
Personal Information and Privacy

Tracking Data

There are new Standards that cover the tracking of web site user “activity”. For the purposes of these standards and recommendations, this has been labelled Tracking Data, defined in the Glossary of Key Concepts. The intention is not to disallow such activity outright; there is good reason (principally site usage statistics) why agencies would wish to undertake it. The general approach is to allow most such activities but to require the agency to be transparent with the user about them.

Refer to the following standards:

  1. Data tracking able to be disabled – standard 19.1
  2. Rules governing storage of tracking data – standard 19.2
  3. Client side personally identifiable data storage – standard 19.3
  4. Encryption of personal information in tracking data – standard 19.4
  5. Security requirements for internet exchange of personal information – standard 21.1
  6. Privacy Statement – standard 16.7

Privacy and the recording of personal information should be considered not only for the user of a web session but also for any data that identifies a third person. See the definition of third person in the Glossary of Key Concepts.

Online Payments

Online payments in New Zealand are via credit card. As of Jan 2007, EFTPOS will also be available.

If your site is to take online payments, all pages relevant to the payments process must be secure, as defined in standard 21.1.

For assistance with incorporating online payment facilities into the agency’s web site(s), contact the bank that your agency uses for its general banking.

Full details of customers’ credit cards should not be persisted. The agency needs to consider both the risk and the need of doing so. Where there is a need to record them at all (for example, to resolve a post-transaction customer dispute regarding billing), generally only the first four (4) and last four (4) digits of the credit card number are recorded.

Where any payment card details are persisted, it should be made clear that this is taking place, what specifically is being persisted and why, in a web location relevant to the payments process and/or on the disclaimer page.
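A worked illustration of the truncation practice described above, added here as an example; it is not code from the Web Guidelines or from any agency. The function names, the record layout and the sample card numbers (publicly known test numbers) are assumptions made for this illustration. It goes slightly beyond the text by accepting card numbers of 13 to 19 digits with spaces or hyphens, and by rejecting numbers that fail the Luhn check digit so a mistyped number is never recorded as a reference. The full card number and the security code are never part of the value that would be written to storage.

```python
"""Reduce a payment card number to the first four and last four digits
before anything is written to a post-transaction dispute record.

Added example, not part of the New Zealand Web Guidelines. Function
names, record fields and sample numbers are assumptions for illustration.
"""
import re


def _clean(raw_pan: str) -> str:
    """Strip the spaces and hyphens users commonly type between digit groups."""
    return re.sub(r"[\s-]", "", raw_pan)


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test, used to reject typos rather than as a
    security control: it says nothing about whether the card is genuine."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def is_valid_pan(raw_pan: str) -> bool:
    """True when the input looks like a card number: 13-19 digits that
    pass the Luhn check. (Constructed limits; card schemes vary.)"""
    digits = _clean(raw_pan)
    return digits.isdigit() and 13 <= len(digits) <= 19 and luhn_valid(digits)


def truncate_pan(raw_pan: str) -> dict:
    """Return only what may be persisted: first four, last four and a
    masked display string. The full number is not in the returned dict."""
    if not is_valid_pan(raw_pan):
        raise ValueError("not a valid card number")
    digits = _clean(raw_pan)
    first4, last4 = digits[:4], digits[-4:]
    masked = first4 + "*" * (len(digits) - 8) + last4
    return {"first4": first4, "last4": last4, "masked": masked}


def dispute_record(raw_pan: str, amount_cents: int, reference: str) -> dict:
    """Build the record kept for billing disputes. The security code
    (CVV/CVC) and expiry date are deliberately not parameters, so they
    cannot be persisted by accident; the card number is truncated here."""
    card = truncate_pan(raw_pan)
    return {
        "reference": reference,
        "amount_cents": amount_cents,
        "card_first4": card["first4"],
        "card_last4": card["last4"],
        "card_masked": card["masked"],
    }


if __name__ == "__main__":
    # Publicly known test number, constructed input for the demo.
    print(dispute_record("4111 1111 1111 1111", 2500, "TXN-EXAMPLE-001"))
```

The point of the design is that the persistence layer receives the output of dispute_record and never the raw input: the truncation happens once, at the boundary, and the record type has no field in which a full card number or security code could be stored.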

Payment Card Industry (PCI) Security Standards Council's Data Security Standards

The Payment Card Industry (PCI) Security Standards Council's Data Security Standard (DSS) is a set of data security requirements mandated by the major credit card companies. Sites that take payments online via credit card will need to comply with it.

The Payment Card Industry (PCI) Security Standards Council's Data Security Standards (DSS) includes requirements to:

  • Develop software applications based on industry best practices and incorporate information security throughout the software development lifecycle
  • Develop all web applications based on secure coding guidelines such as the Open Web Application Security Project guidelines

These standards are defined by the Payment Card Industry https://www.pcisecuritystandards.org/index.html

The latest PCI DSS is available for download (PDF v7) at https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf

Online Transactions

Online transactions collect personal information, and often create additional records that include transaction logs and tracking data. It is good practice to perform a Privacy Impact Assessment as part of initial scoping and at key stages during design and implementation. For more information about PIAs, visit the Office of the Privacy Commissioner web page Privacy Impact Assessment Handbook.

Forums

If your agency intends to host an online forum (also referred to as a “bulletin board”), attention is drawn to 31.1.2. Privacy also requires consideration, e.g. information identifying another person (defined in the Glossary of Key Concepts). Further assistance on hosting forums is available under Corresponding with the users – Online Forums.

NZ government information outside New Zealand boundaries

Agencies are expected to undertake a risk analysis before entering into any arrangement under which NZ Government information would be held beyond New Zealand boundaries. In particular, it is recommended that agencies consider the privacy issues that arise when personal information is beyond the reach of the Privacy Act 1993.

"Within New Zealand boundaries" includes New Zealand embassies or high commissions and/or agencies based beyond New Zealand shores.

Cases where this could apply include agencies considering:

  • Making use of a third party offshore authentication service
  • Hosting a web site for the agency outside of New Zealand boundaries

Note that, even if the agency wished to proceed with either of the above arrangements, the NZ government position, while not forbidding the agency's decision, would dissuade such actions because of the potential risk of compromising the privacy of data sensitive to the NZ government, regardless of any reasons (e.g. financial or other) that may be perceived as beneficial for the agency.

Security

All government web sites must comply with the Minimum Standards for Internet Security in the New Zealand Government. (Section 8, Annex A, Security in the Government Sector.)

Agencies should ensure that hosted sites, whether hosted in-house or by external vendors, are covered by a comprehensive documented security policy. This should specify the physical and electronic security of the hosted site, and both routine and emergency security procedures, including the reporting of security threats and breaches.

Agencies should test the host’s compliance with the security policy, including penetration testing.

Resources

  • Departmental Security Officer or the Departmental IT Security Officer should be consulted before setting up hosting arrangements.
  • Government security publications are available from the Government Communications Security Bureau.