Attn: GCPO Katrine Evans - Compliance with IPP 5

Anon made this Official Information request to Department of Internal Affairs

This request has an unknown status. We're waiting for Anon to read recent responses and update the status.

From: Anon

Dear Government Chief Privacy Officer Katrine Evans,

According to the Digital.govt.nz website (https://www.digital.govt.nz/digital-gove...):

The GCPO is responsible for:
- providing leadership by setting the vision for privacy across government
- building capability by supporting agencies to lift their capability to meet their privacy responsibilities
- providing assurance on public sector privacy performance
- engaging with the Office of the Privacy Commissioner and New Zealanders about privacy.

I am a NZ citizen. I am seeking very clear and specific information as to the methods, programmes or applications that have been approved by the DoIA (e.g., Government Chief Privacy Officer & Government Information Security Officer) for the sending/receiving of private information (e.g., health information, court documents) electronically, which meet the NZ standards, regulations, and legislative requirements.

We all know that email is not safe from interception or unauthorised access. Yet, it has been my experience that many agencies use this method for sending private, sensitive information electronically, while not taking any type of security measure.

For your convenience, I've listed some of the relevant legislation and standards below.
Section 22 (IPP 5) of the Privacy Act 2020 states:
Storage and security of personal information
An agency that holds personal information must ensure—
(a) that the information is protected, by such security safeguards as are reasonable in the circumstances to take, against—
(i) loss; and
(ii) access, use, modification, or disclosure that is not authorised by the agency; and
(iii) other misuse; and
(b) that, if it is necessary for the information to be given to a person in connection with the provision of a service to the agency, everything reasonably within the power of the agency is done to prevent unauthorised use or unauthorised disclosure of the information.
(1) A health agency that holds health information must ensure—
(a) that the information is protected, by such security safeguards as are reasonable in the circumstances to take, against—
(i) loss;
(ii) access, use, modification, or disclosure that is not authorised by the agency; and
(iii) other misuse;
(b) that, if it is necessary for the information to be given to a person in connection with the provision of a service to the health agency, including any storing, processing, or destruction of the information, everything reasonably within the power of the health agency is done to prevent unauthorised use or unauthorised disclosure of the information.

The Health Information Privacy Code 2020 includes two more clauses to rule 5.
(c) that, where a document containing health information is not to be kept, the document is disposed of in a manner that preserves the privacy of the individual.
(2) This rule applies to health information obtained before or after the commencement of this code.

Health information and other information security standards include, but are not limited to:
• Ministry of Health: HISO 10029 and HISO 10064
• Center for Internet Security (CIS)
• CERT NZ Top Ten
• Cloud Security Alliance (CSA) Cloud Controls Matrix
• Health Insurance Portability and Accountability Act (HIPAA) (US)
• ISO 27001 Information Security Management Standard
• ISO 27002 Information Technology – Security Techniques – Code of practice for information security controls
• ISO 27799 Health informatics – Information Security Management in health using ISO/IEC 27002
• New Zealand Information Security Manual (NZISM)
• Protective Security Requirements (PSR)
• National Cyber Security Centre
• Information security management protocol
• New Zealand Government Security Classification System

This is also a request for all risk assessments undertaken by the DIA (any of the Government Chiefs) for the use of email to transfer private information (e.g., health information or court documents) by NZ Agencies (e.g., MoH, Health NZ, ACC, MoJ, ...). If your office has not conducted any risk assessments for any government agencies, then I request your assistance and ask you to transfer this part of my request to the proper agency/organisation.

Thank you.
An


From: minadviceteam
Department of Internal Affairs

Tēnā koe,

Thank you for your OIA request to the Department of Internal Affairs.

The Department will provide its response to your request as soon as
practicable and within twenty working days. The 20th working day is 23
February 2023.

Please note that in cases where the Department’s response provides
information that is identified to be of general public interest, the
response may also be published on the Department of Internal Affairs
website. If the Department publishes its response to your OIA request,
all personal information, including your name and contact details, will be
removed.

Nāku, nā,

Ministerial Advice and Official Correspondence Team


From: minadviceteam
Department of Internal Affairs


Attachment: OIA2324 0530 Extension Letter.pdf (231K)


Tēnā koe,

Please find attached the Department of Internal Affairs’ (the Department)
extension letter to your request of 25 January 2024.

Your request has been extended by 15 working days to 15 March 2024.

The Department will endeavour to provide you with a response earlier if
possible.

Nāku, nā,

Ministerial Advice and Official Correspondence Team


From: minadviceteam
Department of Internal Affairs


Attachment: OIA2324 0530 Response.pdf (279K)


Tēnā koe,

Please find attached the Department of Internal Affairs’ response to your
OIA request of 25 January 2024.

Nāku, nā,

Ministerial Advice and Official Correspondence Team
