Networking government in New Zealand.

Access rules

Standard: Publishing

All current ratified internal policy and standards documents will be published within the agency as a discrete set.

All current ratified policy and standards documents of direct relevance to the public will be available as a discrete set, via NZGO, and available through any reasonable delivery methods necessary for equitable access for the public.

Other publications of direct relevance to the public should increasingly be available electronically.

Supports Policies: Access rules

Scope and Interpretation

The policy applies to all policies and standards approved through official processes as agency policies and standards.

Ability to retrieve the material as a discrete set means that a simple proven method exists to retrieve all relevant policies and standards. The method must be available to all users and be guaranteed to be complete without producing unnecessary clutter.

Implementation should be simple for small agencies e.g. an internal manual available in paper and/or electronic form, with public material available via the New Zealand Government On-line website (NZGO). "Via NZGO" can mean either published on the NZGO site, or linked via that site.

Other equitable delivery methods must be able to ensure access for the public without transferring costs from the publishing agency.

The agency must be able to demonstrate that:

  • All current internal policies and standards are available to all staff

  • Staff are trained on how to access current policies and standards

  • All current public policy and standards are available to the public via NZGO

  • Delivery methods must include electronic form

  • Members of the public are made aware of how to access current public policies and standards

  • Superseded versions of policies and standards are available, with the contextual information of when they were in effect

  • Updates of internal policies and standards are brought to the attention of staff affected by them

  • Updates of public policies and standards must be clearly identified, so that members of the public can observe them

Draft versions must be distinguished from current policy and standards documents. Superseded or withdrawn policies and standards will be available within the agency, but will be identified as no longer in effect. Any on-line publishing system must not only provide access to the current and complete policy, but must also be quick to access, so that staff and/or members of the public will choose to access it.

Rationale

Internal policies and standards are key agency documents that should be actively published to ensure that they are up to date, and that they are completely, consistently, and readily available to staff.

For these critical reference documents, extra care and effort will be taken to maximise the ease with which staff can retrieve information, otherwise staff will revert to less authenticated sources of policy and standards. This has special relevance in urgent situations, such as those encountered by operational staff referring to policy while a client is waiting.

Policy of direct relevance to the public must be truly available to the public.

Standard: Security

Security systems that control access to document and data stores must be designed to implement access rules defined by the agency, regardless of the storage medium.

Supports Policies: Access rules

Scope and Interpretation

Each agency must develop, document and maintain access rules within legislative and business restrictions. These access rules will include compliance with the security provisions defined by the Department of Prime Minister and Cabinet. See also Generic Business Security Policy for Government published by the State Services Commission.

Any approved data or document stores must be capable of recording and enforcing these access rules, regardless of complexity. For a small office this may be simply using secure directories on a PC, and storing paper documents in a locked filing cabinet. Large organisations may require full-scale databases with several layers of security attributes.

Documents may exist in either electronic or physical format or both, and each agency must ensure that its systems can maintain access rules regardless of storage medium. All staff must be aware of their responsibilities in handling all information, particularly restricted, security-classified, personal and commercially sensitive information.

Ongoing maintenance of access rules is required to allow for changes in legislation and business requirements.

Rationale

Data and business documents held by agencies in approved document stores must be available to all those with a legitimate requirement for access, and protected from unauthorised access. The agency needs to ensure and demonstrate that its information is stored and accessed in accordance with applicable privacy and confidentiality requirements.

Effective implementation of access rules mitigates the risks of breaches of security and/or privacy of information held by the agency. In the event of a breach of security or privacy, the agency should be able to identify its source and nature, recognising that some breaches may be accidental or inadvertent.

Standard: The position, not the person

Security must be on a role basis, so that maintenance-level control of data or documents goes with a position, not with a person.

Supports Policies: Custodianship; Access Rules

Scope and Interpretation

Data elements in a database must be available to people currently holding an authorised access/position and not confined to nominated individuals. Documents must be retrievable by an agency regardless of whether their creators are still employed in the positions they held when they created the document.

The Business Custodian is responsible for ensuring that the standard is put into practice. Any list or database table relating staff and positions must be kept up-to-date.

If a position is dis-established its associated security role(s) must be linked to a current position to ensure continuity of access.

Rationale

Implementation of this standard reduces the risk of lost or unavailable material. The agency needs to have access to all business data and documents:

  • Staff members moving into positions need to have access to all data and documents created by their predecessors

  • Managers need access to the data and documents created by departed staff

  • Staff members moving out of a position should no longer retain access restricted to that previous position.

Standard: Secure electronic exchange

When exchanging electronic data or documents, government agencies must transmit all security-classified material via secured electronic communications.

Supports Policies: Access rules

Scope and Interpretation

Each agency must have systems in place that protect security-classified data and documents, and must train users on the security classifications and their use.

