- Published by:
- Department of Premier and Cabinet
- Date:
- 1 Dec 2021
This guide aims to assist Victorian Public Sector (VPS) and ministerial staff and contractors be aware of their protective security responsibilities for accessing security classified or sensitive information and resources, travelling overseas, managing foreign visitors and delegations and how to report suspicious contacts.
1. Personnel security
VPS and ministerial staff and contractors working for the Victorian Government who handle security classified or sensitive resources need to meet an appropriate standard of integrity and honesty.
VPS and ministerial staff and contractors working for the Victorian Government who regularly handle security classified or sensitive resources need to meet an appropriate standard of integrity and honesty to help mitigate the risks and reduce the threat of unauthorised access to Victorian information assets.
1.1 Assessing the suitability and eligibility of personnel
A security clearance may be required where personnel are required as part of their duties to regularly handle classified information including national security classified information, official or sensitive information, an aggregation of sensitive or classified material, or where the organisation requires a higher standard of vetting or scrutiny of staff due to the nature of their role. A security clearance may be granted after an assessment of the suitability and eligibility and security vetting of a candidate (also known as a clearance subject).
1.2 Security clearance approval
A security clearance is the approval that the candidate is eligible and suitable, from a security standpoint, to access security classified resources. It is granted after an individual’s formal application or a clearance has been approved. A valid security clearance is one that has been assessed to the national standard and where the security clearance has been approved by the delegate
There are also obligations on the clearance subject to maintain their security clearance. Department screening or employment checks are not the equivalent of being issued a national security clearance.
1.3 Accessing Commonwealth classified information
A security clearance is required when accessing material which has been security classified protected, secret or top secret by the Commonwealth, including when accessing Commonwealth generated information which is being on-shared by a Victorian government agency or department. Victorian departments and agencies may also adopt the Commonwealth standards for accessing State generated security classified material, in which case a valid security clearance must be held to access that material.
In addition to staff holding a security clearance, appropriate and endorsed physical and information security measures need to be in place.
1.4 Security clearance and information classification levels
Clearance holders can only share classified information with someone who holds a security clearance at the level of the information being shared and has an official need to know.
Table 1 describes the level of clearance needed to access the different levels of classified information.
Clearance level | Allowed access to information classified |
---|---|
Baseline | Protected |
Negative Vetting Level 1(NV1) | Protected & secret |
Negative Vetting Level 2 (NV2) | Protect, secret & top secret |
Positive Vetting | Allows access to all classified information and resources at all classification levels. |
There may be differing requirements for accessing and sharing material classified PROTECTED and Cabinet in Confidence generated at the state level. For more information about Cabinet material please contact the Cabinet Office at Department of Premier and Cabinet (DPC).
A security clearance for access to Victorian generated information and resources at or below PROTECTED may not be required; however, depending on internal risk assessments, individual agencies or departments may have local information security protocols in place.
1.5 How to apply for a national security clearance
In Victoria, VPS security clearances are managed and coordinated by DPC. Victoria Police manages security clearances for sworn and unsworn Victoria Police employees.
If you, or someone in your department or agency requires a security clearance contact the Protective Security Team in DPC.
Under a Memorandum of Understanding on the Protection of National Security Information (2006) between the Commonwealth and the States and Territories, DPC and Victoria Police have been granted vetting agency status by the Commonwealth. The Secretary DPC has the delegated authority to grant, deny, cancel or reissue security clearances to the level of Negative Vetting Level 2 (NV2) and grant authority to delegates to do the same (the Delegate).
For certain Victorian agencies, security clearances are issued by the Australian Government Security Vetting Agency (AGSVA), however DPC is the authorised agency and must be used unless prior approval to engage AGSVA has been granted by DPC.
DPC is the central coordinating agency for all Positive Vetting (PV) security clearances for VPS staff, however PV clearances are issued by AGSVA.
Requests for security clearances need to be supported by the applicant’s work area.
1.6 Exemptions for Members of Parliament and the judiciary
Members of Parliament (MP), including Ministers and the judiciary who have an official requirement to access classified information as part of their duties are exempt from the requirement to hold a security clearance to access that information; however, the requirements of how the classified information is accessed, stored, shared and disposed of still apply.
Staff working with or supporting MPs or the judiciary who need to handle or access classified information as part of their role are not covered by the exemption and are required to hold an appropriate security clearance.
1.7 Key responsibilities/obligations for holding a security clearance
- In addition to holding a clearance, employees must have an official need to know (as opposed to an interest in the subject or just like to know what is going on) to view, share or discuss any classified information.
