The Department of Internal Affairs is developing a suite of guidelines to help agency web practitioners and managers establish a fit-for-purpose approach to managing information and services online, and make informed risk management decisions. The guidelines support Action 1.3 of the ICT Strategy and Action Plan to strengthen the integrity of government web presences. They include tools and checklists that focus on online security and privacy risk management, managing information and data on the web, and strategic online management guidance.
Flashback to 1994: Nelson Mandela becomes President of South Africa, the Winter Olympics are held in Lillehammer, Norway, and the first New Zealand Government web site is launched by Colin Jackson at the Ministry of Commerce and Nat Torkington at Victoria University. (Colin’s recollections from that time are on YouTube.)
The growth of the New Zealand Government’s web space in the 20 years since then has been somewhat organic.
In many ways, its growth is reflective of the sprawling, organic growth of the wider web since its inception in 1989. On the one hand, this has fuelled the diversity and innovation of the web in general, but it also poses challenges for government.
What’s ‘good practice’?
It’s hardly surprising that this has led to considerable diversity in what we in government consider ‘good practice’ on the web — to the extent that ‘good practice’ can sometimes be overlooked while efforts are directed to getting a project over the line and closed off.
For example, some agencies take care to make information accessible to people with disabilities, while others may be less aware of how to do so. In practice, our obligations are laid out in the New Zealand Government Web Accessibility Standard.
While some agencies take a robust approach to securing their online channels, others may trust that their vendors will take care of it. Your Chief Executive — not your vendor — is ultimately accountable for the security of the information you manage. Are you aware of the threats your sites face?
Some agencies have robust assurance processes around managing users’ personal data online, while others may be less clear about their obligations. Are you familiar with your obligations under the Privacy Act?
New Zealanders need to have trust and confidence that government takes all aspects of privacy and security seriously. At a time when the web is part of New Zealanders' everyday life and government seeks to deploy more and more services to citizens online, falling short of good practice isn't good enough.
New guides available
As web professionals, we’re at the front-line of the Government’s online presence, ideally placed to spot where agencies could use the web better and more effectively, and call it out.
We have no shortage of policy, standards, strategy and legislation to adhere to in our work online.
We need clear guidance that abstracts the essence of those policies, standards, strategies and legislation into a form that Government staff with responsibilities for online products can easily understand.
Agencies have had an evolving suite of guidance on accessibility available since the first release of the Web Guidelines back in 2001. Today, the Web Standards are accompanied by guidance on other web-related topics such as social media and domain name management.
The additional guidance being released today describes an approach to managing privacy and security risk online. It draws on the New Zealand Information Security Manual, Security in the Government Sector and the Privacy Act 1993 and its Information Privacy Principles. It does not absolve us of these obligations; rather, its purpose is to help web teams and business owners understand how the formal policy and legislation apply to the web, and to make informed risk-management decisions — or know when to seek expert advice.
Also released today is a collection of online management good practice principles. This draws from a number of the principles behind the Rethink Online strategy, and its purpose is also to help you make informed decisions around the management of your online presence.
These guides have been developed with the invaluable assistance of security, privacy, and web professionals from a number of government agencies. They form part of an evolving suite, and we're interested in hearing your feedback about their application.