The Ministry of Social Development, Immigration New Zealand and Land Transport NZ are among several government agencies found to have been transferring data about individuals on CD with neither encryption nor password protection.
Computerworld requested further information last week on the results of a review conducted by the Privacy Commissioner of the security of government agency data-matching programmes. That information reveals multiple instances of lax data protection, with data being transferred either totally unprotected or with low levels of protection.
Multiple agencies were found transferring unprotected data on unqualified and unenrolled voters to the Electoral Enrolment Centre (EEC). These include Immigration New Zealand, LTNZ, the Ministry of Transport and the Ministry of Social Development (MSD).
Tapes were also transferred unprotected from Inland Revenue and MSD to other agencies.
“While the tapes are not protected, relatively few people will have the equipment to read them if they were to go astray,” a spokeswoman for the Privacy Commissioner says.
Agencies found transferring data on CDs without encryption but with password protection include the Department of Internal Affairs (DIA) and MSD. The data being transferred by DIA is variously described as student birth details, identity verification, deceased persons, married persons, unenrolled voters and residence entitlement details.
MSD transferred fine defaulter tracing data in this way.
A spokeswoman for the Privacy Commissioner says the information provided relates to physical transfers of data as the Commissioner is happier with security levels for online data transfers.
As a result of the review, Privacy Commissioner Marie Shroff is requiring encryption be used for future transfers of data between government agencies.
“It’s worth noting that various factors other than encryption are at work here, which means the actual level of security risk will differ between matches,” the spokeswoman says. “We are requiring encryption anyway, though, as it represents the best practicable level of security.”
Not all departments courier the data, she says. And those that do, use a track and trace system. In other cases, including the transfers to the EEC, the information was physically walked from one agency to the other, often with a “no stopping en route” policy, she says.
Some of the transfers involved many records, while others did not.
“The personal information involved is limited; only the information necessary for the match is included. These factors do not affect the appropriate level of security, of course, but they do provide some context for the discussion about the level of risk,” the spokeswoman says.
After mandating encryption for transfers this month, the Privacy Commissioner issued a further statement saying there is a case for legislated data-breach disclosure for government agencies. Such a law would require agencies to notify affected individuals of any data breach or accidental disclosure.