Kiwis' personal details exposed

The personal details of thousands of New Zealanders are at risk because Government departments have poor controls on how staff use portable storage devices, the Privacy Commissioner says.

A survey of the 42 main government agencies, undertaken by the Office of the Privacy Commissioner, shows 'portable storage devices' (PSDs) - such as USB memory sticks - are widely used but that there are "real gaps" in security procedures and practices, Privacy Commissioner Marie Shroff says.

Thirty-five out of the 37 agencies (95 per cent) that responded to the survey made PSDs available to staff – most commonly USB sticks. Nearly two-thirds of agencies also allowed staff to use their own personal PSDs for work purposes.

"PSDs are small, lightweight and easy to use, and can store vast amounts of information, but are easily misplaced or stolen," Ms Shroff said. But their use in the workplace presented security risks, particularly if the devices contain unsecured or sensitive data, she said.

"It is particularly concerning that some of the agencies with poorer practices are flagship departments that hold the personal details of thousands of ordinary New Zealanders."

She said the use of personal PSDs in the workplace was a worry as it they were easy to lose or accidentally disclose sensitive information by lending a USB stick to a friend.

The survey found 43 percent did not provide encryption solutions of any sort while just nine agencies made PSD encryption mandatory.

Sixty-two percent kept a PSD register but only 22 percent said they would be able to track transfers of data to PSDs.

"If you are using your own personal PSD for work, then you are more likely to accidentally take that corporate information with you when you change jobs. Government agencies have a responsibility to try and prevent that sort of thing," Ms Shroff said.

Although the survey found that 75 percent of the government agencies responded reported they had policies to restrict or control the use of PSDs, the commission was not "yet confident" that those policies are of a good standard or are well-known by staff.

Only half of the policies included details about how to delete content.

Only 25 percent of agencies performed an audit to ensure PSD procedures were followed.

Seventy percent had procedures to report the loss or theft of a corporate PSD, but only 27 percent for personal PSDs used for work.

Availability and use of security tools such as encryption, tracking of data transfers, or hardware and software controls was patchy or lacking.

"Agencies that primarily hold classified or sensitive information have significantly tighter controls over the use of PSDs than those that hold the largest amounts of personal information," Marie Shroff says.

"It appears that personal information is not being treated with the same care and respect as 'classified' or 'sensitive' information".

What are PSDs?

PSDs include USB sticks, cell phones, BlackBerries, IPhones, iPods, MP3 players, PDAs (personal digital assistants) and netbooks. They are used for a variety of purposes, including to take work home or information to meetings, as temporary file storage or back-up, or to transfer, sometimes sensitive, bulk data between organisations.

Bureacratic blunders overseas:

* 100 USB sticks, some containing secret information, have been lost or stolen from the UK Ministry of Defence since 2004.

* In December 2008, a USB stick containing details of over 6,000 prisoners was lost by a health agency at a UK prison.

* Details of almost 900 customers, including accounts, phone numbers and addresses, copied on a USB stick was lost by a Bank of Ireland employee in November 2008. The information was not encrypted.

* A recent UK survey, carried out by a data security firm, found an estimated 9,000 USB sticks have been left in people's pockets when they take their clothes to the dry cleaners.

- By ANNA CHALMERS, Stuff.co.nz