Security and privacy management

This section of the Web Toolkit provides direction and guidance for business owners, managers and administrators of New Zealand Government agency websites to help them make informed decisions around online protective security and privacy risk management.

It outlines an approach to risk management that can reasonably be expected of government agencies for protecting publicly-accessible sites or services, and protecting the confidentiality of information that users commonly supply to them.

The goal of this guidance is to establish a fit-for-purpose approach to risk management across the New Zealand Government web domain.


  • Website and web service business owners
  • Website managers
  • Website administrators

Topics covered

  • Website security expectations
  • Creating a risk profile
  • Designing for security
  • Related resources

Why you need to know

NZ Government agencies are accountable for ensuring they meet privacy and security expectations and requirements. An appropriate approach to online risk management is integral to meeting those requirements.

When to apply this guidance

Apply this guidance when doing a risk assessment of public websites with information that is Unclassified and In Confidence.

What the guidance covers

This guidance is divided into four sections:

  1. Foundations gives an overview of some privacy and protective security basics which anyone involved with the government web domain (and others) should be aware of. It includes protective security governance structures and roles (as required by the NZ Protective Security Requirements), information classification guidelines and the 12 Privacy Principles of the Privacy Act 1993.
  2. Establishing a risk profile describes how to determine what level of risk mitigation and ongoing assurance your website or service requires in order to design that site or service for security and the protection of personal information.
  3. Designing for protective security and privacy describes ways to ensure security and privacy are built in to design and development processes to ensure that web-based systems are fit for purpose from the outset.
  4. Related resources provides links to other resources which may help you strengthen your protective security and privacy practices, including sample risk assessment processes and guidance from the Privacy Commissioner on handling privacy breaches.

It will be updated as required.

Why this guidance is important

New Zealand government agencies have access to a number of resources relating to online security and privacy including:

It is important that agencies adopt a risk-based approach to online security and privacy management. This helps to ensure that the level of protection and assurance required is appropriate to each site or service, and ensure resources are applied efficiently.

When this guidance applies

This guidance applies to publicly-available websites and services that deal with information which is considered:

  • Unclassified — includes all publicly-available informational websites
  • In Confidence — applied to most personal data provided by users in order to access a service or complete a transaction.

More information: Information Classification.

You should apply this guidance when carrying out a risk assessment on your websites and services, or when planning / designing new websites and services, to:

  • identify the nature and sensitivity of the information the site or service deals with
  • establish the severity of the impact of risks being realised
  • identify risks that could lead to unauthorised access to the system, improper disclosure of user information, or the loss or corruption of the system or the information it holds,
  • estimate the likelihood of such a breach
  • identify the controls necessary to mitigate identified risks to an acceptable level.

When you should seek further advice

This guidance does not alter government agency accountabilities under government security policies, notably the NZ Protective Security Requirements, and core expectations issued by the Government Chief Privacy Officer. It is intended to serve as a guide to obligations as they relate to the web.

If you are a business owner or manager of a government website and have any queries or doubts you should raise them with the person in your organisation that is responsible for privacy (the Privacy Officer) or security (for example your Chief / Departmental Security Officer, Chief Information Security Officer or IT Security Manager). These people will also be aware of any updates or changes to government security and privacy policies.

More information: Security and privacy governance.

You should also seek expert guidance on the application of the NZISM and privacy legislation.

It is recommended that website managers / owners also seek specialist advice for sites and services dealing with business or user information which requires greater protection, such as sensitive personal information or financial transactions.