Part 4: Privacy and security of information

4.1
It is essential that public organisations get the balance right between the accessibility of information and having adequate protections and safeguards. As we have seen in the past, a security failure, using inaccurate information, or a breach of an individual's privacy can lead to the loss of trust and confidence in the public sector.

4.2
There is an increasing focus in the public sector on organisations working together to design and deliver services to people that are better integrated and designed around the needs of individuals. It is becoming more and more evident that this joined-up way of working is necessary to successfully address the more challenging and intractable issues our society is facing, such as child poverty, family violence, or homelessness.

4.3
An important factor in enabling public organisations to work together is the ability to share information that they hold about people. Information sharing allows public organisations to work together to see and understand the whole context of challenges or problems faced by a particular individual. It also helps them work together to find ways to improve that individual's circumstances.

4.4
However, with information sharing comes increased risk. The public sector holds very personal and sensitive information about individuals, such as details about personal relationships, financial status, criminal convictions, and health information.

4.5
People need to have trust and confidence in the way that public organisations use and manage information. Importantly, they expect their personal information to be kept private and secure, and used only for the purposes they provided it for or have agreed to.

4.6
The accuracy of personal information is also important. The more that agencies share information, the greater the potential is for multiple agencies to hold inaccurate information about individuals. The ability for individuals to access and correct personal information held about them is also critical to their trust in the decisions the Government makes about them.

Issues arising when sharing information between public organisations

4.7
Providing access to public services that are designed around the needs of individuals allows people to deal with the Government in a more streamlined and efficient way, rather than having to deal with multiple agencies. It also requires those agencies to shift their focus and work together on the more complex policy issues that need to be resolved. An increasing focus on delivering integrated, joined-up services to people means that public organisations need to improve the way they use and share information.

4.8
The Privacy Act 1993 contains several mechanisms that allow government-held personal information to be shared. The Act sets out exemptions to the privacy principles, allows the Privacy Commissioner to develop codes of practice, enables an information-matching regime, and provides a system where agencies can establish and agree Approved Information Sharing Agreements.

4.9
In his recent Briefing to the Incoming Minister of Justice: Hon Andrew Little, the Privacy Commissioner outlined his view that the legislative settings in the Privacy Act provide ample scope for sharing government-held information. His view, based on feedback from public organisations, is that the main barriers to information sharing are operational. They include issues such as a misunderstanding or uncertainty of the law, lack of interoperability between IT systems, security concerns, cost, and differing priorities between public organisations. They can also include cultural issues, where public organisations are reluctant to share information due to a lack of trust, or do not have a shared vision, set of values, or sense of what they are trying to achieve.

4.10
We saw similar issues in our work. In our 2017 report Using information to improve social housing services, we noted that Housing New Zealand had information-sharing agreements with the Ministry of Social Development and other agencies to obtain the information it needed to place individuals in suitable social housing.

4.11
Despite these agreements, staff in the two government departments were unclear about what information they were able to share. We recommended more guidance and better processes to ensure that the right information was available for placing people in houses.

4.12
In our 2017 report Border security: Using information to process passengers, we noted that the use of multiple databases and legacy IT systems made it difficult for the border agencies to respond to requests for information from one another.

4.13
In 2016, the Office of the Privacy Commissioner set up a Trusted Sharing Consultancy Service to offer expert advice and support to government agencies working on policy issues that have an information-sharing component.

4.14
The creation of the Government Chief Privacy Officer position in the Government Chief Digital Officer's team at the Department of Internal Affairs has also helped to provide an all-of-government approach to privacy. The Government Chief Privacy Officer is responsible for providing leadership, preparing guidance, and helping build privacy capability throughout the public sector.

4.15
We encourage public organisations to use these sources of guidance and support to help develop their privacy knowledge and know-how.

Privacy by design and by default

4.16
As the public sector moves towards a joined-up way of working and designing more integrated and customer-focused services, it will become more important to get the privacy settings right.

4.17
Privacy is an essential consideration when new systems or practices are designed. Both the Privacy Commissioner and the Government Chief Privacy Officer have issued guidance to public organisations encouraging them to take a "privacy by design" approach, embedding privacy into the design of new products and services for people.

4.18
We saw some good examples of privacy by design in our work. In our 2017 report Ministry of Health: Supporting the implementation of patient portals, we noted that patient portals have developed in the context of an established framework of privacy rules and rights, standards, and guidelines designed to protect people's personal health information. The Ministry of Health required public health organisations to carry out privacy impact assessments to receive funding to implement patient portals.

4.19
Similarly, when we talked to agencies about setting up the SmartStart service (discussed in Part 6), we heard that the service was designed around the customer and asks for consent at each stage before sharing information with other agencies.

4.20
For example, it is possible to access generic information about the birth of a baby from the SmartStart website without providing any personal information. If a person wishes to use the website to register the birth of their child, it is made clear that their personal information will be provided to the agencies that register the birth and confirm citizenship.

4.21
Similarly, if someone wishes to use the website to apply for an IRD number or seek information about their entitlement to a benefit, it is made clear that the information will be provided to the Inland Revenue Department or the Ministry of Social Development. By designing the service around the customer, with privacy as the focus, there is no need for legislative change or complex information-sharing arrangements.

Effective security depends on doing the basics well

4.22
Safe, secure, and functional information systems are essential to support the protection of government-held information and underpin ongoing public confidence. The Government has outlined expectations for public organisations in managing personnel, physical, and information security, in the New Zealand Security Intelligence Service's Protective Security Requirements.

4.23
The New Zealand Information Security Manual is an important part of the Protective Security Requirements framework. Managed by the Government Communications Security Bureau, it provides technical guidance for government departments and agencies on information assurance and systems security.

4.24
During our annual audits, we consider public organisations' controls over information systems that are important to the financial and performance information we audit. We expect organisations to have effective controls over these systems to prevent data security breaches.

4.25
Although we do not provide assurance over all controls, we do carry out regular rotational testing on a selection of controls. As part of our Information theme, we took a closer look at the public organisations in the mandate of the Government Chief Privacy Officer and/or subject to the Protective Security Requirements framework. We considered the recommendations we made in 2016/17 about their data security controls.

4.26
Although we did not find any substantial data security issues, we regularly identified basic weaknesses in security controls and procedures. These were often unresolved matters that we had identified in previous audits. Some had been recurring for many years.

4.27
At a summary level, our recommendations are a useful reminder to all public organisations about information assurance and systems security. We recommend that public organisations:

• manage user access to information systems appropriately;
• manage the changes made to information systems, including Masterfile data, to ensure that all changes are authorised and understood;
• keep disaster recovery plans up to date and test them regularly to ensure that critical operations can be recovered quickly;
• implement timely security patches and service packs; and
• regularly review information system policies to ensure that they reflect the changing technology environment and strengthen the governance of the public organisation.