It might sound strange but complaints are the lifeblood of our office. We receive them, vet them and investigate them. And because we are the Office of the Privacy Commissioner, people need to have absolute confidence in the security of our complaints process.
The Privacy Act gives you the right to complain to us if someone breaches your privacy. It’s an important right, both for you personally and for our society as a whole.
We get 700 to 800 complaints a year about alleged breaches of privacy. To make it easier to access this service, we introduced this year a facility on our website that allows any user to lodge a complaint with us online.
Privacy and security
The information we receive in a complaint about an alleged breach of privacy is often sensitive and personal. For that reason, a primary consideration for us in designing the online complaints system was to ensure that we can give our users a high level of confidence about the privacy and security of the information they submit.
With that in mind, our web developers SilverStripe developed a module for us that encrypts the information when it is lodged online. The information is then securely transferred to our internal mail systems and decrypted on receipt.
Our website is hosted on the Common Web Platform, a shared web service delivery platform used by New Zealand government agencies. A key benefit of this shared platform is the reusability of software code.
Open source code
We are making our solution for the secure transmission of information available as an open source resource in the same way that we have benefited from solutions developed by others.
It makes sense to us to share any code that might be reusable, or indeed improved, in the interest of encouraging good information security, improved knowledge sharing and open innovation across both the public and private sectors. We are happy to be able, with the support and assistance of SilverStripe, to share this technical solution.
For the more technically minded, our complaints encryption module uses GPG or “Gnu Privacy guard”. It is compatible with the OpenPGP standard and with Symantec’s PGP tools.
Developers can sign and encrypt the content for an email (including file attachments) before the email is sent. This requires a transfer of public keys between the sender and recipient, and requires GPG software to be installed on the website server.
Image credit: American Scoter Duck by James John Audubon