PESEC-3: Managing separating people
Context
Purpose
The PESEC-3: Managing separating people policy and guidance will assist agencies to achieve an effective protective security outcome within the people security domain of the TAS-PSPF. They address core requirement 12 and its supplementary requirements.
Core requirement
Supplementary requirements
To provide secure management of separating people, the Accountable Authority will:
- ensure access to Tasmanian Government information and assets is withdrawn or modified according to changed government duties[2]
- ensure all agency items are returned accordingly – such items may include, but are not limited to, swipe access, ID passes, keys and IT equipment
- withdraw or transfer sponsorship of security‑cleared people, including eligibility waivers and conditional security clearance holders
- ensure separating people are reminded of their ongoing security obligations
- share information of security concerns with the appropriate stakeholder/s or authorities – this may be the Agency Security Advisor (ASA), the Security Clearance Sponsor, the authorised vetting agency, or the Australian Security Intelligence Organisation (ASIO)
- manage any residual risk associated with the employee’s departure.[3]
Agencies must apply prescribed and consistent management protocols for separating and transferring people, ensuring all access to agency information and assets is adjusted or terminated accordingly, safeguarding the integrity of Tasmanian Government information and assets. The TAS‑PSPF outlines what must be implemented by agencies to protect the integrity, confidentiality and availability of Tasmanian Government information and assets.
Guidance
Introduction
When a person leaves (separates from) your agency, they retain their knowledge of your business operations, intellectual property, official information and security vulnerabilities. Managing departures from your agency may reduce the risk of this knowledge being misused. Separating people have greater opportunity to harm your agency deliberately or accidentally, with fewer consequences than if they were still engaged by your agency, due to the limited ability for you to monitor, manage and support these people.
To limit the risks posed to your information, people and assets, your agency must implement risk-based processes to manage a person’s departure from the agency. This includes ensuring that any access, security passes and assets are returned, and that people understand their ongoing obligations.
Separation from your agency includes:
- resignation or end of contract
- transfer to another agency
- termination
- transfer either temporarily or permanently to another state or Australian Government agency
- taking an extended period of leave.
Required action: Withdraw or modify access as needed
Throughout their career, people often move within the Tasmanian Government. Sometimes this is within your agency or to another agency, for example through promotion, secondment or transfer. In these circumstances, you will be required to make a risk-based assessment of the modifications that are necessary to the person’s access to all facets of your agency. When considering the person’s ongoing access, you must first assess the movement and whether it should be considered a separation under this policy (PESEC-3).
Assessing the movement of your staff is a critical step in ensuring you protect your agency information, people and assets from compromise and harm. When conducting this risk-based assessment, it is recommended you consider the following:
- Has the person remained within your agency? If yes, what physical and ICT access changes are required? Modify access as necessary and cancel any access no longer required.
- Has the person separated (by transfer, resignation, secondment, contract cessation, termination or long-term leave)? If yes, cancel any access immediately upon separation.
Once a person separates from their role or your agency within the Tasmanian Government, their need for ongoing access to official information and resources also concludes. With this in mind, you must remove their access to both physical facilities and resources, including ICT systems. You should also recover any agency property in the person’s possession (e.g. credit card/s, key/s, vehicle).
It is recommended that you categorise the removal of access to ensure you maintain the ability to successfully remove all access that a person may have had. Examples of actions that may be necessary at different phases of separation are provided below.
Before separating:
- Recover ICT equipment and physical assets.
- Recover corporate credit cards/ID and other agency property.
- Recover anything in hard copy - originals and/or copies.
- Recover uniform/s.
After separating:
- Deactivate access to ICT systems, including email, telephone, voicemail and any cloud accounts. Ensure any additional external access has also been disabled.
- Remove physical access to facilities and resources – deactivate any access passes.
- Change or remove combinations or locks that the separating person had access to.
Required action: Ensure all agency items are returned
It is the responsibility of your agency to ensure a separating person returns all property that belongs to the agency. This includes ensuring all identification cards, access passes and keys are returned (including tools that allow remote access to information systems).
If your agency allows transfer of ownership of ICT equipment to separating employees, or the use of personal devices for work purposes, it is recommended that:
- any business-related documents are archived in accordance with your agency’s record management procedures
- all agency information is removed
- all agency software applications are removed and access disabled
- if deemed necessary, the content of the device's hard drive is erased entirely.
