Australian Government - Attorney-General's Department

Protective Security Policy Framework


13 Ongoing assessment of personnel

Purpose

This policy describes how entities maintain confidence in their personnel's ongoing suitability to access Australian Government resources, and manage the risk of malicious or unwitting insiders. It is critical that entities are aware of changes in their employees' circumstances and workforce behaviours. This awareness is facilitated by effective information sharing and a positive security culture, recognising that security is everyone's responsibility.

Effectively assessing and managing ongoing suitability ensures that entities' personnel, including contractors, continue to meet eligibility and suitability requirements established at the point of engagement. This includes continuing to meet an appropriate standard of integrity and honesty.

Requirements

Core requirement

Each entity must assess and manage the ongoing suitability of its personnel and share relevant information of security concern, where appropriate.

Accountable authorities are responsible for determining their entity's risk tolerance and managing the security risks of their entity, including as they relate to the ongoing suitability of personnel to access Australian Government resources.

Sponsoring entities and authorised vetting agencies play a critical role in assuring ongoing suitability of personnel occupying positions that require access to security classified resources or additional levels of assurance. The supporting requirements detail the respective responsibilities of sponsoring entities and vetting agencies for assessing the ongoing suitability of security cleared personnel.

Supporting requirements

 

Supporting requirements for ongoing assessment of personnel

Requirement 1.
Security clearance maintenance Note i

  1. Sponsoring entities must actively monitor and manage the ongoing suitability of their security cleared personnel, including:
    1. collecting, assessing and sharing information of security concern
    2. conducting annual security checks with all security cleared personnel
    3. monitoring compliance with, and managing risk in relation to, clearance maintenance requirements for security clearance holders granted a conditional security clearance and reporting non-compliance to the authorised vetting agency
    4. reviewing eligibility waivers at least annually, before revalidation of a security clearance, and prior to any proposed position transfer.
  2. Vetting agencies must:
    1. share information of security concern about security clearance holders with sponsoring entities
    2. assess and respond to information of security concern about security clearance holders, which includes reports from sponsoring entities
    3. review the clearance holder's suitability to hold a security clearance, where concerns are identified (review for cause).

Requirement 2.
Security clearance revalidation

Vetting agencies must reassess a clearance holder's suitability to hold a security clearance by:

  1. considering their integrity (ie the character traits of maturity, trustworthiness, honesty, resilience, tolerance and loyalty) in accordance with the Personnel Security Adjudicative Guidelines (see the PSPF policy: Eligibility and suitability of personnel Annex A)
  2. revalidating minimum personnel security checks for a security clearance outlined below
  3. resolving any doubt in the national interest.

 

Minimum requirements for revalidation of security clearances
| Check / Security clearance level | Baseline Vetting | Negative Vetting 1 | Negative Vetting 2 | Positive Vetting |
|---|---|---|---|---|
| Revalidation undertaken at least every: | 15 years. | 10 years. | 5 to 7 years. | 5 to 7 years. |
| Updated personal particulars | ✓ Check required. | ✓ Check required. | ✓ Check required. | ✓ Check required. |
| Background check covering period since previous vetting | ✓ Check required. | ✓ Check required. | ✓ Check required. | ✓ Check required. |
| Referee checks | ✓ Check required. | ✓ Check required. | ✓ Check required. | ✓ Check required. |
| Digital footprint check | ✓ Check required. | ✓ Check required. | ✓ Check required. | ✓ Check required. |
| National police check | ✓ Check required, no exclusion. | ✓ Check required, full exclusion. | ✓ Check required, full exclusion. | ✓ Check required, full exclusion. |
| Financial history check | ✓ Check required. | ✓ Check required. | ✓ Check required. | ✓ Check required. |
| Financial statement check | Not applicable, check not required. | ✓ Check required. | ✓ Check required. | ✓ Check and supporting documents required. |
| Financial probity check | Not applicable, check not required. | Not applicable, check not required. | Not applicable, check not required. | ✓ Check required. |
| ASIO assessment | Not applicable, check not required. | ✓ Check required. | ✓ Check required. | ✓ Check required. |
| Security interview | Not applicable, check not required. | Not applicable, check not required. | ✓ Check required. | ✓ Check required. |
| Psychological assessment | Not applicable, check not required. | Not applicable, check not required. | Not applicable, check not required. | ✓ Check required. |

Entities must confirm any changes to a clearance holder's personal particulars using identification documents verified with the issuing authority by using the Document Verification Service for Australian issued primary identification documents.

