Civil service warned: do more to protect privacy

The privacy commissioner's annual report tells government departments they must do better when dealing with personal and sensitive information.

Privacy commissioner Marie Shroff released her report for the year ending June 30, 2009 showing critical failings in government departments' handling of information.

A nationwide public opinion survey showed concerns over personal information and privacy have grown especially for the internet and business.

"The past year has seen a marked increase in complaints and inquiries," said Ms Shroff.

People are concerned or make complaints when health information is disclosed without their knowledge or is incorrect, banks have disclosed their information, or government agencies have shared personal information.

There were 806 privacy complaints this year, up 22 per cent from last year.

"I have given the public sector a wake-up call to better protect privacy, in the wake of data breaches and surveys indicating that privacy standards are not as good as they should be."

The report found government agencies holding sensitive classified information had tighter controls than those holding personal data.

Ms Shroff was concerned some agencies with poorer practices were flagship departments holding the personal details of millions of New Zealanders.

"I am forced to the conclusion that personal information about New Zealanders is not being treated with the same care and respect as other sorts of 'classified' or 'sensitive' information."

The commissioner said she was repeatedly hearing about cases where government agencies were losing data.

"It concerns me when I am not advised of these incidents at the time, but instead discover them through alternative channels."

Examples of the most high-profile cases of lost data include Housing NZ documents mistakenly sent with eviction notices revealing the address of a senior manager to gang members and forcing her to leave her home under police protection. And Massey University's intranet exposed thousands of students' personal details including IRD numbers, exam results, addresses and phone numbers.

Another issue was the use of portable storage devises (PSDs). PSDs were available to staff at 95 per cent of agencies and nearly two-thirds allowed the use of personal devices for work.

Recent overseas incidents show how easily PSDs - such as USB sticks and CDs - containing sensitive information can be lost. Last year in Britain a USB stick was lost containing the details of more than 6000 prisoners.