Sensitive police information is being moved from police stations to off-site at Microsoft's 'cloud' of computer servers. File photo. Photo: 123rf
Police have been warned that shifting their information to the cloud could have "severe detrimental impacts" if they are not careful.
The shift to Microsoft cloud services has started in Wellington.
But a privacy impact assessment says if staff accidentally let someone into the data, the consequences could be "death of individuals, extensive injury and hospitalisation".
It lists ways to make it safer.
The tech upgrade changes how vast amounts of restricted, sensitive information is handled, from on-site at police stations using 2013 Microsoft technology, to off-site at Microsoft's 'cloud' of computer servers.
The data can identify individuals.
"Should this become compromised, there could be severe detrimental impacts on the wellness and safety of individuals, as well as the reputation of the NZ police 'brand' and erosion of trust from the public and government," said the May 2022 assessment, newly released to RNZ under the Official Information Act.
"The information that will be stored, processed and transmitted by the service has been classified as up to RESTRICTED, and will include sensitive and personal information. Compromise of information classified RESTRICTED would likely impact NZ police's reputation and operation."
It detailed several risks arising from the upgrade against each of the 12 Privacy Act principles - one severe 'red' one, and several 'orange'. It also listed 31 measures police should take.
"This assessment identified that the proposed use of Office 365 service exposes NZ police to a Very High level of privacy risk. It identifies a total of 12 privacy risks for NZ police through the expected use of the service, one of which was rated as Very High and eight which are rated as High," it said.
"If the privacy risks highlighted in this report are not managed to an appropriate level, NZ police is exposed to privacy threats that may result in Very High health & safety impacts and reputational damage."
But if the controls were taken, then the upgrade would be "within its risk appetite".
It is not clear how many of these measures police were now instituting at the trial stage of the upgrade. "The technical delivery of this work has been relatively smooth, with the products and processes working well," NZ police told RNZ.
The assessment report listed a dozen different laws police and Microsoft must comply with.
It noted Microsoft and Spark will run the new system for police, and that this was another point of risk.
One risk was that a foreign government or law enforcement agency could ask Microsoft for New Zealand police data. The US has a Cloud Act that allows for this to happen, though it is not known if the power has been exercised as it does not have to declare it.
The cloud upgrade has been on the cards for years but police have hit roadblocks on the tech front, including from [last year's public sector funding cuts, RNZ has reported.
The cloud privacy assessment was started in 2019, but a trial only began in September in Wellington.
Just five out of 32 workgroups in Wellington district have gone live so far.
"The initiative is continuing to fine-tune the framework," police said in the OIA response last week.
A 2022 security risk assessment of the move said Microsoft and its cloud datacentres had an "extensive security toolset" and "layers of defence-in-depth".
The cloud upgrade is part of moves to try to relieve what reports have called "unsustainable" pressure on frontline officers as well as to conform to Privacy Commissioner orders to stop the police illegally taking and storing photos of young people. They amassed tens of thousands illegally up till 2020, as RNZ exposed.
It is in line with successive governments' push for all agencies to shift to cloud services, which has proved a boon for Microsoft, Amazon and Google, and an incentive for the former two US tech giants to build new datacentres in this country.
A second police tech upgrade - to digital notebooks from paper notebooks at the front line in 2023 - aimed to add photo handling features this year.
An assessment of this, also released under the OIA, also found a "high" risk, but that this was more easily managed. It laid out 41 measures to take.
Police did not formally consult the Privacy Commissioner about either the Digital Notebooks and Microsoft moves, though privacy and security risk assessments were run on both, they told RNZ in the OIA.
They have had no reports done on how the seven-month-old Wellington pilot was going, but would at the end, they said.
The cloud work was being done largely in-house, with just one contractor hired for $288,000.
Sign up for Ngā Pitopito Kōrero, a daily newsletter curated by our editors and delivered straight to your inbox every weekday.