Refer to the box above for examples of actions that may be required for the removal of access before and after employee separation.
Required action: Withdraw or transfer sponsorship of security cleared people
Security clearances require sponsorship from an authorised agency in order to be deemed valid and active. In Tasmania, the authorised agency is the Department of Premier and Cabinet (DPAC). As highlighted in TAS-PSPF policy: Recruiting the right people (PESEC-1), you must identify the positions within your agency which require an active security clearance – this means that a person should have a valid security clearance only while they occupy one of these roles.
Your Agency Security Advisor (ASA) must review active agency security clearances regularly and provide confirmation to DPAC that those arrangements are to continue according to position requirements. When a person holding a security clearance separates from your agency, you must carry out the following activities, in addition to those mentioned previously:
- conduct an exit interview
- debrief them from any sensitive or security-classified information, which may include caveated and compartmented information
- withdraw authorisation for sponsorship of the security clearance and notify the clearance sponsor[4]
- the clearance sponsor is to advise the authorised vetting agency, who will update the clearance status according to separation circumstances.
If the separating person is transferring, either temporarily or permanently, to another Tasmanian Government agency, you must notify the clearance sponsor and where possible, provide details of the transfer.
Where the security‑cleared person is transferring to an organisation external to the Tasmanian Government, you must notify the clearance sponsor that the sponsorship is to be withdrawn. If the security clearance is still required, the person transferring and the receiving entity are responsible for ensuring the sponsorship is transferred correctly.
If your agency receives security‑cleared people from another Tasmanian Government agency, you must notify the clearance sponsor as to whether the sponsorship of the security clearance is still required. This will be referenced against the agency’s identified positions register and where sponsorship is still required, the ASA must provide confirmation to the clearance sponsor.
There may be circumstances where you receive security‑cleared people from sources external to the Tasmanian Government. In doing so, you must ensure sponsorship of the security clearance is transferred to the appropriate security clearance sponsor.
The box below provides recommended actions regarding managing security clearances and personal security files.
Permanent transfer
Actions for the gaining sponsoring agency
Before personal security file actions commence, the gaining sponsoring agency:
- identifies the level of security clearance required and whether the clearance subject has previously held a security clearance (including the agency that sponsored the previous clearance)
- obtains the clearance holder’s consent to share information where a current or previous clearance is identified
- requests permanent transfer of sponsorship of the security clearance – this will trigger the authorised vetting agency to commence permanent transfer of the personal security file.
Actions for the gaining vetting agency
Once it has received a request for the permanent transfer of a security clearance from the gaining sponsoring agency, the gaining vetting agency:
- requests the personal security file from the losing vetting agency[5]
- confirms the information in the personal security file meets the requirements for the requested level of security clearance, or commences a new vetting process if the sponsoring agency requires a clearance that is higher than the clearance held
- identifies and addresses concerns or anomalies in the personal security file at the time of transfer, including determining whether the concerns or anomalies warrant a review for cause
- confirms the transfer of the personal security file with the sponsoring agency, including if further actions will be undertaken before the transfer of sponsorship is finalised (i.e. sharing any concerns or conducting a review for cause).
Actions for the losing vetting agency
The losing vetting agency:
- facilitates transfer of the personal security file as soon as practicable following receipt of request from the gaining vetting agency[6]
- seeks consent from the clearance subject prior to transferring and sharing the personal security file.
Temporary transfer
Only transfer personal security files if necessary, for example:
- the position in the gaining sponsoring agency requires a higher security clearance
- the clearance expires during the transfer or secondment period.
[4] You must notify the clearance sponsor if the separation is the result of any misconduct or security incident or concern, which may impact the integrity of the individual’s security clearance. If there is a chance other agencies may be impacted by this outcome, the relevant REs should also be notified.
[5] Some entities have legal restrictions on the transfer of personal security files. For example, the Department of Defence cannot transfer the personal security files of current and former Regular or Reserve Australian Defence Force personnel, and ASIO can only transfer personal security files to other AIC entities. ASIO can only provide a statement of clearance to other vetting agencies. Psychological assessments may only be transferred to another appropriately qualified psychologist and only with the specific consent of the clearance holder.