- Discussions involving classified information must be conducted in an appropriate location where the conversation cannot be overheard and where appropriate physical security controls are in place
- Where classified information is to be discussed or shared at a meeting, attendees should be notified prior to the commencement of the meeting that classified information will be discussed. Those not cleared to the appropriate level are to be asked to vacate the room for the duration of the classified discussion.
Contact the Protective Security Team in DPC to check the clearance status of meeting attendees.
- Information must be protected from unauthorised access, use, modification, destruction and disclosure at all times.
- The physical environment where classified information is being accessed or stored must meet the requirements specified in the Protective Security Policy Framework (PSPF).
- Clearance holders must report any breaches of security (applicable to the management of classified information) to their supervisor/ security staff. Breaches must also be reported to the Director, CSEMB to determine if the breach affects the status of the clearance holder’s security clearance or has any broader security consequences.
- Clearance holders must advise the Protective Security Team at DPC when they leave their role or transfer to another organisation.
The Protective Security Policy Framework (PSPF) is the Australian Government’s overarching policy framework for protective security. It provides guidance to entities to support the implementation and ongoing management of protective security governance and personnel, information and physical security.
1.8 Annual security check
DPC has an obligation to monitor and manage clearance holders’ ongoing suitability to hold a security clearance. This is done by conducting an annual security check which includes:
- Compliance with general security clearance obligations, in particular
- Reporting:
- Significant changes in a clearance holder’s circumstances
- Any security incidents
- Suspicious, ongoing, unusual or persistent contacts
- Completing internal security awareness training
- Reporting:
- Addressing any workplace behaviours to identify any areas of concern held by the clearance holder or/and the clearance holder’s supervisor/organisation.
Clearance holders are notified of the annual security check via their last advised .vic.gov.au email address. Non-response will result in the security clearance being made inactive.
An inactive security clearance can usually be made active by completing the annual security check and submitting a Change of Circumstances form and Annual Security Check form.
1.9 Advising of changes in circumstances
Clearance holders have an obligation to advise significant changes in their circumstances whilst holding a security clearance. DPC uses this information to assess ongoing suitability and eligibility and maintain up to date records. If unsure about what to report, contact the Protective Security Team at DPC.
DPC has a Change of Circumstances form that makes it easy to advise of any changes. Some of the reportable changes include if you:
- change your name or identity, address, contact details, financial situation, relationship or domestic circumstances, citizenship or nationality, or political or religious beliefs.
- or a close relative travel or move to a foreign country.
- have been charged or convicted of a criminal offence
- are involved in disciplinary procedures or a security incident
- have been issued a new passport.
Note: Reportable changes are explained in more detail in the Change of Circumstances form.
1.10 Security clearance transfers
VPS clearances
Existing Victorian Public Servants (VPS) staff holding a security clearance who change jobs and who still need their clearance in the new role, must submit a change of circumstances form and complete security awareness training with the new department or agency.
AGSVA or Victoria Police clearances
Security clearances are generally transferable between DPC, Victoria Police and Commonwealth and Victorian government agencies who use AGSVA.
Note: Some Commonwealth agencies do not allow transfer of Personal Security Files (PSF) from their agency.
Contact the Protective Security Team at DPC for more information about transferring a security clearance or to request a Consent to Release PSF form.
1.11 Recognition of existing security clearances
A valid national security clearance issued by another vetting agency can be recognised by DPC if:
- it is within the current clearance period which is not more than:
- 15 years, for Baseline clearances
- 10 years, for NV1 clearances
- 7 years, for NV2 clearances
- there are no concerns regarding the suitability of the clearance holder accessing security classified resources
- the clearance was not granted based on an eligibility (citizenship or background) waiver
- there are no specific maintenance requirements in place
- the clearance has not ceased (i.e. been denied, has time-based conditions on reapplication, or where the clearance holder is ineligible to hold or maintain a security clearance).
1.12 Ongoing security obligations after leaving a role
Clearance holders have ongoing security obligations under applicable legislation (such as the Crimes Act 1914, Criminal Code Act 1995) even after they leave a role that involved accessing classified information. Separation activities to be undertaken by the employer include:
- Removing access to government resources when a person leaves or transfers from a role if the access is not required in the new role.
- Conducting a risk assessment where it is not possible to undertake required separation procedures to identify any security implications.
- Advising the Protective Security Team at DPC that the clearance holder has left the role by submitting a change of circumstances form.
- Advising Protective Security Team at DPC if cessation of employment has resulted from misconduct or other adverse reason and advise other entities whose material was being accessed that a security breach has occurred.
