Protective Security (Personnel Security) Procedure · Web viewThis procedure will be available on...

D G D 1 7 - 0 1 0

ProcedureProtective Security (Personnel Security)

Contents

Contents……………………………………………………………….……………………………………………………….….

Purpose……………………………………………………………….………………………………………..……………………..3

Scope…………………………………………………………………………….…………………………..………..………………3

Roles and Responsibilities…………………………………………………………………………………..….……..….3-4

Procedure……………………..…………………………………………………………………………………..…..……..….4-5

Section 1-Police Checks & Security Clearances...……………………………………..……………………..……5

1.1 Police Checks…………………………………………………………………………..……………….……….5

1.2 Security Clearances…………………………………………………………………..…………………...5-6

1.2.1 Positions of Trust (POTs)……………………………………………………………..…………….……6

1.2.2 Designated Security Assessed Positions (DSAPs)……………………………..…….……....6

1.2.3Security clearances as a condition of employment…………………………..……..….…..6

1.3. Security Awareness Training…………………………………………………………………….......…7

1.4 Process for Obtaining a Security Clearances …………………………………………………….7

1.5 Refusal or Withdrawal of a Security Clearance………………………………………...….…7-8

1.6 Ongoing Personnel Security Management (‘Aftercare’)…………………………….….…..8

1.6.1 Changes in Personal Circumstances……………………………………………………….….…..8

1.7 Revalidation of clearances…………………….………………………………………………….….…..8

Section 2.Security Awareness Whilst Travelling Overseas on Official Business………..…….…8-9

2.1. Prior to Travel…………………………………………………………………………….………………….…9

2.2 During Travel……………………………………………………………………………………………………..9

2.3 After Travel………………………………………………………………………………………………….…….9

Section 3. Contact with Non-Australian Citizens and Official/Overseas Delegations…..……...9

Doc Number Issued Review Date Area Responsible Page Version

DGD17-010 Feb 2017 Feb 2020 BSS- CSSE 1 of 15 1.2

Do not refer to a paper based copy of this policy document. The most current version can be found on the ACT Health Policy Register

3.1 Contact with Non-Australian Citizens…………………………………………………………..9-10

3.2 Contact reporting Scheme……………………………………………………………………………..10

Section 4. Protection of People………………………………………………………………………………......……11

4.1 Employees……………..…………..……………………………………………………………...….…11-12

4.2 Court issued Protection Orders…………………………………………………….……….....……12

Implementation……………………………………………………………………………….....……………………..…….12

Related Policies, Procedures and Legislation………………………………….…………………......……12-13

Definition of Terms………………….…………………………………………………………………………….….....….13

Search Terms…………………………..……………………………………………………………………………….....……13

Attachments…………………………………………………………………………………………………………….....……13




Purpose

Due to the sensitive nature and confidentiality involving information and records related to a health services environment, combined with the information and data relevant to the operations of government business, the ACT Government has introduced a framework of security protocols encompassing Personnel Security (PERSEC) known as the ACT Government Protective Security Policy Framework (PSPF), From this framework the government has also developed the ACT Government Protective Security Vetting Policy 2016

In accordance with the ACT GOV Vetting Policy, and the ACT Health Protective Security Policy, this Personnel Security Procedure outlines the ACT Health framework of Personnel Security (PERSEC) protocols based on the agency’s security risk assessments, covering issues of staff identification and verification and identified roles subject to security clearances to ensure the agency’s information, data, resources and assets are protected and protocols developed to ensure the personnel security of staff, contractors, students and volunteers.

The protection of classified information and resources across ACT Government includes limiting access to those people whom the ACT Government assesses to be of suitable character, and whose work responsibilities specifically require them to access these resources. ACT Health determines suitability for such access to its employees through a robust assessment process.Scope

This PERSEC Procedure applies to all employees, students, contractors and volunteers of ACT Health and requires an integrated management approach between the ACT Health Agency Security Advisor (ASA), People and Culture Branch (P&C) and all business units to manage the ongoing requirements of Personnel Security across ACT Health.