A revalidation covers the period since the initial clearance or last revalidation was completed, unless there are significant concerns that raise doubts about the previous assessment.

Supporting requirements notes:
i Additional security clearance maintenance requirements for Positive Vetting clearance holders are contained in the Sensitive Material Security Management Protocol – Personnel Security – Positive Vetting Guidelines (SMSMP-PVG). The SMSMP-PVG is available to entity security advisors.


Guidance

Assessing and managing ongoing suitability

The potential for insiders (employees, contractors and others with access to Australian Government resources) to betray the trust placed in them presents an enduring security risk. Insiders who compromise security may be unwitting or malicious. Possible motives are complex and can be driven by a mix of personal vulnerabilities, life events and situational factors.

While pre-employment screening and security clearance vetting (as described in the PSPF policy: Eligibility and suitability of personnel) provide an assessment of a person's suitability at a point in time, ongoing awareness of changes in personnel's circumstances and workplace behaviours is essential to manage the risk of insider threat. The core PSPF requirement on ongoing assessment of personnel mandates entities assess and manage the ongoing suitability of their personnel. This means entities are responsible for ensuring their personnel remain suitable to access Australian Government resources for the entire period of their engagement.

Effective assessment of personnel's ongoing suitability relies on entities encouraging and facilitating reporting of concerns, as well as collating and assessing information on personnel from a range of sources, including their management and colleagues. The way entities assess and manage ongoing suitability will depend on:

  1. the type of personnel (employees and contractors, security clearance holders or uncleared personnel) within the entity
  2. their access to classified and unclassified Australian Government resources
  3. the entity's tolerance for security risks
  4. any risks that may be specific to the position
  5. the individual's personal risk profile.

Table 1 identifies entity procedures to assess and manage the ongoing suitability of personnel. Some of these may be built into existing performance management procedures. The Attorney-General's Department recommends entities' procedures for assessing and managing the ongoing suitability of personnel include periodic employment suitability checks, as well as mechanisms to support reporting of concerns.

 

Table 1 Procedures for assessing and managing ongoing suitability
| Procedure | Uncleared personnel (Note i) | Security cleared personnel |
|---|---|---|
| Building personnel security into performance management. Note ii | ✓ Minimum procedure for core requirement. | ✓ Minimum procedure for core requirement. |
| Periodic employment suitability check. Note iii | ✓ Minimum procedure for core requirement. | ✓ Minimum procedure for core requirement. |
| Annual security check. Note iv | Procedure recommended to support the core requirement. | ✓ Minimum procedure for Requirement 1a. |
| Contact reporting obligations. Note v | Procedure recommended to support the core requirement. | ✓ Minimum procedure for Requirement 1a. |
| Security incident reporting and follow-up. Note vi | Procedure recommended to support the core requirement. | ✓ Minimum procedure for Requirement 1a. |
| Collecting and assessing information on changes in personal circumstances. Note vii | Procedure recommended to support the core requirement. | ✓ Minimum procedure for Requirement 1a. |
| Annual reviews of eligibility waivers. Note viii | Not applicable, procedures not required. | ✓ Minimum procedure for Requirement 1a for holders of a clearance subject to an eligibility waiver. |
| Specific clearance maintenance requirements. Note ix | Not applicable, procedures not required. | ✓ Minimum procedure for Requirement 1a for holders of a conditional clearance. |
| Positive Vetting maintenance obligations in accordance with the SMSMP-PVG. | Not applicable, procedures not required. | ✓ Minimum procedure for Requirement 1a for Positive Vetting holders. |

