This document contains access, security and privacy protocols for the Human Resource Capability survey (terms and conditions for use are contained in Appendix 4). The survey data are managed according to three key criteria.
1 Information is handled securely and professionally, according to established and transparent standards.
2 No information that could identify a particular individual is ever released from the survey.
3 The survey complies with relevant legislative provisions and established ethical standards.
The SSC uses four methods to ensure that these criteria are met.
1 Only designated custodians of the data have access to data at the unit record level
2 Survey data are managed in a secure environment
3 We apply robust statistical methods to ensure that no individual could be identified from any report from the data
4 A specific confidentiality agreement binds the custodians of the data to these protocols. This supplements established conduct and security commitments.
Purpose of the Protocols
The Human Resource Capability (HRC) survey is an annual collection of anonymous Human Resource (HR) data. The purpose of the survey is to examine the employment characteristics of the New Zealand Public Service 1 . The survey data assist the State Services Commission (SSC) to monitor the effect of HR and Equal Employment Opportunity (EEO) policies and to provide advice on departmental performance and personnel management.
The protocols cover access to, and security of, these data. They deal both with matters of personal privacy and the protection of personal information, and with the publication of data about employing departments.
The survey is anonymous 2 , but this alone does not prevent the identification of some individuals. In a small number of instances there could be a capacity to indirectly identify an individual based on a unique combination of characteristics. The protocols ensure the protection of personal information by restricting the number of individuals who have access to the data, and by placing statistical limits on reports from the data.
SSC has consulted with Statistics New Zealand, the Crown Law Office and departments in developing the protocols. The protocols are public and we encourage departments to make staff aware of them. This document is also published on the SSC's website 3 and departments are encouraged to download this document on to their own Intranets.
The access and security protocols for the HRC collection are guided by Principle 11 (h)(ii) of the Privacy Act:
That the information-
(ii) Is to be used for statistical or research purposes and will not be published in a form that could reasonably be expected to identify the individual concerned.
The survey consists of anonymous information collected at the unit record level. This means that there is a separate record for each employee rather than summary tables. The information covered by the protocols is collected annually and includes:
- demographic data, such as age and ethnicity, including data provided by employees for the purpose of developing and monitoring equal employment opportunity programmes
- employment status (such as full-time/part-time, individual/collective, fixed-term/open-term)
- occupation, and job size
- leave data
- separations and recruitment.
This information is collected on an annual basis as at 30 June.
1 The collection covers Public Service departments listed under schedule one of the State Sector Act, the civilian and sworn staff of NZ Police, the Parliamentary Services, Office of the Clerk of the House, the Parliamentary Counsel's Office, the Security Intelligence Service, Audit Office, and the NZ Defence Force civilian staff.
2 Names, addresses and other direct personal identifiers are not included in the data collected by SSC.
Implementation and Breaches of the Access, Security and Privacy Protocols
The State Services Commissioner is responsible for implementing the protocols. The custodians of the data have signed a confidentiality agreement that specifies compliance with these protocols.
Failure to comply with these protocols will be subject to established Public Service disciplinary procedures. Prompt and rigorous action will be taken to review any allegation of conduct or process that breaches these protocols.
Individuals or organisations contracted by the State Services Commission to carry out work using the unit record data will be subject to the Commission's standard confidentiality agreement, which includes the following statement:
You must keep confidential, during the contract period and afterwards, all matters relating to this Assignment and shall not, at any time, disclose any information whatsoever, other than in proper fulfilment of the Assignment. All working papers, reports and any other papers or information produced or obtained in any manner whatsoever in carrying out this Assignment shall be the property of the Commissioner.
Penalties for breaches of this provision are contained in Appendix 1.
Methods of Minimising Risk of Disclosure
Departments submit the data to the SSC through a website and using encryption software. The encryption method ensures that data cannot be altered or viewed while it is being transferred.
For data management purposes, supplying departments provide a unique identifier for each record. In most cases, this identifier will be the payroll number. Direct identifiers such as names and addresses are not provided. Only supplying departments can link these identifiers to particular individuals and this information is not provided to the SSC. The identifiers are used to validate the data.
The steward and the custodians of the information are the only people who have access to the unit record data. The State Services Commissioner is the steward of the information. The custodians of the data are authorised staff members, designated from time to time by the Commissioner, and may include contractors and secondees granted access to work with this data for legitimate purposes. They have access to the unit level data for the purposes of further in-depth analysis and to manage the data.
The data are stored at the SSC. The database is subject to the SSC's storage and backup protocols, and only the database administrator has direct access to its tables and structure.