ACT Health employees, contractors, students and volunteers are required to adhere to this procedure, which is complementary to, and should be read and implemented in conjunction with, the ACT Health Protective Security Policy and the ACT GOV Vetting Policy.




http://injacs/PSPF/SitePages/Home.aspx



Roles and Responsibilities

Role ResponsibilityDirector General Determine the Directorate’s governance

for Personnel Security Determine and endorse security clearances

for positions as recommended by the Agency Security Advisor

Senior Executives Positively influence the protective security behaviour of their personnel

Report any security concerns to the Agency Security Advisor

Agency Security Advisor Identify positions and roles within Health that require a security clearance and forward recommendations to the Director General.

Manage the security clearances register of the directorate.

Manage ongoing operational and administrative issues associated with security clearance holders.

Deliver protective security awareness training to all ACT Health staff.

People and Culture Branch Undertake all recruitment screening and police checks as part of the recruitment processes.

Record security clearance positions on recruitment files and follow recruitment guidelines specific to security assessed positions.

All staff Abide by the requirements of this Procedure

Report any suspicious contacts from foreign/over-seas persons to the Agency Security Advisor.

Staff holding security clearances, to advise the ASA of all intended overseas travel, whether official or personal.




Procedure

The ACT Government (and therefore ACT Health) collects, receives, exchanges and develops valuable information. Some of this information may need a security classification due to its sensitivity for the government and government agencies, or due to its commercial or privacy value for the people to whom it refers.

To protect the security of information and other official resources only personnel whose work responsibilities require access to the information should have access. This is known as the ‘need-to-know’ principle.

As well as controlling access to the information or resources, ACT Health needs to have confidence in the people who have access to the information. ACT Health must ensure employees, contractors and clients:

Are eligible to have access. Have had their identity established. Are suitable to have access. Are willing and able to comply with the standards that safeguard those resources

against misuse.

A key element of protecting these security classified resources and information from potential compromise is the security vetting procedure for staff members with access to those materials. Security vetting is conducted to ensure that an applicant is both eligible and suitable to be granted, as well as maintain, a security clearance. Personnel Security includes three major components:1. Identification of suitable staff to access agency information, resources and assets

(Vetting); National Police History Checks (NPHC) Referees checks Employment History checks National Security clearances (where deemed necessary)

2. Educating staff about their security responsibilities (security awareness, education and ethics); and

3. Monitoring and evaluation of staffs’ continuing suitability (ongoing NPHC where necessary).

Section 1. Police Checks & Security Clearances.

1.1 Police Checks




The minimum standard of identification verification for all potential ACT Health employees, staff, volunteers and students is the National Police History Check (NPHC). This is a mandatory requirement for all:

Prospective permanent appointees, fixed-term, temporary and casual employees, and

Contractors, volunteers and students on placement within ACT Health.

No employee, contractor, volunteer or student may commence work or a placement with ACT Health prior to a NPHC and issuing and assessment of a National Police Certificate. Regular, ongoing NPHC are required for persons within certain areas, for example, programs funded under the Aged Care Act 1997 (eg: Transition Care Program and the Aged Care Assessment Program). ACT Health PSSB instigates NPHC during recruitment and placement processes. Please refer to the ACT Health Policy Police Checks for further information.

1.2 Security clearance levelsACT Health employees who are responsible for the ongoing creation, use, handling, storage and disposal of security classified information and resources are required to hold a security clearance at the appropriate level.

Consistent with the Australian Government Vetting model there are four levels of security clearances within the framework, but only two of these have been adopted by the ACT Government.

