Respect for an individual's privacy is almost universally accepted as a fundamental human right, and the obligations this places on organisations are enshrined in the Privacy Act 1993. The right to protect sensitive information (for example, commercially sensitive information) is likewise widely accepted.
Government agencies should have exemplary systems in place to protect these rights. In the Government ICT Strategy and Action Plan to 2017, the Minister of Internal Affairs, Chris Tremain, stated that the Government is serious about better, faster and more secure services for New Zealanders, and better protection of New Zealanders' private information.
In a recent survey, 92% of respondents said it was extremely important that government agencies properly protected the information provided to them, and 82% said they would be concerned if information they gave for one purpose was used for another purpose. Another survey showed that 60% of respondents did not trust government agencies to protect their personal details.
Clearly when people interact with government agencies they expect them to protect private information. An agency's reputation and credibility in the eyes of the public can be greatly harmed if it fails to do this. These failures often create a great deal of media attention which increases the negative impact on the agency.
Efficient and Effective Government
While expecting protection of private information, New Zealanders also expect government agencies to use private information to do their jobs efficiently and effectively. Systems and processes can be put in place to achieve an extremely high level of protection against inappropriate use of private and sensitive information, but arguably can never achieve 100% protection. Furthermore, achieving extremely high levels of protection will increase costs and will also often reduce the efficiency and effectiveness of the agency in achieving its primary objectives, which are of course about benefiting New Zealanders.
Government agencies must also comply with the Official Information Act 1982 (OIA). This Act cites many reasons to withhold information (including privacy), but has an overarching principle that information should be released unless there is good reason to withhold. The OIA requires careful consideration of these potentially conflicting drivers. Simply removing people’s names from documents being released as a standard procedure does not adequately meet the requirements of the OIA. For many agencies the effectiveness of their policies and procedures, in ensuring compliance with both OIA and Privacy Act requirements, may not be well understood.
Importance of managing private and sensitive information risk
Decisions about managing risk associated with private and sensitive information can have a major impact on overall organisation efficiency, effectiveness and reputation. The strategic importance of these decisions should not be underestimated and responsibility should sit at a senior level in organisations. This expectation for government agencies is highlighted in the Government ICT strategy which states that security and privacy awareness should be raised within organisations and pervade business practice, with clear accountabilities through to executive levels.
While all government agencies will no doubt have risk management plans in place, and also policies and procedures for dealing with private and sensitive information, their effectiveness and efficiency may not be well understood by senior managers. In agencies where this is the case, the risks the organisation is exposed to may not be well managed.
To effectively manage risk an organisation needs to understand the different risks it is exposed to, and apply a sound risk management process to develop appropriate ways to mitigate those risks.
A good first step in identifying risks is to create an inventory of the information held about individuals and organisations that could be private or sensitive. A thorough review of all parts of the organisation is important, because information may be in use in one part of the organisation without the knowledge of those who are its primary users in another part.
Developing robust risk mitigation
AS/NZS ISO 31000:2009 Risk Management Principles and Guidelines, and other related guidance documents provide well established and internationally accepted methodologies for developing effective risk management systems.
These methodologies require all risks to be identified and defined in terms of likelihood and consequence. Likelihood and consequence are then considered together to define an overall risk level for each risk. Risk mitigation strategies can then be put in place for each risk based on the defined level of risk, the organisation's appetite for risk, and the costs and benefits of the mitigation options.
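The inventory step and the likelihood-and-consequence method described above can be made concrete with a small risk register. The following is an added example written for this page, not Prima Solutions' or Onstream's own tooling: the five-point scales, the score thresholds, the sample inventory entries and the mitigation options are all constructed assumptions (ISO 31000 itself does not prescribe particular scales), chosen only to show how an inventory is screened for undocumented secondary use, how risks are ranked against an appetite, and how a mitigation option is selected on cost once it brings residual risk within that appetite.

```python
from dataclasses import dataclass

# Ordinal scales for likelihood and consequence. ISO 31000 does not fix
# the scales or thresholds; these five-point scales are an assumption.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONSEQUENCE = {"insignificant": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
LEVELS = ["low", "medium", "high", "extreme"]


def risk_score(likelihood: str, consequence: str) -> int:
    """Combine the two ranks into a single score (product of ranks)."""
    return LIKELIHOOD[likelihood] * CONSEQUENCE[consequence]


def risk_level(likelihood: str, consequence: str) -> str:
    """Map a score onto an overall level. Thresholds are an assumption."""
    score = risk_score(likelihood, consequence)
    if score >= 15:
        return "extreme"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


@dataclass
class InformationAsset:
    """One entry in the inventory of private or sensitive information."""
    name: str
    classification: str          # e.g. "personal", "commercially sensitive"
    primary_unit: str            # business unit that is the primary user
    secondary_units: tuple       # other units also using the information
    likelihood: str              # likelihood of inappropriate use or disclosure
    consequence: str             # consequence if that happens


@dataclass
class Mitigation:
    """A candidate control with its estimated cost and residual risk."""
    description: str
    cost: float
    residual_likelihood: str
    residual_consequence: str


def undocumented_secondary_use(register):
    """Assets used by units other than the primary user; the organisation-wide
    review exists precisely to surface these."""
    return [a.name for a in register if a.secondary_units]


def above_appetite(register, appetite="medium"):
    """Assets whose risk level exceeds the stated appetite, highest first."""
    limit = LEVELS.index(appetite)
    hits = [a for a in register
            if LEVELS.index(risk_level(a.likelihood, a.consequence)) > limit]
    return sorted(hits, key=lambda a: risk_score(a.likelihood, a.consequence), reverse=True)


def choose_mitigation(asset, options, appetite="medium"):
    """Cheapest option whose residual risk is within appetite, or None when no
    option suffices (the risk must then be accepted, transferred or avoided)."""
    limit = LEVELS.index(appetite)
    ok = [m for m in options
          if LEVELS.index(risk_level(m.residual_likelihood, m.residual_consequence)) <= limit]
    return min(ok, key=lambda m: m.cost) if ok else None


# Constructed sample inventory (hypothetical, not real agency data).
REGISTER = [
    InformationAsset("client case files", "personal", "Case Management",
                     ("Analytics",), "likely", "major"),
    InformationAsset("supplier pricing", "commercially sensitive", "Procurement",
                     (), "possible", "moderate"),
    InformationAsset("staff car park list", "personal", "Facilities",
                     (), "unlikely", "minor"),
]

# Constructed mitigation options for the highest-risk asset (costs are illustrative).
CASE_FILE_OPTIONS = [
    Mitigation("access-control review and audit logging", 40_000, "unlikely", "major"),
    Mitigation("de-identify data shared with Analytics", 25_000, "unlikely", "moderate"),
    Mitigation("awareness training only", 5_000, "possible", "major"),
]

if __name__ == "__main__":
    print("secondary use to confirm:", undocumented_secondary_use(REGISTER))
    for asset in above_appetite(REGISTER):
        print(asset.name, risk_level(asset.likelihood, asset.consequence))
    print(choose_mitigation(REGISTER[0], CASE_FILE_OPTIONS))
```

With the constructed data, the case files are flagged for secondary use by Analytics, rank as extreme and sit above a medium appetite alongside the supplier pricing, and the de-identification option is selected because it is the cheapest control that brings residual risk down to medium; the more expensive audit-logging option is rejected because it leaves residual risk high, showing why cost and benefit are weighed only among options that actually satisfy the appetite.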
Prima Solutions can help identify an organisation's risks associated with private and sensitive information. We can help develop effective risk mitigation strategies, and we can advise on the implementation of those strategies. We have a broad knowledge of risk management and of the policies, processes and technology that are relevant to the protection of private and sensitive information.
If you think Prima Solutions may be able to help you, we suggest that we meet to discuss your specific issues. We can then tailor a proposal for you to meet your needs.
Prima Solutions is a Wellington based information management consultancy. We are a subsidiary of Onstream Systems, a New Zealand software developer with over 25 years’ experience specialising in information capture, viewing, storage, and redaction software. Onstream software is used by over a million people in New Zealand, Australia, USA, Canada, UK, and Europe. Onstream products are market leaders in local and central government.
Prima Solutions was created by Onstream in response to market demand for a dedicated consultancy service to help agencies with process improvement and risk management - particularly in dealing with private and sensitive information.