From time to time, authorised users of the data (either employees or contractors) may require a copy of the dataset for analysis (off-site access). The guiding principle here is one of "safe custody". The SSC must be assured that the data is going into safe custody before access is granted. The general principles that the SSC expects a contractor or an employee to follow to implement a secure environment for off-site use are attached as Appendix 2.
Where contractors require off-site access, the dataset will be limited to information required to complete the contract, and other variables will be deleted.
The SSC relies on departments that provide personal information to ensure, as far as possible, the data are accurate. Validity testing procedures are used to check the data accuracy, and where errors are discovered they are referred back to the supplying departments. The SSC will only alter departmental data with the agreement of the supplying department, as they are the owners of the data. Because the collection is anonymous the SSC cannot alter information at the request of an individual employee, as we have no way of identifying the individual's record.
The SSC produces an annual report from the collection for Cabinet consideration, including statistical analysis and commentary. A version of this report is made publicly available. Regular reports are produced from the collection for the purposes of monitoring EEO progress and personnel management. Reports are also produced to provide information for comparison, for instance, with other public sector jurisdictions.
The SSC also produces a set of reports for departments on the department's own data, and with that provides a set of reports on the public service as a whole. These reports are made available to the department via a secure Internet site, and central agency staff also have access via their Intranets (specific terms and conditions of use apply - see Appendix 4).
From time to time, the SSC also produces other reports. These may form part of advice to Ministers or be intended for publication, and look at trends in HR management across the Public Service. Reports containing department-specific data are available to the department concerned and central agency staff.
The SSC has developed a tool for users to run customised queries of the database, without giving them access to unit record data. This tool is available to SSC staff through the SSC Intranet, and to other users through the Internet. Users in departments can run queries relating to their department and to the Public Service as a whole. Other users (such as researchers) can run queries about the Public Service but not about individual departments. A small number of Treasury staff have access to the DataSlicer tool, on the understanding that SSC is to be consulted before use or release of any information gathered through that tool.
All reports generated from the HR Capability survey are subject to statistical limits that ensure no individual person or organisation can inadvertently be identified from the figures produced. We have developed these limits in consultation with Statistics NZ.
All external requests for information held by the SSC (including information obtained from departments) are covered by the Official Information Act 1982, regardless of the form of the request. All reports that could identify neither a person nor an individual department will be released in response to an official information request.
The SSC is required by the Official Information Act 1982 (section 14) to transfer requests that relate more closely to the functions of another department to the department, unless the department requests the SSC to respond on its behalf. The SSC's view is that all requests for departmental data from the HRC survey would meet this criterion.
From time to time, there may be requests for information on individual departments that could be more efficiently responded to by SSC, on behalf of departments. Where these occur, the SSC will advise departments of the request and offer to provide a response. If departments prefer to respond themselves, the request will be referred on.
The Official Information Act does not compel the SSC to release data on individuals. Section 9 (2) of the Official Information Act provides that personal information relating to an individual may be withheld to:
(a) Protect the privacy of natural persons, including that of deceased natural persons.
From time to time SSC may be requested to provide information to Select Committees. Select Committees have wide powers. A Select Committee may direct that any person be summoned to produce papers and records in that person's possession, custody or control, that are relevant to the committee's proceedings (Standing Order 198(2)). In this respect the SSC is no different to any person or organisation in either the public or private sectors and is obliged to comply with such a request.
In complying with any requests from Select Committees the SSC will advise any departments about whom information is to be released. Where practical, the SSC will incorporate any comment or contextual information that the department wishes to provide as part of the response.
The Cabinet Office Manual 2001 notes that there may be a good reason to prevent information from release to a Select Committee and that a useful test to apply is the criteria in the Official Information Act. While this does not prevent the release of information on departments, section 9(2) of that Act (noted above) allows for information that could identify individuals to be withheld.
Where Parliamentary Questions or Ministerials relate to individual departments (other than SSC) they will be referred to the Minister responsible for that department (under Standing Order 369 and clause 2.26 of the Cabinet Office Manual 2001).
The SSC provides advice to Ministers on matters concerning departments. This advice may be supported by data obtained from the HRC survey. SSC policy is that departments are consulted in the development of this advice and are provided with copies of any advice given. The exception is where there is a specific request from a Minister for the advice to be confidential.
Occasionally SSC will refer to data on a third department when providing advice on a department. Where this occurs the reference to the third department will be removed (and the removal marked) from any copies supplied to the department with whom the advice is concerned.
The SSC will provide any information on departments that is requested by the Minister of State Services and will normally consult the departments concerned before providing this advice. If the request comes from a Minister other than the Minister of State Services, the SSC will refer the request to the Minister responsible for that portfolio (under clause 2.161 of the Cabinet Office Manual 2001).
The SSC collects detailed human resource information from State sector agencies to carry out its functions under the State Sector Act. Section 6 of the Act outlines the principal functions of the State Services Commissioner and these include:
(b) To review the performance of each department, including the discharge by the chief executive of his or her functions.
