This snapshot, taken on 07/04/2010, shows web content selected for preservation by The National Archives. External links, forms and search boxes may not work in archived websites.
This is the third of seven Security Policies within the HMG Security Policy Framework (SPF); outlining the mandatory security requirements and management arrangements to which all Departments and Agencies (defined as including all bodies directly responsible to them) must adhere. This policy deals with:
The purpose of personnel security is to provide a level of assurance as to the trustworthiness, integrity and reliability of all HMG employees, contractors and temporary staff. As a minimum requirement all staff are subject to recruitment controls known as the Baseline Personnel Security Standard (BPSS). For more sensitive posts there are a range of security controls, referred to as ‘National Security Vetting’ (NSV): these are specifically designed to ensure that such posts are filled by individuals who are unlikely to be susceptible, for whatever reason or motive, to influence or pressure which might cause them to abuse their position.
Departments and Agencies must employ a risk management approach to Personnel Security in conformity with protective security principles, seeking to reduce the risk of damage, loss, or compromise of HMG assets by application of personnel security controls before and during employment. These controls do not provide a guarantee of reliability and must be supported by effective line management, nor should they be considered an alternative to the correct application of the ‘need to know’ principle or to access and information security controls.
MANDATORY REQUIREMENT 22
Departments and Agencies must, as part of their risk management approach to protective security, assess the need to apply personnel security controls against specific posts and the access to sensitive assets.
The BPSS is the recognised standard for HMG pre-employment screening. It forms the foundation for National Security Vetting and seeks to address identity fraud, illegal working and deception generally. The BPSS comprises verification of four main elements: 1)identity; 2) employment history; 3) nationality and immigration status (including the right to work); and, if a formal NSV clearance is not required for the post, 4) unspent criminal records. In addition, prospective employees are required to account for any significant periods spent abroad. Satisfactory completion of the BPSS allows regular access to UK RESTRICTED and UK CONFIDENTIAL assets, and occasional access to UK SECRET assets, provided an individual has a need to know.
MANDATORY REQUIREMENT 23
Departments and Agencies must apply the requirements of the Baseline Personnel Security Standard (BPSS) to all HMG staff (including the armed forces), and contractors and temporary staff.
In some cases, such as people taken on for very short periods of employment, or where local personnel are recruited overseas, it may not be practicable to meet the BPSS fully. In these instances the decision to accept the risk must be recorded. Verification of identity and right to work is a prerequisite that must be completed before the UK security clearance process is undertaken.
National Security Vetting is governed by HMG's statement of policy, made by the Prime Minister to Parliament on 15 December 1994. There are three levels of National Security Vetting: Counter-Terrorist Check (CTC), Security Check (SC) and Developed Vetting (DV). The need for vetting must be assessed against the requirements of each particular post. Vetting is required for those who have unescorted access to sites or work in close proximity to individuals assessed to be at risk of terrorist attack, who have access to information or assets which may be of value to terrorists, or have constant and frequent access to SECRET and/or TOP SECRET information or other assets, including the protectively marked assets of other nations and international organisations, the compromise of which could bring about the same degree of damage.
National Security Vetting involves a degree of intrusion into an individual's private life and must only be applied in accordance with HMG's statement of policy. For legal and policy reasons, it is not available on demand or on a speculative basis.
MANDATORY REQUIREMENT 24
Departments and Agencies must ensure that National Security Vetting is only applied where it is necessary, proportionate and adds real value.
MANDATORY REQUIREMENT 25
Departments and Agencies must follow the procedures for National Security Vetting as contained in supplementary material within the framework.
Permission for the relevant checks to be carried out is provided by an individual completing and signing a Security Questionnaire, indicating that they have read and understood HMG's policy statement on security vetting. It must be counter-signed by an appropriate member of staff from the sponsor organisation, indicating that checks are required for national security purposes. All organisations undertaking security vetting must ensure that they are covered by the provisions of the Security Service Act 1989 (Section2(3)).
In making vetting decisions, judgement must be exercised taking into consideration all the information obtained during the clearance process. The existence of one or more factors of concern does not necessarily or conclusively demonstrate unreliability or present an unmanageable risk. Vetting officers must take into account the nature, likelihood and credibility of the threat, and the vulnerability, sensitivity and impact of compromise of the particular assets concerned, as well as any mitigating factors. They must also make every effort to establish the facts and resolve any apparent discrepancies which are revealed, or doubts which arise before making a clearance decision. When a security risk is identified the vetting authority must decide whether or not the risk is manageable, and if so, provide advice to line management, taking into account that information may have been revealed or obtained in confidence.
MANDATORY REQUIREMENT 26
Only Government Departments and Agencies, or Police Forces can take security clearance decisions. They must make clear evidence based decisions taking into account all available information. They must be prepared to defend a decision if challenged.
If a clearance is refused or withdrawn for an existing HMG employee or a contractor, the Department or Agency must inform the individual of the fact and provide full reasons for that decision, unless there are demonstrable national security grounds for non-disclosure of the reasons. There is no requirement to inform applicants for employment (staff or contractors) of the fact or reasons for the refusal of a clearance, but this may be possible allowing for considerations of security and confidentiality, as it may impact on future employment applications.
Personnel security is an important element of an effective protective security regime as well as good overall management practice. The security clearance process only provides a snapshot of an individual at a particular time. The BPSS and National Security Vetting are the beginning of an ongoing and actively managed personnel security regime, which requires senior and line management support, awareness and education, and formal periodic reviews of security clearance.
MANDATORY REQUIREMENT 27
Departments and Agencies must have in place personnel security aftercare arrangements, including formal reviews of National Security Vetting clearances and the requirement to remind managers and individuals of their responsibility to inform the vetting authorities of any change in circumstance that may impact on the suitability to hold a security clearance.
Existing employees must be made aware of the organisation's internal appeals process, and, if the decision to refuse or withdraw clearance is upheld, of the option to appeal to the independent Security Vetting Appeals Panel (SVAP). The Panel is available to all those, other than external applicants for employment, in the public and private sectors and in the Armed Forces who are subject to National Security Vetting, have exhausted existing internal appeal mechanisms within their organisations and remain dissatisfied with the result. Separate arrangements are available to staff and contractors of the Security and Intelligence Agencies through the Investigatory Powers Tribunal (IPT). Individuals must be provided with details of how to apply to the Panel and be informed that appeals must be received within 28 days of the individual being informed of the internal appeal decision. In all such cases Departmental legal advisers must be consulted. The Security Vetting Appeals Panel will make recommendations to the Head of Department, who will take the final decision as to whether clearance is granted or not. Departments and Agencies must inform the Panel of subsequent action, but the Panel will not normally become involved in further examination of that action. The Panel is entitled to comment on the adequacy of any internal vetting appeals process.
External applicants for employment are not eligible to appeal against adverse vetting decisions either internally or to the SVAP, although applicants to the Security and Intelligence Agencies may apply to the IPT. Departments and Agencies should be aware that individuals may also seek to challenge vetting decisions through legal avenues.
MANDATORY REQUIREMENT 28
Departments and Agencies must have in place an internal departmental appeals process for existing employees wishing to challenge National Security Vetting decisions.
MANDATORY REQUIREMENT 29
Departments and Agencies must inform Cabinet Office Security Policy Division where an individual initiates a legal challenge in respect of a National Security Vetting decision.
MANDATORY REQUIREMENT 30
Departments and Agencies must record how many, and what type of security vetting clearances (CTC, SC, DV) have been undertaken on an annual basis, and also the number, and the outcome of, internal and independent vetting appeals. This should be included in the annual report to your Head of Department/Management Board.