A review of government data-matching programme security has found data being transferred between departments that is not encrypted or even protected by password.
The findings have prompted Privacy Commissioner Marie Shroff to demand government agencies encrypt data when transferring it between departments.
The review was prompted by data breaches in the UK late last year, which saw tens of millions of citizen's records lost in transit between government departments.
According to a statement released today, there are currently 46 authorised and active government data matching programmes. Of those 23 use online computer connections and are required to encrypt the data; four involve the transfer of paper records and the remaining 19 programmes transfer data on computer tape, CD or floppy disk.
“My staff found that all tapes, CDs and floppy disks were transferred within New Zealand by means that we consider to be reasonably secure — typically delivered by staff by hand or, where a courier is used, involving a ‘track and trace’ facility,” Shroff says.
However, she notes, not all the CDs, tapes and disks were encrypted in transit and some did not even have password protection.
“I have indicated to departments participating in authorised information matching programmes that I will require, within a reasonable time frame, all data that is transferred by tape, CD and floppy disk to be encrypted in transit," Shroff says
She says those involved in security practice in other areas should carefully reflect upon the need for encryption for all portable data storage media.
The Office of the Privacy Commissioner has an oversight role in respect of government data matching programmes.