3. Integrate security and privacy proportionate to risk from the outset
- Consider the user and business context when applying access and security classifications.
- Evaluate security risk and privacy obligations and apply the necessary treatments at source.
- Identify the data and information the digital service will be providing or storing and address the security level, legal responsibilities, privacy issues and risks associated with the service (consulting with experts where appropriate).
- Try to make the appropriate consideration of privacy and security an ongoing part of your team culture.
- Ensure digital identity and user validation concerns are considered.
Why it matters
Users expect to be able to interact safely with government and expect their information to be protected appropriately. Privacy and security are fundamental requirements throughout all stages of the digital lifecycle and must be built into digital services by default, relative to the levels of actual risk.
Your security and privacy actions must:
- be complete and robust
- be fit-for-purpose to meet all relevant legislation
- preserve the confidentiality, availability and integrity of your service according to your users’ needs.
Know what information is available through your service, and how it can be accessed or changed. Users will expect you to be able to provide this information to them under privacy legislation, and will expect to be able to correct any inaccuracies. There is also an increasing trend towards the ‘right to be forgotten’ in the digital environment. It will be much more efficient to incorporate these considerations from the outset than try to retro-fit them.
Take into account your level of business risk when deciding on an appropriate level of rigour to balance against user needs, speed and cost of delivery. It is important to understand your risk profile and consult with privacy and security experts where necessary to achieve this. The risk of ‘gold-plating’ services through over-investment is just as inefficient as the risk of having to fix under-investment.
How to meet this principle
At a minimum you should demonstrate or describe:
- an inventory of the information and data the service might involve and relevant security classifications
- that you have done proportionate risk analysis and that you have acted as necessary based on that analysis
- that you have reviewed the applicability of the Information Privacy Principles to your service including a Privacy Impact Assessment if required, and the steps you have taken to ensure the Information Privacy Principles have been embedded in the service
- that you have appropriate governance and oversight in place to ensure the ongoing appropriateness of privacy and security safeguards and processes
- your procedures for reporting and quickly responding to breaches and incidents
- that you comply with the Protective Security Requirements
- that you have involved privacy and security advisers as needed.
Rules, requirements and directives to follow
- Privacy, security and risk
- Assess the risks of cloud services
- Enterprise Risk Maturity Guidance
- Information Privacy Principles
- NZ Information Security Manual
- Protective Security Requirements
- Identity — RealMe, authentication standards and identification management
- Information classification
- Online privacy training
- Open Web Application Security Project (OWASP)
- OWASP Top Ten 2017
- Security and privacy management
- Security governance roles
- Assess the risks of cloud services: Jurisdictional risks