VPS and ministerial staff and contractors working for the Victorian Government who regularly handle security classified or sensitive resources need to meet an appropriate standard of integrity and honesty to help mitigate the risks and reduce the threat of unauthorised access to Victorian information assets.
1.1 Assessing the suitability and eligibility of personnel
A security clearance may be required where personnel are required as part of their duties to regularly handle classified information including national security classified information, official or sensitive information, an aggregation of sensitive or classified material, or where the organisation requires a higher standard of vetting or scrutiny of staff due to the nature of their role. A security clearance may be granted after an assessment of the suitability and eligibility and security vetting of a candidate (also known as a clearance subject).
1.2 Security clearance approval
A security clearance is the approval that the candidate is eligible and suitable, from a security standpoint, to access security classified resources. It is granted after an individual’s formal application or a clearance has been approved. A valid security clearance is one that has been assessed to the national standard and where the security clearance has been approved by the delegate
There are also obligations on the clearance subject to maintain their security clearance. Department screening or employment checks are not the equivalent of being issued a national security clearance.
1.3 Accessing Commonwealth classified information
A security clearance is required when accessing material which has been security classified protected, secret or top secret by the Commonwealth, including when accessing Commonwealth generated information which is being on-shared by a Victorian government agency or department. Victorian departments and agencies may also adopt the Commonwealth standards for accessing State generated security classified material, in which case a valid security clearance must be held to access that material.
In addition to staff holding a security clearance, appropriate and endorsed physical and information security measures need to be in place.
1.4 Security clearance and information classification levels
Clearance holders can only share classified information with someone who holds a security clearance at the level of the information being shared and has an official need to know.
Table 1 describes the level of clearance needed to access the different levels of classified information.
Clearance level | Allowed access to information classified |
---|---|
Baseline | Protected |
Negative Vetting Level 1(NV1) | Protected & secret |
Negative Vetting Level 2 (NV2) | Protect, secret & top secret |
Positive Vetting | Allows access to all classified information and resources at all classification levels. |
There may be differing requirements for accessing and sharing material classified PROTECTED and Cabinet in Confidence generated at the state level. For more information about Cabinet material please contact the Cabinet Office at Department of Premier and Cabinet (DPC).
A security clearance for access to Victorian generated information and resources at or below PROTECTED may not be required; however, depending on internal risk assessments, individual agencies or departments may have local information security protocols in place.
1.5 How to apply for a national security clearance
In Victoria, VPS security clearances are managed and coordinated by DPC. Victoria Police manages security clearances for sworn and unsworn Victoria Police employees.
If you, or someone in your department or agency requires a security clearance contact the Protective Security Team in DPC.
Under a Memorandum of Understanding on the Protection of National Security Information (2006) between the Commonwealth and the States and Territories, DPC and Victoria Police have been granted vetting agency status by the Commonwealth. The Secretary DPC has the delegated authority to grant, deny, cancel or reissue security clearances to the level of Negative Vetting Level 2 (NV2) and grant authority to delegates to do the same (the Delegate).
For certain Victorian agencies, security clearances are issued by the Australian Government Security Vetting Agency (AGSVA), however DPC is the authorised agency and must be used unless prior approval to engage AGSVA has been granted by DPC.
DPC is the central coordinating agency for all Positive Vetting (PV) security clearances for VPS staff, however PV clearances are issued by AGSVA.
Requests for security clearances need to be supported by the applicant’s work area.
1.6 Exemptions for Members of Parliament and the judiciary
Members of Parliament (MP), including Ministers and the judiciary who have an official requirement to access classified information as part of their duties are exempt from the requirement to hold a security clearance to access that information; however, the requirements of how the classified information is accessed, stored, shared and disposed of still apply.
Staff working with or supporting MPs or the judiciary who need to handle or access classified information as part of their role are not covered by the exemption and are required to hold an appropriate security clearance.
1.7 Key responsibilities/obligations for holding a security clearance
- In addition to holding a clearance, employees must have an official need to know (as opposed to an interest in the subject or just like to know what is going on) to view, share or discuss any classified information.