- Obtaining an acknowledgement from the clearance holder that they understand their obligations to continue to protect information accessed whilst in their role.
- Reminding the clearance holder of their contact reporting responsibilities even after leaving a role. This includes reporting contacts from former colleagues who show a suspicious, persistent or unusual interest in their work or that of the entity.
- If the clearance holder is moving to a new role within the Victorian Government, where the clearance is still needed, a change of circumstances form must be completed to keep the clearance active. If the clearance is not required it can be made inactive until needed, as long as it is within the remaining term.
1.13 Temporary access to security classified information
In limited circumstances and following a risk assessment, staff requiring urgent and critical access to security classified material who don’t hold a current security clearance at the required level may apply to be granted temporary access to security classified material by the Delegate, DPC.
Short-term access
Short term access allows access to security classified information for a maximum period of three months in any twelve and, where the person doesn’t hold a current clearance or holds a current Baseline clearance, may only be granted to the level of SECRET. Any requirement for short-term access to TOP SECRET material requires the candidate to first hold a current NV1 security clearance. Staff granted short- term access are required to complete and lodge an application for a full security clearance during the short-term access period.
Provisional access
Staff undergoing vetting and awaiting the outcome of their application may, following a risk assessment, be granted provisional access by the Delegate, DPC until their application is finalised. Provisional access can only be granted up to the level of SECRET.
Recognition of Temporary Access by other agencies
Some Commonwealth agencies may still restrict access to security classified material to staff granted temporary access by DPC. This can sometimes be mitigated by early consultation with the Commonwealth regarding verification and recognition of the clearance or access status of attendees.
Contact the Protective Security Team at DPC if temporary access is required.
1.14 Vetting
All security clearance applications undergo a vetting process to assess the suitability and eligibility of the candidate to access security classified resources.
DPC outsources vetting processes to a third-party specialist provider to conduct vetting, suitability and eligibility assessments and to make a recommendation on whether the clearance should be approved.
Vetting is conducted to national standards and includes Australian Security Intelligence Organisation (ASIO) security assessments (for NV1 and NV2 applications).
Security clearances issued by DPC are recognised as a national security clearance and may be transferred as required.
1.15 Vetting fees and aftercare costs
Vetting fees range between $400 to $1700, depending on the level of clearance and are payable by the clearance subject’s work area, as well as any associated costs, such as expedited clearance requests or travel and accommodation costs for face-to-face interviews. Should a clearance subject’s employment cease before vetting is complete, the requesting work area is still expected to pay vetting costs.
The higher the clearance the more in-depth vetting is required and the longer it takes to be completed. Times taken to complete vetting also depends on the complexity of each individual application.
Table 2 provides some indicative timeframes for processing the different clearances from the time a completed application is received by the specialist vetting provider.
Level of security clearance | Timeframe (may vary) |
---|---|
Baseline | 4 to 12 weeks |
Negative Vetting Level 1 (NV1) | 6 to 12 months |
Negative Vetting Level 2 (NV2) | 6 to 12 months |
Positive Vetting | Processed by AGSVA – 12 to 18 months |
1.16 Security clearances for contractors and non-VPS staff
Non-VPS staff or third-party providers are not eligible to hold a security clearance unless they are sponsored by a government agency. Sponsorship is provided by the department or agency engaging the contractor/third party. Following a risk assessment, and taking into consideration physical, personnel and information protection, the agency head (or delegate) provides assurance via letter to the Director, CSEMB that the agency will:
- abide by the PSPF for the management of personnel requiring access to security classified of sensitive material
- notify the Director, CSEMB of any breaches of security pertaining to classified information and including personnel, information or physical security breaches
- notify the Protective Security Team at DPC should the contractor leave the role they have been sponsored for
- store security classified material
- the contractor has access to appropriately and in accordance with the physical security requirement of the PSPF, particularly if material will be stored offsite
- monitor and manage security risks and report any breaches to the Protective Security Team at DPC
- once sponsorship is agreed, the application process proceeds in the same manner as VPS clearance applications.
2. Information security
Security classified information is material that, due the damage it could cause the Victorian or other Australian Government if released, has a security classification applied to it.
2.1 Identifying information that needs to be classified
Information that requires some form of protection and special handling identification requires a protective marking or security classification. The marking indicates that the:
- information has been identified as sensitive or security classified
- level of protective procedures that are to be provided during the use, storage, transmission, transfer and disposal of the information.
2.2 Assessing the value of the information to the organisation
In order to appropriately classify information, the organisation first needs to assess what the damage or risk would be if their information was compromised.