Table 1 notes
i Entities may choose to apply assurance measures for security cleared personnel to all entity personnel, based on the assessment of and tolerance for risk. Effective ongoing assessment of personnel may trigger consideration of other risks including fraud, corruption and breaches of legislation (including provisions in the Public Service Act 1999, eg the APS Code of Conduct). Note that, in the absence of an authorised vetting agency, entities will have to assess and manage security concerns for uncleared personnel themselves.
ii For guidance on building personnel security into performance management, see Performance management.
iii For guidance on periodic employment suitability checks, see Periodic employment suitability checks.
iv For guidance on annual security checks, see Annual security check.
v For guidance on contact reporting obligations, see Contact reporting obligations.
vi For guidance on security incident reporting and follow-up, see Security incident reporting and follow up.
vii For guidance on collecting and assessing information on changes in personal circumstances, see Collecting and assessing information on changes in circumstance.
viii For guidance on annual reviews of eligibility waivers, see Annual review of eligibility waivers.
ix For guidance on specific clearance maintenance requirements, see Specific clearance maintenance requirements.


Security clearance maintenance

Security clearance maintenance requirements are in addition to ongoing suitability measures that apply for all personnel.

Ensuring the ongoing suitability of security cleared personnel to hold an Australian Government security clearance is the joint responsibility of vetting agencies, the sponsoring entity and the individual clearance holder. Requirement 1 details the respective roles and responsibilities of vetting agencies and sponsoring entities for security clearance maintenance; this includes specific clearance maintenance requirements for holders of conditional security clearances and clearances subject to eligibility waivers. For security cleared personnel:

  1. sponsoring entities are responsible for assessing how information relates to an entity's security risks, as well as a person's suitability for employment by the entity. This is particularly relevant where there are entity-specific employment requirements, such as a zero-tolerance drug and alcohol policy.
  2. authorised vetting agencies are responsible for assessing how information relates to an individual's suitability to hold a clearance.

The core PSPF requirement on ongoing assessment of personnel mandates that entities share relevant information of security concern. The assessment of whether information is relevant or of security concern can only be made by the entity assessing that concern. Requirement 1 clarifies that sponsoring entities and vetting agencies must share all information relating, or appearing to relate, to the ongoing suitability of personnel so the entity receiving the information can determine whether it is relevant.

Performance management

Entity performance management programs provide an avenue for supervisors and line managers to assess and report on the ongoing performance of personnel. Performance management programs may also be used for the assessment and management of ongoing suitability, including identifying personnel who display behavioural concerns such as disregard for entity security procedures.

Entities are encouraged to embed security considerations into their annual performance appraisals by seeking confirmation from:

  1. individuals that they have reported any change of circumstances, such as:
    1. changes to details provided during the pre-employment screening (eg criminal charges)
    2. inappropriate contacts or contacts of concern
    3. real or perceived conflicts of interest
  2. line managers that there are no unreported security concerns about the individual.

The Attorney-General's Department recommends entities provide line managers with guidance on identifying behaviours of concern and engaging in effective conversations about personnel security within the context of performance management. Examples include confirming compliance with mandatory security awareness training, and ensuring understanding of reportable incidents and the contact reporting scheme. It is also important to identify gaps in knowledge about security, particularly where specialist knowledge or training is required to address entity-specific risks or in relation to compartmental briefings.

Where security concerns are identified as part of performance management, entities are encouraged to undertake additional employment suitability checks to assess whether the concerns are relevant to the person's ongoing suitability to access Australian Government resources. Identifying security concerns may trigger incident reporting obligations under the PSPF Governance core requirements.

For security clearance holders, security concerns could affect their suitability to hold a security clearance. Where concerns are identified, the Attorney-General's Department recommends that clear processes be developed for line managers to provide this information to security advisors responsible for entity personnel security, and for the security advisors to provide the information to the vetting agency.

Central human resources areas may also have knowledge of performance concerns through line manager reporting or analysis of employment data, such as unexplained absences or unplanned leave. These performance concerns could be indicators of other personal issues that can lead to security concerns, for example alcohol or drug abuse, or financial difficulties. The Attorney-General's Department recommends developing procedures and providing guidance for human resources areas to support information sharing arrangements and assist with identifying and communicating information.