- Discussions involving classified information must be conducted in an appropriate location where the conversation cannot be overheard and where appropriate physical security controls are in place
- Where classified information is to be discussed or shared at a meeting, attendees should be notified prior to the commencement of the meeting that classified information will be discussed. Those not cleared to the appropriate level are to be asked to vacate the room for the duration of the classified discussion.
Contact the Protective Security Team in DPC to check the clearance status of meeting attendees.
- Information must be protected from unauthorised access, use, modification, destruction and disclosure at all times.
- The physical environment where classified information is being accessed or stored must meet the requirements specified in the Protective Security Policy Framework (PSPF).
- Clearance holders must report any breaches of security (applicable to the management of classified information) to their supervisor/ security staff. Breaches must also be reported to the Director, CSEMB to determine if the breach affects the status of the clearance holder’s security clearance or has any broader security consequences.
- Clearance holders must advise the Protective Security Team at DPC when they leave their role or transfer to another organisation.
The Protective Security Policy Framework (PSPF) is the Australian Government’s overarching policy framework for protective security. It provides guidance to entities to support the implementation and ongoing management of protective security governance and personnel, information and physical security.
1.8 Annual security check
DPC has an obligation to monitor and manage clearance holders’ ongoing suitability to hold a security clearance. This is done by conducting an annual security check which includes:
- Compliance with general security clearance obligations, in particular
- Reporting:
- Significant changes in a clearance holder’s circumstances
- Any security incidents
- Suspicious, ongoing, unusual or persistent contacts
- Completing internal security awareness training
- Reporting:
- Addressing any workplace behaviours to identify any areas of concern held by the clearance holder or/and the clearance holder’s supervisor/organisation.
Clearance holders are notified of the annual security check via their last advised .vic.gov.au email address. Non-response will result in the security clearance being made inactive.
An inactive security clearance can usually be made active by completing the annual security check and submitting a Change of Circumstances form and Annual Security Check form.
1.9 Advising of changes in circumstances
Clearance holders have an obligation to advise significant changes in their circumstances whilst holding a security clearance. DPC uses this information to assess ongoing suitability and eligibility and maintain up to date records. If unsure about what to report, contact the Protective Security Team at DPC.
DPC has a Change of Circumstances form that makes it easy to advise of any changes. Some of the reportable changes include if you:
- change your name or identity, address, contact details, financial situation, relationship or domestic circumstances, citizenship or nationality, or political or religious beliefs.
- or a close relative travel or move to a foreign country.
- have been charged or convicted of a criminal offence
- are involved in disciplinary procedures or a security incident
- have been issued a new passport.
Note: Reportable changes are explained in more detail in the Change of Circumstances form.
1.10 Security clearance transfers
VPS clearances
Existing Victorian Public Servants (VPS) staff holding a security clearance who change jobs and who still need their clearance in the new role, must submit a change of circumstances form and complete security awareness training with the new department or agency.
AGSVA or Victoria Police clearances
Security clearances are generally transferable between DPC, Victoria Police and Commonwealth and Victorian government agencies who use AGSVA.
Note: Some Commonwealth agencies do not allow transfer of Personal Security Files (PSF) from their agency.
Contact the Protective Security Team at DPC for more information about transferring a security clearance or to request a Consent to Release PSF form.
1.11 Recognition of existing security clearances
A valid national security clearance issued by another vetting agency can be recognised by DPC if:
- it is within the current clearance period which is not more than:
- 15 years, for Baseline clearances
- 10 years, for NV1 clearances
- 7 years, for NV2 clearances
- there are no concerns regarding the suitability of the clearance holder accessing security classified resources
- the clearance was not granted based on an eligibility (citizenship or background) waiver
- there are no specific maintenance requirements in place
- the clearance has not ceased (i.e. been denied, has time-based conditions on reapplication, or where the clearance holder is ineligible to hold or maintain a security clearance).
1.12 Ongoing security obligations after leaving a role
Clearance holders have ongoing security obligations under applicable legislation (such as the Crimes Act 1914, Criminal Code Act 1995) even after they leave a role that involved accessing classified information. Separation activities to be undertaken by the employer include:
- Removing access to government resources when a person leaves or transfers from a role if the access is not required in the new role.
- Conducting a risk assessment where it is not possible to undertake required separation procedures to identify any security implications.
- Advising the Protective Security Team at DPC that the clearance holder has left the role by submitting a change of circumstances form.