Assessment of damage affecting the national interest, organisation or individuals can be made by using the Business Impact Level (BIL) assessment tool in the PSPF. The tool assists in the consistent classification of information and the assessment of impacts on government business.
It can be found on the Protective Security Policy Framework
PSPF business impact levels.
Consequence of disclosure | Classification level |
---|---|
Compromise of the information's confidentiality could cause damage to the national interest, organisations or individuals |
PROTECTED |
SECRET | |
Compromise of the information's confidentiality could cause exceptionally grave damage to the national interest, organisations or individuals | TOP SECRET |
The Office of the Victorian Information Commissioner (OVIC) has a BIL tool for the classification of state interests that may be used however, implementing physical, information or personnel security measures should always follow the standards of the PSPF.
Once the BILs have been determined, personnel and physical storage requirement for the information will become clear.
If you need assistance in determining your BILs please contact the Manager, Protective Security at DPC.
2.3 Protective markings and security classifications
The Australian Government uses the following protective markings to classify its information:
- PROTECTED
- SECRET
- TOP SECRET.
Other markings of UNOFFICIAL and OFFICIAL can also be used however they are not security classifications. OFFICAL information can also carry a dissemination limiting marker of OFFICIAL: Sensitive or information management markers indicating ‘rights’ to access the information:
- OFFICIAL: Legal Privilege
- OFFICIAL: Legislative Secrecy
- OFFICIAL: Personal privacy.
Information marked OFFICIAL doesn’t require special access, handling or storage protections. However, all OFFICIAL information is an asset and should be treated in proportion to its value, importance and sensitivity.
Information marked PROTECTED, SECRET and TOP SECRET restricts access to personnel holding a valid security clearance and requires special handling and storage arrangements which are dealt with throughout this guide.
Security classified material generated by the Commonwealth or other jurisdiction must be handled according to the requirements of the originating jurisdiction. If in doubt, the handling and storage requirements described in the PSPF should be applied.
Some Victorian departments use the same or similar protective markings as the Commonwealth, however different handling arrangements may apply. Staff need to be mindful about sharing material generated locally with other jurisdictions, where security classifications or handling requirements may differ.
2.4 Caveats and accountable material
Caveats are warnings that the information has special protections in addition to the security classification.
There are four broad types of caveats:
- sensitive compartment information (codewords)
- foreign government markings
- special handling instructions
- releasability caveats.
The three Releasability caveats – Australian Eyes Only (AUSTEO), Australian Government Access Only (AGAO) and Releasable to (REL) – limit access to information based on citizenship plus an official need to know and the holding of an appropriate security clearance.
If a caveat includes the letters REL followed by country names, for example REL UK, NZ, it means the information is also 'RELEASEABLE’ to appropriately cleared United Kingdom and New Zealand personnel only (in addition to Australian personnel).
2.5 Applying protective markers to information
Security classifications and caveats are to be clearly identified by the originator of the information. For hard- copy material, it is preferable that text be in capitals, bold, large font and a distinctive colour (red is preferred). Markings are recommended at the centre top and bottom of each page.
Any security classified information being verbally shared requires disclosure of the classification and confirmation that the audience has the appropriate security clearance and the need to know.
Where paragraphs in a document are individually classified the document as a whole is to be classified according to the highest classified paragraph.
Information can only be declassified by the generator of the material. Information (such as a paragraph or section) taken or copied from a security classified document must retain its originating classification and is not recommended without the authorisation of the document owner.
2.6 Emailing classified information
Classified material may only be transmitted on a system classified to the security level of the information being transmitted.
Department email and document storage systems are generally not security rated. Likewise, third party providers such as consultants or IT providers do not generally have certified physical, information or personnel security measures in place to store or handle security classified information.
To email PROTECTED or SECRET information, partly or wholly generated by the Commonwealth, a protected and secure network must be used.
If you need to send or receive Commonwealth security classified material at PROTECTED or SECRET, please contact CSEMB.
Victoria Police and some Commonwealth agencies based in Victoria also have secure network capability.
Information carrying a security classification of SECRET, whether generated at the State or Commonwealth level must never be transmitted using an unrated, unsecured network.
Victorian government generated PROTECTED and SECRET Cabinet-In-Confidence material has specific transmission arrangements in place. For more information, please contact the Cabinet Office at DPC.
2.7 Sharing classified information
PROTECTED or SECRET classified documents may be passed, uncovered, by hand, within a discrete office environment, provided the person passing or receiving the information holds the appropriate clearance and has an official need to access the information. Table 4 provides an overview of distribution methods for security classified information.
