• New Zealand Government Web Standards 2.0

• New Zealand Government Web Standards 1.0
  • » 1. Images
  • » 2. Colour
  • » 3. Site Markup
  • » 4. Special Purpose Documents
  • » 5. Writing Content
  • » 6. Site Content
  • » 7. Page Layout
  • » 8. Navigation
  • » 9. Style Sheets
  • » 10. Dynamic Content
  • » 11. Tables
  • » 12. Frames
  • » 13. Scripting and Applets
  • » 14. Page Refreshing
  • » 15. Site Behaviour
  • » 16. Site Layout
  • » 17. Archiving
  • » 18. Quality Assurance
  • » 19. Data Tracking
    • 19.1 Data tracking able to be disabled
    • 19.2 Rules governing storage of tracking data
    • 19.3 Client-side personally identifiable data storage
    • 19.4 Encryption of personal information in tracking data
    • Recommendation 19.1.1 Scope of collecting tracking data
    • Recommendation 19.1.2 Server side session state
  • » 20. Authentication
  • » 21. Security
  • » 22. Online Forms
  • » 23. Tendering and Contracting
  • » 30. Site Delivery
  • » 31. Operational
  • » 32. Web Strategy

19.4 Encryption of personal information in tracking data

The Standard

19.4 If encryption of personal information is the sole method used to prevent the information revealing identity for personal information persisted within tracking data as required in standard 19.3, the cryptographic specification of the encryption must meet an acceptable level of security. This can be met by utilising an approved cryptographic algorithm.

Refer to 9-4-encryption-of-personal-information-in-tracking-data/#mce_temp_url#">NZ Government Information Technology Security Manual NZSIT 400 chapter 9, for details of approved cryptographic algorithms.

Refer to FIPS-140 for further guidance.

Guide to this standard

It is not recommended that personal information be persisted in any nature within tracking data on the device on which the user is hosting their browser (e.g. client machine such as a user's personal computer).

Rationale for this standard

It is important not to inadvertently compromise the privacy of personal identity. Storage of personally identifiable information, for example in a cookie, can be insecure and is open to attack from malicious web sites and software, or can be read by other users who share use of a client device.