- Advising Protective Security Team at DPC if cessation of employment has resulted from misconduct or other adverse reason and advise other entities whose material was being accessed that a security breach has occurred.
- Obtaining an acknowledgement from the clearance holder that they understand their obligations to continue to protect information accessed whilst in their role.
- Reminding the clearance holder of their contact reporting responsibilities even after leaving a role. This includes reporting contacts from former colleagues who show a suspicious, persistent or unusual interest in their work or that of the entity.
- If the clearance holder is moving to a new role within the Victorian Government, where the clearance is still needed, a change of circumstances form must be completed to keep the clearance active. If the clearance is not required it can be made inactive until needed, as long as it is within the remaining term.
1.13 Temporary access to security classified information
In limited circumstances and following a risk assessment, staff requiring urgent and critical access to security classified material who don’t hold a current security clearance at the required level may apply to be granted temporary access to security classified material by the Delegate, DPC.
Short-term access
Short term access allows access to security classified information for a maximum period of three months in any twelve and, where the person doesn’t hold a current clearance or holds a current Baseline clearance, may only be granted to the level of SECRET. Any requirement for short-term access to TOP SECRET material requires the candidate to first hold a current NV1 security clearance. Staff granted short- term access are required to complete and lodge an application for a full security clearance during the short-term access period.
Provisional access
Staff undergoing vetting and awaiting the outcome of their application may, following a risk assessment, be granted provisional access by the Delegate, DPC until their application is finalised. Provisional access can only be granted up to the level of SECRET.
Recognition of Temporary Access by other agencies
Some Commonwealth agencies may still restrict access to security classified material to staff granted temporary access by DPC. This can sometimes be mitigated by early consultation with the Commonwealth regarding verification and recognition of the clearance or access status of attendees.
Contact the Protective Security Team at DPC if temporary access is required.
1.14 Vetting
All security clearance applications undergo a vetting process to assess the suitability and eligibility of the candidate to access security classified resources.
DPC outsources vetting processes to a third-party specialist provider to conduct vetting, suitability and eligibility assessments and to make a recommendation on whether the clearance should be approved.
Vetting is conducted to national standards and includes Australian Security Intelligence Organisation (ASIO) security assessments (for NV1 and NV2 applications).
Security clearances issued by DPC are recognised as a national security clearance and may be transferred as required.
1.15 Vetting fees and aftercare costs
Vetting fees range between $400 to $1700, depending on the level of clearance and are payable by the clearance subject’s work area, as well as any associated costs, such as expedited clearance requests or travel and accommodation costs for face-to-face interviews. Should a clearance subject’s employment cease before vetting is complete, the requesting work area is still expected to pay vetting costs.
The higher the clearance the more in-depth vetting is required and the longer it takes to be completed. Times taken to complete vetting also depends on the complexity of each individual application.
Table 2 provides some indicative timeframes for processing the different clearances from the time a completed application is received by the specialist vetting provider.
Level of security clearance | Timeframe (may vary) |
---|---|
Baseline | 4 to 12 weeks |
Negative Vetting Level 1 (NV1) | 6 to 12 months |
Negative Vetting Level 2 (NV2) | 6 to 12 months |
Positive Vetting | Processed by AGSVA – 12 to 18 months |
1.16 Security clearances for contractors and non-VPS staff
Non-VPS staff or third-party providers are not eligible to hold a security clearance unless they are sponsored by a government agency. Sponsorship is provided by the department or agency engaging the contractor/third party. Following a risk assessment, and taking into consideration physical, personnel and information protection, the agency head (or delegate) provides assurance via letter to the Director, CSEMB that the agency will:
- abide by the PSPF for the management of personnel requiring access to security classified of sensitive material
- notify the Director, CSEMB of any breaches of security pertaining to classified information and including personnel, information or physical security breaches
- notify the Protective Security Team at DPC should the contractor leave the role they have been sponsored for
- store security classified material
- the contractor has access to appropriately and in accordance with the physical security requirement of the PSPF, particularly if material will be stored offsite
- monitor and manage security risks and report any breaches to the Protective Security Team at DPC
- once sponsorship is agreed, the application process proceeds in the same manner as VPS clearance applications.
Updated