Privacy and information security standards in the State services are being tightened and a plan of action is underway following a review of publicly accessible computer systems.
State Services Commissioner Iain Rennie requested the review in October after a security breach at Ministry of Social Development Work and Income kiosks. It was carried out by the Government Chief Information Officer (GCIO) Colin MacDonald, who is Chief Executive of the Department of Internal Affairs.
“The report found that security and privacy processes are underdeveloped in many agencies. Citizens have a right to expect government agencies will protect their personal information and we need to work harder to maintain that trust,” says State Services Commissioner Iain Rennie.
“Government Department Chief Executives and Crown Entity Boards are accountable for delivering on the action plan to bring the public sector up to best practice standards in the required timeframes.”
The review covered 215 publicly accessible information systems across 70 government agencies. These systems included kiosks, sign-in systems at reception desks, and internet access to services requiring information to be entered online. Most government networks and systems are not publicly accessible.
Agencies were required to assess their publicly accessible systems and assurance processes for information privacy and security. In their responses twelve agencies identified a weak point in the security of one of their systems that someone deliberately trying to gain access could potentially have exploited.
“Action has been taken and the systems are now secure. There is no evidence any of these weak points led to a breach of privacy or information security,” says Mr MacDonald.
The review found that security processes within many agencies were under-developed and relied too much on the skills and capabilities of staff and suppliers.
“We need to lift our game. Every agency needs to be managing security risks and taking active steps to make sure their people’s good technical skills are backed up with effective policies and processes. This requires strong ownership at the highest levels of management,” says Mr MacDonald.
The following actions have been taken or are underway:
Agencies were instructed by the GCIO before Christmas to take immediate actions to strengthen privacy and security processes.
Immediate requirements included making an executive-level manager in each agency responsible for robust practices and processes.
Agencies had to produce evidence by April 2013 of a detailed risk assessment of their publicly accessible systems.
Agencies had to decide by April 2013 whether to increase their ability to address privacy and security challenges, or find alternative arrangements such as using capability in other agencies.
Agencies are required to provide security assessments to the GCIO by the end of July 2013 and again by the end of March 2014 along with reports about the steps they have taken to address privacy and security issues.
“The ability to conduct our affairs online is part of modern life. People increasingly expect to access government services when they want and where they want. We need to meet these expectations while ensuring people can be confident their information is secure,” Mr MacDonald says. “We take these responsibilities very seriously.”
The State Services Commission and the GCIO are also working with agencies to address privacy breaches caused by emails containing confidential information sent mistakenly to the wrong person.
“While not in the scope of the GCIO Review of Publicly Accessible Systems, these issues are critical and all departments have reported on the actions they are taking to improve performance,” says Mr MacDonald.
Further information is available on the State Services Commission website at www.ssc.govt.nz/GCIO-publicsystemsreview including:
The GCIO Review into Publicly Accessible Systems report
Relevant Cabinet Papers which include the plan of actions agencies are required to carry out
Timeline of actions
Media enquiries: Tim Ingleton, SSC Principal Communications Advisor (021) 240 781