The relationship between performance issues and security concerns is complex. It is important that entities do not misuse the security clearance process to address performance issues (eg referring security concerns to the vetting agency in the hope that a security clearance may be withdrawn). Performance management processes or investigations do not preclude entities from providing the authorised vetting agency with information about security relevant performance issues.

Periodic employment suitability checks

Pre-employment screening provides the foundation of good personnel security and reduces the risk of an insider harming business operations. Pre-employment screening checks can be repeated periodically over the course of a person's employment to inform an assessment of ongoing suitability. The Attorney-General's Department recommends entities determine the frequency of these periodic employment suitability checks based on the entity's risk profile as well as specific risks associated with the position, any associated enabling legislation and the entity's operating environment. Table 2 describes a range of recommended periodic employment suitability checks.

 

Table 2 Periodic employment suitability checks
Check Description

Updating personal particulars

Personnel may be asked to periodically update their personal particulars. This could include:

  • updating residential address history
  • updating any qualifications
  • updating employment history for contractors.

It may be useful to verify changes to personal particulars through independent sources, including the Document Verification Service if there are changes to Australian-issued primary identification documents.

Confirming adherence to, or completion of, engagement conditions

Where conditions have been placed on an initial or continuing engagement (eg gaining Australian citizenship), confirm those conditions have been met within specified timeframes.

National police check

If police checks are conducted less frequently than every 10 years, convictions under the Spent Convictions Scheme may not be included. The Attorney-General's Department recommends a police records check at least every 10 years; the frequency may be increased for high-risk positions or personnel.

The Spent Convictions Scheme applies to spent convictions where a waiting period has passed and the individual in question has not re-offended. The conditions that apply to convictions for a Commonwealth, state, territory or foreign offence are:

  • it has been 10 years from the date of the conviction (or 5 years for juvenile offenders)
  • the individual was not sentenced to imprisonment for more than 30 months
  • the individual has not re-offended during the 10 year (5 years for juvenile offenders) waiting period
  • a statutory or regulatory exclusion does not apply.

The scheme also protects convictions that have been set aside or pardoned under Part VIIC of the Crimes Act 1914. An individual whose conviction is protected does not have to disclose the conviction to any person, including a Commonwealth authority.

Credit history check

Where an entity's risk assessment deems that it requires assurance of a person's financial situation, periodic financial screening (including a credit history check) may provide indicators of financial stressors.

Conflict of interest declaration

APS employees have an obligation under section 13 of the Public Service Act 1999 to disclose and take reasonable steps to avoid actual or perceived conflicts of interest. The Attorney-General's Department recommends reconfirming with personnel that any changes in their circumstances have not resulted in any actual or perceived conflict of interest. For further advice, see the Australian Public Service Commission publication Conflict of interest.

Confidentiality agreement

Periodic completion of confidentiality or non-disclosure agreements helps remind personnel of their ongoing confidentiality obligations.

Other entity-specific checks

Personnel who are in positions subject to entity-specific pre-employment checks may have these checks periodically repeated. Examples of entity-specific checks include drug and alcohol testing, financial probity checks and psychological assessments. For information, see the Australian Public Service Commission publication Conditions of engagement.


Annual security check

Requirement 1aii mandates that entities conduct an annual security check with all security cleared personnel. An annual security check addresses:

  1. the person's compliance with general security clearance obligations, as well as any specific clearance maintenance obligations associated with a conditional clearance. General security clearance obligations for clearance holders include compliance with entity security procedures, in particular:
    1. reporting:
      1. changes in circumstances
      2. security incidents
      3. suspicious, ongoing, unusual or persistent contacts
    2. completing security awareness training
  2. the person's workplace behaviours to identify behaviours of concern.

An annual security check provides an opportunity to discuss any identified behavioural concerns, improve awareness and understanding of security obligations, and reinforce a positive security culture.

The Attorney-General's Department notes that line managers are well placed to conduct an annual security check as they are likely to have the best knowledge of their personnel's behaviour. Where appropriate, checks may be conducted in consultation with a security advisor or an appropriate representative from the entity's human resources area. This may be particularly relevant where specific clearance maintenance obligations exist.

