Portable Storage Device Survey Report 2009

01 May 2009

Many government departments risk accidentally disclosing sensitive personal information because of poor controls on staff use of 'portable storage devices' (PSDs) such as USB memory sticks, Privacy Commissioner Marie Shroff says.

A survey of the 42 main government agencies, undertaken by the Office of the Privacy Commissioner recently, shows PSDs are widely used but that there are real gaps in security procedures and practices.
 

Methodology

The New Zealand survey was largely based on the survey undertaken by Privacy Victoria (Australia), which released its results in January 2009[1].

We selected 42 state sector organisations for participation in the survey:

  • 35 Public Service Departments;
  • 6 Non-Public Service Departments; and
  • 1 Crown Entity.

At the end of February, we sent covering letters with an enclosed survey to each Chief Executive Officer (or equivalent) explaining the purpose of the survey. At the same time, we sent an electronic version of the survey to each CEO’s Executive Assistant, requesting that they forward the survey to the staff member nominated by the Chief Executive to complete it.

The survey consisted of 34 questions. These fitted into the following categories:

  • general, scene setting;
  • hardware controls;
  • software controls;
  • policy controls;
  • encryption; and
  • risk management.

Of the 42 agencies surveyed, 37 responded in time to be included. Four submitted late responses and one agency did not respond.

The survey results are presented in two parts. In the first part, we show the combined results of the 37 agencies. The second part provides a comparison of results after agencies were separated into three groups:

  • Group 1: Agencies that hold large amounts of personal information;
  • Group 2: Agencies that primarily hold classified or sensitive information; and
  • Group 3: Agencies that hold relatively small amounts of personal information.

Appendix 1 lists the agencies under each group.

Key Results

The survey results show that ‘portable storage devices’ (PSDs) are widely used by government and that there are real gaps in procedure and practice.

Thirty-five of the 37 agencies that responded to the survey make PSDs available to staff – most commonly USB sticks – with nearly two-thirds of agencies also allowing staff to use their own. We are particularly concerned about the use of personal PSDs in the workplace because of the increased risk of losing one outside of work, or of disclosure of sensitive information (for instance, through lending a PSD to a friend, or removal of agency information when a person leaves the agency).

While 75% of agencies say they have documented policies to restrict or control the use of PSDs, the existence of a policy is not enough to show that adequate safeguards are in place. Other more detailed survey questions focusing on policy controls showed that:

  • 44% do not have procedures for disposing of obsolete PSDs;
  • 46% do not have procedures covering the deletion of data from PSDs;
  • only 22% are able to track transfers of data to PSDs; and
  • just over half of the agencies surveyed provide their PSD users with encryption solutions but only eight agencies make encryption mandatory.

On the positive side, it is pleasing that 70% of agencies surveyed have procedures to report the loss or theft of a PSD.

Software controls are more widely used (57%) to limit the use of PSDs than hardware controls (32%). Thirty percent of agencies use both hardware and software controls. Nineteen percent of agencies responded that they plan to implement new software controls while only 8% are considering implementing new hardware controls.

Ten percent of the agencies who responded do not have any hardware, software, or policy control on the use of PSDs. Some agencies have recognised they have weak controls on the use of PSDs and are taking steps to introduce tighter controls.

Agencies that primarily hold classified or sensitive information have significantly tighter controls over the use of PSDs than other agencies. This was not a particular surprise. However, it is worrying that agencies that hold the largest amounts of personal information had fewer controls. It appears that personal information is not being accorded the same care as information that is “classified” or “sensitive”.

Page last modified: 15 Mar 2018