Originator | Classification of material | Distribution |
---|---|---|
State department or agency or material classified using the Victorian Protective Data Security Framework (VPDSF) | PROTECTED | Internal – via email (assess each transmission on its own merits) and in line with local transmission policies |
State department or agency or material classified using the Victorian Protective Data Security Framework (VPDSF) | SECRET or TOP SECRET |
External – in person* or by certified courier and appropriately packaged and handled |
Commonwealth department or agency or material classified using the PSPF | PROTECTED, SECRET or TOP SECRET |
Internal and external – by hand delivery* or by certified courier and appropriately packaged and handled |
* SHOULD hold appropriate security clearance to access the material and, if required, be able to securely print, store and dispose of the material.
** MUST hold appropriate security clearance to access the material and, if required, be able to securely print, store and dispose of the material.
As the standard for distributing state generated material is less than for Commonwealth generated material and where there is any risk of damage, it is strongly recommended that the Commonwealth distribution requirements are adopted. They are described more fully in the PSPF.
Information must always be protected from being viewed or accessed by unauthorised personnel. It should be kept covered and always stored in accordance with clear desk policies and in an appropriate security container.
2.8 Sharing information with third party providers
The ability of third-party providers to appropriately protect information should be carefully considered when sharing security classified information with them.
2.9 Recording the movement of classified material
The creation, movement and destruction of hard copy documents, classified SECRET, SHOULD be recorded in a classified document register (CDR). Documents at higher security classifications MUST be recorded in a CDR.
DPC strongly recommends recording the creation, movement and destruction of all security classified hard copy documents as good security practice. Material declared by the originator as an accountable document (e.g. where multiple copies need to be marked as copy X of Y) MUST be recorded individually in the CDR and dealt with the same as SECRET material.
Accountable material is particularly sensitive information requiring strict access and movement control. The CDR registers the title, date, classification, copy numbers and distribution of a document. It also records the destruction of a document.
Hard copy security classified material must be stored according to the standards in the PSPF including secure storage containers and appropriate physical security zones.
2.10 Disposal of classified information
To reduce the risk of security classified material being accessed by unauthorised personnel, information should only be kept for as long as it has business value. When disposing of security classified and sensitive information it must be done in accordance with the requirements in the PSPF.
Information classified SECRET or TOP SECRET must be disposed of using a Class A Shredder and, for TOP SECRET information, the shredding needs to be supervised and the destruction documented in the CDR. Information marked PROTECTED must be disposed of using, at minimum, a Class B shredder.
Classified waste bags and bins are not security containers and should not to be used to dispose of classified information above the level of FOR OFFICIAL USE ONLY/OFFICIAL.
Departments or agencies who do not have the appropriate destruction equipment may contact the Protective Security Team at DPC to arrange for the information to be shredded.
Departments or agencies may have local arrangements in place for destroying Cabinet PROTECTED or CABINET-IN-CONFIDENCE documents.
The PSPF provides detailed guidance on the destruction of sensitive and security classified information which must be followed for any Commonwealth generated material or state generated material containing Commonwealth security classified information.
3. Physical security
Physical security measures are implemented to minimise the risk of information or resources being tampered with, accessed, used or removed without proper authorisation.
3.1 Security zones and control measures
In areas where security classified information and assets are used, transmitted, stored or discussed, the area must be certified and accredited in accordance with any applicable ASIO Technical Note.
Zone name | Zone definition |
---|---|
Zone 1 |
|
Zone 2 |
|
Zone 3 |
|
Zone 4 |
|
Zone 5 |
|
3.2 Working with security classified material in the office
Most VPS staff work in offices that are classified as zone 2; where there is restricted public access however access for authorised personnel is unrestricted. Access is usually controlled by single factor authentication, such as swiping an access security pass.
The risk of unauthorised access to security classified material is heightened in areas with unrestricted staff access. DPC recommends storage of hard copy security classified material be kept to a minimum and avoided if possible, particularly in zone 2 areas.
Storage of PROTECTED material is permitted in zone 2 areas in a Class C container.
Storage of information classified SECRET in a zone 2 area is permitted if a Class B container is used.
Clear desk policies apply in all situations where classified information is in use, including securing classified information in an appropriate security container at all times when the staff member is not at his or her workstation.
Working with security classified information in a public place, or anywhere where the information can be overseen or overheard by un-authorised people should be avoided at all times.
3.3 Working away from the office
Staff working from home (or from any other unsecured area) are essentially working in a zone 1 public access area.