Entities may include the annual security check as part of their annual performance management process or as a stand-alone requirement. The annual security check does not replace an entity's responsibility to monitor and evaluate ongoing suitability through performance management, including code-of-conduct investigations.

If the sponsoring entity's annual security check identifies any security concerns about a security clearance holder, Requirement 1a mandates entities share that information with the relevant authorised vetting agency in addition to reporting any changes in circumstances, security incidents, and suspicious, ongoing, unusual or persistent contact reports as they occur.

Personnel holding a Positive Vetting security clearance are subject to additional requirements for annual security appraisals. These are set out in the SMSMP-PVG.

Contact reporting obligations

Reporting suspicious, unusual or persistent contacts, as well as contact with foreign nationals that becomes ongoing, is one means to address the enduring threat that espionage poses to the Australian Government.

Contact reporting obligations are set out in the PSPF policy: Management structures and responsibilities. These reporting obligations are relevant when assessing ongoing suitability of personnel. Reports of suspicious, ongoing, unusual or persistent contacts may inform an entity's risk assessment in relation to an individual, a position or a work area. Non-compliance with contact reporting obligations is a security concern. In accordance with Requirement 1a, sponsoring entities are required to share information about suspicious, unusual or persistent contacts with the authorised vetting agency in addition to forwarding reports to ASIO.

Security incident reporting and follow up

Managing security incidents and investigations helps monitor security performance, identify inadequacies in security procedures and detect security risks in order to implement appropriate treatments. At the individual level, a history of security incidents (regardless of their individual scale or significance) may raise questions about a clearance holder's suitability to retain access to Australian Government resources.

The PSPF policy: Management structures and responsibilities Requirement 2 mandates that entities establish procedures for managing security incidents. In accordance with Requirement 1a, entities must share information on security incidents relating to a security clearance holder with the relevant authorised vetting agency.

Collecting and assessing information on changes in circumstance

Reporting changes in circumstance helps entities assess personnel security risk based on current and relevant information. Early identification of changes in risk profiles can prevent smaller issues from becoming larger problems. At the individual level, this means encouraging and enabling self-reporting of changes in circumstance by personnel. At the entity level, this means having effective procedures to collect, assess and manage reported changes in circumstances.

Vetting agencies grant security clearances after careful consideration of the whole-of-person assessment at the time of granting the clearance. However, as circumstances change over time, this may affect ongoing suitability of a person to hold a clearance. Changes in circumstances may:

  1. increase a person's vulnerability to coercion
  2. lead to deliberate breaches of security, fraud or corruption
  3. be used by foreign governments, commercial organisations, issue-motivated groups, criminal organisations or others to induce personnel into providing information or goods belonging to the government.

In accordance with Requirement 1a, sponsoring entities must share information on any changes in circumstances of a clearance holder with the relevant authorised vetting agency. Table 3 provides guidance on entity responsibilities for assessing and managing changes in circumstances.

 

Table 3 Guidance on reporting changes in circumstance
Reporting obligation Description

What changes in circumstance to report

Changes in circumstance are reportable where there are:

  1. changes of name/identity (gender)
  2. changes in significant relationships
  3. changes in address or share-housing arrangements
  4. entering into, or ceasing, a relationship (marriage, civil union or de facto)
  5. changes in citizenship or nationality
  6. changes in financial circumstances
  7. changes in health or medical circumstances
  8. changes in criminal history, police involvement and association with criminal activity
  9. involvement or association with any group, society or organisation
  10. disciplinary procedures
  11. drug or alcohol problems
  12. residence in, or visits to, foreign countries
  13. relatives residing in foreign countries
  14. suspicious, persistent or unusual contacts (for information, see Contact reporting obligations)
  15. any other significant changes in circumstance.

This list is not exhaustive. If personnel are uncertain whether the information is relevant, report it to the line manager, Chief Security Officer or a security advisor responsible for personnel security.

