agencies to confirm residential addresses
• the Department of Immigration and Border Protection and the Department of
Foreign Affairs and Trade to check any naturalisation and/or citizenship documents
and international movements;
• medical professionals to clarify any medical conditions, with your consent; and
• State and Territory Registries of Births, Deaths and Marriages
• the Government agency which has sponsored your clearance
• Government agencies which have investigated any suspected breaches of law or
Australian government policy
• AFP and state and territory law enforcement agencies
• ASIO, and
• Educational institutions in relation to education documentation.
Limited amounts of your personal information may also be disclosed to overseas recipients if
you are required to access foreign government resources. The information that may be
disclosed includes your clearance status, your full name and date of birth, and your position.
The [Agency Name] will not use or disclose your personal information that is collected for
the purpose of assessing your ongoing suitability to hold and maintain a security clearance,
to any other person or organisation, other than those listed above, unless:
• it would be reasonably expected by you that such a disclosure would occur, in
relation to your security clearance;
• disclosure is required or authorised by or under Australian law or a court/tribunal
order;
• a permitted general situation exists in relation to the use or disclosure of the
information, as defined in section 16A of the Privacy Act 1988 (Cth); or
• the use or disclosure of the information is reasonably necessary for one or more
enforcement related activities conducted by, or on behalf of, an enforcement body.
Informed Consent form
Full Name in Block Letters
I,
Date of Birth
Born on:
Place of Birth
at:
Full Residential Address
of:
Name of organisation / company / agency
Employed by:
Understand that:
My personal information will be collected and disclosed with those persons, sources and agencies listed
in the privacy notice.
My personal information will be used to assess and monitor my ongoing suitability to hold and maintain
a security clearance and access to Australian Government resources, while I continue to hold a security
clearance.
It is my responsibility to notify the vetting agency and the [Agency Name] security area of any change in
circumstances, using the change of circumstances form.
I consent for my personal information to be collected and disclosed:
• with the agencies, people and sources listed in the privacy notice for the purpose of assessing
and monitoring my ongoing suitability to hold and maintain a security clearance and to access
Australian Government resources
• with the agencies, people and sources listed in the privacy notice, while I continue to hold a
security clearance.
Signature
Witness Signature
Date
Witness Name and Address
Annex D – Fact Sheet Legislative Implications for Information Sharing
The importance of sharing information
Timely, reliable, and appropriate information sharing is the foundation of good government.
Information sharing enables better government service delivery and improved policy development
through focused interagency collaboration. For Personnel Security, the sharing of information is
essential to identify potential areas of risk to agencies from the compromise to agency resources.
Information sharing can help prevent and detect a range of threats including the trusted insider. There
is ample evidence that trusted insider cases could have been prevented or at least identified had there
been greater information sharing between agencies, the vetting agencies and human resource and
security areas within agencies.
Legislation that facilitates information sharing
There are a number of legislative instruments that facilitate the sharing of personal information for the
purposes of assessing a person’s ongoing suitability to hold and maintain a security clearance.
• Privacy Act 1988 (Cth);
• Public Service Act 1999 (Cth); and
• Human rights and anti-discrimination legislation.
Privacy Act
The Privacy Act facilitates the sharing of personal information when informed consent has been
provided by the individual. This includes the sharing of information relating to matters raised in
confidence such as relationship breakdowns, financial stress, and drug and alcohol addiction.
Public Service Act
The Public Service Act 1999 (PS Act) facilitates the sharing of personal information through Regulation
9.2 of the Public Service Regulations 1999 (Cth). Regulation 9.2 is only applicable to persons employed
under the PS Act. Regulation 9.2 was drafted with the intention to allow certainty for Australian Public
Service agencies as to the circumstances in which they may disclose personal information about their
employees to other agencies, and the circumstances in which they may legitimately use personal
information about employees within an agency.
Regulation 9.2 provides that personal information may be shared within an agency, if it is necessary for,
or relevant to, the performance or exercise of the employer powers of the agency. This means, the
human resources area within an agency can share relevant personal information with the security area
of an agency, as holding a security clearance is relevant to the performance of the employer powers of
the Agency Head.
Human Rights and anti-discrimination legislation
Human rights and anti-discrimination legislation does not prevent the sharing of personal information,
including information relating to medical and mental illness.