Storage of PROTECTED material in a zone 1 area is to be avoided. If unavoidable it must be secured in a Class C container, commercial safe or vault when not in use. It must be:
- transported securely, and not visible or audible to unauthorised people
- appropriately secured
- protected from oversight or overhearing by others, including family and children
- secured or segregated from agency or department ICT systems if ICTis being used
- not stored or used on home IT equipment where that system is not appropriately secured.
Storage of SECRET material in a zone 1 area (including at home) is not permitted unless exceptional circumstances apply and the originator of the material approves it.
TOP SECRET material is not to be stored, accessed or used in any public or zone 1 area (including at home) or office area less than zone 3.
B class container Compactus3.4 Storing security classified information
Special care must be taken when storing classified information. The zoning of the space or work area where the information needs to be stored will dictate the type of container that may be used to store the information.
The PSPF describes in detail storage requirements for information based on the business impact level assessment.
Table 6 provides an overview of storage container requirements for security classified material. Containers must be approved by the Security Construction and Equipment Committee.
Classification | Security zone of the designated workplace | Minimum storage requirements |
---|---|---|
PROTECTED | Zones 2 and 3 | Class C container |
Zones 4 and 5 | Lockable container | |
Outside workplace | Class C container | |
SECRET | Zone 2 | Not to be stored |
Zone 3 | Class B container | |
Zones 4 and 5 | Class C container | |
Outside workplace | Not recommended to be stored | |
TOP SECRET | Zone 2 | Not to be stored |
Zone 3 | Class A container* | |
Zone 4 | Class B container* | |
Outside workplace | NOT to be stored |
*Time limited storage in exceptional
4. Overseas travel
When travelling overseas, particularly on government business, staff need to be aware of possible threats and protect themselves and the information they hold.
4.1 Before travelling overseas
- Know where you are travelling to and the associated security and personal safety considerations.
- Go to Smartraveller for the up-to-date travel advice and to register the travel, particularly if it’s a personal trip.
- Know the value of the information your organisation holds and what information needs to be protected. Don’t take any information with you, other than what is required for the trip.
- Talk to your Information, Communications Technology team and understand what precautions to take with any departmental devices being taken on the trip.
- Where possible, leave personal electronic devices at home. It is preferable to purchase a disposable phone and limit contact details to those required for the trip.
4.2 Personal security when overseas
- Remain aware of the security risks and unusual behaviours.
- Know how to contact the local Australian diplomatic mission, or which other nation undertakes consular support for Australian citizens.
- Be alert to persistent or excessive offers or gifts that may lead to attempts to elicit information.
- Understand your obligations in relation to accepting gifts and hospitality.
- Always keep control of your electronic devices and information you are carrying. Keep them in your carry-on luggage whilst travelling and don’t store them in hotel safes or leave them unattended.
4.3 After returning from overseas travel
- Report any suspicious behaviour to our agency security personnel.
- Complete and submit a Change of Circumstances form.
5. Managing foreign visitors and delegations
While it is important for government departments to host visitors, it is critical to remember that any foreign official’s primary allegiance and interest is to his or her own country or government.
This allegiance also applies to 'friendly' countries. The importance of securing Victorian or Australian Government assets cannot be underestimated.
VPS staff hosting foreign visitors or delegations should:
- know the value of their organisation’s information and how a visitor might access it
- brief everyone involved in the visit and those whose work areas may be accessed during the visit
- advise staff about what information can be shared as well as what the security expectations and requirements are.
- have enough escorts to ensure visitors cannot move away from the group unescorted
- limit movement into work areas and contain the visitors within designated meeting and public spaces
- plan where, when and how the visitors will be moved during the visit
- ensure escorts know their responsibilities
- clearly identify visitors by using special passes, lanyards or vests
- brief visitors on the security expectations and consequences for non-compliance
- don’t allow visitors to connect any device to the corporate network
- be alert to:
- unusual questions or requests for ongoing contact, such as social contact
- requests to access areas not on the tour/visit schedule
- placement of personal belongings in areas where information may be accessed
- consider providing a list of delegate names, titles and organisation to ASIO and keep a record.
6. Protocol for reporting suspicious contacts
All governments face the threat of espionage where foreign intelligence services seek to obtain access to information that is advantageous to the interests of their country.
Although espionage is generally associated with national security, all governments face the threat of espionage where foreign intelligence services seek to obtain access to information that is advantageous to the interests of their country.
Attempts to obtain information can be pre-planned and involve careful targeting of particular employees. Alternatively, information collection attempts can be entirely opportunistic.
