NZ bans unapproved govt IT suppliers after data breach

New Zealand Prime Minister Jacinda Ardern's Cabinet has clamped down on government agencies using unvetted IT service providers, cracking down on hard on rules around privacy and systems security.

The measures come after another embarrassing data breach at the ministry of Arts, Culture and Heritage, which saw an unnamed supplier leaked hundreds of people's sensitive personal information including birth certificates, passport numbers and drivers' licences.

In a press conference [pdf], Ardern said that with immediate effect, a set of interim decisions were made by Cabinet that set mandatory requirements for government agencies.

The requirements force small agencies to only procure products and services from the all-of-government ICT common capabilities list that names approved providers.

Additionally, the agencies must review current and future planned IT projects, implement common capability security, and adhere to privacy related guidance from the government chief digital officer.

The GCIO's information security standards and policies must be followed, Ardern emphasised.

Agencies have to obtain certification from the GCIO that they comply with the requirements, she added.

Ardern defined small agencies as those with limited IT capability and not by size.

They include important parts of the government, such as the Department of the Prime Minister and Cabinet, the State Services Commission, the Crown Law, and Ministry of Defence among others.

The Treasury, which was embroiled in a data breach scandal recently that leaked sensitive government budget information ahead of the official release, is also listed as an agency that needs to handle privacy and security better.

"My understanding is that the list has not been mandatory, but as I’ve set out, as an interim step, while we work through what needs to occur to prevent this ever happening again, we will now be requiring those small agencies to procure from that list over the near future while we work to ensure the security of all New Zealanders’ data and restore confidence in the systems and the agencies who are providing services to the New Zealand public," Ardern said.