
What is an online transfer in information matching?
Why do you need to apply to use online transfers?
When should I contact the Office of the Privacy Commissioner (OPC)?
What documentation does OPC need first?
What technical details need to be included in documentation?
What level of security and encryption is needed?
What details should be in an application letter?
How long is an online approval valid for?
What happens once an approval is granted?
What conditions might an online approval contain?
Compliance Auditing: Online Transfer Approvals
Who should perform the audit?
What are some key concepts auditors should follow?
How should audit findings be documented?
Why is management sign off of the audit report necessary?

What is an online transfer in information matching?

An online transfer is the electronic transfer of information between agencies, commonly over an encrypted internet connection. Online access to information held by another agency is also considered an online transfer.

Why do you need to apply to use online transfers?

The Privacy Act 1993 prohibits the use of online transfers in an information matching programme except with the Privacy Commissioner's approval[1]. Approvals include conditions designed to ensure that agencies have suitable safeguards in place to protect the data while it is being transferred or accessed.

When should I contact the Office of the Privacy Commissioner (OPC)?

Ideally, agencies should consult with us at least three months prior to the planned use of any online transfer system. Consultation can happen at any time. However, we can only grant an approval after the legislation authorising the programme has been passed.

What documentation does OPC need first?

We prefer that agencies provide a draft design document of the online transfer system before submitting an online transfer application. This allows us to confirm that the documentation is of a good standard and that the intended design meets the required security standards.

The design document will form part of the Technical Standards Report[2] ('TSR') which governs the operation of the information matching programme. If this is a new programme, the online specifications will be an integral part of the TSR. For an existing programme the online transfer details can be appended to the existing TSR as a 'variation report'.

What technical details need to be included in documentation?

The design document will ideally include a diagram of the online transfer system, along with details of the processes (electronic and business) involved in the transfer of the data. The document will also specify the security techniques used, including details such as:

  • file and/or transportation layer encryption/decryption specifications
  • use of digital signatures/public and private key certification
  • password length and complexity
  • file access rights including details about the use of any generic user accounts
  • firewall rules
  • the transport mechanism
  • compliance with security and messaging standards (NZ Information Security Manual v1.0)
  • use of existing secure transportation systems (such as SEEMail).

What level of security and encryption is needed?

The Commissioner requires the mandatory use of encryption for all online transfers to mitigate the risk of inappropriate disclosure of information, whether by accident or by intentional act.

The NZ Information Security Manual v1.0 / December 2010, published by the Government Communications Security Bureau (GCSB), is the authoritative source for NZ government agencies to follow for ICT security.

The information exchanged in information matching programmes most closely aligns with the 'In Confidence' classification. However, the operation of most information matching programmes involves sending sensitive personal information about many thousands of individuals at one time. To mitigate the risks of such large transfers, we expect the information to be treated as 'Restricted' for the purposes of determining information security and information handling requirements.

What details should be in an application letter?

Application letters for online approvals are usually completed by the 'user agency' - the agency using the information to take some action based on the results of the programme. The user agency is the agency primarily responsible for updating the TSR.

An online transfer application letter should:

  • state the name of the information programme and its legislative authority
  • include a finalised design document of the online transfer system
  • include the details of a contact person to whom we can direct any technical questions
  • be signed by someone in a senior position who can assume responsibility for ensuring that any approval conditions are met.

To avoid delays we recommend you provide the application to us at least six weeks prior to your expected go-live date.

How long is an online approval valid for?

Our practice is to grant first-time approvals for 12 months. If there is evidence of safe operation, verified by a satisfactory audit report, subsequent approvals are usually for three years.

What happens once an approval is granted?

Once the online approval is granted, if the TSR does not already contain an accurate description of the online system, the TSR must be updated. The online approval may also include conditions which are required to be reflected in the TSR. Either the existing TSR can be updated or a 'variation report[3]' can be attached to the existing TSR. Whichever process is used, a copy of the new documentation must be forwarded to the Commissioner.

What conditions might an online approval contain?

Online transfer systems continue to evolve, with new modes of transfer such as business to business (B2B) links and managed web services models becoming more prevalent. Online approvals are tailored to meet each unique situation. However, there are some common approval conditions which apply to most online transfer systems. For instance:

  • The data extraction programs and other processes associated with the transfers ensure that only information relevant to the match is exchanged
  • Procedures are in place to provide reasonable assurance that information transmitted and received via any service provider is valid and has not been compromised
  • Transfers of data will be done in accordance with the details contained in the TSR and that any updated TSR or Variation Report is forwarded to the Privacy Commissioner.

Several online transfers use the government secure email system (SEEMail). The following are examples of conditions imposed on those transfers:

  • Dedicated mailboxes will be used exclusively for the purpose of these transfers
  • Access to mailboxes is restricted to persons authorised to operate the information transfer
  • The SEEMail system is used for all transfers of information authorised for this match
  • The data extraction programs and other processes associated with the transfers ensure that only information relevant to the match is exchanged.

Compliance Auditing: Online Transfer Approvals

All online approvals require the completion of an audit of the online transfer system. The purpose of the audit is to obtain evidence to enable us to be satisfied that the online transfer system is being operated in compliance with the approval.

Who should perform the audit?

Ideally the auditor will have an auditing qualification and/or proven experience in auditing or risk assurance. The auditor must have adequate knowledge and skills to perform the audit in an effective and efficient manner and be independent of the function being audited.

What are some key concepts auditors should follow?

Auditors should collect sufficient information in order to draw reasonable conclusions on compliance. Incomplete or excessive amounts of information may hinder the ability to come to a conclusion.

Auditors may not be able to audit to the level required to guarantee that an agency is compliant, as doing so may be uneconomic. It may be necessary to rely on certain assurances 'signed off' by a senior person in the agency.

Where documentation suggests a non-compliance issue, it is wise for the auditor to see what happens in practice before coming to a formal conclusion.

How should audit findings be documented?

Audit observations and findings emerge through a process of comparing 'what should be' with 'what is'. Where there is a difference, an assessment of the impact and the effect of the variance should be completed.

Where the auditor feels that they have been unable to obtain sufficient and appropriate evidence upon which to base their conclusions, this should be reflected in their statement of assurance.

The report should be fair and balanced and presented in an unbiased tone, noting where management has taken actions to correct deficiencies and recognising exemplary performance.

Why is management sign off of the audit report necessary?

Agency management must be given the opportunity to respond to findings. This is to:

  • reduce the risk of conclusions that may be inappropriate
  • ensure there are no misunderstandings or misinterpretations of fact
  • ensure that the auditor is aware of all relevant information.

Action plans should be agreed with management before final sign off.
May 2011


[1] Privacy Act 1993, Schedule 4, rule 3
[2] Privacy Act 1993, Schedule 4, rule 4
[3] Privacy Act 1993, Schedule 4, rule 4(4)