(f) To promote and develop personnel policies and standards of personnel administration for the Public Service.
(g) To promote, develop, and monitor equal employment opportunities policies and programmes for the Public Service.
(h) To furnish advice on the training and career development of staff in the Public Service.
In addition, section 7 empowers the State Services Commissioner to collect information from departments:
The Commissioner shall have all such powers as are reasonably necessary or expedient to enable the Commissioner to carry out the functions and duties imposed upon the Commissioner under this Act or any other enactment.
The SSC is also required, by Cabinet directives CO(88)11, STA (90) M4/1, STA (94) M12, and STA (96) M2/2, to collect annual employment information from Public Service departments.
Review of the Protocols
The SSC will review the Access and Security Protocols at regular intervals to ensure that they reflect appropriate standards for collecting and using personal information. We will consult, as appropriate, Statistics NZ, the Crown Law Office and the organisations that provide data, when we review the protocols.
Statistics New Zealand, Statistics New Zealand's Microdata Access Protocol, Wellington.
NSW Premier's Department, Corporate Services Reform Team, 1999, The Privacy Code of Practice for the NSW Public Sector Workforce Profile
Appendix 1: Breach / Termination Of Contract
The following sections are included in the State Services Commission's standard agreement with individuals or organisations contracted to provide services to the Commission.
(a) the Consultant is in breach of this Agreement and, having been notified of that breach by the Commissioner has failed to remedy the breach within a reasonable period of time; or
(b) the Consultant is unable for any reason whatsoever to provide the services required under .... this Agreement, the Commissioner may forthwith terminate this Agreement.
Where the Consultant or any of its employees is accused of any misconduct, whether relating to this Agreement or otherwise, which may have the effect of bringing the Commissioner or the State Services Commission into disrepute, the Commissioner may suspend the operation of this Agreement and will comply with the requirements of natural justice before terminating the Agreement.
The Commissioner reserves the right at any time to postpone, cancel or abandon the whole of the work or any part thereof, provided that in such an event the Consultant shall be entitled to payment for work actually done plus any costs .... incurred up to the date of termination.
Upon termination of this Agreement the Consultant shall forthwith return to the Commissioner all working papers, reports and any other papers and information relating to the assignment other than copies permitted under Clause 5.2 [All working papers, reports and other papers or information produced or obtained in any manner whatsoever in carrying out this assignment shall be the property of the Commissioner. Provided that the Commissioner shall allow the Consultant reasonable access to such papers, reports and information and may, at the discretion of the Commissioner, allow the Consultant to retain copies of any such papers subject to such terms and conditions as the Commissioner may require].
Where the Commissioner is in breach of this Agreement and having been notified of that breach by the Consultant has failed to remedy the breach within a reasonable period of time, the Consultant may forthwith terminate this Agreement.
Subject to Clause 7.2, [The Consultant shall not be liable to compensate the Commissioner for costs incurred by the Commissioner as a consequence of the Consultant's failure or delay in undertaking the assignment if such failure or delay is due to causes or circumstances beyond the Consultant's control] where there is a breach of this Agreement, and the Commissioner suffers loss, the Consultant shall be liable to meet any costs incurred by the Commissioner either directly or indirectly as a consequence of the breach, whether or not the Agreement is terminated because of the breach.
The Consultant shall not be liable to compensate the Commissioner for costs incurred by the Commissioner as a consequence of the Consultant's failure or delay in undertaking the assignment if such failure or delay is due to causes or circumstances beyond the Consultant's control.
The termination of this Agreement shall be without prejudice to the rights of the parties accrued up to the date of the termination. Specifically, and without limiting the generality of the foregoing, the termination of this Agreement shall not:
(a) relieve or release the Commissioner from making any payment which may be owing to the Consultant under the terms of this Agreement at the date of termination; or
(b) affect those clauses within this agreement which, by their nature, are intended to survive termination.
Appendix 2: Secure Environment Guidelines
From time to time the State Services Commission (SSC) will contract with an individual or an organisation to carry out research using unit record data from the Human Resource Capability Survey (HRC). These guidelines set out the principles that the Commission expects an agency to follow to implement a secure environment for unit record statistical datasets supplied by the SSC for use on an agency's own site.
Off-site access to unit record data will only be granted to individuals or agencies carrying out work on behalf of the SSC. People carrying out research for other purposes will not be granted access to the unit record data. On-site access is preferred to off-site access, and contractors or employees are expected to provide sound reasons why they cannot use the data at the SSC.