Current examples of potentially unsecured communications are:

  • Email transmitted via the internet, both messages and attachments, without encryption

  • Using public switched networks, e.g. a public phone line from home without encryption

  • Fax communications without encryption or where the receiving machine is not secured

When technology permits security, external partners may be given controlled and appropriate access to data or documents in approved stores. Technical solutions will be compliant with NZ Government standards for secure electronic exchange of information.

Rationale

Security-classified documents must be handled and stored to ensure their safety, and protect against loss or unauthorised disclosure.

Standard: Individual privacy and confidentiality

To protect privacy and confidentiality of individuals, agencies will determine which types and instances of data and documents contain details about individuals. Provisions of the Privacy Act and Privacy Commissioner codes of practice must apply. In addition, access restrictions must define authorised user groups and the period for which the constraints apply.

Supports Policies: Access rules

Scope and Interpretation

To assist in ensuring privacy and confidentiality, users will be able to identify whether any data set or document:

  • Contains personal information on an identifiable individual who is the subject, whether or not the person is a member of the agency or external to it

  • Contains personal information on identifiable third parties who are not directly the subject, whether or not those persons are members of the agency or external to it

  • Contains aggregated summary information about individuals, and privacy of the individual is protected

  • Does not contain information about individuals

To preserve privacy, any linkages between individual data and summary data must be removed from summary data. In addition, unrestricted ability to scan index listings without supplying identifiers associated with a particular individual must be avoided. While there may be a legitimate need for this type of facility, access rules must be applied to prevent unauthorised 'fishing' for personal information.

While the appropriate handling of all information about individuals is the responsibility of all staff, each agency also has a privacy officer legislated under the Privacy Act.

Rationale

Assists the agency in ensuring only appropriate personal information is held and released.

The agency can demonstrate the systems and processes it has in place to ensure the security of personal information held by it. The risk of unauthorised or inadvertent disclosure of personal information to third parties is managed. Provisions of the Privacy Act apply.

Standard: Commercial sensitivity

To protect legitimate commercial interests, agencies will develop and maintain guidelines to determine which types and instances of data and documents contain commercially sensitive material. In addition, access restrictions must define authorised user groups and the period for which the constraints apply.

Supports Policies: Access rules

Scope and Interpretation

Agencies will manage commercially sensitive information to ensure that information held is:

  • Protected from unauthorised access

  • Identifiable and accessible for audit of its storage and use

  • Managed to comply with statutory and documented business requirements

  • Auditable to provide a record of access

  • Not retained unnecessarily

The appropriate handling of all commercial information is the responsibility of all staff. All commercially sensitive information must be clearly identified, guidelines must be in place for its use, and staff must be trained in those guidelines.

Each agency must be able to demonstrate the systems and processes it has in place to ensure the security of commercially sensitive information held by it. In some cases specific agreements with commercial entities may be required.

Rationale

Assists agencies to ensure that commercially sensitive information is secure. Some agencies are such large players in specialist markets that their decisions can affect the viability of commercial companies.

The risk of unauthorised or inadvertent disclosure of commercially sensitive information to third parties must be managed.

Standard: Equity of access

Each agency must develop a strategy and an implementation plan to deliver equity of access to data and business documents, within the agency, between itself and other agencies, and for the public.

Supports Policies: Access rules

Scope and Interpretation

Equity of access differs from equality of access.

Within an agency, staff at any level and at all locations must have access to data and documents such that they can do their work efficiently and effectively.

Equity of access between government agencies could be an issue if agencies legitimately need to access information but encounter difficulties related to their systems, size, etc.

Equal access for the public might be that all government agencies offer the same information to all New Zealanders via the same delivery mechanism, e.g. the Internet. Equity of access might be that all New Zealanders can readily access appropriate government information whether or not they have a computer, phone and modem, and whether or not they live in a major centre. There is a trend for agencies to physically withdraw from small centres and rely on technology to provide services. However, small centres may be technology poor.

Issues of language, culture, age, disability, etc. may also impinge on equity of access. Agencies should consider the implications of their practices on access in relation to these sorts of issues.

Development of strategy and an implementation plan will ensure that the issue is considered and discussed, instead of using implicit assumptions. This process includes:

  • Who needs to access the information

  • What information they want to access, or could access if they knew it existed

  • What delivery mechanisms they need/prefer to access it

  • What delivery mechanisms exist

  • Gap analysis, including reasons for gaps and strategies to minimise them

  • Reasons for lack of action to address any identified gaps

Rationale

The government drive to electronic government opens up new opportunities to access data and documents, and new access delivery mechanisms. This could both improve and diminish equity of access, depending on awareness and responsiveness of government agencies to issues about equity of access.