Sharing personal information does not breach anti-discrimination legislation. Section 15 of the Disability
and Discrimination Act 1992 (Cth) includes general prohibitions against discrimination in work on
grounds of disability, including mental health. However, the prohibition is subject to exceptions, where
a person would be unable to carry out the inherent requirements of the particular job. Any action taken
must be in reference to the inherent requirements of the particular job, including the employee’s
suitability to access Australian Government resources. All security clearance decisions are
administrative decisions and as such can be reviewed. Procedural fairness is accorded to clearance
subjects, no arbitrary decision making occurs and does not breach Australia’s international human rights
law obligations.
Annex E – Example Confidentiality/ Non-disclosure agreement
Full Name in Block Letters
I,
Date of Birth
Born on:
Place of Birth
at:
Full Residential Address
of:
Name of organisation / company / agency
Employed by:
being a person who has agreed to receive security classified information from:
Name of the agency providing security classified information
Undertake to:
• preserve the confidentiality/ secrecy of the information entrusted to me
• not disclose, publish or communicate such information to any person inside or outside my organisation/
company/ agency, except to senior managers who have a need to know such information
• ensure that those persons to whom I provide the information are made aware of the conditions under
which this information is communicated, and of the fact that the confidentiality/ secrecy of the
information must be maintained, and
• undergo the security clearance vetting process where I have been given access to security classified
information for more than three months in one year.
Further, I acknowledge that:
• I have received a security briefing on my responsibility to protect the information, including the correct
methods for storage, handling and dissemination, and
• any breach of this Undertaking may constitute the commission of an offence under sections 70 and 79 of
the Crimes Act 1914 (Cth) and Division 91 and Part 7.4 of the Criminal Code 1995 (Cth).
[include any agency specific secrecy provisions that apply.]
Signature
Witness Signature
Date
Witness Name and Address
Annex F – Example Conflict of Interest Declaration
The form below provides agencies with a template they may wish to use to document the management of an
actual or perceived conflict of interest in the recruitment process.
All personnel must complete a Conflict of Interest Declaration upon engagement and update the Declaration at
least once a year. Personnel must immediately notify the [insert agency name] of any matters that may result in
real or apparent conflicts of interest. Outside employment that creates a conflict of interest, or the appearance of
such must be declared on this Conflict of Interest Declaration.
For more information, see [insert agency name] Conflict of Interest Policy, available at [link to agency conflict of
interest policy]
SURNAME:
(please print)
OTHER NAMES
AGENCY NAME
1. Shareholding in public and private companies (including holding companies) indicating the
name of the company or companies
Name of company (including holding and subsidiary companies if applicable)
Self
Spouse
Dependent Children
2. Family and Business Trusts and Nominee Companies
a. In which beneficial interest is held indicating the name of the trust, the nature of its
operation and beneficial interest
Name of Trust/nominee company
Nature of its operation
Beneficial interest
Self
Spouse
Dependent Children
b. In which you, your spouse, or a child who is wholly or mainly dependent on you for
support, is a trustee (but not including a trustee of an estate where no beneficial
interest is held by you, your spouse or dependent children), indicating the name of the
trust, the nature of its operation and the beneficiary of the trust.
Name of Trust/nominee company
Nature of its operation
Beneficial interest
Self
Spouse
Dependent Children
3. Real estate, including the location (suburb or area only) and the purpose for which it is owned
Location
Purpose for which owned
Self
Spouse
Dependent Children
4. Registered Directorships of companies
Name of company
Activities of company
Self
Spouse
Dependent Children
5. Partnerships indicating the nature of the interests and the activities of the partnerships
Name
Name of Interest
Activities of Partnership
Self
Spouse
Dependent Children
6. Liabilities indicating the nature of the liability and the creditor concerned
Nature of liability
Creditor
Self
Spouse
Dependent Children
7. The nature of any bonds, debentures and like investments
Nature of account
Name of bank/institution
Self
Spouse
Dependent Children
8. Saving or investment accounts, indicating their nature and the name of the bank or other
institutions concerned
Nature of account
Name of bank/institution
Self
Spouse
Dependent Children
9. The nature of any other assets (excluding household and personal effects) each valued at over
$7,500
Nature of any other assets
Self
Spouse
Dependent Children
10. The nature of any other substantial sources of income
Nature of income
Self
Spouse
Dependent Children
11. Membership of any organisation where a conflict of interest with your duties could
foreseeably arise or be seen to arise
Name of organisation
Self
Spouse
Dependent Children
12. Any other interest where a conflict of interest with your duties could foreseeably arise or be
seen to arise
Nature of interests
Self
Spouse
Dependent Children
Annex G – Example personnel security questions for professional
referees for employment screening
The following questions are examples only and should be asked in addition to any role specific
recruitment questions.