Only authorised staff may access unit record datasets. Authorised staff are those:
- whose names are advised to the SSC as requiring access
- who understand their obligations in respect of confidentiality as set out in the Access and Security Protocols for the Human Resource Capability Survey
- who have signed the confidentiality agreement contained in these protocols.
Agencies must take all reasonable steps to provide a safe environment for unit record datasets for the period of the contract. A safe environment means one in which:
- a deliberate attempt by an unauthorised person (whether external or internal) is extremely unlikely to succeed
- unintentional access by an unauthorised person is unlikely
- unnecessary access by systems staff, who may have the ability to access a dataset but not the need, is controlled.
The minimum requirements for access to unit record datasets off site are:
- Data are only stored on local drives, not on shared networks where they could be accessed by unauthorised users or included in routine backups.
- All copies of the unit record dataset are returned to the SSC upon completion of the contract or are destroyed.
- The published results of any research carried out by a contractor must not divulge any more information than the State Services Commission would publish and must comply with the reporting conventions outlined in the Access and Security Protocols for the Human Resource Capability Survey.
Examples of appropriate security measures are:
- password protection with passwords changing regularly
- encrypted storage
- secure PCs, standalone networks
- code of practice for operations staff
- internal authorisation process for access
- internal confidentiality checking process
Appendix 3: Confidentiality Agreement Form
The Confidentiality Agreement is part of the overall framework for ensuring the highest privacy and confidentiality standards apply to the unit record data held under the Human Resource Capability survey. This agreement supplements both the existing provisions in the State Services Commission's Code of Conduct and the rigorous security clearances that are held by all Commission staff.
The Confidentiality Agreement Form is to be signed by any person granted access to the unit record data forming part of the Human Resource Capability survey.
* Downloadable forms of the Confidentiality Agreement Form are attached at the top of this page, above the document title. The form is provided in both Word format, and PDF (Adobe Acrobat).
1 Each person to whom access is granted to the unit record data must complete a Confidentiality Agreement form.
2 An individual who has signed the Confidentiality Agreement Form has no authority to provide a third party with access to the unit record data.
3 A separate Confidentiality Agreement Form has to be signed by every person accessing the unit record data.
4 When access to the unit record data is granted to a person, this person may not use it for a different purpose from that for which the access was granted.
5 Persons granted access to the unit record data must undertake all reasonable steps to guarantee the privacy and confidentiality of the information.
6 If access to the unit record data is secured by a password, this password must not be shared with, or disclosed to, any person who has not been granted access to the data.
7 Where unit record data is stored on a computer's hard disk, or other electronic or hard copy media, the computer or media must be secured in a way that prevents unauthorised access.
8 Authority to access the unit record data is automatically revoked when an individual occupying a position requiring access leaves that position.
9 Any breach of privacy and/or security relating to the unit record data must be reported immediately to the State Services Commissioner.
10 All persons accessing the unit record data must follow the guidelines and provisions contained in the Access, Security and Privacy Protocols for the Human Resource Capability Survey and this document. These protocols are published on the State Services Commission's website and may be updated from time to time.
11 Failure to comply with the provisions contained either in the Access, Security and Privacy Protocols for the Human Resource Capability Survey or in this document will be subject to the relevant disciplinary procedures established in internal provisions or to penalties outlined in the relevant contract for service.
Appendix 4: Terms and Conditions for use of Human Resources Capability (HRC) Survey information by Central Agency staff
From HRC survey data the SSC produces a set of reports for departments on the department's own HRC data, and with that provides a set of reports on the public service as a whole. Central Agency staff can access these HRC reports and ad hoc reports containing department-specific data for statistical and research purposes. Staff using the HRC reports will be trained in their content and appropriate use. Use of information from the HRC survey indicates agreement to abide by the following conditions:
1 HRC survey information should always be used with consultation with Central Agency colleagues and the HRC project team.
2 Departments should be consulted for contextual information where their HRC information is used for analysis.
3 No HRC survey information is to be released to non-Central Agency staff, without the prior approval of the HRC project team.
4 Any HRC survey data on individual departments must not be released to other departments or the public.
5 Any Official Information Act request for departmental data should be forwarded to the HRC team in SSC.
There are some aspects of HRC survey data that should be noted:
- To protect the privacy of individual public servants, count output from the HRC survey has been rounded. This means that the actual counts may slightly differ from reported counts. Therefore the output from an HRC report will also slightly differ from that produced by a department.
- The HRC data is current at its collection point (30 June of each year). Given the time period between the data collection and the data use it may be more appropriate to use current information sourced from the department rather than the HRC data.
- If staff from the Department of Prime Minister and Cabinet wish to access HRC survey data, they should request it of the HRC project team in SSC in the first instance, before going through other Central Agency staff.
More detail on the protocols surrounding security, privacy of, and access to HRC survey information can be found in the full HRC protocols.