Home › Trust and public confidence risks

Trust and public confidence risks

"Trusted State Services" is one of the Development Goals for the New Zealand State Services. This goal is: "New Zealanders have confidence in the people, systems and processes of the State Services and the way services are delivered. They trust that agencies will deliver the services they need to go about their lives."

To establish and maintain this level of trust and public confidence, agencies must continue to protect the quality and security of government information and services, whether or not these services are provided or supported from offshore.  Trust is hard won; it is easy to erode and difficult to re-establish.  Perceived or actual breaches of quality or security in services outsourced offshore will reflect poorly on the governance and competence of the government agency involved and potentially the wider state sector.  It is essential that government agencies are prudent about developing and managing any initiatives which would result in services or data moving offshore.

Trust and confidence in government can usefully be seen as second order effects of good information management practices.  Threats to trust and confidence in government can arise not only from any actual leak or loss of data, but also from people's perceptions about the level of risk to their personal data or other sensitive data arising from government decisions to locate data or data processing services offshore.  Media reports of data breaches outside New Zealand can affect perceptions of the safety of information held within New Zealand as well as information transferred offshore.  In these situations public perception may be a more significant concern than an objective view of risk might suggest.

Government agency ICT relationships with regions, countries or operators that are perceived to be high risk may undermine public confidence in that agency.  Furthermore, such perceptions can aggravate issues when a breach of trust and confidence has occurred, even if appropriate due diligence and risk management has taken place.  For these reasons, it may be advisable to avoid dealings in areas in which the public has low levels of trust. Refer to the annual Global Corruption Report at Transparency International's website as one means of identifying areas of low public trust.

People's privacy (objective risk) or confidence in government (perception risk) can be damaged when government agencies use offshore service providers which are not subject to comprehensive privacy legislation or against which enforcement against data breaches could be difficult.  Concerns relate to:

  • The storage and transmission of personal data, e.g. through hosting websites and undertaking transactional activities such as surveys.
  • The potential collection of personal data by offshore providers of search tools, e.g. through retaining records of people's search requests.
  • The collection and use of personal data for analysis purposes, e.g. web analysis tools which track a user's behaviour on websites.
  • The use of information collected by New Zealand government by other parties for purposes for which it was not collected, such as any use of New Zealand government databases for marketing or consumer profiling, or the aggregation of New Zealand government databases with other data for unauthorised purposes.

These specific mechanisms provide ways for personal data to 'leak' beyond the public sphere. In some cases, the amount of personal information that can leak is relatively small  but small pieces of information can in principle be consolidated to provide more detailed dossiers of information about individuals.  Conversely, even supposedly 'anonymous' information, if collected in sufficient quantities, can unintentionally identify individuals. AOL (an international internet service provider) learned that lesson the hard way in 2006, when it released what it thought was anonymous data on over 650,000 people's search activities, but later found that from such bits of information, a 'mosaic' could be created that could eventually lead to identification of an individual.

Trust and public confidence risks

  • Adverse effect on public trust in e-government services and government in general
  • Loss of autonomy, authority and control, higher risk of data breaches
  • Public perception that service or data offshore is riskier or unacceptable
  • Loss of control over government information because it would be subject to the laws of other countries
  • Trade relationships affected by loss of international confidence in New Zealand systems.

Example mitigations

  • Seek appropriate advice (e.g. from MFAT, DPMC, security agencies)
  • Seek Ministerial agreement before commencing negotiations
  • Seek appropriate legal advice
  • Investigate the scope and powers of foreign legislation over New Zealand data and services and offshore support personnel or providers
  • Ensure effective security management.
  • Avoid offshoring private or sensitive data or services (including remote support) where assurance over the confidentiality of data cannot be assured.
  • Limit the scope of the service provider for downstream outsourcing

[ Previous | Next ]