Minimum standards, requirements and guidelines to provide a safe and secure work environment for all employees and visitors, including clients and contractors.
All staff must follow occupational safety and health standards published under law and by their agency. Agencies located within the same building must use the same security access control system.
Workplaces need to meet any security requirements published by the New Zealand Security Intelligence Service.
The Protective Security Requirements (PSR) outline the government’s expectations for managing personnel, as well as physical and information security. They include mandatory requirements that all government agencies must implement to:
As part of its role, the PSR aims to ensure that each agency’s security capability aligns with the risk environment they work in. The PSR has developed a security capability maturity model to help agencies work this out. Agencies should use it to self-assess both their current security capability and their desired future state.
The model can be downloaded from the Protective Security Requirements website, along with other tools and templates.
Capability Maturity Model for Protective Security [PDF 743KB] – Protective Security Requirements
To make sure your agency is physically secure, you must provide clear direction on physical security through the development of policy and an agency security plan.
Have in place policies and protocols to:
Fully integrate physical security early into the process of planning, selecting, designing and modifying your facilities.
Make sure any proposed physical security measure or activity is consistent with the relevant health and safety requirements.
You also need to show a duty of care for the physical safety of the public interacting with the New Zealand Government. Where an agency’s function involves providing services, the agency must ensure clients can transact with the government with confidence about their physical wellbeing.
Your physical security measures must minimise or remove the risk of information assets being made inoperable, inaccessible or improperly accessed or used. Develop plans and protocols to move up to heightened security levels in cases of emergency and increased threat.
The New Zealand Government may direct its agencies to implement heightened security levels. Download our high-level framework for incorporating security assessments and responses into a design project for more information.
There are more considerations for co-location projects.
Workplaces are designed with three general categories of space.
Workplace access should be based on the level of security required. Public areas, including reception and some meeting rooms, should maximise sharing between agencies and minimise barriers for external guests. Designated invited areas should allow staff to host guests beyond the public area while minimising disruption to the workplace and maintaining business confidentiality and security for other staff members.
Your agency's private areas should be designed to support staff security and confidentiality.
Where there are specific security requirements, some agencies may want to establish additional secure zones within private areas. These secure zones may incorporate electronic and physical security systems.
You should minimise the number of secured access routes or paths within the work environment. Any building access control systems should be capable of operating advanced encryption, and your agency should use a common system type. This will allow controlled movement between buildings, as settings applied in the systems allow, while providing the physical security required.
The reception counter area should be designed to ensure the safety of staff. This may include barriers, distress alarms and a refuge area.
Closed circuit television implementation and other security measures should be aligned with the Government Standard Building Performance Specifications.
Set up follow me printing capabilities to give staff the flexibility and freedom to work and print anywhere across the agency’s portfolio, as well as to increase document security. Also be sure to set up systems that allow staff to store confidential documents securely and with ease.
Implementing clear desk policies ensures sensitive information is properly secured by staff at the end of each day.
Every public service office must be accessible, and usable, for all staff and visitors.
Each office design or fit-out should cater to the widest possible range of ability, with as few barriers or constraints as possible. You may not be able to achieve a truly universal design or fit-out because of the practical limitations of the building’s physical shape, equipment availability and cost, but any design or fit-out should aim to make the workplace accessible for and usable by all people.
Where practical, your workplace should cater for disabled people through both the physical environment and operational elements. Your agency should provide reasonable accommodation for disabled people.
Agencies should also incorporate the Building Performance 'Designing for access and usability' guidance.
Reasonable accommodation – Ministry of Social Development
Buildings for everyone: Designing for access and usability – Building Performance
Mark arrives at work one morning and is approached in the lobby by a person he does not know. The stranger isn’t wearing appropriate identification and claims to have forgotten his swipe card. He asks Mark to swipe him to Level 7 of the building.
Mark does not do this, but directs the stranger to reception to get new identification and access into the private areas of the building. This is fortunate, as this person was not a staff member and should not have access to invited or private office areas.
When Mark arrives at his floor he heads to a communal work space and notices that a nearby team has signposted the area as requiring a higher level of privacy. Even though Mark is wearing his staff identification and is allowed on the floor, he chooses another area to work from, which will allow the neighbouring team a suitable degree of privacy.
Simple, people-based controls can deal with situations which require greater than normal privacy. When staff communicate their requirements clearly and respectfully, understand others’ requirements and have well understood and accepted flexible work environments; they are able to act in a secure manner without having to be security experts – it’s easy for them to do the right thing.