Reporting attempts by foreign government officials or people who may have links to foreign governments is the first line of defence against potential espionage and allows appropriate action to be taken to lessen the risk of harm to the interests of Australian Governments.
6.1 Purpose of the protocol
This Protocol for reporting suspicious contacts helps Victorian Government officials be aware of the risk of potential intelligence activities, particularly by foreign governments and provide a means to report such activity. Contact reporting assists ASIO, through the contact reporting scheme, advise the Commonwealth Government about the threat of foreign espionage to Australian interests, and if necessary, Victoria Police, to take appropriate action.
6.2 Targeting of state government officials
State government officials can be targeted by foreign governments because they have access to national security or other sensitive national government information or to state government information that is of interest to a foreign government.
6.3 Types of information is likely to be targeted
Highly sought-after information does not need to be sensitive or classified. Any information not normally in the public domain may be used to the advantage of a foreign entity to the detriment of Australia and Australian interests.
Official advice suggests that the following types of information are sought by foreign intelligence services:
- information on defence technology
- communications and information technology
- science and technology
- political information
- economic information
- commercial information
- private information, intellectual property or business secrets that could cause harm or embarrassment if obtained by a third party.
Indicators that may arouse suspicion include:
- an inordinate interest in your official, social or personal activities
- a fascination or strong interest with a particular aspect of your work
- introduction to another person who takes a similar strong interest
- encouragement to participate in questionable or illegal activity
- offers of inappropriate hospitality or gifts.
6.4 When to complete a contact report
Employees should complete a contact report where they have contact with anyone, including foreign nationals, that seems suspicious, unusual or persistent in anyway or becomes ongoing.
Suspicious, unusual or persistent contact by foreign government officials or people who have direct links to a foreign government agency may be an attempt to obtain security or official information. Such contact could occur within Australia or overseas by individuals or groups, and in official or social circumstances.
Contact may be official, as part of a person’s role, social or incidental. It is not necessary to report contact as part of official meetings provided a formal corporate record (e.g. meeting minutes) is produced detailing the topics discussed. However, employees should complete a contact report where anyone, including a foreign national, seeks to establish social contact outside of official meetings, for example, through:
- invitations to attend functions
- written correspondence
- sport & recreation activities
- overseas travel
- visits to embassies, consulates or involvement with trade missions or other international events
- membership of international clubs, institutes, professional associations or friendship societies
- email requests
- phone calls – including unsolicited phone calls where the caller has obtained the employee’s details from an internet site
- training or study (e.g. language classes)
- social networking sites
- introductions via a third party.
Legitimate contact with foreign officials that might be required for your job does not need to be reported and this protocol is not intended to restrict legitimate official contact with foreign governments.
6.5 Submitting a suspicious contact report
Suspicious foreign contact may be reported to the Director, CSEMB. If required, the contact report may be made in writing, either by email or official report.
To request a Contact Report Form, contact the Manager, Protective Security, DPC.
6.6 Information to include in the contact report
- time, date and location of the contact/s
- name and nationality of the foreign contact and their official position, if known
- how the contact occurred, including how it was initiated and the occasion or function
- a summary of the conversation/s that occurred and any specific questioning or areas of interest
- any follow up activities that may have been arranged or other relevant information, such as documents provided, or undertakings made.
Suspicious foreign contacts should be reported even if no official information has been disclosed as the reporting can be used to inform broader patterns of contacts and suspicious behaviour.
You may also consider informing your Manager or the designated security officer in your department or agency.
6.7 After a contact report is submitted
The details of the reported contact will be assessed. If appropriate, the details of the contact report will be provided to ASIO and Victoria Police.
Glossary
Terms and definitions used throughout this guide.
ASIO Technical Note
Minimum guidelines for developing security zones in line with the PSPF.
Contact the Manager, Protective Security at DPC
Class A container
Protects information that has an extreme or catastrophic business impact level in situations assessed as high risk. These containers can be extremely heavy and may not be suitable in some facilities with limited floor loadings.
Class B container
Protects information that has an extreme or catastrophic business impact level in situations assessed as low risk.
They are also used for information that has a high or extreme business impact level in situations assessed as higher risk.
These containers are robust filing cabinets or compactuses fitted with combination locks. Class B container size and weight needs to be considered when selecting a location.
Class C container
Protects information up to an extreme business impact level in situations assessed as low risk. They are also used for information that has a medium business impact level in situations assessed as higher risk by the entity.
These containers are fitted with a SCEC-approved restricted keyed lock and are of similar construction to the lighter Class B containers.
Classified information
Material that a government body deems to be sensitive information that must be protected. Access is restricted by law or regulation to particular groups of people with the necessary security clearance and official need to know.