How to report changes in circumstances

The Attorney-General's Department recommends entities:

  • make clear the process and responsible area within their entity where clearance subjects report any change in circumstances
  • require clearance holders to report all changes in circumstances to the identified area
  • require line managers to report all changes in circumstances relating to their clearance holder personnel, regardless of whether they believe changes have been notified by the clearance subject
  • encourage all staff to advise line managers of significant changes in circumstances (noting this may not always be appropriate).

Under the PSPF policy: Management structures and responsibilities, entities must provide security awareness training and establish procedures for managing security incidents. Consistent with that policy, the Attorney-General's Department recommends security awareness training cover entity procedures to report changes in circumstance in a manner that enables, encourages and facilitates timely reporting.

Who reports changes in circumstances

Where personnel fall into more than one listed category, report in accordance with all applicable categories:

  • Security clearance holders report changes in their circumstances
  • Line managers and contract managers report any concerns with personnel they manage
  • Human resources areas report any employment-related concerns or investigations, including those related to breaches of the Code of Conduct
  • All personnel report concerns about other individuals where it may affect entity security.

The Attorney-General's Department recommends consideration is given to ensuring personnel feel able to report concerns about their managers.

What to do with information on changes in circumstances

When an entity is advised about an individual's change in circumstances, the entity considers that information for the purposes of assessing and managing the ongoing suitability of that individual, and shares information of security concern, where appropriate.

Requirement 1a mandates entities share all reports of changes in circumstances relating to clearance holders with the relevant authorised vetting agency, which may initiate actions in relation to the person's security clearance. The vetting agency will notify the sponsoring entity to allow it to manage any associated risks.

Entities assess all reports of changes in circumstances to identify whether there are any security concerns for the entity, and respond to those concerns in accordance with entity procedure. If there are potential security concerns as a result of changes in circumstances, there are different avenues that can be pursued by the sponsoring entity. These include:

  • security investigations
  • code-of-conduct investigations
  • criminal investigations.

Where an allegation of security concern is received, an investigation by the sponsoring entity or the vetting agency may validate the report. It is important that entities do not prejudice the person in question, as some claims can be malicious. For information, see the Australian Privacy Principle 10 – quality of personal information.

Where a sponsoring entity's investigation brings to light any additional information of security concern, Requirement 1a mandates this information be shared with the relevant authorised vetting agency.


Specific clearance maintenance requirements

Where there are ongoing concerns about a clearance subject's suitability to hold a security clearance, but they are not sufficient to deny the clearance, an authorised vetting agency may, after consultation with the sponsoring entity, recommend specific clearance maintenance requirements to mitigate these concerns (see the PSPF policy: Eligibility and suitability of personnel). A security clearance that is subject to specific clearance maintenance requirements is a conditional clearance.

Requirement 1aiii mandates that sponsoring entities monitor security clearance holders granted a conditional clearance to ensure compliance with the specific clearance maintenance requirements and manage any related risks. Sponsoring entities are also required to report any non-compliance to the authorised vetting agency. Requirement 1bi mandates that vetting agencies share information of security concern about security clearance holders with sponsoring entities. In the case of conditional clearance holders, this information is essential for sponsoring entities to effectively identify and manage any risks related to the conditional clearance.

Annual review of eligibility waivers

Requirement 1aiv mandates that sponsoring entities review security clearance eligibility waivers at least annually and before revalidation of a security clearance.

An eligibility waiver is role-specific, non-transferable, finite and subject to review. In other words, the waiver applies only while the clearance holder remains in the position for which the clearance was granted. The waiver does not follow the clearance holder to any other position without review. An eligibility waiver is not open ended and is subject to regular review to confirm that there is a continuing requirement for the waiver.

It is important that personnel with clearances subject to a waiver (as well as their line manager and, potentially, co-workers) are informed of the limitations and conditions of the security clearance. For information, see the PSPF policy: Eligibility and suitability of personnel.

Clearance maintenance for personnel on secondment or temporary assignment

The Attorney-General's Department recommends that entities explicitly agree on security clearance arrangements for personnel who are seconded, or are on temporary assignment, before the secondment or assignment commences. It may be appropriate to transfer sponsorship of the security clearance to the receiving entity for the period of the secondment or assignment (depending on the length of time and the level of access still required to the losing entity's resources). For information, see the PSPF policy: Separating personnel.