ACT Health has determined that there are two (2) levels of security clearances required for some employees above the normal NPHC (that are conducted as part of the recruitment process). In line with the ACT GOV Vetting Policy these higher level clearances are deemed to be:

1. Positions of Trust (POTs) which require a clearance to the ‘Baseline’ standard;

2. Designated Security Assessed Positions (DSAPs) which require a ‘Negative Vet 1’ clearance.

ACT Health determines the level of assurance it requires against determined positions based on the ACT Health Enterprise Security Risk Assessment (ESRA). The ACT Health Agency Security Advisor (ASA) identifies and recommends to the Director General (DG) all positions identified as requiring a clearance. Once approved by the DG, the ASA establishes and maintains a register of POTs and DSAPs as part of the agency’s protective security framework. This list will remain confidential and can only be accessed on a ‘need to know basis.’

Security clearance levels

Baseline Vetting

Negative Vetting Level 1

Negative Vetting Level 2

Positive vetting




http://inhealth/PPR/Policy%20and%20Plans%20Register/Police%20Check%20Policy.docx

Designated Security Assessment Positions

1.2.1 Positions of Trust (POTs)-: Baseline Vetting – ongoing access to information or restricted resources classified PROTECTED or other situations where an agency might determine it needs a high level of assurance of a person’s suitability to perform a particular role.

1.2.2 Designated Security Assessment Positions (DSAP)-: Negative Vetting Level 1 – ongoing access to information or resources classified PROTECTED, CONFIDENTIAL and SECRET, or other situations where an agency might determine it needs a higher level of assurance of a person’s suitability to perform a particular role;

1.2.3 Security clearance as a condition of employment

If a position is identified as a POT or DSAP this notation is to be included in the position description and the recruitment advertisements. Applicants should be advised if a position requires a security clearance. The recruitment documentation, including letters of offer, must include a clause to the effect of:

“If you are selected for a Designated Security Assessment Position or a Position of Trust you will be required to undergo, and be granted, a security clearance. If a clearance is not granted your employment in the role will not commence or, if already commenced, you may be reassigned to another role not requiring a clearance.”

1.3 Security Awareness Training:

All employees who have been identified as holding a POT or DSAP position must undergo Protective Security Awareness Training upon their appointment available through CAPABILITI or the ACT Health Intranet Security website. (Please refer to the ASA for further information).

1.4 Process for obtaining a Security Clearance

1. When a position is identified by ACT Health as a POT or DSAP the position holder must obtain the necessary security clearance.

2. If the clearance is required as part of a recruitment process then this forms part of the recruitment.

3. Upon selection of either a new employee to ACT Health, or an existing employee transferring to or being promoted to a POT or DSAP, P&C contacts the ACT Health




ASA and inform them of the requirement of the relevant security clearance for the position holder.

4. If the position is designated as a POT the ACT Government processes that internally as part of the recruitment. If the position is a DSAP, the ACT Health ASA commences that process.

5. The ACT Health ASA contacts Justice and Community Safety (JACS) Security & Emergency Management Branch (SEMB) and makes the formal request.

6. The ACT Health ASA receives the formal notification from JACS and the appropriate electronic forms (SVA001) is sent to the applicant from the Australian Government Security Vetting Agency (AGSVA). If the applicant already holds a security clearance from another government department or agency then a request to transfer form (SVA002) is sent to the applicant.

7. The applicant completes all the required forms online and when completed, print them off and provide them to the ACT Health ASA with any and all required documentation.

8. The ACT Health ASA then forwards the application to JACS Security Emergency Management Branch (SEMB).

9. Upon advice from JACS that the security clearance has been approved, the ASA enters all the details into the ACT Health Security Clearance Register and advise P&C that the clearance has been approved.

10. If the request for a security clearance is declined by Australian Government Security Vetting Agency (AGSVA), this is referred back to the Executive Director of P&C for action.

1.5 Refusal or withdrawal of a clearance

If, during the vetting process, AGSVA identifies suitability concerns in relation to the granting of a security clearance then the applicant is offered an opportunity to mitigate the concerns. An explanatory letter is also forwarded to the Executive Director SEMB, who also advises the ACT Health ASA and the Executive Director P&C. If the applicant’s response does not mitigate the concerns to the satisfaction of AGSVA then the Executive Director SEMB is notified before any final decision is made.

