Personal info sent offshore without permission: Shroff

Privacy Commissioner says government and business need guidance on privacy issues relating to cloud

Privacy Commissioner Marie Shroff says personal information collected by government agencies and businesses, often ends up overseas without the individual's knowledge.

Shroff was commenting on results of a survey conducted by the Commission entitled International Disclosures and Overseas ICT Survey. Fifty government agencies and private companies responded to the survey including Air New Zealand, Fonterra, major banks and the majority of government ministries.

"About 50 percent of survey respondents said they sent personal information offshore for a variety of reasons, many [did so] on a regular basis" says Mrs Shroff.

"But the survey also reveals that almost a third don't let individuals know they are sending their personal information overseas, with seven respondents stating people were only told if they asked. So people frequently have no idea their information is being stored or processed overseas."

She says that a vast majority of survey respondents use mobile internet or smart phones, yet didn't appear to understand that this entailed the use of overseas ICT infrastructure.

"Obviously, many businesses and government agencies do not see the use of these devices as involving overseas infrastructure, which it usually does," she says.

Another key finding of the survey is that decisions to use overseas infrastructure were made predominantly on an ad hoc basis.

Most information ends up in Australia and the US, some is held by overseas third-party ICT solution providers in Singapore, India and the European Union.

Shroff says that while cloud computing has major benefits it also carries some risks, which government agencies and businesses need help in understanding.

"This survey has found that both the private and public sectors need guidance in this area. While most organisations have controls to protect the security of personal information in transit, some have no control over what happens once the information is sent overseas or don't know if they have controls."