Specified government agencies will only be able to contract with approved ICT providers after a serious data security failure at the Ministry of Arts, Culture and Heritage.
Agencies with limited internal ICT resources and expertise will now, for an as yet unspecified period, only be able to engage approved providers on all-of-government ICT common capabilities procurement panels, Prime Minister Jacinda Ardern announced today.
The crackdown is designed to help restore confidence that government agencies can keep citizen data private, safe and secure.
Specified agencies so far include Treasury, the State Services Commission, the Ministry of Defence, the Department of Prime Minister and Cabinet, the Ministries of Womens Affairs, Transport, Housing and Urban Development and the Crown Law Office.
The move comes after personal data, including drivers license, birth certificates and passport details of over 300 people, was left exposed on a new Ministry website due to what was described as a "coding error".
The provider of that website, called Tuia 250 and created to commemorate first contact between Maori and Europeans on land, has not been named.
The information was freely available through a simple web search and, in at least one instance, there has already been an attempt to use that information for fraudulent purposes.
"They must review planned and future ICT projects, implement common capability security and privacy-related government chief digital officer guidance," said Ardern.
"They must follow the government chief information officer's information security standards and policies and they must obtain the government chief information officer's certification that they are compliant with these requirements."