In accordance with Requirement 1a, the losing and receiving entities are required to share information of security concern about the clearance holder with each other and with the relevant authorised vetting agency. This includes concerns identified after the secondment or temporary assignment concludes.

Ongoing assessment of security cleared personnel

Only authorised vetting agencies can make a determination about an individual's suitability to hold a security clearance. However, vetting agencies can only assess an individual's suitability based on the information available to them – this is why the effective sharing of information of security concern is so important.

Sponsoring entities are the critical repositories of information about a clearance holder's current circumstances and are best placed to provide the most current security-related information to the authorised vetting agency. Vetting agencies can then fulfil their responsibilities under Requirements 1bii and 1biii to assess and respond to information of security concern about security clearance holders. This includes reviewing the clearance holder's suitability to hold a security clearance where concerns are identified through the review for cause process.

Effective information sharing over the life of a security clearance will also make it easier for clearance holders and vetting agencies to compile the necessary information to conduct a revalidation of a security clearance. Where changes in circumstances and other information relevant to determining a person's suitability to hold a security clearance have already been considered by the vetting agency at the time they occurred, these assessments can inform the vetting agency's determination at revalidation.

Requirement 1bi mandates that vetting agencies share information of security concern about security clearance holders with sponsoring entities. This allows sponsoring entities to manage risks related to the clearance holder's ongoing access to Australian Government resources.

Review for cause

Requirement 1biii mandates that authorised vetting agencies review a clearance holder's suitability to hold a security clearance where concerns are identified. This process is known as a review for cause. Concerns may arise from:

  1. advice from the clearance subject of a change in circumstances
  2. concern raised by the clearance subject's sponsoring entity
  3. a security incident involving the clearance subject
  4. other information or advice of concern received by the vetting agency about the clearance subject.

A review for cause may entail an investigation into specific security concerns in the context of the whole person, or may prompt bringing forward a full revalidation of the security clearance (see Revalidations). In conducting a review for cause, vetting agencies are encouraged to:

  1. assess if a review for cause is warranted
  2. check with the sponsoring entity whether an ongoing investigation is underway that might be compromised by the review for cause and negotiate how to proceed
  3. advise the clearance subject prior to starting any reviews for cause and provide the reasons for the review
  4. undertake the checks required to resolve the concerns that led to the initiation of the review for cause, for example:
    1. targeted checks to resolve an issue
    2. a full revalidation if the concerns are wide ranging
  5. advise both the clearance subject and the sponsoring entity of the review for cause outcome.


ASIO-initiated review of ASIO security assessment

All security clearances at the Negative Vetting 1 level and above are subject to an ASIO security assessment. An authorised vetting agency may request an ASIO security assessment for a Baseline security clearance if there are any concerns that may impact on the national interest.

ASIO can initiate a new security assessment at any time in response to new information.

At any time, ASIO may provide preliminary advice to a Commonwealth entity regarding the subject of an ASIO security assessment pending the issue of that assessment.

Section 39 of the Australian Security Intelligence Organisation Act 1979 (ASIO Act) permits Commonwealth entities to take appropriate action (such as suspending a person's security clearance and preventing ongoing access to classified information) if the Commonwealth entity is satisfied, on the preliminary advice from ASIO, that it is necessary to take that action as a matter of urgency due to requirements of security. Section 39 of the ASIO Act requires that any such action is temporary, pending receipt of an ASIO security assessment. Section 39(1) of the ASIO Act prevents Commonwealth entities from taking prescribed administrative action on the basis of preliminary advice from ASIO.

ASIO will liaise with the Commonwealth entity and the relevant vetting agency when intending to provide advice under section 39 of the ASIO Act, including where an ASIO review of an existing security assessment indicates security concerns.

Revalidations

Revalidation assesses a clearance holder's ongoing suitability to hold a security clearance by repeating many of the checks undertaken to determine their initial suitability, and again considering the clearance holder's integrity in accordance with the Personnel Security Adjudicative Guidelines. For information, see the PSPF policy: Eligibility and suitability of personnel Annex A.