In this guide, references to classified information refer to handling PROTECTED, SECRET and TOP SECRET security classified information.
Clearance holder
Also called candidate or clearance subject. Sometimes depends on the status of the clearance.
Handing classified information
This guide uses various terms for accessing or handling security classified information.
Unless otherwise stated, handling security classified material or information includes to create, listen to, discuss, read, use, handle, access, store or dispose of security classified information.
Handling security classified material includes dealing with print, electronic and broadcast media, in all stages of its lifecycle, including generation, dissemination, storage and disposal.
National interest
The claims, objectives, goals, demands and interests which a nation/state always tries to preserve, protect, defend and secure in relations with other nations.
Protective Security Policy Framework (PSPF)
The PSPF(opens in a new window) assists government entities to protect their people, information and assets and provides guidance to support the effective implementation of the policy across the domains of security governance, personnel security, physical security and information security.
For material that has been generated by the Commonwealth, or that has a national interest apply the PSPF principles apply.
The PSPF is the national standard and should be used when there is any doubt over which Framework is applicable. The information in this guide is based on the PSPF.
Safes and vaults
Commercial safes and vaults provide a level of protection against forced entry. A vault is a secure space that is generally built in place and is normally larger than a safe.
A safe is normally smaller than a vault and may be moveable. Safes and vaults provide varying degrees of protection depending on the construction and may be used to store valuable physical assets.
Security container
A storage container for sensitive or security classified information or assets approved by the Security Construction and Equipment Committee. In this context, usually a Class B or Class C cabinet (filing cabinet, cupboard or similar).
Carries a different level of protection than a commercial safe or vault.
Security Construction and Equipment Committee (SCEC)
SCEC(opens in a new window) is a standing inter-departmental committee responsible for the evaluation of security equipment for use by Australian Government departments and agencies.
Victorian Protective Data Security Framework (VPDSF)
The VPDSF(opens in a new window) provides direction to VPS agencies or bodies on their data security obligations.
It may be used for material that has been generated at the State level.
Victorian Public Sector (VPS)
The VPS(opens in a new window) comprises the Victorian Public Service (Departments, Administrative Offices and Victorian Public Sector Commission) and Victorian Public Entities (Public Health Sector, Government Schools, TAFEs and other educational entities, Police and Emergency Services, Water and Land Management, and Arts, Finance, and Transport).
Resources
A list of resources referenced throughout the guide.
Title | Owner | Reference | |
Protective Security Policy Framework (PSPF) | Attorney General’s Department | Protective Security Policy Framework website | |
Victoria Protective Data Security Framework (VPDSF) |
Office of the Victorian Information Commissioner (OVIC) |
OVIC | |
Clearance Holder Obligations | Australian Security Intelligence Organisation (ASIO) | Contact CSEMB | |
Electronic Devices Overseas | Australian Security Intelligence Organisation (ASIO) | Contact CSEMB | |
Contact Reporting Scheme | Australian Security Intelligence Organisation (ASIO) | Contact CSEMB | |
Managing International Travel | Australian Security Intelligence Organisation (ASIO) | Contact CSEMB | |
Managing Visitors | Australian Security Intelligence Organisation (ASIO) | Contact CSEMB | |
How You Can Be Targeted Overseas | Australian Security Intelligence Organisation (ASIO) | Contact CSEMB | |
Protecting the integrity of our democracy against foreign interference |
Australian Security Intelligence Organisation (ASIO) | Contact CSEMB | |
Culture of Security | Australian Security Intelligence Organisation (ASIO) | Contact CSEMB | |
VPS Code of Conduct | Victorian Public Sector Commission (VPSC) | VPSC | |
Smart Traveller website | Department of Foreign Affairs and Trade | Smart Traveller(opens in a new window) |
Contacts
Details for who to contact in relation to specific issues on protecting and securing Victorian Government information and assets.
ISSUE | CONTACT | DETAILS |
Security breaches Confidential security matters Annual security briefing Protective security advice |
Manager Protective Security, Community Security and Emergency Management Branch (CSEMB), DPC |
|
Cyber security incidents |
Cyber Incident Response Service OR Australian Cyber Security Centre |
|
General security clearance matters | Protective Security Team, CSEMB, DPC | security.clearances@dpc.vic.gov.au |
Reporting suspicious contacts or activity |
Director, CSEMB, DPC OR Australian Government National Security Hotline |
|
Cabinet-in-Confidence material | Cabinet Office, DPC | |
Accessibility | security.clearances@dpc.vic.gov.au |