Police warned over shifting information to Microsoft cloud services
The shift to Microsoft cloud services has started in Wellington.
But a privacy impact assessment says if staff accidentally let someone into the data, the consequences could be "death of individuals, extensive injury and hospitalisation".
It lists ways to make it safer.
The tech upgrade changes how vast amounts of restricted, sensitive information is handled, from on-site at police stations using 2013 Microsoft technology, to off-site at Microsoft's 'cloud' of computer servers.
The data can identify individuals.
"Should this become compromised, there could be severe detrimental impacts on the wellness and safety of individuals, as well as the reputation of the NZ police 'brand' and erosion of trust from the public and government," said the May 2022 assessment, newly released to RNZ under the Official Information Act.
"The information that will be stored, processed and transmitted by the service has been classified as up to RESTRICTED, and will include sensitive and personal information. Compromise of information classified RESTRICTED would likely impact NZ police's reputation and operation."
It detailed several risks arising from the upgrade against each of the 12 Privacy Act principles - one severe 'red' one, and several 'orange'. It also listed 31 measures police should take.
"This assessment identified that the proposed use of Office 365 service exposes NZ police to a Very High level of privacy risk. It identifies a total of 12 privacy risks for NZ police through the expected use of the service, one of which was rated as Very High and eight which are rated as High," it said.
"If the privacy risks highlighted in this report are not managed to an appropriate level, NZ police is exposed to privacy threats that may result in Very High health & safety impacts and reputational damage."
But if the controls were taken, then the upgrade would be "within its risk appetite".
It is not clear how many of these measures police were now instituting at the trial stage of the upgrade. "The technical delivery of this work has been relatively smooth, with the products and processes working well," NZ police told RNZ.
The assessment report listed a dozen different laws police and Microsoft must comply with.
It noted Microsoft and Spark will run the new system for police, and that this was another point of risk.
One risk was that a foreign government or law enforcement agency could ask Microsoft for New Zealand police data. The US has a Cloud Act that allows for this to happen, though it is not known if the power has been exercised as it does not have to declare it.
The cloud upgrade has been on the cards for years but police have hit roadblocks on the tech front, including from [last year's public sector funding cuts, RNZ has reported.
The cloud privacy assessment was started in 2019, but a trial only began in September in Wellington.
Just five out of 32 workgroups in Wellington district have gone live so far.
"The initiative is continuing to fine-tune the framework," police said in the OIA response last week.
A 2022 security risk assessment of the move said Microsoft and its cloud datacentres had an "extensive security toolset" and "layers of defence-in-depth".
The cloud upgrade is part of moves to try to relieve what reports have called "unsustainable" pressure on frontline officers as well as to conform to Privacy Commissioner orders to stop the police illegally taking and storing photos of young people. They amassed tens of thousands illegally up till 2020, as RNZ exposed.
It is in line with successive governments' push for all agencies to shift to cloud services, which has proved a boon for Microsoft, Amazon and Google, and an incentive for the former two US tech giants to build new datacentres in this country.
A second police tech upgrade - to digital notebooks from paper notebooks at the front line in 2023 - aimed to add photo handling features this year.
An assessment of this, also released under the OIA, also found a "high" risk, but that this was more easily managed. It laid out 41 measures to take.
Police did not formally consult the Privacy Commissioner about either the Digital Notebooks and Microsoft moves, though privacy and security risk assessments were run on both, they told RNZ in the OIA.
They have had no reports done on how the seven-month-old Wellington pilot was going, but would at the end, they said.
The cloud work was being done largely in-house, with just one contractor hired for $288,000.
Try Our AI Features
Explore what Daily8 AI can do for you:
Comments
No comments yet...