Requirement 2 mandates that authorised vetting agencies reassess a clearance holder's suitability to hold a security clearance at specified intervals, depending on the level of the security clearance. Requirement 2 specifies that minimum required checks must cover the period since the initial clearance or last revalidation was completed. This is unless there are significant concerns about the previous assessment that would warrant covering a period up to and including the initial checkable period. For the purposes of assessing whether a clearance subject has an uncheckable background, the relevant checking period:

  1. for Positive Vetting is the greater of 10 years or from the age of 16
  2. for Negative Vetting 2 is 10 years.

The PSPF policy: Eligibility and suitability of personnel states that a clearance subject may be assessed as having an uncheckable background when the vetting agency cannot complete the minimum checks and inquiries or, where able to be made, these checks and inquiries do not provide adequate assurance about the clearance subject's life or background. This means that a person who holds a current security clearance could be assessed as requiring a checkable background eligibility waiver from their sponsoring entity in order for the vetting agency to revalidate the security clearance. In accordance with Requirement 2e of the PSPF policy: Eligibility and suitability of personnel, an accountable authority may waive the checkable background requirement for a security clearance if there is an exceptional business requirement and after conducting a risk assessment. For information, see Eligibility for a security clearance of the PSPF policy: Eligibility and suitability of personnel. In cases where a waiver has been requested, the vetting agency retains the right to decline the clearance request.

Vetting agencies commence the revalidation process sufficiently before the due date so that the security clearance does not lapse. Where new security concerns are identified during the revalidation process, the allowed time may not be sufficient. Requirement 1bi requires vetting agencies to share information of security concern about security clearance holders with sponsoring entities, including so that the sponsoring entity can suspend or limit the clearance holder's access to Australian Government resources until the concerns are resolved.

The Attorney-General's Department recommends vetting agencies contact the sponsoring entity before commencing the revalidation of a security clearance to confirm the continuing security clearance requirements. Entities are responsible for identifying and recording positions that require a security clearance and the level of clearance required. In addition, entities must ensure each person working in an identified position has a valid security clearance issued by an authorised vetting agency. This responsibility extends to where a clearance holder's duties or role has changed. If a higher level clearance is required, a new clearance process will be necessary. For information, see the PSPF policy: Eligibility and suitability of personnel.


Information sharing

The core PSPF requirement on ongoing assessment of personnel mandates that entities share information of security concern, where appropriate. This includes sharing information between line managers, human resources areas and security advisors as well as sharing information between sponsoring entities and vetting agencies. This requirement is relevant to information sharing in relation to transfers of personnel, including temporary and permanent transfers within entities and to other entities. Information covered by this requirement includes all information relevant to an individual's ongoing suitability for employment or to hold an Australian Government security clearance. Information sharing may be limited by legislation, including the Australian Privacy Principles and an entity's enabling legislation.

Consent

Sharing relevant information, even when it is sensitive personal information, does not breach an individual's privacy provided that informed consent is received and the information is used for the purpose for which consent was given. It is therefore critical that entities obtain informed consent from all personnel (existing and potential) to share sensitive personal information with other entities and vetting agencies for the purposes of assessing their ongoing suitability. The Attorney-General's Department recommends that consent is obtained at key information collection points, such as pre-employment screening and application for a security clearance, and updated at reasonable intervals, such as when conducting periodic employment checks and revalidation of a security clearance.

In some circumstances, there is a reasonable expectation that personal information will be shared, such as when an individual's information is crucial to rectify a security incident.

Security culture and information sharing

A well-developed culture of security encourages information sharing by personnel about the risks to themselves and their colleagues. Information sharing is dependent on an entity's aim to help manage concerns with their personnel before they escalate into an incident. While the focus is on prevention, entities are encouraged to have a clear, published and consistently enforced security regime that investigates and penalises inappropriate conduct. For information, see the PSPF policy: Management structure and responsibilities.


Find out more

Other legislation, policies or contacts include:

​​
