NZ clamps down on unapproved IT suppliers after data breach

2 September 2019

New Zealand’s government has ordered many of its ministries not to use non-approved web and information communications technology service providers following a major data privacy breach.

The country’s Treasury suffered an embarrassing data breach prior to the Budget when information including birth certificates, driving licences, and passport numbers of 302 people was published online.

The information, which was published inadvertently, was associated with people who had applied to be part of a scheme – Tuia 250 – linked to commemorating the arrival of Captain James Cook in New Zealand waters in 1769.

Prime minister Jacinda Ardern said at her post-cabinet press conference that only those providers who appear on an approved “all-of-government ICT common capabilities procurement list” could now be used by certain departments.

Previously, using suppliers on that list was voluntary. Agencies now covered included all government departments deemed to have “small” ICT capabilities.

That definition covered the Treasury, the Department of Prime Minister and Cabinet, the State Services Commission, Ministry of Defence, Ministry of Transport, Ministry of Housing and Urban Development and the Crown Law Office.

It also encompassed the Ministries of Women's Affairs and Pacific Peoples, the Education Review Office and the recently formed Te Arawhiti, which manages relations between the Crown and Maori.

“[Those agencies] must review planned and future ICT projects, implement common capability security and privacy-related government chief digital officer guidance,” said Ardern.

“They must follow the government chief information officer’s information security standards and policies and they must obtain the government chief information officer’s certification that they are compliant with these requirements.”

Ardern said the firm that established the Tuia 250 website – which was not named – was not on the approved procurement list.

“My understanding is that list has not been mandatory but as I’ve set out, as an interim step while we work through what we need to do to prevent this ever happening again, we will now be requiring those small agencies to procure from that list over the near future.”