Applicants unsatisfied with the security clearance assessment outcomes should contact the AGSVA Client Service Centre to be advised of the appeals procedure.

1.6 Ongoing personnel security management (‘Aftercare’)

All security clearance holders must be aware of their responsibilities to report any changes of personal circumstances to the Agency Security Advisor. While not all changes will be of security relevance, there are some changes in circumstance in which the decision to grant a clearance may need to be reconsidered.




1.6.1 Changes in personal circumstances

There are certain conditions that apply to security clearance holders that relate to changes in professional and personal circumstances. Clearance holders should report the following changes:

Entering into or ceasing a marriage or domestic partnership; Any overseas travel; Residence in foreign countries; Relatives residing in foreign countries; Changes in citizenship or nationality; Non-routine communication with employees of foreign governments; Significant changes in financial circumstances; Changes in health or medical circumstances; Involvement in criminal activity; and Security incidents.

1.7 Revalidation of clearances

A revalidation is a periodic review conducted to ensure that an individual is still suitable to hold a security clearance at the granted level. For clearances held with AGSVA, they initiate the revalidation after the required time unless notified by Health through JACS that the employee is no longer in a POT or DSAP or they have left the ACT Government. Baseline vetting clearances are revalidated by ACT Health every five (5) years.

Section 2. Security Awareness Whilst Travelling Overseas on Official Business

The risk associated with official travel overseas and the consequent loss of ACT Government information and/or resources must be considered when travelling. Advice must be sought from the ACT Health ASA (and/or JACS SEMB if necessary) when travelling overseas with ACT Government information and resources, both hard copy and electronic. Accountability and responsibility for the removal of resources remains with the individual officer and their manager. Failure to comply with these procedures may result in a loss of confidence in the ACT Government, with respect to the ACT Government’s ability to take appropriate care of official information and resources. Enquires relating to the application of these procedures can be directed to the ACT Health ASA.

2.1 Prior to Travel

Once travel has been approved by the Executive Director P&C in relation to the approval for overseas travel, refer to the Travel for Official Purposes and Associated Accommodation




Procedure and ACT Government Overseas Travel Fact Sheet (obtainable from the ASA). Requirements from the Travel for Official Purposes Procedure includes:

All ACT Government staff who travel overseas on behalf of the Territory must advise their Agency Security Adviser of their travel plans.

The Security Adviser may consult with JACS Security and Emergency Management Branch to ascertain if a specialist country briefing or overseas protective security Travel Management Services User Guide briefing is required. This may involve ASIO or other Commonwealth agencies.

Employees who hold a national security clearance are required to advise their Agency Security Adviser of all overseas travel, including personal travel. This information will be recorded on their personal security file.”

2.2 During Travel

Do not store or communicate information above the classification of the device. Maintain physical control over devices - it is strongly advised that the device is to

be kept in your possession at all times. Do not connect your device to an un-trusted computer or insert any removable

media. If the travelling officer identifies that equipment has been compromised, turn off

device and remove battery. Advise the ACT Health ASA as soon as practicable. For personnel security threats, the travelling officer is to secure themselves in a

safe place or seek refuge at the local embassy. Utlise DFAT Travel Advisories for specific in country information.

2.3 After Travel

‘Post Overseas Travel Briefing’ only occurs at the request of the travelling officer and/or when the travel destination has been listed as high risk or where an incident has occurred.

Section 3. Contact with Non-Australian Citizens and Official/Overseas Delegations.

3.1 Contact with Non-Australian Citizens Involvement or friendship with a non-Australian citizen can have its dangers. All ACT Government employees should be circumspect in all dealings with foreign nationals, especially when travelling overseas. In particular health professionals often and regularly have contact with overseas counterparts and employees need to be mindful of these interactions.




