Networking government in New Zealand.

19. Data Tracking

19.1 Data tracking able to be disabled

A web site must provide the option for a user to disable the collection of tracking data at any time during their visit.

Note that this excludes:

  • When the tracking data is used solely for maintaining session state of the web site.
  • Web site activity recorded in web server log(s), where the web site owner uses this data for anonymous statistical purposes.

Guide to this standard

This standard is in the context of the definition of Tracking Data in the Glossary of Key Concepts.

Agencies should not hold unnecessary information about individuals, and are requested to be transparent about the information they are holding/recording about individuals.

Web site owners should consider this standard when looking at methods available for tracking user activity on a web site.

Related Standard(s)

19.2 – Rules governing storage of tracking data

19.3 – Client side personally identifiable data storage

Rationale for this standard

Data persisted on the device on which the user is hosting their browser (e.g. client machine) is in many cases not a secure medium. It is important not to compromise the privacy of personal identity, if such information is being stored on a client side medium.

Web site users express high levels of concern about the collection of information about their activities on the Internet. (Office of the Privacy Commissioner – Privacy Survey 2006). This standard limits the purpose and use of this data, and can protect the privacy of the individual user.

19.2 Rules governing storage of tracking data

If tracking data is being recorded (e.g. data held in a temporary client-side cookie), then:

  • The agency must place on the site a disclaimer stating (as a minimum):
    1. That tracking data is being recorded;
    2. What processes are being utilised to collect the data;
    3. How the data will be stored;
    4. The benefits to the user community of the web site resulting from the collection of such data;
    5. How a user can prevent this data from being collected;
    6. The impact (if any) on the experience the user may have with the web site, if the user chooses to disable the tracking data.

Guide to this standard

This standard is in the context of the definition of Tracking Data in the Glossary of Key Concepts.

Processes utilised to collect the data can be described by an easily understood statement (minimising technical jargon) of how your agency is initiating and establishing the data-recording process for the web site.

For example:

“A script runs in your browser which creates a file on your computer (referred to in technical circles as a “cookie”) that contains a randomly generated ID. The ID is used to track which pages on our web site you have visited and also assists in identifying you when you return to our web site. The file on your computer does not identify you by any personal information. No data in this file could be used by our agency to identify you should the file be compromised by a third party.”

Also include any details associated with the specific reasoning for the recording of such data. For example, where a third-party organisation provides analytical information to your agency by collecting tracking data on your agency’s behalf:

“Information is recorded about the pages you view, and basic information about your computer, such as the type of browser you are using, your screen resolution and your computer's internet address (IP address). This information is shared with Acme-analytics, a company that our agency has employed to provide web site traffic analysis processes for us.”

How the data will be stored can be described by an easily understood statement, minimising technical jargon. For example, in the case of data being recorded for traffic analysis purposes:

“The aggregate data collected is stored in a database managed by Acme-analytics on behalf of our agency (include your agency name). Only authorised staff within our agency have access to the reports created by the analysis software. Acme-analytics operates under, and is bound by, a strict privacy policy which it has signed with our agency.”

Related Standards

19.1 – Data tracking is able to be disabled

19.3 – Client side personally identifiable data storage

Related Recommendation

19.1.1 – Scope of collecting tracking data.

Rationale for this standard

Because of the requirement to be able to disable the continued recording of tracking data, a site should not have its functionality dependent on this data. Information about the recording of tracking data and user choices supports the government value of transparency.

19.3 Client side personally identifiable data storage

No directly readable personal information is to be persisted on the device on which the user is hosting their browser (e.g. client machine such as a user’s personal computer).

Guide to this standard

‘Directly readable personal information’ refers to data that would reveal the identity of an individual (or individuals) solely by:

  • reading the data, without any need to decrypt it, and/or
  • reading the data without combining it with other (secure) data.

For example, an encrypted user name, or a reference ‘handle’ (i.e. a session ID) that links to more identifiable user details held server-side, are both data relating to personal details that do not by themselves reveal individual identity.

An example of information persisted on the device hosting a user’s browser session is data stored in a client-side cookie on a user’s personal computer.

If personal information is to be persisted within tracking data and encryption is the only protection applied, it is expected that the cryptographic module specification meets an acceptable level of security (refer to FIPS 140-2 as a guide). Refer also to the NZ Government Information Technology Security Manual NZSIT 400, chapter 9, which details approved cryptographic algorithms.

Note: As per recommendation 19.1.2, if it is necessary to maintain ‘state’, server-side session management should be used in preference to client-side session management.
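The following is an added illustration (not part of the standard, and not any agency's code) of the pattern standards 19.1 and 19.3 and recommendation 19.1.2 describe: personal details stay in a server-side session store, the client receives only a random opaque handle, tracking stops as soon as the user disables it, and a check confirms the client-side cookie value contains no directly readable personal field. The in-memory dictionaries and the sample user are constructed for the example.

```python
import secrets

# Constructed in-memory stores standing in for a server-side session database.
_SESSIONS: dict = {}        # handle -> personal details (never sent to the client)
_PAGE_VIEWS: dict = {}      # handle -> pages visited (the tracking data)
_TRACKING_OFF: set = set()  # handles whose owner has disabled tracking (19.1)


def create_session(name: str, email: str) -> str:
    """Persist personal details server side; hand the client only a random handle."""
    handle = secrets.token_urlsafe(32)  # 256 bits of entropy, meaningless on its own
    _SESSIONS[handle] = {"name": name, "email": email}
    _PAGE_VIEWS[handle] = []
    return handle


def set_cookie_header(handle: str) -> str:
    """The only value persisted on the client: the opaque handle (19.3 / 19.1.2)."""
    return f"Set-Cookie: session={handle}; Path=/; Secure; HttpOnly; SameSite=Lax"


def record_page_view(handle: str, path: str) -> bool:
    """Collect tracking data only while the user has not disabled it (19.1)."""
    if handle not in _SESSIONS or handle in _TRACKING_OFF:
        return False
    _PAGE_VIEWS[handle].append(path)
    return True


def disable_tracking(handle: str) -> None:
    """May be called at any point during the visit; collection stops immediately."""
    _TRACKING_OFF.add(handle)


def cookie_reveals_identity(cookie_value: str, handle: str) -> bool:
    """19.3 check: flag a client-side value that contains a directly readable personal field."""
    details = _SESSIONS.get(handle, {})
    return any(v.lower() in cookie_value.lower() for v in details.values())


if __name__ == "__main__":
    h = create_session("Alice Example", "alice@example.test")
    print(set_cookie_header(h))
    print("reveals identity:", cookie_reveals_identity(set_cookie_header(h), h))
```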

Related Standards

19.1 – Data tracking is able to be disabled

19.2 – Rules governing storage of tracking data

19.4 – Encryption of personal information in tracking data

Related Recommendations

19.1.1 – Scope of collecting tracking data.

19.1.2 – Server side session state.

Rationale for this standard

It is important not to inadvertently compromise the privacy of personal identity. Storage of personally identifiable information, for example in a cookie, can be insecure and is open to attack from malicious web sites and software, or can be read by other users who share use of a client device.

19.4 Encryption of personal information in tracking data

Where personal information is persisted within tracking data, and encryption is the sole method used to prevent that information revealing identity (as required by standard 19.3), the cryptographic specification of the encryption must meet an acceptable level of security. This can be met by utilising an approved cryptographic algorithm.

Refer to the NZ Government Information Technology Security Manual NZSIT 400, http://www.gcsb.govt.nz/publications/nzsit/nzsit-400.pdf, chapter 9, for details of approved cryptographic algorithms.

Refer to FIPS 140-2, http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf, for further guidance.

Guide to this standard

It is not recommended that personal information be persisted in any form within tracking data on the device on which the user is hosting their browser (e.g. a client machine such as a user’s personal computer).

Related Standards

19.2 – Rules governing storage of tracking data

19.3 – Client side personally identifiable data storage

Related Recommendations

19.1.1 – Scope of collecting tracking data.

19.1.2 – Server side session state.

Rationale for this standard

It is important not to inadvertently compromise the privacy of personal identity. Storage of personally identifiable information, for example in a cookie, can be insecure and is open to attack from malicious web sites and software, or can be read by other users who share use of a client device.
