Privacy concerns over use of PSDs in workplace

BY MICHAEL FOX
Last updated 15:15 05/05/2010

The security of sensitive and personal information is being put at stake by lax control of portable storage devices in some government agencies.

The claims come as Law Commission president Sir Geoffrey Palmer today flagged proposed changes to privacy rules which could mean more sharing of private information between government agencies.

Privacy Commissioner Marie Shroff today released the results of a survey which looked at the security controls 42 different government agencies had in place over the use of portable storage devices, or PSDs, in the workplace.

The survey found that an estimated 120 PSDs, which can be used to store and transport information, were lost or stolen in the last 12 months alone.

The commission's main concern is that PSDs, including memory sticks and cellphones, pose a major security risk if they are used to store sensitive information as they can be easily lost or stolen.

"The storage capacity of PSDs has grown dramatically in only a few years, exposing organisations to risks of major data breaches," Ms Shroff said.

"As several high-profile incidents overseas illustrate, these data breaches can seriously damage both the reputation of the agency concerned and the trust that the public has in that agency."

The survey found that some progress had been made compared to last year, with 32 of the agencies surveyed saying they had limits on the use of PSDs in the workplace compared to 22 out of 37 in the previous survey.

However, some agencies still had "inadequate controls".

Only 21 agencies had policies for disposing of PSDs and 16 on when stored data should be deleted.

The Privacy Commissioner last year expressed concerns over staff using their own devices for work purposes and said 29 of the agencies now prohibited that.

Agencies such as the Security Intelligence Service and Department of Prime Minister and Cabinet, which dealt with personal or classified information, generally outperformed those that didn't.

Ms Shroff said that last year's survey showed that many agencies needed to improve privacy measures.

"Many government agencies have made a promising start but more needs to be done to protect New Zealanders' personal information," she said.

Changes to privacy law flagged

Meanwhile, in a speech to the Privacy Forum in Wellington earlier today, Sir Geoffrey spoke about the commission's review of the Privacy Act 1993, and the pressures expanding technology can place on privacy.

It was a complex subject, and he offered a chocolate fish to anyone who could define privacy.

Sir Geoffrey criticised how some agencies interpreted the Act. Its legal provisions did not do what many people said they did.

"Seldom in the history of New Zealand statute law had so much baseless misunderstanding been perpetuated by so many," he said.

"Some of it seems to have been deliberate. The Privacy Act has afforded many public and private agencies a false excuse for not carrying out their obligations."

That meant it had a bad reputation in some quarters that it did not deserve.

"We have reached the tentative conclusion that the Act needs to be changed to better facilitate appropriate information-sharing amongst Government agencies."

Sir Geoffrey also said both public and private sector agencies were currently under no legal obligation to notify individuals or the Privacy Commissioner when an individual's personal information is compromised - for example lost or obtained by computer hackers.

There were questions about whether organisations should be required to notify individuals their personal information has been compromised and if the Privacy Commissioner should have power to compel an organisation to notify affected individuals.

Sir Geoffrey said the Privacy Commissioner system appeared to be generally sound and working well but the commission "tentatively believed" there were elements of it that were cumbersome and it could be made more streamlined and efficient.

"Essentially we propose a reformed complaints process together with some new enforcement tools," he said.

The commission will publish its final report on the Privacy Act around the end of this year.

- with NZPA

- © Fairfax NZ News
