Questions raised over how NZTA protects sensitive information

11:31 am on 31 July 2019

The investigation and subsequent reports were completed by Deloitte under a process that was subsequently found to be inadequate and as a consequence NZTA no longer stands by the findings of those reports — which have been removed from NZTA’s website. NZTA has also apologised to the manager who was the subject of the reports.

Major questions have been asked about how the beleaguered Transport Agency protects its sensitive information.


A scathing review by Deloitte found IT controls at the agency's unit were patchy or missing.

"There are gaps in both HR [human resources] and technology practices that make it difficult to monitor the use and distribution of intellectual property [IP]," the report said.

"This exposes NZTA to risk of intellectual property loss or theft."

The review prompted the agency to approach the former head of the unit to ask about his internet start-up.

He set up the app in January this year while still at NZTA, and set up a company in April, after he left the agency in March, at the time the Deloitte review began.

Three senior people who worked under the director of the business unit have taken stakes in the app since themselves leaving NZTA recently, including the former acting head of engineering.

Deloitte did not seek the former manager's input to its review.

It found that the business unit did not properly inform contractors and employees about their contractual obligations around intellectual property.

Some were given greater network access than necessary, put sensitive commercial information in third-party email accounts or used unapproved cloud data storage.

They used their personal devices and personal emails to do work without monitoring, and personally registered some NZTA domain names.

Contractors made up 90 percent of staff at the business unit, which rapidly grew from eight people to 100 as it developed transportation apps.

"The high use of contractors means that a large amount of IP sits with individuals who are only meant to have short-term roles in the organisation," Deloitte said.

The combined effect was "gaps which could be exploited by individuals wishing to use NZTA intellectual property for their own purposes and benefit".

"NZTA data and IP is freely transferrable to the private sphere."

Deloitte declined to comment on whether it had, in fact, investigated if IP had been exploited, as opposed to merely identifying the weaknesses.

The Transport Agency said it was not aware of any cases of IP loss or theft, and that the Deloitte review did not find any, but identified vulnerabilities.

It was strengthening IP clauses in its hiring contracts, and rules around how devices are used, it said.

The Transport Agency refused to give RNZ an interview about its intellectual property security.

A lawyer specialising in intellectual property, Virginia Nichols, said the Deloitte review showed the problems that could arise from not managing or controlling contractors properly.

"Particularly in a section of Government that is working innovatively, and generating IP, care should be taken to make sure the terms of each contract are sufficiently robust before work starts, so that ownership of IP is held by the department," she said.

"Ownership of IP by the Government is not inconsistent with Open Government. It is, in fact, essential to it, because the Government should not release or share what it does not own or control."
