Office of the Privacy Commissioner | Media release: Government agencies smartening up on PSD controls
Government agencies have generally improved security around portable storage devices' (PSDs) such as USB memory sticks - but there are still some key agencies that have less than desirable controls, Privacy Commissioner Marie Shroff says.
'There is a real risk of accidentally disclosing sensitive personal information when using small, lightweight PSDs that can store vast amounts of information but are very easily lost or stolen,' Ms Shroff says.
A recent survey by the Office of the Privacy Commissioner of 42 main government agencies found an estimated 120 organisation-owned PSDs had been lost or stolen in the previous 12 months. PSDs include USB sticks, iPods/MP3 players, smart phones/PDAs (personal digital assistants) and notebooks.
Overall, the survey found two thirds of the 42 government agencies appeared to have adequate controls on PSDs compared with less than half when surveyed a year ago.
'There are some standout improvers, particularly the Parliamentary Counsel Office and Treasury, and many others that have made good improvements. However, a small number of significant agencies should be doing better but have made little or no improvement.
Of the government agencies which have the largest holdings of personal information, progress on implementing controls to manage and monitor PSD use was as follows.
Progressed to commendable - Inland Revenue, Ministry of Social Development, New Zealand Customs Service, ACC;
Progressed to adequate - Ministry of Education, Ministry of Justice;
Still below par - Department of Labour and Ministry of Health (improvements made but more controls necessary).
'There is clearly still room for improvement,' Ms Shroff said. 'But overall I am pleased to see an increase in controls to manage and monitor PSD use.'
For example:
29 of 42 agencies that responded to this year's survey prohibited the use of personal PSDs for work purposes (14 of 37 agencies last year).
76 percent used hardware or software controls (59 percent last year).
79 percent keep a PSD register (62 percent last year).
The survey was conducted in March as a written questionnaire to 42 main government agencies.
Download PSD survey report 2010
ENDS
For further information, contact Cathy Henry, Office of the Privacy Commissioner, 021 509-735
Note:
The Privacy Commissioner, Marie Shroff, will be launching the survey results in her welcome speech to the Privacy Forum: 'The Future of Privacy', at the Intercontinental Hotel, Grey St, Wellington. The Commissioner will be speaking at 9am.
The Privacy Commissioner will be available for interviews from 10.30am, Wednesday 5 May.
The PSD survey report will be available from midday at www.privacy.org.nz
Tips for safe use of PSDs
Have a formal policy on PSD use that is actively and effectively communicated to staff.
Make staff are aware of the need to report the loss or theft of a PSD, and know the procedures for doing so.
Clearly explain to users how and when to delete data from PSDs.
Use encryption for all PSDs that are likely to store personal information.
Strictly limit the use of personal PSDs, in combination with providing suitable corporately-owned PSDs.
5 May 2010