• Please state the person’s full name:
• Please provide details of:
• Your relationship with the applicant:
(Include name of organisation(s), period of time known, whether the person was a colleague or was
supervised by you and whether the person is related to you.)
• The person’s job title and main responsibilities:
• Any substantiated client complaints about the person’s behaviour:
• The results of actions, investigations or inquiries concerning the person’s character,
competence or conduct:
• Any inquiries (internal or otherwise) currently in progress concerning the person’s character,
competence or conduct:
• Do you believe the person is honest, trustworthy and acts with integrity?
• Do you know of any other factors concerning the subject which might impact the person’s
fitness for employment?
(Among the factors which may be relevant are significant financial difficulties, abuse of alcohol or drugs,
criminal or civil proceedings against the person, living beyond the person’s means, mental or physical
illness that may impact on the person’s judgement.)
Annex H – Example Contact Report Form
Details of Contact
(If space is insufficient, please include an attachment)
Time:
Date:
Location:
Contact Initiated By: Unit or Firm Rep ☐  Foreign Rep ☐  Other ☐
If Other, please specify:
Means of Contact: In Person ☐  Telephone ☐  Correspondence ☐  Other ☐
If Other, please specify:
Reason or Occasion: Business ☐  Social ☐  Personal ☐  Official ☐  Incidental ☐  Other ☐
If Other, please specify:
Names of Persons Present (Include Designations and Nationality):
Topics of Conversation Significant to Security (Or details of incident):
Further Contact (Outline any arrangements made):
Other Information (e.g. Documents provided, undertakings given or received, etc.):
Details of Person Making the Report
Signature: (Hard copy only)
Printed Name:
Designation/Position:
Phone #:
Date:
The completed Contact Report Form should be provided to your ASA.
Annex I – Annual Health Check Conversation Guide
Below is a sample of questions that managers could use as a starting point for a conversation about security
practices. Agencies should develop their own questions and guides based on the agency’s risk.
Work life balance - areas for discussion:
• Managing caring commitments
• Flexible work arrangements
• Workload
• Any health issues or reasonable adjustment required
• Other personal circumstances
Good security practices - For managers to consider:
• Any changes in employee’s behaviour (and consider whether it should be reported). For
example:
- unexplained changes in an employee’s personal circumstances (sudden and
unexplained wealth or financial hardship)
- inappropriate interest in classified information
- employee seems under considerable stress
- decline in work performance
- unusual hours of work inconsistent with the role
• For contractors – ensure they are aware of their protective security obligations and act
accordingly
For managers to ask their staff:
• What protective security training have you undertaken in the past 12 months? Do you feel that you have adequate training to fulfil your responsibilities? [The training may include protective security policy awareness, training for access to the secure ICT systems, and fraud awareness training.]
• Are there any specific protective security measures/controls in your section's / branch's / division's area that are working well or not working well (that is, are the security practices enablers or barriers to your business needs)?
• Have you observed any suspected breaches of security, fraud (e.g. credit card, travel, and contract management) or the APS Code of Conduct? Did you report it? Were you informed of the outcome?
• Are you aware of your responsibilities to report:
  ◦ significant changes in your personal circumstances to the Department Security Unit and the vetting agency (e.g. family bereavement, divorce, separation, marriage, overseas travel, change of citizenship, changes in health, any criminal charges, any disciplinary matters or security breaches), and
  ◦ suspicious contact to the Departmental Security Unit?
• Have you shared your access to official resources (passwords, entry pass, and unsupervised access to ICT systems with your logon)? This is a breach and must be reported. Are you aware that you may not share your access to official resources as this is a security breach? Are you aware if this is a practice in the work area?
• Have you ensured official information is classified appropriately and used for its official purpose only?
• How are you contributing to a safe working environment for your colleagues, contractors, and clients? Is there anything we can do to improve personal safety?