[6] In some instances, it may not be possible to transfer personal security files immediately. This includes where people are still employed by the losing agency, are under investigation for a security breach or violation, are being revalidated, or are undergoing a review for cause.
Required action: Advise regarding ongoing security obligations
Your agency must advise separating employees of their ongoing security obligations associated with their former position. It is especially important that you remind separating employees about these obligations in relation to intellectual property[7] and where relevant, legislation.[8]
In circumstances where your agency identifies a higher risk associated with a specific position or person, it is recommended that this is managed through an exit interview where you can learn why a person is leaving or reaffirm any ongoing confidentiality agreements or obligations.
People who may have had access to sensitive or security-classified information must be debriefed prior to their separation from your agency. This is particularly relevant in circumstances where the person had access to caveats or compartmented information which require additional briefing and debriefing.[9]
[7] Any intellectual property invented or created as a result of an individual’s employment will remain the property of the Crown, unless otherwise agreed in writing between the Accountable Authority and employee.
[8] For example, Criminal Code Act 1995.
[9] As ongoing access to such information is strictly ‘need to know’, employees no longer requiring access must be debriefed by the caveat or compartment owner.
Required action: Share information of security concerns
Sharing of information relating to security concerns is an important component to the protection of Tasmanian Government information, people and assets. Further, it is the responsibility of your agency to identify who may need to be made aware of such information outside of your agency.[10]
The ASA must be notified of any proposed termination of employment resulting from misconduct. It is recommended that in these circumstances, separation procedures are implemented on the basis of a risk assessment and may include:
- immediate suspension of duties
- immediate removal of access to the agency and facilities
- escorting the person from the premises.
If any risk to another agency has been identified as a result of an incident, termination or during separation, you must notify the RE of the other agency if their interests or security arrangements could be affected.
If the separating person is transferring, either temporarily or permanently, to another state, territory or Australian Government agency, you must provide any relevant information of security concern to the new agency. This action assists combined efforts to ensure the right people have access to government information, people and assets.
In circumstances where there is information of security concern relating to a security clearance holder in your agency, you must provide this to the ASA who must in turn report to the clearance sponsor. The clearance sponsor will report to the authorised vetting agency, which will enable the clearance holder’s suitability to be re-assessed.
The clearance sponsor or authorised vetting agency may report information of security concern to ASIO, where required.
[10] Within legislative boundaries.
Required action: Manage residual risk associated with departure
In addition to their broader function, exit interviews provide the opportunity to remind the departing person of their obligations to protect your agency’s information. At the exit interview, ensure all confidential information and devices have been returned and deactivate all access codes and passwords.
Exit interviews provide a good opportunity for you to:
- discuss the person’s reason/s for leaving
- enable the separating person to confidentially express any security concerns relating to your agency procedures or colleagues
- glean the person’s attitude to your agency and people
- receive any agency property they hold.
In certain circumstances, employees will depart your agency without completing all required separation activities. This may be due to unforeseen circumstances or where the person refuses to participate.
In circumstances where requirements of the separation process are incomplete, you must undertake a risk assessment for any aspects of the person’s employment that have not been resolved.
If separation activities are incomplete, your agency must ensure all other requirements of this policy (PESEC-3) are applied, for example, removal of access to systems and facilities or cancelling of security clearance sponsorship.
For the purposes of this policy (PESEC-3), separation includes employees taking long-term leave. There is no defined period of time considered ‘long-term leave’. It is recommended that you take a risk-based approach to determine a period of long-term leave based on the risk tolerance and operational requirements of the agency, as well as the nature of the position.
References and resources
- Australian Government Security Vetting Agency
- Australian Government, Protective Security Policy Framework - Policy 14: Separating personnel (PDF)
- New Zealand Government, Protective Security Requirements, Personnel security
- South Australian Government, Personnel security policies
- Legislation, Criminal Code Act 1995
Version control and change log
First publication: April 2023
Revision: February 2024
Next review date: December 2024
Change log:
- V1.0 April 2023
  - Policy issued
- V2.0 February 2024
  - Definition: ‘core requirement’ updated
  - Definition: ‘originator’ updated
  - Definition: ‘protected information’ removed and replaced with ‘security classified’
  - Definition: ‘Responsible Executive’ added
  - Definition: ‘supplementary requirement’ updated