MEDIA RELEASE
5 June 2013
Review of Publicly Accessible Information Systems released
Privacy and information security standards in the State services are being tightened and a plan of action is underway
following a review of publicly accessible computer systems.
State Services Commissioner Iain Rennie requested the review in October after a security breach at Ministry of Social
Development Work and Income kiosks. It was carried out by the Government Chief Information Officer (GCIO) Colin
MacDonald, who is Chief Executive of the Department of Internal Affairs.
“The report found that security and privacy process are underdeveloped in many agencies. Citizens have a right to
expect government agencies will protect their personal information and we need to work harder to maintain that trust,”
says State Services Commissioner Iain Rennie.
“Government Department Chief Executives and Crown Entity Boards are accountable for delivering on the action plan to
bring the public sector up to best practice standards in the required timeframes.”
The review covered 215 publicly accessible information systems across 70 government agencies. These systems included
kiosks, sign-in systems at reception desks, and internet access to services requiring information to be entered online.
Most government networks and systems are not publicly accessible.
Agencies were required to assess their publicly accessible systems and assurance processes for information privacy and
security. In their responses twelve agencies identified a weak point in the security of one of their systems that
someone deliberately trying to gain access could potentially have exploited.
“Action has been taken and the systems are now secure. There is no evidence any of these weak points lead to a breach
of privacy or information security”, says Mr MacDonald.
The review found that security processes within many agencies were under-developed and relied too much on the skills and
capabilities of staff and suppliers.
“We need to lift our game. Every agency needs to be managing security risks and taking active steps to make sure their
people’s good technical skills are backed up with effective policies and processes. This requires strong ownership at
the highest levels of management,” says Mr MacDonald.
The following actions have been taken or are underway:
· Agencies were instructed by the GCIO before Christmas to take immediate actions to strengthen privacy and
security processes.
· Immediate requirements included making an executive-level manager in each agency responsible for robust
practices and processes.
· Agencies had to produce evidence by April 2013 of a detailed risk assessment of their publicly accessible
systems.
· Agencies had to decide by April 2013 whether to increase their ability to address privacy and security
challenges, or find alternative arrangements such as using capability in other agencies.
· Agencies are required to provide security assessments to the GCIO by the end of July 2013 and again by the end
of March 2014 along with reports about the steps they have taken to address privacy and security issues.
“The ability to conduct our affairs online is part of modern life. People increasingly expect to access government
services when they want and where they want. We need to meet these expectations while ensuring people can be confident
their information is secure,” Mr MacDonald says. ‘We take these responsibilities very seriously.”
The State Services Commission and the GCIO are also working with agencies to address privacy breaches caused by emails
containing confidential information sent mistakenly to the wrong person.
“While not in the scope of the GCIO Review of Publicly Accessible Systems, these issues are critical and all departments
have reported on the actions they are taking to improve performance,” says Mr MacDonald.
Further information is available on the State Services Commission website at www.ssc.govt.nz/GCIO-publicsystemsreview including:
· The GCIO Review into Publicly Accessible Systems report
· Relevant Cabinet Papers which include the plan of actions agencies are required to carry out
· Timeline of actions
ENDS