Extreme care should be taken in any of the following situations and personal involvement should be avoided wherever possible:

Excessive interest in the officer’s employment. Unusual contact with any foreign official. Proposals to maintain contact after an overseas visit. Personal invitations of any type.

3.2 Contact Reporting Scheme

ACT Health is host to various overseas delegations. Such delegations may visit or work temporarily within the ACT Government and may have unsupervised access to information resources. This unfettered access poses potential security risks and raises a number of serious protective security issues. Approaches, both overt and covert, may also be made to ACT Health officials from the local diplomatic or business community. While limited in number and duration, ACT Health also sends officials and staff abroad who may not be aware of the methods used by foreign governments and issue-motivated groups to obtain sensitive information. The ACT Government Contact Reporting and Awareness Scheme is a mechanism by which members of the public service report unsolicited requests for official information by people without a ‘need-to-know’. If any member of ACT Health believes that they have been compromised or approached then they should immediately contact the Health ASA. For further information refer to the ACT Government Contact Reporting & Awareness Scheme and the ACT Foreign Delegations Policy.

The Australian Security Intelligence Organisation (ASIO) manages the Australian Government Contact Reporting Scheme. Specifically, the Scheme assists ASIO in identifying intelligence or hostile activity directed against Australia and its interests, government employees and contractors, and people who hold an Australian Government security clearance. It also helps identify trends, including:

Information which is of interest to foreign intelligence services. Who is interested in this information? The methods the foreign intelligence services are prepared to use to collect the

information.

An ACT Health employee should complete an ACT Government Contact Report when they believe that they have been the subject of a contact, either officially or socially from either embassy or foreign government officials within Australia, or Foreign officials or nationals from outside Australia, and the contact seems suspicious, persistent or unusual in any respect, or becomes ongoing.

Note: Foreign officials could include trade or business representatives.




Additionally, employees should complete a contact report for instances when an individual or group, regardless of nationality, seeks to obtain official information they do not have a need to access in order to fulfill their work function.

If an employee believes they have been the subject of contact by a foreign national that meets the reporting criteria, they should report the incident to the ACT Health ASA.

Section 4. Protection of People

ACT Health’s employees are central to its ability to function and Health is committed to taking all reasonable precautions and procedures to protect all staff. In accordance with the ACT Work Health and Safety Act 2011, and the ACT GOV PSPF, ACT Health takes all reasonably practicable measures to mitigate possible security risks that have been identified through risk assessments, incident reports or by reports of violence or threats of violence reported by staff, whether directly or indirectly linked to the employee’s role with ACT Health.

4.1 Employees

ACT Health utilises risk assessments to determine when increased protection of staff is required beyond the normal protective security measures and procedures already in existence. These may be as a result of threats of violence made towards a staff member/s, a high risk, volatile consumer/patient receiving medical treatment at a Health facility, risks or threats associated with a patient/consumer receiving medical treatment (family domestic violence, drug addiction issues, gang affiliations etc) or possible threats/risk associated with Child Protection matters involving ACT Health.

There are also circumstances whereby staff members have been the subject of personal violence matters outside of work (possibly involving the police or court system) whereby Personal Protection Orders (PPOs) or Domestic Violence Orders (DVOs) may be in place and the staff member has fears of reprisals at their workplace.

In the case of increased security requirements for staff due to any concerns raised or issues identified through intelligence sources, ACT Health implements the following protocols to enhance the security of staff and the workplace: Advise employees of protective security measures and procedures. Inform employees about the purpose of security procedures and employee

responsibilities in implementing these procedures. Advise employees that in responding to a security incident they not take any actions that

would unreasonably jeopardise their personal safety. Inform employees about security incident reporting requirements.

