A survey of 42 government agencies shows that many risk accidentally disclosing sensitive personal information because of poor controls on staff use of portable storage devices (PSDs) such as USB memory sticks.
The survey, undertaken by the Office of the Privacy Commissioner, shows PSDs are widely used but that there are real gaps in security procedures and practices.
Thirty-five out of the 37 agencies (95%) that responded to the survey made PSDs available to staff -- most commonly USB sticks. Nearly two-thirds of agencies also allowed staff to use their own personal PSDs for work purposes.
Just nine agencies made PSD encryption mandatory, while 43% did not provide encryption solutions of any sort. Sixty-two percent kept a PSD register but only 22% said they would be able to track transfers of data to PSDs.
"PSDs are small, lightweight and easy to use, and can store vast amounts of information, but are easily misplaced or stolen," says Privacy Commissioner Marie Shroff.
"The use of PSDs in the workplace -- both public and private sector -- presents potential security risks, particularly if the devices contain unsecured or sensitive data.
"If you are using your own personal PSD for work, then you are more likely to accidentally take that corporate information with you when you change jobs. Government agencies have a responsibility to try to prevent that sort of thing," Shroff says.
"Though the survey found that 75% of the government agencies that responded reported they had policies to restrict or control the use of PSDs, we are not yet confident that those policies are of a good standard or are well-known by staff."
Only half of the policies included details about how to delete content.
"It is particularly concerning that some of the agencies with poorer practices are flagship departments that hold the personal details of thousands of ordinary New Zealanders," Shroff says.