Personnel security guidelines
Agency personnel security responsibilities

Approved October 2014
Amended April 2015
Version 1.1

© Commonwealth of Australia 2013

All material presented in this publication is provided under a Creative Commons Attribution 3.0 Australia licence (www.creativecommons.org/licenses). For the avoidance of doubt, this means this licence only applies to material as set out in this document. The details of the relevant licence conditions are available on the Creative Commons website, as is the full legal code for the CC BY 3.0 AU licence (www.creativecommons.org/licenses).

Use of the Coat of Arms
The terms under which the Coat of Arms can be used are detailed on the It's an Honour website (www.itsanhonour.gov.au).

Contact us
Enquiries regarding the licence and any use of this document are welcome at:
Commercial and Administrative Law Branch
Attorney-General’s Department
3–5 National Cct
BARTON ACT 2600
Call: 02 6141 6666
Email: copyright@ag.gov.au

Document details
Security classification: Unclassified
Dissemination limiting marking: Publicly available
Date of next review: October 2016
Authority: Protective Security Policy Committee
Author: Protective Security Policy Section, Attorney-General’s Department
Document status: Approved October 2014, Amended March 2015

Table of Contents
Amendments
1. Introduction
1.1 Purpose
1.2 Audience
1.3 Scope
1.4 Use of specific terms in these guidelines
1.5 Relationship to other documents
2. The trusted insider threat
3. Personnel security risk management
3.1 Personnel security risk assessment
3.2 Personnel security risk levels
3.2.1 Agency risks
3.2.2 Program risks
3.2.3 Individual risks
4. Information sharing
5. Consent to collect and share personal information
6. Procedural fairness
7. Agency employment screening
7.1 Undertaking employment and agency specific checks prior to engagement
7.2 Recommended employment screening checks
7.2.1 Statutory declaration
7.2.2 Confidentiality and non-disclosure agreement
7.2.3 Conflict of interest declaration and personal interest declaration
7.3 Agency specific checks
7.4 Anti-discrimination and merit based selection of personnel
7.5 Mitigating concerns raised in minimum employment checks
7.6 Transfers into agencies
7.6.1 Recognition of employment screening on transfer of personnel
7.7 Recordkeeping
7.8 Additional information on employment and agency specific screening
8. Ongoing suitability for employment
8.1 Monitoring and evaluation of ongoing suitability for employment
8.1.1 Personnel security in performance management
8.1.2 Periodic suitability checks and declarations
8.1.3 Additional checks for senior office holders
8.2 Security awareness training
8.2.1 Security awareness training
8.2.2 Delivery of security awareness training
8.2.3 Content of security awareness training
8.2.4 Agency specific risks, policies and procedures
8.2.5 Personal safety measures
8.2.6 Asset protection
8.2.7 Protection of Australian Government resources
8.2.8 Reporting requirements
8.3 Security incident reporting and investigation
8.3.1 Reporting requirements
8.3.2 Investigating incidents
8.4 Internal transfers
9. Agency actions on separation of personnel or those on extended leave
9.1 Separation of staff
9.2 Actions where normal separation procedures are not possible
9.3 Staff on extended leave
9.4 Special considerations when employment is terminated
9.5 Transfers out of agencies
9.6 Additional requirements for contractors
9.6.1 Separation of contractors
9.6.2 Actions at the end of a contract
10. Temporary access
10.1 Temporary access risk assessments
11. Agency security clearance requirements
11.1 Determining the need for a security clearance
11.2 Identifying and recording positions requiring security clearances
11.3 Getting a security clearance
11.3.1 What documents do personnel need to provide, and why?
11.4 Evidence of Australian citizenship for security clearances
11.4.1 Qualifying for Australian citizenship
11.5 Merit based selection of personnel requiring security clearances
12. Eligibility waivers
12.1 Exceptional circumstances for eligibility waivers
12.2 Eligibility waiver risk assessments
12.2.1 Non-Australian citizen
12.2.2 Uncheckable background
13. Ongoing security clearance maintenance
14. Agency responsibilities for active monitoring of clearance holders
14.1 Annual health check
14.2 Reporting change of circumstances
14.2.1 The importance of reporting changes in personal circumstances
14.2.2 Who should report changes of circumstances
14.2.3 What to report
14.2.4 Managing and assessing changes in circumstances
14.3 Australian Government Contact Reporting Scheme
14.3.1 Methods of gathering human source intelligence
14.3.2 Reporting criteria
14.3.3 Reporting procedures
14.3.4 Required contact/incident report information
14.3.5 Contact reporting briefing
14.4 Agency actions on separation/extended leave of personnel holding security clearances
14.4.1 Separation of staff
14.4.2 Separation of contractors
14.4.3 Extended leave
14.5 Special requirements for the management of contractor clearances
15. Summary of Annexes
Annex A – Proof of Australian Citizenship
Annex B – Mitigating concerns raised by minimum employment checks
Annex C – Example Security Clearance Privacy Statement and Informed Consent Form
Annex D – Fact Sheet Legislative Implications for Information Sharing
Annex E – Example Confidentiality/Non-disclosure Agreement
Annex F – Example Conflict of Interest Declaration
Annex G – Example personnel security questions for professional referees for employment screening
Annex H – Example Contact Report Form
Annex I – Annual Health Check Conversation Guide

Amendments

No.  Date        Location       Amendment
1.   April 2015  Section 8.1.3  Update reference to SES requirement to submit an annual declaration of interest
2.   April 2015  Throughout     Update links
3.   April 2015  Throughout     Add links to Australian Government protective security better practice guide—Identifying and managing people of security concern

1. Introduction

1.1 Purpose
1. The Australian Government personnel security guidelines—Agency personnel security responsibilities have been developed to support the protection of the Australian Government’s people, information and assets, through sound personnel security practices. The guidelines provide advice to agencies to assist in their application of the controls identified in the Australian Government personnel security protocol.
2. These guidelines provide guidance only; agencies may use other controls and measures to implement the requirements of the Protective Security Policy Framework (PSPF).
3. Personnel security is one element of good protective security management. Agencies’ responsibilities for personnel security include determining the suitability of personnel to access Australian Government resources. A suitable person possesses integrity and reliability and is not vulnerable to improper influence.
4. Effective personnel security provides assurance and confidence across government when collaborating or when sharing Australian Government resources[1] and can assist in mitigating the threat from the malicious trusted insider.

[1] ‘Australian Government resources’ is the collective term used for Australian Government people, information and assets.

1.2 Audience
5. These guidelines are intended for use by:
- agency security management personnel
- human resources personnel, and
- service providers to the Australian Government, as part of their contractual obligations.

1.3 Scope
6. These guidelines provide advice to agencies when:
- undertaking personnel security risk assessments
- developing agency specific employment screening policies and procedures
- assessing and supporting the ongoing suitability of all personnel to access official resources, and
- implementing personnel separation procedures.
7. They also provide advice to agencies with personnel who access security classified resources when:
- identifying positions requiring access
- managing temporary access and eligibility waivers
- undertaking security clearance maintenance, and
- implementing additional personnel separation procedures for security clearance holders.
8. These guidelines apply to all agencies and organisations that are required to apply the PSPF; see PSPF–Governance–Applicability of the PSPF.

1.4 Use of specific terms in these guidelines
9. In these guidelines the terms:
- ‘need to’ refers to a legislative requirement that agencies must meet
- ‘are to’ or ‘is to’ are controls that support compliance with the mandatory requirements of the personnel security core policy
- ‘should’ refers to better practice - agencies are expected to apply better practice unless the agency risk assessment has identified reasons to apply other controls, and
- ‘required’ is used as common language and has no special meaning in these guidelines.
10. Unless otherwise stated, the use of:
- ‘personnel’ refers to employees, contractors and service providers as well as anyone else who is given access to agency assets as part of agency sharing initiatives
- ‘employment screening’ refers to screening undertaken by an agency prior to employment of staff or the engagement of contractors, and
- ‘vetting agency’ refers to the Australian Government Security Vetting Agency (AGSVA), authorised Commonwealth vetting agencies and State and Territory vetting agencies.
11. Additional terms used in these guidelines can be found in the PSPF–Glossary of Terms.

1.5 Relationship to other documents
12. These guidelines support the Personnel security core policy and Australian Government personnel security protocol.
13. These guidelines supersede the Australian Government personnel security guidelines:
- Agency personnel security guidelines
- Reporting changes in personnel circumstances guidelines
- Contact reporting guidelines
- Security awareness training guidelines (under GOV 1 – developing a secure culture), and
- Security clearance subjects guidelines.

2. The trusted insider threat
14. One of the most significant risks to an agency is the threat posed by the malicious trusted insider, particularly with the increasing reliance on sophisticated ICT systems.
15. Most malicious trusted insider cases are voluntary or self-initiated insiders who have been in an agency for some time.
16. It is not only government employees who are targets of exploitation and recruitment as an insider; supporting contractors and businesses may also be targeted.
17. It is not enough to want to cause harm to an agency; a person also needs access. This is significantly easier for those with legitimate access to an organisation’s assets, such as staff and contractors.
18. Agency personnel may undertake or facilitate:
- violence against other staff, clients or the public
- unauthorised disclosure of information
- physical or electronic sabotage
- third party access, either physically or logically
- financial or process corruption
- theft and fraud, or
- other forms of corrupt behaviours.
19. There is no one type of trusted insider. However, there are broadly two categories of trusted insiders who pose a threat:
- The unintentional insider: unintentional insiders are trusted employees or contractors who inadvertently expose, or make vulnerable to loss or exploitation, privileged information, techniques, technology, assets or premises. Inadvertent actions include poor security practices, such as leaving IT systems unattended and failure to secure sensitive documents, and unwitting unauthorised disclosure to a third party.
- The malicious insider: malicious insiders are trusted employees and contractors who deliberately and wilfully breach their duty to maintain the security of privileged information, techniques, technology, assets or premises. There are two types of malicious insiders:
  - Self-motivated insiders are individuals whose actions are undertaken of their own volition, and not initiated as the result of any connection to, or direction by, a third party, and
  - Recruited insiders are individuals co-opted by a third party to specifically exploit their potential, current or former privileged access. This includes individuals cultivated and recruited by foreign intelligence services, or their entities, with malicious intent.
20. There is generally no single or simple reason for an employee deliberately seeking to cause harm. Commonly, malicious trusted insiders have a number of motives for their activity. Motivations are often complex and mixed. Those who betray their organisation are often driven by a mix of personal vulnerabilities, life events and situational factors.
21. Key motivators for malicious insider activity include:
- financial problems or to seek financial gain
- ideology
- desire for recognition
- divided loyalties
- revenge
- adventure or thrill
- ego or self-image
- vulnerability to blackmail or influence
- compulsive or destructive behaviours
- family problems
- negligence, or
- disgruntlement.
22. For further advice on insider threat management see:
- Managing the Insider Threat to Your Business—A personal security handbook, which provides generic advice to managers
- Protective security better practice guide—Identifying and managing people of security concern, or
- Insider threat: protecting the enterprise from sabotage, spying and theft by Eric Cole and Sandra Ring (ISBN: 1-59749-048-2), which provides more detailed advice on insider threat identification and management.

3. Personnel security risk management
23. Agencies should consider personnel security risks as part of an agency’s overarching risk assessment and base decisions regarding personnel security on their personnel security risk profile. Personnel security risk management may impact on, and/or complement, information and physical security controls.
24. Personnel security risk management should ideally be integrated with, and not separate from, an agency’s human resources policies and processes, as it is integral to establishing an agency’s culture.

3.1 Personnel security risk assessment
25. An agency’s personnel security risk assessment should be incorporated into the agency’s security risk management process and may be considered when conducting other agency risk management processes.
26. Undertaking personnel security risk assessments is important for the protection of an agency’s people, information and assets. A personnel security risk assessment will allow an agency to:
- deliver a level of assurance about the credentials and integrity of the agency’s workforce
- identify an agency’s vulnerabilities, such as insider threats (which can be harmful, costly, embarrassing and disruptive), and identify appropriate countermeasures to mitigate the risks
- communicate risks and risk solutions to senior management and secure their engagement in implementing controls
- effectively allocate resources commensurate with the level of risk, complementary to existing information and physical security controls, and
- continually monitor the effectiveness of mitigation controls.
27. To understand the personnel security risks within its organisation, agencies are to undertake a risk assessment in accordance with GOV-7 of the PSPF. Risk assessments are to be conducted in alignment with Standards Australia publications:
- AS/NZS ISO 31000: Risk Management – Principles and Guidelines, and
- HB 167:2006: Security risk management.
28. Involving management and staff representatives early in the risk assessment process will increase staff uptake of mitigations as well as assisting in fostering a better security culture within an agency.
29. Agencies should use suitably skilled personnel to undertake personnel security risk assessments.
30. For further details on security risk management see PSPF—Security risk management.

3.2 Personnel security risk levels
31. Agencies should consider their personnel security risk assessments at three levels:
1. Agency risks – risks that are agency wide and directly affect agency business
2. Program risks – risks that are directly associated with a program or package of work undertaken within the agency, and
3. Individual risks – risks that are derived from personnel employed by the agency.

3.2.1 Agency risks
32. This level provides the foundations for considering risk at the other levels and is exacerbated by the aggregation of resources held by the agency and the vulnerability to government reputation from harm to people, the theft of assets or unauthorised disclosure of information held in trust by the agency.
33. Personnel security considerations at the agency level include:
- limiting access to the agency’s ICT networks
- protecting the agency’s valuable assets
- meeting specific enabling legislative requirements
- delivering agency outputs, and
- mitigating common personnel concerns, such as:
  - loyalty to Australia and the agency (foreign or dual citizenship may indicate loyalty to another country)
  - drug and alcohol abuse
  - violence against other employees, clients or the public, and
  - criminal activity.

3.2.2 Program risks
34. At this level personnel security risk reviews will depend on the complexity of agencies’ operations.
35. As program level personnel security risks are related to outputs, the personnel security risk assessment may be better included as part of the operational planning risk assessment.
36. Personnel security risk considerations specific to the program level may include:
- ability to deliver program outputs
- meeting access requirements of the physical location
- protecting program assets, and
- limiting access to specialised or highly classified ICT networks.
37. Each program or work area with identifiable specific risks should undergo a separate personnel security assessment.

3.2.3 Individual risks
38. Some positions within an agency may have specific risks that differ from other positions. Where this is the case the position should have its individual risks identified and managed.
39. Personnel security risk assessment should identify and assess groups of employees who may have greater potential to cause harm due to their:
- access to highly sensitive or classified information
- access to large aggregates of information, or
- access to valuable assets.
40. Some individuals may be employed even when they pose an increased risk to the agency, particularly those with:
- conflicts of interest
- divided loyalties
- past criminal activity
- identified drug use, or
- involvement in issue motivated groups.
41. Individuals that are associated with these or other risks may require a specific risk management program if they are to be employed.

4. Information sharing
42. For personnel security, the sharing of information is essential in identifying potential areas of risk to agencies. Information sharing can assist in preventing and detecting a range of threats, including the malicious trusted insider. There is ample evidence indicating that incidents involving the malicious trusted insider may have been prevented, or identified as an issue at an earlier stage, had there been greater information sharing.
43. Information relevant to a person’s ongoing suitability to access Australian Government resources is to be shared between agencies, vetting agencies, and the human resources and security areas within agencies.
44. Different areas within an agency may hold specific pieces of information on an individual (i.e. human resources, the security area and supervisors). These pieces of information considered independently may not constitute any specific concern. However, this information when viewed collectively may warrant concern or impact a person’s suitability to access Australian Government resources.
45. Additionally, a person may be found suitable to work within an agency, but their suitability to work within certain sections of an agency may be questionable. For example, a person who has a history of fraud offences may not be suitable to work in an area dealing with finances; however, they may be suitable to work within other areas of an agency. Early identification and management of any underlying concerns could help to prevent any future security incidents and mitigate against the malicious trusted insider.
Without appropriate support, such individuals may be susceptible to manipulation or may attempt to abuse their access within the organisation.
46. The management of personal issues can help a person to remain a productive member of the team and strengthen personnel security requirements. Human resources and supervisors are uniquely placed to identify when a staff member is having personal issues that may affect their suitability to access Australian Government resources. Human resources and supervisors can intervene early to put in place measures to mitigate the concerns. This will also assist agencies in meeting their obligations under the Work Health and Safety Act 2011 (Cth).
47. Agencies and vetting agencies are to share information relevant to the ongoing suitability of personnel to access Australian Government resources.
48. For information on legislative implications for information sharing, see Annex D – Fact Sheet Legislative Implications for Information Sharing.

5. Consent to collect and share personal information
49. In order to comply with the requirements contained in the Privacy Act 1988 (Cth), agencies need to provide their personnel with a privacy statement that details how personal information, including sensitive information, will be collected, used and disclosed, and obtain written consent from all personnel that will allow an agency to:
- collect personal information, including sensitive information, from other agencies or private organisations
- disclose personal information, including sensitive information, to other agencies when determining initial or continuing suitability to access official resources
- use personal information, including sensitive information, to determine a person’s ongoing suitability to access official resources, and
- transfer information to another agency upon transfer of personnel.
50. Agencies are to obtain written consent from all clearance subjects (existing and potential) to share information with other agencies for the purposes of assessing their initial and ongoing suitability to access Australian Government resources. A template consent form is provided at Annex C – Example Security Clearance Privacy Statement and Informed Consent Form.
51. For further details on the legislative requirements of sharing personnel information see Annex D – Fact Sheet Legislative Implications for Information Sharing and www.oaic.gov.au.

6. Procedural fairness
52. Vetting agencies should advise sponsoring agencies not to terminate a clearance subject’s employment before any reviews or appeals are finalised. In accordance with its human resources policies, the sponsoring agency may redeploy or suspend the clearance subject during this period.
53. Decisions to make or withdraw offers of employment or contracts, or to terminate them, may be subject to review. Prior to making a decision agencies should, subject to the impact on the National Interest, give personnel an opportunity to address the concerns raised in the employment or agency specific character checks. For further details on procedural fairness see the Administrative Review Council publication Best Practice Guide 2: Natural Justice.

7. Agency employment screening
54. Employment screening provides agencies with a level of assurance as to the suitability of their personnel, whether employees or contractors, to access Australian Government resources.
55. All agencies are to undertake employment screening which will:
- mitigate the risks identified in their personnel security risk assessment, and
- provide a level of assurance across all agencies that all Australian Government personnel are suitable to access Australian Government resources that agencies may share.
56. An agency should use specialist service providers to undertake employment or agency specific character checks where the agency does not have the requisite skills—for example, recruitment or vetting service providers.
57. Agencies are required by the Migration Act 1958 (Cth) to confirm identities and whether personnel are eligible to work in Australia—i.e., they are Australian citizens or have valid work visas. For further details see the Department of Immigration and Border Protection.
58. To be suitable, personnel need to demonstrate a level of integrity and reliability sufficient for the agency to be assured the person can be entrusted with its Australian Government resources. Integrity (soundness of character and moral principle) and reliability (trustworthy, responsible and dependable) are assessed by considering a range of character traits and behaviours, principally: honesty, maturity, trustworthiness, loyalty, tolerance and resilience. For further information see section 5 – Adjudicative guidelines of the Australian Government personnel security guidelines – Vetting Practices.
59. Agencies should also determine if the person is unduly vulnerable to improper influence—for example from issue motivated groups, criminal associations or commercial interests. A person may be vulnerable to coercion due to one or more factors—for example:
- conflicts of interest
- current or past criminal behaviours or criminal associations, or
- membership of issue motivated groups.
60. Employment screening can be broadly divided into two categories:
- recommended employment screening checks that agencies should apply to all personnel to give assurance of suitability to access Australian Government resources, and
- agency specific checks to mitigate any personnel security threats applicable to the agency not addressed by minimum employment screening.

7.1 Undertaking employment and agency specific checks prior to engagement
61. Agencies should finalise employment and agency specific checks prior to an offer of employment or contract. Where checks are not completed prior to engagement, agencies should make the employment or contract conditional on successfully satisfying the checks in a reasonable timeframe.
62. Agencies should conduct employment and agency specific checks before security clearances are initiated. If an individual is found to be unsuitable as part of pre-employment screening or agency specific checks, agencies are not to seek a clearance for the individual. If a clearance has already been sought, agencies are to advise the vetting agency of any adverse results of the employment screening and agency specific checks.
63. Agencies are to advise their vetting agency of information that may be a security concern if a security clearance for the person is also being sought.

7.2 Recommended employment screening checks
64. The recommended employment screening checks include:
- confirm identity, including the right to work in Australia, by:
  - verifying the person’s identity to Level 3 of the Australian Identity Proofing Guidelines. This includes verifying identity documents and relevant mandatory qualifications with the issuing agency by using:
    - the Document Verification Service for Australian issued primary identification, or
    - other means of verification, based on a risk assessment, for other identity or qualification documents
  - confirming that the person is an Australian citizen (an Australian birth certificate is not sufficient if born after 20 August 1986), by sighting the documents in support of citizenship; for further information see Proof of Citizenship, or
  - if the agency does not require Australian citizenship, confirming that the person has a valid visa, by sighting the documents in support of the visa. For further information see Visa Entitlement Verification Online.
- check personal integrity and reliability, by:
  - undertaking a five year employment check
  - undertaking a five year residency check
  - obtaining a professional referee check covering at least the last three months (see Annex G – Example personnel security questions for professional referees for employment screening), and
  - checking criminal history by:
    - obtaining a ‘No Exclusion’ police records check,[2] or
    - obtaining a ‘Full Exclusion’ or ‘Partial Exclusion’ police records check if an exclusion from the Spent Convictions Scheme detailed in Part VIIC Divisions 3 and 6 of the Crimes Act 1914 (Cth) applies to the agency.[3]
- check credit history.
65. For further details on undertaking background and integrity screening see Australian Standards:
- AS 4811-2006: Employment Screening, and
- HB 323-2007: Employment screening handbook.

[2] A No Exclusion police records check means that individuals are not required to disclose any spent or protected convictions.
[3] A Full Exclusion or Partial Exclusion police records check means there are some exceptions which require an individual to disclose a spent or protected conviction.

7.2.1 Statutory declaration
66. Agencies should obtain a signed statutory declaration from all personnel undergoing employment screening, declaring that all information provided is truthful and complete. This may assist in legal proceedings if fraudulent information is identified. For more information see the Attorney-General’s Department’s guide to making a statutory declaration.

7.2.2 Confidentiality and non-disclosure agreement
67. Agencies should obtain a signed confidentiality agreement from all potential personnel prior to allowing access to Australian Government resources. See Annex E – Example Confidentiality/Non-disclosure Agreement.
68. In addition to common confidentiality requirements and secrecy provisions under the Crimes Act 1914 (Cth) and the Criminal Code Act 1995 (Cth), agencies should advise all personnel of any agency specific legislative requirements.

7.2.3 Conflict of interest declaration and personal interest declaration
69. There are different types of conflicts of interest. A conflict of interest can arise from financial interests, secondary employment or associations.
70. It is common practice to have all contractors complete a conflict of interest declaration prior to the commencement of a contract, or during the contract if the contractor’s circumstances change. Senior Executive Staff (SES) are also required to declare any conflict of interest. Agencies should consider, based on their risk assessment, whether all personnel, not just contractors, should complete a conflict of interest declaration. See Annex F – Example Conflict of Interest Declaration.
71. Australian Public Service (APS) employees have an obligation, under section 13 of the Public Service Act, to behave with integrity and to avoid or manage conflicts of interest in their employment. Senior Executive Staff employees are subject to a specific regime that requires them to submit to the APSC, at least annually, a written declaration of their and their immediate family’s financial and other interests that could involve a real or apparent conflict of interest. For more information see the APSC’s publication on conflict of interest.
72. Agencies should have a conflict of interest policy to guide staff on what could be perceived as a conflict of interest and when and how to report a conflict.
73. There is no standard list of what a real or potential conflict could involve.
However, the conflict of interest policy could include guidance on:

- Relationships or contacts that may pose a conflict, for example:
  - journalists
  - persons of interest to law enforcement authorities, or criminals
  - political associations, or
  - suppliers, contractors or service providers.
- Financial interests that may pose a conflict, for example:
  - real estate investments
  - shareholdings
  - trusts or nominee companies
  - company directorships or partnerships
  - other significant sources of income
  - significant liabilities
  - gifts, or
  - paid, unpaid or voluntary outside employment.

74. Agencies should consider having personnel in positions that are especially vulnerable to conflicts of interest, e.g. senior managers, complete a detailed personal interest declaration.

75. For further information see the APSC publication 'In whose interests?: Preventing and managing conflicts of interest in the APS'.

7.3 Agency specific checks

76. Agencies should identify the checks needed to mitigate additional agency personnel security risks that are not addressed by the minimum employment screening. Examples of character checks include, but are not limited to:

- drug and alcohol testing
- detailed financial probity checks, including wealth and credit checks
- psychological assessment
- agency specific questionnaires or other tests related to the industry, and
- partial or full exclusions under Part VIIC of the Crimes Act 1914 (Cth) (the Spent Convictions Scheme), relating to engagement in positions covered by specific legislation to which exemptions are given.

77. Agencies should advise potential personnel of agency specific checks that are part of the recruitment or procurement process.

7.4 Anti-discrimination and merit based selection of personnel

78. Agencies may impose requirements on potential personnel to mitigate identified risks. However, agencies should not use pre-engagement or agency specific character checks to unfairly exclude potential personnel from engagement.

79. Agencies should seek separate advice from the Australian Human Rights Commission, or independent legal advice, as to the suitability and use of any proposed agency specific checks.

7.5 Mitigating concerns raised in minimum employment checks

80. Concerns identified through employment screening should be assessed against potential mitigating factors. For further information see Annex B – Mitigating concerns raised by minimum employment checks.

81. Agencies should have policies for mitigating the risks arising when a person does not successfully meet character checks.

82. Agencies should undertake a risk assessment when a person does not successfully meet character checks to determine whether the risk can be mitigated.

83. If it is not possible to undertake a check normally required by an agency, the agency may make a risk based decision not to undertake the character check, or to undertake an alternative check.

84. The agency should record concerns, decisions to mitigate concerns or not undertake checks, and the supporting risk assessments on the person's personnel file, or for contractors on the contract file. This allows agencies to readily identify any such decisions if the personnel later transfer.

85. For further details on assessing suitability, see the Australian Government personnel security guidelines – vetting practices.

7.6 Transfers into agencies

86. Prior to finalising any transfer offers, gaining agencies should:

- seek confirmation of the checks undertaken, and the results obtained, from the losing agency, and
- undertake any additional checks required to meet agency employment and ongoing screening policies.

7.6.1 Recognition of employment screening on transfer of personnel

87. Agencies should recognise the employment screening of transferring personnel completed by other agencies in accordance with the recommended minimum standards.

88.
Agencies should screen transferring personnel where:

- the losing agency does not undertake the recommended pre-engagement screening, or
- it is necessary to meet agency specific requirements.

89. Agencies may re-screen transferring personnel where there is reasonable concern about the suitability of the individual.

90. When personnel transfer between Australian Government agencies, the losing agency should advise the receiving agency of any concerns that were mitigated as part of the employment screening process.

7.7 Recordkeeping

91. Agencies should maintain records of all personnel security checks in accordance with their agency recordkeeping policy, the Privacy Act 1988 (Cth) and the Archives Act 1983 (Cth). For further information on recordkeeping see the National Archives of Australia.

7.8 Additional information on employment and agency specific screening

92. Further information on employment and agency specific screening can be found in the following Australian Standards publications:

- AS 4811-2006: Employment Screening
- HB 323-2007: Employment Screening Handbook
- AS 8001-2008: Fraud and Corruption Control, and
- APS Conditions of engagement.

8. Ongoing suitability for employment

93. Employment screening only provides a snapshot of the person at the time of the checks. The attitudes and behaviours of personnel change over time. Agencies are to manage and assess the ongoing suitability of all personnel. The key components of managing ongoing suitability are:

- monitoring and evaluating ongoing suitability, including periodic re-assessments
- continuing security awareness training
- security incident reporting and investigation, and
- managing internal transfers.

8.1 Monitoring and evaluation of ongoing suitability for employment

94. Agencies should have processes to monitor and evaluate the ongoing suitability of personnel through:

- performance management
- periodic suitability checks and declarations
- self-reporting by personnel
- reporting of concerns by other personnel, and
- contract management.

95. Agencies should have policies and procedures that allow information about the suitability of personnel to access agency resources to be exchanged between personnel, managers, the agency human resources management area and the Agency Security Adviser (ASA).

96. For information on personnel indicators of concern see:

- Managing the Trusted Insider Threat to Your Business—A personnel security handbook, and
- Australian Government protective security better practice guide—Identifying and managing people of security concern.

8.1.1 Personnel security in performance management

97. Agency performance management programs provide an avenue for managers to assess and report on the performance of their personnel. Agencies should base the personnel security component of their performance management program on their personnel security risk assessments.

98. Agency performance assessments should identify personnel who display behavioural concerns, including disregard for agency security policies and procedures.

99. Poor performance is one of the key indicators that a person may be disaffected and a potential security concern.

100. High performers, i.e. people who regularly stay late or work outside normal hours, may also be of concern, as their access to sensitive information or valuable assets has little supervision.

101. Information on performance issues provided by managers to agency human resources areas may indicate other personal issues that can lead to security concerns, e.g. alcohol or drug abuse, or financial difficulties.

102. Agencies should include in their annual performance appraisals confirmation:

- by the individual that they have reported any changes of circumstances, such as:
  - changes to details provided in initial or ongoing suitability checks, e.g. criminal charges
  - inappropriate contacts or contacts of concern, and
  - real or perceived conflicts of interest
- by the manager that there are no unreported security concerns about the individual.

103. Agencies should undertake additional screening checks to address any concerns identified in the annual performance appraisal.

8.1.2 Periodic suitability checks and declarations

104. As part of an agency's personnel security risk assessment, agencies should identify the periodic checks required to confirm a person's ongoing suitability to access agency resources.

105. Agencies should determine the frequency of periodic checks based on the risks related to the agency, the specific work area and, if appropriate, the specific role. Checks may include:

- Police records checks – As the Spent Convictions Scheme applies to convictions more than ten years old, agencies should undertake police records checks at least every ten years. The frequency may be increased for high-risk positions or personnel.
- Financial checks – Where an agency's risk assessment deems that personnel need a level of financial assurance, agencies should undertake periodic financial screening of personnel.
- Confirmation of personal particulars – Agencies should periodically update the personal particulars of their personnel. This could include:
  - updating residential address history
  - verifying any new qualifications claimed, and
  - updating employment history for contractors.
- Confirming adherence to, or completion of, any engagement conditions – Agencies should confirm that any conditions placed on an initial or continuing engagement are met within the timeframes specified, e.g. gaining Australian citizenship.
- Other agency specific checks – Agencies should periodically re-check personnel who are in positions subject to any agency specific pre-engagement checks.
- Conflict of interest declaration – Agencies should periodically reconfirm with personnel that changes in their circumstances have not put them into positions of real or perceived conflict of interest. APS employees have an obligation under section 13 of the Public Service Act 1999 (Cth) to disclose, and take reasonable steps to avoid, any real or apparent conflict of interest.
- Confidentiality agreement – Agencies should periodically seek new confidentiality or non-disclosure agreements. This serves to remind personnel of their ongoing confidentiality obligations.

8.1.3 Additional checks for senior office holders

106. Holders of high impact positions, e.g. senior managers, ICT system administrators, contract managers and financial management personnel, have the potential to cause greater harm to agencies. Therefore, agencies should consider whether senior office holders should undergo more frequent or more detailed periodic checking.

107. All agency heads and SES officers employed under the Public Service Act 1999 (Cth) are required, by decision of government, to submit at least annually a written declaration of their, and their immediate family's, financial and other interests that could involve a real or apparent conflict of interest. SES employees submit their declarations to their agency head, and agency heads to their minister. Additionally, under sections 25 to 28 of the Public Governance, Performance and Accountability Act 2013 (Cth), directors and officials have a duty to disclose all material personal interests that relate to the affairs of the entity or company.

108. Agencies should implement a similar regime that requires agency heads, SES employees, directors and officials to submit the same or a similar declaration to the ASA.
The ASA should forward the information to the vetting agency if there is a change of circumstances. This ensures vetting agencies are aware of any change of circumstances since the clearance was issued.

109. An example of what should be covered in the declaration can be found at Annex F – Example conflict of interest declaration.

8.2 Security awareness training

110. Security awareness training is an important element of protective security. It supports physical, information and personnel security measures, as well as informing staff of their governance requirements.

111. Security awareness training effectively communicates appropriate security behaviours, individual responsibilities and agency security policies. Agencies should use their security risk assessment to identify the areas to be included in their security awareness training program.

112. Security awareness training is ongoing and is provided by all agencies to:

- provide personal safety awareness, and
- address agency specific security risks.

113. Agencies should follow up training with strong, visible enforcement.

114. This section supports, and should be read in conjunction with:

- PSPF—Governance—Developing a Culture of Security
- Australian Government Personnel Security Protocol
- Australian Government information security management core policy, and
- Australian Government physical security management core policy.

8.2.1 Security awareness training

115. Agencies are to provide security awareness training (GOV1 of the PSPF) to all of their employees and contractors based in agency facilities, as well as targeted training to personnel in high-risk positions. High-risk employees include those who:

- are involved in sensitive or priority negotiations or policy work
- have access to valuable or attractive assets
- work remotely or in dangerous conditions, or
- are required to liaise with foreign officials, or regularly share information with foreign officials.

116. Additionally, holders of NV and PV clearances should be provided with security awareness training yearly to reinforce the clearance holder's information security responsibilities. Baseline clearance holders should be provided with security awareness training at least every five years as a condition of revalidation of the clearance.

8.2.2 Delivery of security awareness training

117. Agencies should:

- include security awareness in their induction programs
- provide regular, ongoing security awareness training to personnel who require access to official resources
- develop specialist training as required to meet agency specific risks, and
- provide targeted security awareness training when the agency has an increased or changed threat environment.

8.2.3 Content of security awareness training

118. Agencies are to determine the specific security training required by their personnel. This may include, but is not limited to:

- agency specific risks, policies and procedures
- personal safety measures
- asset protection
- protection of official information
- reporting requirements, and
- if relevant, an individual's security clearance responsibilities; for further information see section 13 Ongoing security clearance maintenance.

8.2.4 Agency specific risks, policies and procedures

119. Agencies identify specific risks, and countermeasures, as part of their risk reviews and policies. Agencies should inform personnel of:

- the protective security policies and procedures operating in their area
- the risks the policies and procedures are designed to mitigate, and
- the roles and responsibilities of personnel in relation to the policies and procedures.

8.2.5 Personal safety measures

120. Agencies have a responsibility to protect employees and visitors. For further information see the Work Health and Safety Act 2011 (Cth).

121. It is recommended that agencies develop a safety handbook for all personnel.
The handbook should include emergency response guidelines and contacts, as well as agency specific safety requirements and procedures.

122. Agencies with heightened risks from the public and/or clients should provide their personnel with information about agency safety measures. These agencies should also hold regular safety exercises and drills.

123. Personnel with specific emergency safety or security roles should receive regular training, as well as participate in exercises to confirm their ongoing competency. See:

- AS 3745-2002: Emergency control organisation and procedures for buildings, structures and workplaces, and
- HB 328-2009: Mailroom security.

8.2.6 Asset protection

124. Agencies should provide advice to personnel on agency specific asset management and loss reporting procedures before they take custody of assets. This should include agency fraud control measures.

125. For further information see:

- RMG 201 – Preventing, detecting and dealing with fraud
- Public Governance, Performance and Accountability Act 2013 (Cth)
- AS 8001-2008: Fraud and corruption control.

8.2.7 Protection of Australian Government resources

126. Agencies should advise all personnel, regardless of level or security clearance, of the harm caused by the compromise of security classified resources handled in their workplace, and of the ways in which those resources might be vulnerable to compromise or misuse.

127. Agencies should provide employees with training on agency specific information management procedures, including agency ICT system security classifications and Dissemination Limiting Markers.

128. When agencies have diverse programs with different information security requirements, each program area should advise its personnel of the marking and handling requirements for the resources they possess or develop, whether security classified or not.

8.2.8 Reporting requirements

129. Agencies should provide all personnel with advice on:

- ongoing suspicious contact reporting, including the Contact Reporting Scheme
- reporting changes in circumstances that might affect the person's suitability to access Australian Government resources
- fraud reporting procedures
- reporting concerns about other members of staff, and
- any other agency specific reporting requirements, including public interest disclosure (whistleblowing) under the Public Interest Disclosure Act 2013 (Cth).

130. For further information on reporting requirements see section 14.3 – Australian Government Contact Reporting Scheme.

131. Agencies can develop security awareness through:

- campaigns that address the ongoing needs of the agency and the specific needs of sensitive areas, activities or periods of time
- security instructions and reminders via publications, electronic bulletins and visual displays such as posters
- protective security-related questions in staff selection interviews
- drills and exercises, and
- inclusion of security attitudes and performance in the agency performance management program.

132. Agencies should seek guidance from their Portfolio Department on developing security awareness training programs.

133. Agencies should use a Registered Training Organisation (RTO) if training is outsourced. RTOs are accredited training providers that offer courses through the Australian Quality Training Framework. A list of RTOs is available from www.training.gov.au.

8.3 Security incident reporting and investigation

8.3.1 Reporting requirements

134. Agencies should provide employees with a list of key agency reporting contacts. For further information see PSPF—Governance—Protective security investigations. It is recommended that the list of reporting contacts be included in the employee safety handbook.

135.
The contacts list could also cover, but is not limited to, how and when to report:

- suspicious behaviours
- threatening behaviours, including letters, bomb threats and phone calls
- broken ICT and security equipment
- security infringements and breaches
- fraud or suspected fraud
- full secure waste bins, and
- lost credit cards.

136. Reporting guidelines should also include any agency specific public interest disclosure (whistleblowing) provisions.

8.3.2 Investigating incidents

137. For details on undertaking investigations see PSPF—Governance—Protective security investigations.

8.4 Internal transfers

138. Agencies should confirm that all employment, agency specific character and periodic checks required for a new position are complete before confirming any internal transfer.

9. Agency actions on separation of personnel or those on extended leave

140. Agencies need to consider the risks to the ongoing confidentiality, integrity and availability of their resources posed by personnel who are terminating their employment or taking long term leave. Agencies should have policies and procedures in place for the management of personnel ceasing their employment or taking extended leave.

141. If an agency divides the responsibilities for the management and implementation of the separation or termination of personnel between different areas within the agency, the agency should include in its separation policies how the process is coordinated, so that procedures are uniformly applied and necessary steps are not missed. Agencies should develop a separation checklist to ensure that no areas are missed.

9.1 Separation of staff

142. Prior to separation, agencies should:

- as part of the agency's exit procedures, confirm with the employee their ongoing confidentiality requirements, including the use of intellectual property
- where a security clearance is held, inform the vetting agency of the employee's cessation, including whether there are any outstanding issues of a protective security nature
- consider conducting an audit to determine whether the employee has forwarded any proprietary information without approval (particularly when an employee is moving into a private sector position)
- retrieve ICT equipment or physical assets issued to the employee, in particular any portable devices, and
- recover any corporate credit cards.

143. Upon separation, agencies should have procedures in place to:

- change any shared account passwords that were known by the employee
- remove access to agency ICT systems, including any special access arrangements, and have processes in place to cancel that access (for example: administrator access, TS networks, ASNET)
- disable any remote access to the ICT systems, including email and telephone voicemail
- remind remaining staff of their responsibility to report any contact by previous employees with a suspicious, persistent or unusual interest in their work or that of the agency in general
- revoke physical access to facilities and retrieve keys and/or access cards, and
- change any combinations of locks, e.g. doors, safes or security containers, to which the staff member had access.

144. Where agencies allow the transfer of ownership of ICT equipment to the separating employee, or where agencies allow the use of personal devices for work purposes, agencies should consider the following steps prior to transferring ownership:

- archive any business related documents in accordance with agency records management policies
- remove all agency information
- remove all agency software applications, and
- if necessary, erase the entire content of the device's hard drive.
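The separation steps above are, in practice, a reconciliation between the leaver and the agency's access inventories: accounts, remote and privileged access, shared secrets, access cards and issued assets. The following Python is an added example and is not part of the guidelines or any agency's tooling; the inventory layout, the system names (corp-ad, finance-db), the person identifiers and the card and asset tags are all constructed for illustration. It derives the outstanding actions for a leaver, lists privileged and remote access first, treats shared secrets (shared account passwords and lock combinations) as needing rotation whenever the leaver knows them rather than only when the leaver owns them, and re-runs the same check after the steps are applied so that an empty result is the evidence that the checklist is complete.

```python
"""Offboarding reconciliation for the separation checklist.

Added example, not part of the guidelines: the inventory layout, system names,
person identifiers and card/asset tags below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class Account:
    system: str
    owner: str
    remote_access: bool = False   # VPN, webmail, voicemail and similar
    privileged: bool = False      # administrator or other special access
    active: bool = True


@dataclass
class SharedSecret:
    """A shared account password or a lock combination, tracked by who knows it."""
    name: str
    known_by: set
    last_rotated: str             # ISO date of the last rotation


@dataclass
class Inventory:
    accounts: list
    shared_secrets: list
    access_cards: dict            # person -> set of card ids still issued
    assets: dict                  # person -> set of asset tags still issued


def separation_actions(person, inv):
    """Return the separation steps still outstanding for `person`.

    Privileged and remote access, and any shared secret the leaver knows,
    are listed first: they are the routes a departed person could still use
    without being on the premises. Shared secrets are flagged on knowledge,
    not ownership, because knowledge is what lets them be used."""
    urgent, routine = [], []
    for acct in inv.accounts:
        if acct.owner != person or not acct.active:
            continue
        target = urgent if (acct.privileged or acct.remote_access) else routine
        target.append(f"disable account on {acct.system}")
    for secret in inv.shared_secrets:
        if person in secret.known_by:
            urgent.append(f"rotate shared secret '{secret.name}'")
    for card in sorted(inv.access_cards.get(person, ())):
        routine.append(f"retrieve and revoke access card {card}")
    for tag in sorted(inv.assets.get(person, ())):
        routine.append(f"recover asset {tag}")
    return urgent + routine


def apply_separation(person, inv, today):
    """Record the steps as done and update the inventory to match.

    Returns the list of steps that were outstanding when called, so the
    record can go on the personnel or contract file."""
    done = separation_actions(person, inv)
    for acct in inv.accounts:
        if acct.owner == person:
            acct.active = False
    for secret in inv.shared_secrets:
        if person in secret.known_by:
            secret.known_by.discard(person)   # rotated: the leaver no longer knows it
            secret.last_rotated = today
    inv.access_cards.pop(person, None)
    inv.assets.pop(person, None)
    return done


def separation_complete(person, inv):
    """True only when a fresh reconciliation finds nothing outstanding."""
    return separation_actions(person, inv) == []


def build_sample_inventory():
    """Constructed sample data: two staff, one leaver (jsmith)."""
    return Inventory(
        accounts=[
            Account("corp-ad", "jsmith", remote_access=True),
            Account("finance-db", "jsmith", privileged=True),
            Account("corp-ad", "alee"),
        ],
        shared_secrets=[
            SharedSecret("safe-combination-room-3", {"jsmith", "alee"}, "2014-01-06"),
            SharedSecret("ops-service-account", {"alee", "bkhan"}, "2014-03-03"),
        ],
        access_cards={"jsmith": {"C-1042"}, "alee": {"C-1107"}},
        assets={"jsmith": {"LAPTOP-0331", "TOKEN-77"}},
    )


if __name__ == "__main__":
    inventory = build_sample_inventory()
    for step in separation_actions("jsmith", inventory):
        print("TODO:", step)
    apply_separation("jsmith", inventory, "2015-04-01")
    print("complete:", separation_complete("jsmith", inventory))
```

The point of running `separation_actions` again after `apply_separation` is that completion is measured against the inventories, not against the checklist having been ticked: a shared combination rotated for one leaver is still known by the remaining holders and will correctly reappear on their own separation lists later.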
9.2 Actions where normal separation procedures are not possible

145. Agencies should conduct a risk assessment where it is not possible to undertake normal separation procedures, e.g. for personnel who work remotely or from home, personnel who suffer significant injury or illness and cannot continue working, personnel who separate while on leave, or personnel who refuse to undergo separation processes.

146. Agencies should base any actions to limit access to information or recover assets on a risk review.

9.3 Staff on extended leave

147. Where personnel are planning extended leave of three months or longer, agencies should:

- remind employees on extended leave of their ongoing confidentiality obligations
- appropriately brief personnel travelling overseas to make them aware of their responsibilities, including their requirement to report any suspicious, persistent or unusual foreign contact
- consider and manage any security issues before extended leave is approved, particularly if the employee is assessed as likely to decide, while on leave, not to return, and
- where agency policies allow the use of out-of-office messaging, have the employee set out-of-office email and voicemail advice with alternate contact details, or forward emails and telephones to an alternate officer, prior to the start of their leave.

9.4 Special considerations when employment is terminated

148. Agency human resource managers are to advise their ASA and IT security adviser (ITSA) of any proposed terminations of employment due to conduct concerns.

149. Agencies should base any personnel security measures for staff whose employment has been terminated on a risk assessment. Options for high risk personnel may include:

- immediate suspension of duties
- immediate removal of all access to agency systems and facilities, or
- escorting the person from the premises.

9.5 Transfers out of agencies

150. Agencies should make the results of any pre-engagement or periodic checking available to gaining agencies prior to personnel transferring from their agency, unless the checks are undertaken under specific agency legislative requirements and cannot be shared, e.g. partial or full exclusion police records checks.

151. Agencies should advise the gaining agency of any exceptions given to agency screening checks and any conditions placed on personnel as a result of the checks undertaken.

9.6 Additional requirements for contractors

152. Contractors may pose an increased risk to agencies, as agencies have little oversight of personnel security measures within contractor organisations.

153. In addition to normal agency pre-engagement and periodic screening requirements, agencies should:

- undertake a specific risk assessment for each contract to identify any additional screening required to mitigate the increased risk of outsourcing functions
- consider increasing the frequency of screening checks for contractors, and
- include any specific personnel security requirements in tender and contract documents.

For further information see the Australian Government protective security governance guidelines—Security of outsourced services and functions.

9.6.1 Separation of contractors

154. Agencies should include any separation requirements for contractors in their tender documentation and contracts. This should include any applicable separation arrangements for employees identified in section 14.4 – Separation of staff.

155. Agencies should continually review and monitor all contracts and contractors, and include in all contracts a requirement for contracted service providers to advise the agency whenever the provider changes the staff servicing the agency's contracts. This is particularly important for contractor personnel who are terminated for conduct issues.

9.6.2 Actions at the end of a contract

156.
Agencies should determine, prior to entering into a contract, how the agency will exit the contract. In addition to any personnel security measures for contractor personnel at the end of a contract, agencies should:

- consider the ongoing confidentiality of agency information, including the protection of agency intellectual property (as well as protection of contractor intellectual property)
- ensure the return of any agency assets required for the contract
- disable any special ICT access (particularly if the contractor was engaged in an administrator role) and consider any ICT system sanitisation
- change any shared account passwords that were known by the contractor
- remove contractor access to agency ICT systems
- disable any remote access to the ICT systems, including email and telephone voicemail
- revoke physical access to facilities and retrieve keys and/or access cards, and
- change any combinations of locks, e.g. doors, safes or security containers, to which the contractor had access.

157. For further information see the Australian Government protective security governance guidelines—Security of outsourced services and functions.

10. Temporary access

158. Temporary access allows limited, supervised access to security classified resources.

10.1 Temporary access risk assessments

159. Agencies are to base any decision to approve temporary access on a detailed risk assessment.

160. Agencies should develop their own risk assessment template.
As a minimum the assessment should include:

- details of the need for temporary access, including why the role cannot be performed by a person with a clearance at the appropriate level
- confirmation from the vetting agency that the person has no:
  - previously identified security concerns
  - cancelled or denied clearance, or
  - history of temporary access and incomplete clearance processes
- details of the type and level of information that could be accessed by the person, and any potential impact of compromise of this information
- confirmation that third parties who provide information that the person may access have been consulted
- details on how access to classified information is to be controlled, so that it is limited to only that needed to meet the reason for temporary access
- details on how access to caveat or codeword information is to be prevented
- an assessment of any potential conflicts of interest
- details of any mitigating factors, such as pre-engagement screening, agency specific character checks and existing lower level security clearances, and
- an undertaking by the person to protect official information; see Annex E – Example confidentiality / non-disclosure agreement.

11. Agency security clearance requirements

11.1 Determining the need for a security clearance

161. The government expects agencies to limit the number of people who require clearances.

162. Clearances may be required to:

- meet minimum requirements for agency ICT systems
- access specific areas of agency facilities
- access specific security classified information
- meet specific compartment briefing requirements, or
- provide a level of assurance.

163. An agency's decision on the level of assurance it requires should be linked to the agency's risk assessment.

11.2 Identifying and recording positions requiring security clearances

164. Agencies are to maintain a register of positions that require a clearance.
Before advertising a position, agencies are to identify:

- whether the position requires a security clearance
- the level of clearance required
- whether the clearance is for access to security classified information or to give a level of assurance, and
- when the requirement for a security clearance will be reassessed.

165. Agencies should periodically reassess the clearance requirement for positions, at least each time the position becomes vacant and before it is advertised.

11.3 Getting a security clearance

166. Identified vetting agencies conduct security vetting for the Commonwealth Government. The Australian Government Security Vetting Agency (AGSVA) provides security vetting services to most Australian Government agencies.

167. Australian citizenship is a condition of eligibility for security clearances. Under certain conditions an agency head may waive this requirement if the risks can be otherwise mitigated. For further information see section 11.4 – Evidence of Australian citizenship for security clearances.

168. Personnel who agree to undertake the security clearance process for the purposes of gaining employment, transferring or promotion into a position, securing a service provision contract, or completing additional tasks within an existing position, are to:

- disclose all relevant and required information
- co-operate in the collection of personal documents and corroborating evidence
- answer questions fully and honestly, and
- provide accurate information and personal documents.

11.3.1 What documents do personnel need to provide, and why?

169. Vetting agencies need a number of documents to confirm identity and background.

170. If any gaps or anomalies are identified from the information and documents a clearance subject provides, the vetting agency may request additional documents. The vetting agency will be able to provide justification at the time of the request.

11.4 Evidence of Australian citizenship for security clearances

171. Australian citizenship is a condition of eligibility for security clearances, unless in exceptional circumstances the agency head has waived this requirement.

172. Agencies, or for contractors AGSVA, are required to verify that a clearance subject is an Australian citizen as part of the vetting process, unless a citizenship waiver has been granted.

173. Australian citizenship is also generally a requirement for employment in the Australian Public Service. For further information on conditions of engagement refer to the APSC publication Citizenship in the Australian Public Service.

11.4.1 Qualifying for Australian citizenship

174. Most people born in Australia prior to 20 August 1986 are Australian citizens by birth, unless one parent was a foreign diplomat. For people born prior to this date, an Australian birth certificate can be taken as evidence of Australian citizenship.

175. Australian citizenship is afforded if the individual:

- was previously issued with an Australian citizenship certificate (this includes children who are on a parent's citizenship certificate)
- was born in Australia and acquired Australian citizenship
- was born in Australia after 1986 and one responsible parent was a permanent resident or Australian citizen
- was born in Australia after 1986 and spent the first 10 years of their life in Australia
- was adopted in Australia and acquired Australian citizenship
- was born in the former Australian Territory of Papua before 16 September 1975 and acquired Australian citizenship, or
- was born outside Australia before 26 January 1949 and acquired Australian citizenship.

176. The Department of Immigration and Border Protection (DIBP) is the agency responsible for determining a person's Australian citizenship status. If there is any doubt about your Australian citizenship status, you should contact DIBP. Further information is available at www.citizenship.gov.au.

177.
See Annex A – Proof of Australian Citizenship for further information on what is required as evidence of citizenship.

11.5 Merit based selection of personnel requiring security clearances

178. Personnel cannot gain a security clearance unless they are expected to be engaged in roles requiring security clearances. Therefore, it is not reasonable to expect potential personnel to hold security clearances prior to being selected for these roles.

179. Selection based on existing clearance status is, therefore, not merit based and may be contrary to agencies' enabling legislation, e.g. the Public Service Act 1999 (Cth).

180. Agencies, or their contracted service providers, should not discriminate against potential personnel who are not holders of a current security clearance where they indicate a willingness and ability to gain a clearance prior to engagement.

181. Agencies should only limit selection to cleared personnel in exceptional circumstances, such as when filling the position is time critical to the agency meeting its objectives. Agencies should document the reasons for limited selections.

12. Eligibility waivers

182. An agency head's decision to waive an eligibility requirement is to be made on the written advice of the agency's security executive and/or security adviser, following a thorough analysis of the risks to the Australian Government and the possible impact on the National Interest of granting the waiver.

183. The submission of a waiver does not guarantee that the vetting agency will be able to proceed with a clearance request.

184. Vetting agencies may not accept requests for clearances subject to waivers if the vetting agency:

- cannot undertake the required checks to establish eligibility, or
- determines that there are issues that cannot be mitigated which would preclude the clearance being granted.

185. Agencies should advise individuals subject to an eligibility waiver of the importance of reporting changes of circumstances.
If individuals do not report changes of circumstance to their sponsoring and vetting agency, they are self-managing risks that may arise from those changes. There is a tendency for individuals to underestimate risk as it applies to them, leading to poor decision-making that tends to favour or benefit the person making the decision. Reporting changes allows sponsoring and vetting agencies to assess and manage possible risks, rather than the individual. 186. Agencies are to report details of clearance holders with waivers in their annual PSPF compliance reports. 12.1 Exceptional circumstances for eligibility waivers 187. Agency heads are to only grant a waiver in exceptional circumstances where: the exception is critical to the agency meeting its outcomes, and the risks to any affected agency can be mitigated or managed. 188. Exceptional circumstances will vary from agency to agency and may include: the person is necessary to the agency meeting a critical objective, and the role cannot be redesigned so that access to classified information or resources is restricted to existing personnel with the appropriate clearance. 189. Additionally for non-Australian citizens: the role cannot be performed by an Australian citizen, and there is no conflict of interest in relation to the person's country of allegiance and the role being undertaken, or the foreign national is a permanent resident, is actively seeking citizenship and the process will be concluded in a reasonable period. 12.2 Eligibility waiver risk assessments 12.2.1 Non-Australian citizen 190 If an agency head determines that there are exceptional circumstances and a citizenship waiver is required, the citizenship waiver request should be submitted with the request for a security clearance. 29 191 Agencies should bear in mind that even if a citizenship waiver is accepted by the vetting agency, the clearance subject may later be found to have an uncheckable background, and be deemed ineligible on this basis. 
If this is the case, the vetting agency will consult with the requesting agency and discuss how or whether the request for a clearance may proceed. 192 Acceptance of a citizenship waiver does not mean that a clearance will be granted; it simply allows the vetting agency to proceed with an assessment of suitability. 190. The sponsoring agency’s waiver assessment for non-Australian citizens should: include details of the exceptional circumstances that precludes the position being filled by an Australian citizen include the person’s visa status and whether they are, or plan to, actively seeking Australian citizenship (one of the personal factors is loyalty to Australia) consider the threat assessment from ASIO on the clearance subject’s country(ies) of citizenship detail the agency’s plan to ensure the clearance subject does not access ‘Australian Eyes Only’ (AUSTEO) or third country ‘EYES ONLY’ material consult with third parties whose information may be accessed (either foreign or other Australian agencies) and, in the case of foreign agencies, obtain agreement – unless there is an existing bilateral agreement in place allowing the information exchange for TOP SECRET information consult with the originating or controlling agency on a case by case basis, and gain their specific approval, and confirm the date of issue of the waiver and the length of time it is to apply. 191. Vetting agencies will not be able to complete a clearance for a non-Australian citizen if there are other unresolved concerns about the clearance subject—e.g., an uncheckable background. 12.2.2 Uncheckable background 192. Vetting agencies will not be able to complete a clearance if they cannot make an assessment against the whole person. Vetting agencies will make a case-by-case assessment of what constitutes an uncheckable background as this will vary depending of the clearance subject’s individual circumstances. 
However, long periods of uncheckable background may prevent a clearance being assessed. 193. Time spent outside of Australia during the checkable period represents a risk to the Australian Government, as the activities and associations of individuals outside of Australia are generally significantly less checkable or ascertainable than activities and associations within Australia. 194. The vetting agency is unlikely to be able to assess a clearance subject’s loyalty or allegiance to Australia if the clearance subject is not an Australian citizen and has not resided in Australia for the majority of the checkable period. 195. If the majority of the required vetting checks are unable to be made in Australia, or with Australian citizens, the clearance subject is unlikely to be assessed as having a checkable background. 196. A determination by a vetting agency that an individual is ineligible as a result of their having an uncheckable background does not preclude an agency from sponsoring the individual for a security clearance at a later date. If an individual is later able to demonstrate stronger and more enduring ties to Australia, and enough reliable, credible information is available to the vetting agency to allow it to conduct a full assessment of suitability in accordance with the requirements of the Adjudicative Guidelines, the individual may then be determined to be eligible. 30 197. Where a vetting agency identifies that an individual has spent a period of time outside of Australia during the checkable period, the vetting agency will ask the sponsoring agency to submit an eligibility waiver. The vetting agency will provide the agency with an assessment of likely risk to inform the agency’s own assessment of whether it may be appropriate to grant an eligibility waiver. 198. The vetting agency can proceed with consideration of an assessment of suitability only after an eligibility waiver is received from the sponsoring agency. 199. 
The sponsoring agency is to then undertake a waiver assessment that: includes details of the uncheckable background and assessment of the impact of the period of uncheckability against the whole person considers potential conflicts of interest confirms from the vetting agency that there are no known concerns about the individual consults with third parties who provide information that the person may access, and confirms the date of issue of the waiver and the length of time it is to apply. 200. The vetting agency may still deny a clearance on suitability grounds where there are significant concerns, including the eligibility condition that was waived, that cannot be mitigated. 31 201. 14. Ongoing security clearance maintenance 202. Some clearances are granted subject to specific aftercare requirements. If so the clearance subject will be advised at the time their clearance is granted. 203. All clearances are required to be revalidated at regular intervals. The interval is dependent on the level of the clearance. AGSVA will advise the clearance subject when their revalidation is due. 204. If personnel have a change in personal circumstances, the changes may affect their security clearance. All changes are to be reported. For further information see section 14.2 - Reporting changes in circumstances. 32 15. Agency responsibilities for active monitoring of clearance holders 205. The granting of a security clearance provides a snapshot of the person at the time of the completion of that clearance. The attitudes and behaviours of personnel will change over time. 206. In addition to the general ongoing suitability for employment requirements identified in Section 8 - Ongoing suitability for employment, the following additional suitability checks apply to security clearance holders. 207. Agencies are to manage and assess ongoing suitability of all personnel. 
The key components of managing ongoing suitability are: continuing security awareness training monitoring and evaluating ongoing suitability, including periodic re-assessments security incident reporting and investigation, and managing personnel transfers. 208. This section covers: annual health checks (annual appraisal of security awareness) reporting changes of circumstance contact reporting under the Australian Government Contact Reporting Scheme extended leave, and special requirements for managing contractors. 14.1 Annual health check 209. The annual health check provides an avenue for managers to assess and report on their staffs performance and personnel security concerns. Annual health checks help identify personnel who display behavioural concerns including disregard for agency security policies and procedures. 210. Information on performance issues provided by managers to agency human resources areas may indicate other personal issues that can lead to security concerns—e.g., alcohol or drug abuse, financial difficulties. 211. Agencies could include this as part of their annual performance management process. 212. When having the conversation with their staff, managers should consider any changes in employee’s behaviour (and consider whether it should be reported). For example: unexplained changes in an employee’s personal circumstances (sudden and unexplained wealth or financial hardship) inappropriate interest in classified information (i.e. where the ‘need-to-know’ principle is not met) employee seems under considerable stress decline in work performance, or 33 unusual hours of work inconsistent with the role. 213. Agencies should ensure contractors are aware of their protective security obligations and act accordingly. 214. See Annex I – Annual Health Check Conversation Guide for the annual health check conversation guide. 14.2 Reporting change of circumstances 14.2.1 The importance of reporting changes in personal circumstances 215. 
Vetting agencies grant security clearances after careful consideration of the whole of person. Some changes in circumstances may affect a person’s ongoing suitability to hold a clearance. 216. Agencies should recognise that changes in circumstance can result in a range of things. Some changes in circumstance may: increase a person’s vulnerability to coercion, or lead to deliberate breaches of security, fraud or corruption, or be used by foreign governments, commercial organisations; issue motivated groups, criminal organisations or others to induce personnel into providing information or goods belonging to the Government. 217. Agencies need to be aware of these changes in order to provide support to their staff. Reporting changes in circumstances can prevent smaller issues from becoming larger problems. 14.2.2 Who should report changes of circumstances 218. Agencies are responsible for the ongoing clearance maintenance of their personnel and ensuring that all personnel are suitable to access Australian Government Resources. 219. Agencies are to require all personnel who hold security clearances to report changes in personal circumstances, to their ASA or personnel responsible for security clearance maintenance (e.g. the security function may reside in the Human Resources area of some agencies). 220. Agencies should identify the area within an agency where clearance subjects should report any change in circumstances. 221. Clearance subjects reporting requirements should be included as part of an agencies security awareness training. 222. ASA’s are to report any changes in circumstances to the vetting agency. 223. Additionally, personnel should report significant changes in circumstance relating to other individuals where they feel it may impact on agency security to their managers or agency security staff. 
This includes: managers, including contract managers, reporting any concerns with personnel they manage co-workers reporting concerns about people with whom they work, and personnel reporting concerns about their managers. 224. Clearance holders should also advise managers and/or senior managers within the line areas of significant changes in circumstances to assist in mitigating possible ‘Conflicts of Interest’. 225. Managers should report changes in circumstances relating to their personnel to their agency security section regardless of whether they believe changes have been notified by the clearance holder to their agency security section. 34 14.2.3 What to report 226. Clearance holders and supervisors are to report the following changes in circumstances. This list is not exhaustive; if personnel are uncertain whether the information is relevant, they should report it to their manager or ASA. Change of name/identity (gender): the clearance holder is to provide a copy of the change of name certificate or relevant documentation. Changes in significant relationships: for example entering into or out of a relationship. Changes in address: including changes to share house arrangements, for example new roommates. Entering into, or ceasing, a relationship (marriage, civil union or defacto relationship): The clearance holder should provide a copy of the Marriage Certificate/ decree nisi to the vetting agency, which will update the clearance holder’s Personal Security File. Changes in citizenship or nationality: a clearance holder who assumes foreign citizenship, by either renouncing their Australian citizenship or attaining dual citizenship may raise concerns over their loyalty to Australia. Personnel who obtain Australian citizenship should also advise their sponsoring agency and the vetting agency. The waiver for citizenship can be concluded and any conditions on the clearance relating to citizenship removed. 
Changes in financial circumstances: changes in financial circumstances may include, but are not limited to receipt or the giving of large amounts of money, significant increases in debt, new financial associations, financial hardship and bankruptcy. Generally, this equates to plus or minus $10,000 in each instance, which is the threshold for Austrac reporting. This will ensure that a person’s lifestyle is consistent with earnings. Additionally, agencies need to consider the impact of online currency (i.e. Bitcoin), family trusts and personal businesses. Changes in health or medical circumstances: changes in health or medical circumstances can lead to financial and personal stress or increase vulnerability; e.g., the use of some prescription drugs may have adverse effects on a clearance holder’s ability to determine when not to disclose information. Changes in criminal history, police involvement and association with criminal activity: this includes any criminal charges laid convictions of an offence, good behavior bonds/orders, cautions and community service. Deliberate involvement in criminal activity indicates questionable honesty, judgment and integrity. Involvement or association with any individual, group, society or organisation: these could include criminal organisations (e.g. Outlaw Motorcycle Gangs), extreme political parties (declared/proscribed organisations) or foreign owned businesses. Disciplinary procedures: professional misconduct proceedings (code of conduct) and deregistration from a professional body. Security incidents: clearance holders and managers should report all security incidents. A history of incidents (major or minor) may bring into question a clearance holder’s suitability to retain access to agency resources. Drug or alcohol problems: any dependency on drugs, whether legal or illegal, or alcohol can affect a person’s judgment. Illegal drug use may also make a person susceptible to influence by criminal organisations. 
35 Any other significant changes in circumstance: examples of significant changes in circumstance include a major change of religious faith, political ideology or other life changes. Residence in, or visits to, foreign countries: clearance holders should report residence in, or visits to, foreign countries in accordance with the Agency’s security plan. These countries may vary dependent on the clearance holder’s role and his or her agency’s responsibilities. Agency security staff will assess the travel based on ASIO’s advice relating to countries of significance. Agencies will then notify the Vetting Agency where they hold security concerns, especially relating to visits to countries of significance. Relatives residing in foreign countries of security significance: changes to the clearance holder’s close relatives’ country of residence overseas may be significant (i.e. immediate family or relatives with whom the clearance subject has regular contact). Agency security staff will then notify the Vetting Agency where they hold security concerns, especially relating to visits to countries of significance. Suspicious, persistent or unusual contacts: All suspicious, persistent or unusual contacts, including those from Australian nationals, should be reported through the Contact Reporting Scheme administered by ASIO, especially if the clearance holder is concerned about questions asked, or information requested by, a foreign entity or individual. For further information see section 14 .3 – Australian Government Contact Reporting Scheme. 14.2.4 Managing and assessing changes in circumstances 227. Agencies should consider any risk as a result of a clearance holder’s changes in circumstances and any action that may need to be taken to mitigate the risk. 228. 
When the clearance holder, the sponsoring agency or a third party notifies a change of circumstance the vetting agency will assess the change in circumstance to determine its significance and update the Personal Security File with details of the change in circumstance and advise the sponsoring agency. 229. Potential concerns, as a result of changes in circumstances, may require: review for cause code of conduct investigations, security investigation, or criminal investigation. 230. Where an allegation of security concern is received an investigation by the sponsoring agency or the vetting agency should validate the report. Agencies need to ensure that they do not prejudice the person in question, as some claims can be malicious. For further information see the Australian Privacy Principle - 10. 231. Where the change will significantly affect the sponsoring agency or the National Interest, the vetting agency can initiate a review for cause of the clearance. The vetting agency will notify the sponsoring agency to allow it to manage the risk. 232. A review for cause may entail an investigation into specific changes of circumstances or a full revalidation. 233. If the vetting agency is satisfied that the clearance subject remains suitable to retain a clearance at the particular level, the clearance will continue. 234. After conducting the review the vetting agency will notify the sponsoring agency and the clearance holder of the results. 36 235. If a clearance becomes inactive or is denied the vetting agency will notify the sponsoring agency and the clearance holder of the rights for a review of the decision. 14.3 Australian Government Contact Reporting Scheme 236. ASIO manages the Australian Government Contact Reporting Scheme. The Scheme assists ASIO to identify activity directed against Australia and its interests including people who hold an Australian Government security clearance. 
It also helps identify trends, including: what information is of interest to foreign intelligence services who is interested in it, and the methods the foreign intelligence services are prepared to use to collect the information. 237. ASIO uses this intelligence to assist in the formulation of threat assessment and security intelligence advice and to protect the national interest. 238. Additionally, all employees should complete a contact report for instances when an individual or group, regardless of nationality, seeks to obtain official information they do not have a need to know in order to fulfil their work function. 14.3.1 Methods of gathering human source intelligence 239. Foreign intelligence services, foreign officials and politically, commercially or issue-motivated groups and individuals can devote considerable energy and resources into obtaining access to political, economic, scientific, technological, military and other information. This is not limited to classified information and often includes privileged information, i.e. information that is not normally available to the general public. Any compromise may be prejudicial to Australia’s National Interest. 240. Intelligence services use human intelligence collection as a low-risk and common means of intelligence gathering. Intelligence services can develop an aggregate picture through low-level collection from a number of sources including government employees. 241. Small pieces of information could contribute to an intelligence collection process. Accordingly, employees need to recognise that an ‘innocent’ conversation or ‘contact’ (e.g. e-mail) can be part of human intelligence gathering. 242. Contacts may be official, as part of a person’s role, social or incidental. 
The following are examples of types of contacts: invitations to attend functions written correspondence sport and recreation activities overseas travel visits to embassies, consulates or involvement with trade missions or other international events membership of international clubs, institutes, professional associations or friendship societies incidental social interaction e-mail phone calls – including unsolicited phone calls where the caller has obtained the employee’s details from a department/company website 37 training or study (eg. language classes) on-line social networking sites, and/or introductions via a third party. 243. The initial overture might be subtle, carefully planned and occur over an extended period of time. It is designed so that the person being cultivated is not aware it is occurring. However there could be indicators that arouse suspicion including: a seemingly innocuous interest in an employee’s official, social or personal activities a fascination with some particular aspect of an employee’s work, social or personal activities requests for information about other employees who work in the agency a request to meet with the employee away from the work environment introduction to another person who takes a similar interest encouragement to participate in questionable or illegal activity, or offers of hospitality or gifts. 14.3.2 Reporting Criteria 244. Agencies are to require their personnel to report suspicious, on-going, unusual or persistent contacts with foreign officials and other foreign nationals to their agency security section. This includes if an individual or group, regardless of nationality, seeks to obtain official information they do not have a need to access. 14.3.3 Reporting procedures 245. Agencies are to advise personnel who believe they have been the subject of an inappropriate contact to report the incident to the ASA. The ASA can provide employees with a Contact Report form. 246. 
To assist with the accurate recall of events, personnel should complete a written report as soon as possible after the suspected contact has occurred. 247. In some circumstances, a contact report may lead to a security or criminal investigation. If the matter involves fraud or theft, the agency should follow its fraud control policies. 14.3.4 Required contact/incident report information 248. The style and format of contact reports may vary from agency to agency, but the following information should be included: Time, Date – indicating if details are approximate Location – including address where contact or incident occurred Names, Designations and Nationalities – the reporting person’s details along with those of all other persons present during the contact Types of Contact – may include a combination of social, informal, official business and/or other aspects Conversation – any conversation or discussion may cover a number of subjects. The general topic areas should be described, including personal details disclosed by either party, and Other details – such as the circumstances that led to the contact or incident and the factors that made it noteworthy or unusual. 38 249. A preliminary brief to report an incident should also include: 250. details of the incident whether any assets have been compromised (type and level of classification), and an initial assessment of the harm the compromise could cause. A generic contact reporting form is at Annex H - Example Contact Report Form. 14.3.5 Contact reporting briefing 251. Agencies’ security awareness training programs are to inform personnel about the Contact Reporting Scheme and understand their obligations and the reporting arrangements. 252. The Scheme is not intended to restrict legitimate contact between employees and foreign officials. It provides support and encourages information sharing, which benefits the Government employee who has been contacted, and the Australian Government. 
ASIO can provide a brief on the Contact Reporting Scheme to agencies. These briefings are arranged through the individual ASA. 253. Agencies should advise personnel to contact their agency security staff prior to travel to ascertain the possible threat from foreign intelligence services and seek appropriate briefings. Agencies should advise personnel performing official duties overseas that the intelligence and security services in certain countries conduct surveillance of foreign representatives. ASIO can, where relevant, provide a briefing on security situations that individuals may encounter when they perform official duties overseas. 254. Agencies should inform personnel of: the existing threat and threat sources their personal and professional responsibilities the ways that people can be deceived, coerced or pressured into actions harmful to national security or interest the fact that targeting occurs across all levels or ranks of an organisation not just at senior level the fact that most attempts to collect intelligence will be subtle and often appear innocuous the effectiveness of security awareness training in restricting information collection by foreign representatives the need for high standards of personal conduct, and the procedures for contact reporting. 255. Agencies should identify whether or not they have people working in high risk areas and, if so, provide appropriate briefings. High risk employees include those who: are required to liaise with foreign officials because they have a good proficiency in the native language of the foreign officials are involved in sensitive or priority negotiations or policy work, or work in units that regularly share information with foreign officials. 39 14.4 Agency actions on separation/extended leave of personnel holding security clearances 256. 
Agencies should follow the procedures in section 9 - Agency actions on separation of personnel or those on extended leave, in addition to the below requirements for separating personnel who hold a security clearance. 14.4.1 Separation of staff 257. Agencies are to advise the vetting agency of separation of personnel. 258. Agencies are to, where appropriate: obtain an assurance that individuals are aware of their ongoing obligations in respect of national security and confidentiality identify any departing staff that represent a security risk report any identified risks and any significant security concerns associated with a clearance holder’s separation to the vetting agency where applicable, notify compartment holders and organise a debrief from those compartments, and where clearance holders depart suddenly without obtaining assurances of an individual’s ongoing obligations, undertake a risk assessment to identify any security implications relating to the departure. 259. When clearance holders are separating from an agency the agency should formally record the termination of the sponsorship of the clearance and briefings. 260. Agencies are to report any security concerns about departing clearance holders to the vetting agency, particularly where the clearance holder departs without having a security debrief. 261. Agencies are to report to ASIO any security concerns about separating clearance holders. (Security as defined in section 4 of the Australian Security Intelligence Organisation Act 1979 (Cth). 14.4.2 Separation of contractors 262. An agency should include in their contracts an obligation on the contracting company to advise the agency when the contractor’s staff or sub-contractors with sponsored clearances have ceased to work on the agency’s contract. 263. Agencies are to advise the vetting agency when a sponsored contractor no longer requires a security clearance to access the agency’s security classified resources. 
Vetting Agencies should advise any other known agencies using the contractor that the contractor’s clearance is no longer sponsored. 264. Lead agencies for contracts involving multiple agencies should advise the other agencies, where known, when a clearance is no longer sponsored by the lead agency. 265. If agencies have any concerns about the contractor on separation, they should advise the vetting agency. 14.4.3 Extended leave 266. Clearance holders taking extended leave should be subject to the same procedures as separating staff, unless a risk assessment determines this is unnecessary. The risk assessment might consider the purpose of the long leave, any travel plans and the degree of ongoing contact between the agency and the clearance holder during the leave. 40 267. Agencies are to put procedures in place to ensure security staff is notified of staff planning to go on leave. The period will depend on the agency’s risk profile and any specific risks associated with the position. 268. Agencies should advise the vetting agency where personnel holding a clearance take extended leave. 269. Agencies should brief personnel who will be taking extended leave of their ongoing confidentiality obligations. Any security issues should be resolved before the leave is taken. 270. Agencies should apply the procedures for separating staff to clearance holders taking extended leave, unless a risk assessment determines this is unnecessary. The risk assessment might consider the purpose of the long leave, any travel plans and the degree of ongoing contact between the agency and the clearance holder during the leave. 271. Agencies should, based on their risk assessment, advise the vetting agency to change clearances to inactive, for personnel on extended absences. When clearance holders return to work, the vetting agency can make the clearance active, if requested, after undertaking appropriate vetting updates. 
14.5 Special requirements for the management of contractor clearances 272. Contractors pose additional risks to an agencies personnel security, due to the lack of oversight that an agency may have over a contractor. In order to mitigate these risks agencies should have procedures and policies for management of contractor’s clearances. 273. Contracts should include: arrangements for dealing with any reportable changes in circumstances and the reporting and investigation of security incidents or breaches the requirement for contract staff to protect the agency’s information and assets, and ongoing security awareness training that includes the contracting company’s responsibility to require contracted staff to: - protect the agency’s assets and information - report changes in personal circumstances, and - report suspicious contacts. 274. Agencies should include the following provisions in their contracts: details of and additional management requirements for contractors who have clearances details of whether the agency is the sponsor of the clearance, an obligation for contractors to report changes of circumstances, including, whether they are working for another agency, to the vetting agency, sponsoring agency and any other agency their services are provided procedures and contact details for contracted employees to advise of change of circumstances obligations for the contracting company to report to the sponsoring agency, and any other agency the contracted employee provides services, if a contracted employee is dismissed, arrested, or expelled from an accredited body provisions advising that the agency may share personnel information, including information about deactivation or withdrawal of sponsorship, regarding a contracted employee with the vetting agency and other agencies which the contracted employee provides services, and 41 provisions relating to the ongoing clearance maintenance for contractors. 275. 
Before entering into a contract for contracted services, agencies should have a good understanding of the business requirements set out in the tender documentation.

276. Contractors are to confirm annually, to the vetting agency and the sponsoring agency, that they have reported all changes of circumstances or suspicious contacts and have undergone any required security awareness training. Contract managers should be responsible for ensuring personnel confirm they have reported any concerns about the clearance holders.

16. Summary of Annexes

The following documents are examples only; agencies should create their own templates in accordance with agency specific requirements and legislation:
Annex A – Proof of Australian Citizenship
Annex B – Mitigating concerns raised by minimum employment checks
Annex C – Example security clearance informed consent form and privacy statement
Annex D – Fact sheet: legislative implications for information sharing
Annex E – Example confidentiality/non-disclosure agreement
Annex F – Example conflict of interest declaration
Annex G – Example personnel security questions for professional referees
Annex H – Example contact report form
Annex I – Annual health check conversation guide

Annex A – Proof of Australian Citizenship

Annex B – Mitigating concerns raised by minimum employment checks

Supporting documents

Identity fraud, that is, people claiming identities, qualifications or experience they do not have, is a significant threat faced by agencies during employment screening. Claims made by a person should be supported by documents. If there are concerns about the validity of the documents provided, agencies should seek confirmation of the details from the issuing authority. Agencies should verify all supplied primary identity documents issued in Australia. Australian issued primary documents can be verified using the Document Verification Service.
While the service is free, there may be some set-up cost to implement an ICT solution that automates the checking. Agencies should take a risk based approach to verifying primary identity documents issued outside Australia, and other identity documents.

Qualifications

Claiming qualifications that have not been awarded is the most common form of identity fraud during recruitment. Agencies should verify, with the issuing institution, any qualifications that are required for a position. Agencies should also, based on their risk assessment, consider verifying all claimed qualifications.

Employment history

Agencies should resolve unexplained gaps in employment. A person may not disclose periods of employment where their employment was terminated or where they anticipate an adverse referee’s report. A history of short periods of employment may indicate poor reliability. However, there may be valid reasons for the changes, and agencies should seek further information from the person. Additional referee checks could also be sought from previous employers.

Agencies should resolve concerns raised by referees about a person’s suitability to access official resources, or about the person’s reliability. Referees who have had personal conflicts with an individual may provide negative reports. If such a report is provided, agencies should seek additional reports from previous employers or supervisors. Alternatively, advice on the person’s suitability may be available from the human resources areas of large employers.

Potential employees whose recent employment has been terminated may be of concern, depending on the reasons. Agencies should investigate the reasons with the previous employer and with the person. If a determination on the concerns cannot be made, agencies may need to contact alternative referees or other previous employers for corroborating evidence.

Gaps in residential history

Residential history will aid in substantiating the person’s identity in the community.
All personnel need to provide supporting evidence of their current permanent residential address. Agencies should request supporting proof for the previous five years of residential addresses. Acceptable supporting proof may be:
- primary, secondary or tertiary proof of identity documents bearing an address, or
- typed official correspondence addressed to the person, e.g. a rates notice or bank statement.

People may have problems providing supporting documentation for residential addresses, particularly where:
- the residence was in someone else’s name
- the person was living at home, or
- the person was in temporary accommodation and had a separate permanent residential address.

Agencies should assess whether the person’s explanation for periods of residency for which they cannot provide supporting documents is reasonable.

Inconsistencies between residential and employment addresses

Agencies should also consider whether the residential addresses are consistent with the employment locations. Some travel between a residential address and a place of employment is expected. However, residing in a different town or city may raise concerns about the claimed employment. The person needs to be able to provide a reasonable explanation for these inconsistencies.

Criminal convictions

A Commonwealth ‘No Exclusion’ police records check will provide a record of Commonwealth convictions for the preceding ten years, or until there is a gap of ten years between convictions, whichever is the longer. However, the convictions that will be reported by each State or Territory will depend on that State or Territory’s spent convictions scheme.

Failure to declare convictions

Failure to declare disclosable criminal offences may indicate a lack of honesty. Unless the person can provide a reasonable explanation of why the conviction was not declared, agencies should reconsider the person’s suitability for engagement.
One possible circumstance in which a person could mistakenly fail to declare a conviction is where the offence occurred more than ten years ago but the conviction was recorded less than ten years ago.

Declared convictions

Agencies should make a risk management determination on declared offences based on the agency’s requirements and the role the person will occupy, e.g. it may be inappropriate for someone with a previous fraud conviction to be in a position with access to funds. A history of low level alcohol or drug related convictions may indicate a drinking or drug problem. Additionally, any current drug convictions may make the person susceptible to undue influence from criminal organisations.

Financial history

A history of poor financial management may be of concern. However, it is not uncommon for small businesses to fail. Agencies should look for a history of credit fraud or a failure to resolve bankruptcy. Agencies should make a risk based decision on the suitability of a potential employee based on their financial history and the job type or role within the agency, e.g. an individual with a history of credit fraud may not be suitable for a role within the agency’s financial area.

Potential for undue influence

There are a number of factors that may make a person susceptible to undue influence. These could include:
- Foreign or dual citizenship: the person may be loyal to another country and provide access to agency resources about, or of value to, the other country.
- Current criminal activity: potential for influence by criminal organisations.
- Conflicts of interest: the person may provide, or give access to, agency resources relating to the conflict of interest, e.g. concurrent contracts with competitor organisations.

Additional advice

For further details on assessing character traits see section 5 of the Personnel security guidelines – Vetting practices.
Annex C – Example Security Clearance Privacy Statement and Informed Consent Form

[The informed consent form is a sample only. Agencies should seek independent legal advice before using the sample form. Agencies should tailor the form to their own requirements.]

Privacy Statement

Your personal information is being collected to assess your ongoing suitability to hold and maintain a security clearance and to access Australian Government official resources. Australian Government official resources include people, information and assets. Personal information, including sensitive information, may be collected from and disclosed to any entity or person listed in this Privacy Statement to assess your ongoing suitability to hold and maintain a security clearance. Without your personal information, your suitability to hold a security clearance cannot be assessed. The inability to obtain a security clearance may have an adverse effect on your employment where holding and maintaining a security clearance is a condition of engagement. Where you are simultaneously engaged by more than one agency, each agency will have access to your personal information, including sensitive information.

The security clearance assessment involves a series of assessments and background checks to determine whether you are a suitable person to access security classified information and other Australian Government official resources. It is your responsibility to provide accurate information and to keep your personal information up to date by advising the [Agency name] security area and the [Vetting Agency Name] of any changes in circumstances [insert link to change of circumstances form].

The security clearance process is intrusive by its nature. However, your privacy and dignity will be respected.
If you have any enquiries relating to the Privacy Act 1988 (Cth), or about how your information will be collected, used or disclosed, please email [insert person’s name and position] [privacy@agencyname.gov.au] or call (0X) XXXX XXXX.

[Vetting agency’s] privacy policy can be found at [insert website]. The privacy policy contains information on how:
- to access and seek correction of your personal information held by [Agency name];
- to make a complaint about a breach of the Australian Privacy Principles by the [Agency name]; and
- the [Agency name] will deal with such a complaint.

The [Agency Name] recognises and respects your privacy and is committed to the Australian Privacy Principles set out in the Privacy Act 1988 (Cth). The collection and use of your personal information is required in accordance with the Australian Government’s Protective Security Policy Framework. By signing the consent form contained in this security clearance pack, you consent to the collection, use and disclosure of your personal information as described below, and to your Personnel Security File (PSF) being transferred to [Vetting Agency Name] and shared with [Agency name] and any future sponsoring agency.

How your information will be collected

During the security clearance assessment process, and while you continue to hold an Australian Government security clearance, we may collect personal information, including sensitive information, from:
- your current, previous or future private and Government employers. If you do not consent to your current employer being contacted, please notify [Vetting Agency Name] with the reasons for the denial of consent;
- your referees (both nominated by you and not nominated by you);
- third parties relevant to assessing and monitoring your ongoing suitability to hold and maintain a security clearance;
- your Personnel Security File (if applicable) from the relevant Commonwealth, State or Territory agency, in relation to any existing or previous security clearances held by you;
- other service providers, such as contracted vetting providers, and medical or psychological practitioners, used during the clearance process;
- financial institutions and financial checking agencies, to confirm residential addresses;
- the Department of Immigration and Border Protection and the Department of Foreign Affairs and Trade, to check any naturalisation and/or citizenship documents and international movements;
- medical professionals, to clarify any medical conditions, with your consent;
- State and Territory Registries of Births, Deaths and Marriages;
- you directly;
- the Government agency which has sponsored your clearance;
- Government agencies which have investigated any suspected breaches of law or Australian Government policy;
- the AFP and state and territory law enforcement agencies;
- ASIO; and
- educational institutions, in relation to education documentation.

Disclosure of your information

During the security clearance assessment process, and while you continue to hold an Australian Government security clearance, we may disclose your personal information, including sensitive information, to:
- you directly;
- the Government agency that has sponsored this clearance, any previous Government agencies which have employed you or engaged you as a contractor, and any future sponsoring or interested vetting agencies;
- the Australian Federal Police (AFP) [or S&T Police Name];
- financial institutions and [Financial checking agencies];
- the Australian Security Intelligence Organisation (ASIO);
- your previous, current and/or future private and/or Government employers, including any employers that you worked for as a contractor.
If you do not consent to your current employer being contacted, please notify [Vetting Agency Name] with the reasons for the denial of consent;
- your referees (both nominated by you and not nominated by you);
- third parties relevant to assessing and monitoring your ongoing suitability to hold and maintain a security clearance;
- your Personnel Security File (if applicable) from the relevant Commonwealth, State or Territory agency, in relation to any existing or previous security clearances held by you;
- other service providers, such as contracted vetting providers, and medical or psychological practitioners, used during the clearance process;
- financial institutions and financial checking agencies, to confirm residential addresses;
- the Department of Immigration and Border Protection and the Department of Foreign Affairs and Trade, to check any naturalisation and/or citizenship documents and international movements;
- medical professionals, to clarify any medical conditions, with your consent;
- State and Territory Registries of Births, Deaths and Marriages;
- the Government agency which has sponsored your clearance;
- Government agencies which have investigated any suspected breaches of law or Australian Government policy;
- the AFP and state and territory law enforcement agencies;
- ASIO; and
- educational institutions, in relation to education documentation.

Limited amounts of your personal information may also be disclosed to overseas recipients if you are required to access foreign government resources. The information that may be disclosed includes your clearance status, your full name and date of birth, and your position.
The [Agency Name] will not use or disclose your personal information, collected for the purpose of assessing your ongoing suitability to hold and maintain a security clearance, to any person or organisation other than those listed above, unless:
- it would be reasonably expected by you that such a disclosure would occur in relation to your security clearance;
- the disclosure is required or authorised by or under Australian law or a court/tribunal order;
- a permitted general situation exists in relation to the use or disclosure of the information, as defined in section 16A of the Privacy Act 1988 (Cth); or
- the use or disclosure of the information is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body.

Informed Consent Form

I, [Full Name in Block Letters]
Born on: [Date of Birth]
at: [Place of Birth]
of: [Full Residential Address]
Employed by: [Name of organisation / company / agency]

understand that:
- My personal information will be collected from, and disclosed to, those persons, sources and agencies listed in the privacy notice.
- My personal information will be used to assess and monitor my ongoing suitability to hold and maintain a security clearance and to access Australian Government resources, while I continue to hold a security clearance.
- It is my responsibility to notify the vetting agency and the [Agency Name] security area of any change in circumstances, using the change of circumstances form.

I consent to my personal information being collected and disclosed:
- with the agencies, people and sources listed in the privacy notice, for the purpose of assessing and monitoring my ongoing suitability to hold and maintain a security clearance and to access Australian Government resources
- with the agencies, people and sources listed in the privacy notice, while I continue to hold a security clearance.
Signature:
Date:
Witness signature:
Witness name and address:

Annex D – Fact Sheet: Legislative Implications for Information Sharing

The importance of sharing information

Timely, reliable and appropriate information sharing is the foundation of good government. Information sharing enables better government service delivery and improved policy development through focused interagency collaboration. For personnel security, the sharing of information is essential to identify potential areas of risk to agencies from the compromise of agency resources. Information sharing can help prevent and detect a range of threats, including the trusted insider. There is ample evidence that trusted insider cases could have been prevented, or at least identified, had there been greater information sharing between agencies, the vetting agencies, and the human resource and security areas within agencies.

Legislation that facilitates information sharing

There are a number of legislative instruments that facilitate the sharing of personal information for the purposes of assessing a person’s ongoing suitability to hold and maintain a security clearance:
- Privacy Act 1988 (Cth);
- Public Service Act 1999 (Cth); and
- human rights and anti-discrimination legislation.

Privacy Act

The Privacy Act facilitates the sharing of personal information when informed consent has been provided by the individual. This includes the sharing of information relating to matters raised in confidence, such as relationship breakdowns, financial stress, and drug and alcohol addiction.

Public Service Act

The Public Service Act 1999 (PS Act) facilitates the sharing of personal information through Regulation 9.2 of the Public Service Regulations 1999 (Cth). Regulation 9.2 is only applicable to persons employed under the PS Act.
Regulation 9.2 was drafted to give Australian Public Service agencies certainty about the circumstances in which they may disclose personal information about their employees to other agencies, and the circumstances in which they may legitimately use personal information about employees within an agency. Regulation 9.2 provides that personal information may be shared within an agency if it is necessary for, or relevant to, the performance or exercise of the employer powers of the agency. This means the human resources area within an agency can share relevant personal information with the security area of the agency, as holding a security clearance is relevant to the performance of the employer powers of the Agency Head.

Human rights and anti-discrimination legislation

Human rights and anti-discrimination legislation does not prevent the sharing of personal information, including information relating to medical and mental illness. Sharing personal information does not, of itself, breach anti-discrimination legislation. Section 15 of the Disability Discrimination Act 1992 (Cth) includes general prohibitions against discrimination in work on the grounds of disability, including mental health. However, the prohibition is subject to exceptions where a person would be unable to carry out the inherent requirements of the particular job. Any action taken must be by reference to the inherent requirements of the particular job, including the employee’s suitability to access Australian Government resources.

All security clearance decisions are administrative decisions and as such can be reviewed. Procedural fairness is accorded to clearance subjects, no arbitrary decision making occurs, and the process does not breach Australia’s international human rights law obligations.
Annex E – Example Confidentiality/Non-disclosure Agreement

I, [Full Name in Block Letters]
Born on: [Date of Birth]
at: [Place of Birth]
of: [Full Residential Address]
Employed by: [Name of organisation / company / agency]

being a person who has agreed to receive security classified information from [Name of the agency providing security classified information], undertake to:
- preserve the confidentiality/secrecy of the information entrusted to me
- not disclose, publish or communicate such information to any person inside or outside my organisation/company/agency, except to senior managers who have a need to know such information
- ensure that those persons to whom I provide the information are made aware of the conditions under which this information is communicated, and of the fact that the confidentiality/secrecy of the information must be maintained, and
- undergo the security clearance vetting process where I have been given access to security classified information for more than three months in one year.

Further, I acknowledge that:
- I have received a security briefing on my responsibility to protect the information, including the correct methods for storage, handling and dissemination, and
- any breach of this Undertaking may constitute the commission of an offence under sections 70 and 79 of the Crimes Act 1914 (Cth) and Division 91 and Part 7.4 of the Criminal Code 1995 (Cth). [Include any agency specific secrecy provisions that apply.]

Signature:
Date:
Witness signature:
Witness name and address:

Annex F – Example Conflict of Interest Declaration

The form below provides agencies with a template they may wish to use to document the management of an actual or perceived conflict of interest in the recruitment process. All personnel must complete a Conflict of Interest Declaration upon engagement and update the Declaration at least once a year.
Personnel must immediately notify the [insert agency name] of any matters that may result in real or apparent conflicts of interest. Outside employment that creates a conflict of interest, or the appearance of one, must be declared on this Conflict of Interest Declaration. For more information, see the [insert agency name] Conflict of Interest Policy, available at [link to agency conflict of interest policy].

SURNAME (please print):
OTHER NAMES:
AGENCY NAME:

Complete each item below separately for yourself (Self), your spouse (Spouse) and any child who is wholly or mainly dependent on you for support (Dependent children).

1. Shareholdings in public and private companies (including holding companies), indicating the name of the company or companies
Name of company (including holding and subsidiary companies, if applicable)
Self:
Spouse:
Dependent children:

2. Family and business trusts and nominee companies
a. In which a beneficial interest is held, indicating the name of the trust, the nature of its operation and the beneficial interest
Name of trust/nominee company / Nature of its operation / Beneficial interest
Self:
Spouse:
Dependent children:
b. In which you, your spouse, or a child who is wholly or mainly dependent on you for support, is a trustee (but not including a trustee of an estate where no beneficial interest is held by you, your spouse or dependent children), indicating the name of the trust, the nature of its operation and the beneficiary of the trust
Name of trust/nominee company / Nature of its operation / Beneficial interest
Self:
Spouse:
Dependent children:

3. Real estate, including the location (suburb or area only) and the purpose for which it is owned
Location / Purpose for which owned
Self:
Spouse:
Dependent children:

4. Registered directorships of companies
Name of company / Activities of company
Self:
Spouse:
Dependent children:

5. Partnerships, indicating the nature of the interests and the activities of the partnerships
Name / Nature of interest / Activities of partnership
Self:
Spouse:
Dependent children:

6.
Liabilities, indicating the nature of the liability and the creditor concerned
Nature of liability / Creditor
Self:
Spouse:
Dependent children:

7. The nature of any bonds, debentures and like investments
Nature of account / Name of bank/institution
Self:
Spouse:
Dependent children:

8. Savings or investment accounts, indicating their nature and the name of the bank or other institution concerned
Nature of account / Name of bank/institution
Self:
Spouse:
Dependent children:

9. The nature of any other assets (excluding household and personal effects), each valued at over $7,500
Nature of any other assets
Self:
Spouse:
Dependent children:

10. The nature of any other substantial sources of income
Nature of income
Self:
Spouse:
Dependent children:

11. Membership of any organisation where a conflict of interest with your duties could foreseeably arise or be seen to arise
Name of organisation
Self:
Spouse:
Dependent children:

12. Any other interest where a conflict of interest with your duties could foreseeably arise or be seen to arise
Nature of interests
Self:
Spouse:
Dependent children:

Annex G – Example personnel security questions for professional referees for employment screening

The following questions are examples only and should be asked in addition to any role specific recruitment questions.
- Please state the person’s full name.
- Please provide details of:
  - your relationship with the applicant (include the name of the organisation(s), the period of time known, whether the person was a colleague or was supervised by you, and whether the person is related to you)
  - the person’s job title and main responsibilities
  - any substantiated client complaints about the person’s behaviour
  - the results of any actions, investigations or inquiries concerning the person’s character, competence or conduct
  - any inquiries (internal or otherwise) currently in progress concerning the person’s character, competence or conduct.
- Do you believe the person is honest, trustworthy and acts with integrity?
- Do you know of any other factors concerning the person which might affect their fitness for employment? (Among the factors which may be relevant are significant financial difficulties, abuse of alcohol or drugs, criminal or civil proceedings against the person, living beyond the person’s means, and mental or physical illness that may affect the person’s judgement.)

Annex H – Example Contact Report Form

Details of contact (if space is insufficient, please include an attachment)
Date:
Time:
Location:
Contact initiated by: Unit or firm representative / Foreign representative / Other (if other, please specify):
Means of contact: In person / Telephone / Correspondence / Other (if other, please specify):
Reason or occasion: Business / Social / Personal / Official / Incidental / Other (if other, please specify):
Topics of conversation significant to security (or details of incident):
Further contact (outline any arrangements made):
Names of persons present (include designations and nationality):
Other information (e.g. documents provided, undertakings given or received, etc.):

Details of person making the report
Printed name:
Designation/Position:
Phone #:
Signature (hard copy only):
Date:

The completed Contact Report Form should be provided to your ASA.

Annex I – Annual Health Check Conversation Guide

Below is a sample of questions that managers could use as a starting point for a conversation about security practices. Agencies should develop their own questions and guides based on the agency’s risks.

Work life balance (areas for discussion):
- managing caring commitments
- flexible work arrangements
- workload
- any health issues or reasonable adjustments required
- other personal circumstances

Good security practices (for managers to consider):
- Any changes in the employee’s behaviour (and consider whether they should be reported).
  For example:
  - unexplained changes in an employee’s personal circumstances (sudden and unexplained wealth or financial hardship)
  - inappropriate interest in classified information
  - the employee seems under considerable stress
  - a decline in work performance
  - unusual hours of work inconsistent with the role
- For contractors: ensure they are aware of their protective security obligations and act accordingly.

For managers to ask their staff:
- What protective security training have you undertaken in the past 12 months? Do you feel that you have adequate training to fulfil your responsibilities? [The training may include protective security policy awareness, training for access to secure ICT systems, and fraud awareness training.]
- Are there any specific protective security measures/controls in your section, branch or division’s area that are working well or not working well (that is, are the security practices enablers of, or barriers to, your business needs)?
- Have you observed any suspected breaches of security, fraud (e.g. credit card, travel, and contract management) or the APS Code of Conduct? Did you report it? Were you informed of the outcome?
- Are you aware of your responsibilities to report:
  - significant changes in your personal circumstances to the Departmental Security Unit and the vetting agency (e.g. family bereavement, divorce, separation, marriage, overseas travel, change of citizenship, changes in health, any criminal charges, any disciplinary matters or security breaches), and
  - suspicious contact to the Departmental Security Unit?
- Have you shared your access to official resources (passwords, entry pass, or unsupervised access to ICT systems with your logon)? This is a breach and must be reported. Are you aware that you may not share your access to official resources, as this is a security breach? Are you aware if this is a practice in the work area?
- Have you ensured official information is classified appropriately and used for its official purpose only?
- How are you contributing to a safe working environment for your colleagues, contractors, and clients?
- Is there anything we can do to improve personal safety?