4.2 Court Issued Protection OrdersDoc Number Issued Review Date Area Responsible Page Version



http://www.legislation.act.gov.au/a/2011-35/current/pdf/2011-35.pdf

In the circumstances where staff members have court issued protection orders for their personal protection and the conditions imposed by the courts include conditions which involve the employee’s workplace and or preclude the defendant from approaching the employee (protected person) at their workplace, the employee should take the following steps:

1. Advise their line manager of the existence of the protection order.2. Inform the Senior Manager Protective Security or Security Operations Manager of

the order and provide them with a copy of the order (in confidence) so that if there are any breaches against the protected person at an ACT Health facility, immediate action can be taken to protect the employee and escalated to ACT Policing.

Upon being informed of an employee’s Workplace Protection Order the Senior Manager Protective Security and or Security Operations Manager:

1. Liaises with the After Hours Hospital Manager in relation to all matters involving the protection of employees and Court issued Protection Orders.

2. Keeps a copy of the protection order on file (in confidence), should the order need to be referred to when dealing with any breaches or escalation to ACT Policing.

In extreme circumstances where there have been serious or ongoing threats of violence against an ACT Health staff member (S), ACT Health liaises with ACT Policing and the Government Solicitor’s Office (GSO) and apply to the Magistrate’s Court for a Workplace Protection Order against the perpetrator to protect staff. For further information refer to the ACT Health Violence and Aggression by Patients or Consumers-Managing ongoing issues SOP.

In the case of threats or acts of violence against ACT Health staff, in consultation with the Senior Manager Protective Security, the affected staff member should submit an incident report through RISKMAN that can then be escalated to ACT Policing if necessary.

Implementation

This procedure will form part of the ACT Health Protective Security Framework and should be read in conjunction with the ACT Health Protective Security Policy (PERSEC). This procedure will be available on the Health Security intranet site for all staff to access.

All ACT Health staff who hold a security clearance will be provided with protective security awareness training via Capabiliti.




http://inhealth/PPR/Policy%20and%20Plans%20Register/Violence%20and%20Aggression%20by%20Patients%20or%20Consumers%20-%20Managing%20Ongoing%20Issues%20SOP.docx

http://inhealth/PPR/Policy%20and%20Plans%20Register/Violence%20and%20Aggression%20by%20Patients%20or%20Consumers%20-%20Managing%20Ongoing%20Issues%20SOP.docx

Related Policies, Procedures, Guidelines, Frameworks, Standards and Legislation

ACT Government Protective Security Vetting Policy 2016 ACT Government Foreign Delegations Policy ACT Health Protective Security Policy ACT Health Violence and Aggression by Patients or Consumers-Managing ongoing

issues SOP. Australian Government Personnel security practitioners guidelines Australian Government Security clearance subjects guidelines ACT Government Protective Security Policy Framework (Personnel Security) ACT Public Service Code of Conduct 2012 Public Sector Management Standards 2006 ACT Government Contact Reporting & Awareness Scheme AS: 4811-2006: Employment screening HB: 323-2007: Employment screening handbook Public Sector Management Act 1994 (PSM Act) ACT Work Health and Safety Act, 2011

Definition of Terms

The use of ’employee’ or ’staff’ in this Procedure refers to: Ongoing and non-ongoing employees of ACT Health. Employees of service providers (contractors) requiring access to security classified

information, resources or restricted areas. Employees of other organisations to which ACT Health provides security classified

information or resources. Volunteers who perform work at an ACT Health facility in any capacity either

through a charitable organisation, a community based organisation or directly through involvement with ACT Health.

Search Terms

Personnel Security. PERSEC Designated Security Assessed Position DSAP Position of Trust PoTs Baseline




Vetting Security clearances

Attachments

ACT Government Protective Security Policy Framework (PSPF),

ACT Government Protective Security Vetting Policy 2016






Protective Security (Personnel Security) Procedure · Web viewThis procedure will be available on...

Documents

Transcript of Protective Security (Personnel Security) Procedure · Web viewThis procedure will be available on...