11 January 2021
Dr Andrew Chen
By email to: [FYI request #14405 email]
Dear Dr Chen
OFFICIAL INFORMATION REQUEST – OUR REFERENCE: IR-01-21-233
I refer to your Official Information Act (OIA) request, submitted via the FYI website
on 6 January 2021, which seeks a copy of the Terms of Reference
document for our organisation’s Security and Privacy Reference Group (SPRG),
together with a list of the current members of SPRG and their positions.
In response, please find attached a copy of the current SPRG Terms of Reference.
You will see that the membership of the Reference Group is spelt out at para .
In line with the guidance and case notes issued by the Office of the Ombudsman,
I can further confirm the names of those
Police staff who currently hold the positions which confer membership of SPRG.
With the exception of AC: Service and Resolutions - a position not currently filled -
they are: AC Mike Rusbatch (Chief Security Officer); Supt Bruce Bird (District
Commander representative); myself; Supt Rob Cochrane (Chief Information
Officer); Det Supt Tom Fitzgerald (NM: Criminal Investigations); Michelle Diston
(Acting NM: Infrastructure); Mike Flahive (Chief Privacy Officer); and Jay Garden
(Chief Information Security Officer).
In closing, I trust you find this response helpful. You have the right to seek an
investigation and review by the Ombudsman of these decisions.
Security and Privacy Reference Group
Terms of Reference
1. The Security and Privacy Reference Group (SPRG) governs the development and implementation of
Police’s protective security and privacy work programmes; helps identify and manage security and
privacy related risks; and guides the development of security and privacy related policies, standards
and guidelines. In doing so, SPRG plays an important role in Police’s wider governance environment.
2. Through effective governance, the Police Executive has committed to maintain an environment which
protects its employees, information and assets. Acting under delegated authority from the Executive,
the SPRG is responsible for ensuring Police has capability in place for implementing and managing
effective Protective Security Requirement (PSR) arrangements within Police, and for maturing the core
privacy expectations for government agencies set by the Government Chief Privacy Officer (GCPO).
3. The SPRG:
3.1 Directs the strategic approach for security and privacy across Police;
3.2 Improves the management of security, privacy and service continuity risks;
3.3 Ensures security and privacy policies, protocols and management requirements align with Police
objectives and needs;
3.4 Ensures Police security and privacy governance, personnel security, information security and
physical security measures meet with PSR and GCPO expectations;
3.5 Sets PSR and privacy maturity objectives and oversees progress towards those objectives.
4. The scope of the SPRG is to ensure appropriate strategic guidance is provided around Police’s security
and privacy efforts, and that the organisation’s annual PSR and privacy work programmes are
successfully delivered. This involves overseeing relationships, security and privacy risks and issues,
planning and business dependencies; all within the wider context of other Police Executive imperatives.
5. In order to achieve the goals of the SPRG, it is critical that advice and documents provided to the Chair
are generated without constraint, and are a free and frank expression of ideas or fact. Operating such
a principle is essential to ensure a range of opinions are available to produce robust and good quality
advice to support SPRG decision making.
Inputs to the SPRG
6. SPRG discussions will be guided by the following inputs:
6.1 Monthly reports and papers from members, including updates on Protective Security and Privacy;
6.2 Strategic and operational reports from ICTSC, the Infrastructure Group (National Property Office)
and other stakeholder groups;
6.3 Specific proposals for Police to engage with emergent technologies; and
6.4 Other papers as required.
7. The SPRG will oversee the following deliverables:
7.1 Periodic reporting to the Organisational Capability Governance Group (OCGG), including making
recommendations as to the privacy, security and ethical implications of proposals to engage with
7.2 Annual security and privacy self‐assessment reporting to the Commissioner and Executive;
7.3 Outcomes associated with Police’s rolling work programmes for protective security and privacy;
7.4 Mandated government PSR requirements and implementation of good privacy practice to meet
8. Members of the SPRG are:
• Chief Security Officer (Chair)
• NM: Criminal Investigations
• AC: Service and Resolutions
• NM: Infrastructure
• District Commander representative
• Chief Privacy Officer
• Director: Assurance
• Chief Information Security Officer.
• Chief Information Officer
9. The Assurance Group’s Principal Advisor: Protective Security and Principal Advisor: Privacy, as well as
the National Criminal Investigation Group’s Manager: Intercept/Technology Operations, are standing
attendees at SPRG meetings, and may be invited to offer observations and other input by the members.
10. Other attendees for specific meetings or agenda items may be arranged with the Chair’s permission.
‘Need to know’ principle
11. In the interest of security, and due to the specialised nature of some Police tasks and the relationships
with other agencies, the ‘need to know’ principle will apply to some SPRG agenda items and content.
12. The Data and Information Steering Group (DISG) coordinates Police’s strategies, practices and
improvement programmes concerning data, information and ICT services. The SPRG interacts with the
DISG, keeping it informed of information security and privacy matters that might impact on the wider
information strategy, or on any aspect of data and information quality at New Zealand Police.
13. The OCGG holds primary responsibility for the governance of Police’s operational and people
capabilities, including much of the business that is escalated from SPRG. The SPRG maintains close links
with the OCGG and provides it with visibility over its activities. In turn, the OCGG may choose to
escalate certain SPRG‐related matters or topics for consideration by the Executive Leadership Team.
14. Frequency and duration: Formal meetings will be held every two months, with any urgent, off‐cycle,
matters to be addressed by circulation of papers out‐of‐session. Meetings will be scheduled to run for
90 minutes, but with the expectation that often matters will be able to be dealt with within an hour.
15. Quorum and Attendance: Members are expected to attend all meetings. Substitutes may only attend
where members are absent on formal business or leave, and authorities have been formally delegated.
A quorum will be achieved when five permanent members are present.
: Secretariat services for the SPRG are provided by the Assurance Group.
17. Agenda items and papers: The meeting agenda is managed by the Secretariat on behalf of the Chair.
Agenda items and papers should be provided to the Secretariat at least 5 working days before the
meeting, to allow for circulation at least 3 working days before the meeting. Each item should identify
the sponsor and person/s who will speak to it, and include feedback from any consultees on the paper.
: The Secretariat will circulate draft minutes of meetings within one week of each meeting.