A February mandate from the Privacy Commissioner that government agencies encrypt data during transfer has now largely been met, Privacy Commissioner Marie Shroff says.
In February, the Office of the Privacy Commissioner reviewed how data was being transferred between government agencies and found many files were not encrypted for transfer by tape, CD or floppy disk. The commissioner then required the adoption of encryption “within a reasonable time frame”.
Computerworld revealed in March that agencies such as the Ministry of Social Development, Immigration New Zealand and Land Transport New Zealand were among those transferring data without encryption.
Six months on, Shroff says only three of the 46 data-matching transfers are not encrypted.
“I have been advised that all files transferred on CD for authorised information matching programmes are now encrypted,” Shroff says. “One file transfer has been shifted to an on-line, encrypted transfer. However, Inland Revenue is involved in three transfers on tape which are not encrypted. The department advises that these three tapes require specialist computer equipment to read them and other security measures are also used to protect the data. Agencies involved in these tape transfers are still discussing options for enhancing security.”
Shroff initiated the review of data matching programme security after the major data breaches in the UK late last year.
“Of course, transfers for the purposes of authorised information matching are merely one stream of intra-governmental data transfers,” Shroff notes. “All agencies using and storing data about people – whether public or private sector – should carefully reflect upon the security of that data in each instance, for example by accepting the need for encryption for all portable data storage media.”