Related Articles
Techday NZ
6 hours ago
- Techday NZ
GitHub Copilot users surpass 20 million as AI tools surge in demand
GitHub Copilot now reports more than 20 million users and widespread adoption by over 90 percent of the Fortune 100, reflecting growing demand for AI-enhanced development tools across the software industry. The figures, shared as part of Microsoft's Q4 FY25 earnings update, show a significant increase from the previous quarter, where user numbers stood at 15 million. The platform also highlighted that its Copilot Enterprise customer base increased 75 percent quarter-over-quarter. Growth and adoption AI-enabled projects on GitHub have more than doubled over the past year. The GitHub Code Review agent is now used to perform millions of code reviews each month on the platform, indicating sustained engagement from both new and existing users. The release of new features over recent months, including a fully autonomous coding agent, has aimed to expand options for developers to automate routine coding jobs. This tool is designed to allow programmers to assign low- to medium-complexity tasks or issues and monitor their completion through GitHub's pull request system, with comprehensive security measures in place. How the coding agent works Developers can assign an issue to Copilot, either via the web, mobile, or the GitHub CLI, as they would a team member. The agent then initiates a secure development environment using GitHub Actions, applies a retrieval augmented generation method powered by GitHub code search, and pushes progress to a draft pull request. Every action taken by the agent is logged, providing insight into the agent's decision-making process. Additional security controls ensure that any code proposed by the agent must be reviewed and approved before integration. Existing policies such as branch protections remain intact, and any deployment workflows are only triggered after human approval. The autonomous coding agent uses vision models to interpret images attached to issues, such as screenshots or mockups, and can access additional context and data through GitHub's Model Context Protocol (MCP). This allows it to adapt to a variety of coding standards and requirements within different repositories. The Copilot coding agent is opening up doors for human developers to have their own agent-driven team, all working in parallel to amplify their work. We're now able to assign tasks that would typically detract from deeper, more complex work - allowing developers to focus on high-value coding tasks. - James Zabinski, DevEx Lead at EY The Copilot coding agent is available to Copilot Enterprise and Copilot Pro+ customers, with support extended to a range of development environments including Xcode, Eclipse, JetBrains, and Visual Studio from June 2025. Developer feedback The GitHub Copilot coding agent fits into our existing workflow and converts specifications to production code in minutes. This increases our velocity and enables our team to channel their energy toward higher-level creative work. - Alex Devkar, Senior Vice President, Engineering and Analytics, Carvana The new coding agent is designed to respect organisational policies and rulesets. It is limited to interacting only with branches it creates, and any required code reviews or approvals set within a repository remain in effect. Its internet access is also limited to a configurable list of trusted destinations. Company perspective GitHub Copilot has crossed 20 million users – up more than 5 million from last quarter. We're also seeing explosive AI growth on GitHub, with AI projects more than doubling over the past year. And it's all because of grit. It's no secret the market Copilot introduced has heated up. Over the past year, incredible startups and founders have built and scaled great products that found real traction. The true measure of a company is never drawn during its hype wave, but by its resilience when pressure tested. Hubbers across GitHub put their heads down, treated pressure as a privilege, and we innovated. This past year, we shipped over 230 updates to GitHub Copilot – becoming the first multi-model solution at Microsoft, in partnership with Anthropic, Google, and OpenAI. We enabled Copilot Free for millions and introduced the synchronous agent mode in VS Code, all the way to Spark and the coding agent native to GitHub. I could not be more proud of my colleagues. Even with all the constraints we've faced, we proved that a little grit wins the game. - Thomas Dohmke, CEO at GitHub GitHub has stated its intention to continue expanding features to provide developers with increased flexibility and efficiency, promising further updates over the coming months.
NZ Herald
10 hours ago
- NZ Herald
Microsoft quarterly profits soar on AI and cloud growth
Technology giant Microsoft said its profit soared above expectations in the recently ended quarter, driven by its cloud computing and artificial intelligence units. Microsoft reported profit of US$27.2 billion ($33.4b) on revenue of US$76.4b, some US$29.9b of which was brought in by its Intelligent Cloud business. 'Cloud and AI [artificial
Otago Daily Times
12 hours ago
- Otago Daily Times
Thousands of shoplifting complaints not investigated across NZ
By Sam Sherwood of RNZ More than 5000 complaints of shoplifting below $500 were not forwarded for investigation while a controversial police directive was in place, documents released to RNZ reveal. RNZ earlier revealed a directive was sent to staff relating to police's File Management Centre (FMC) titled 'Assignment Changes - Theft and Fraud'. The directive said FMC was applying "nationally standardised value thresholds" when assessing theft and fraud files. The value thresholds were: General theft $200, petrol drive off $150, shoplifting $500, fraud (PayWave, online, scam etc) $1000, and all other fraud $500. "When assessing files with these offences, you will apply the relevant value threshold and file any file under that threshold regardless of any lines of enquiry or IFA score," it said. Following the revelations Police Commissioner Richard Chambers canned the directive, which he called "confusing and unhelpful" following significant backlash. On Wednesday, RNZ was released a series of documents from police under the Official Information Act. Among the documents was a tally of shoplifting complaints under $500 during the period the directive was in place. It revealed there were 5454 complaints of shoplifting that were not assigned for investigation. In Auckland, only 73 of 927 complaints were assigned, in Canterbury 192 of 742, Wellington 131 of 694. Chambers earlier said he was unaware of the directive until RNZ revealed it. A staffer from the police minister's office emailed Chambers on the evening of 26 May about an RNZ article on the memo. "It would be helpful if we could get some clarity as to what the policy actually is and clear up the messaging around this," the email said. Chambers replied that he had liaise with Rachael Bambery, the executive director of service, victims and resolutions and asked for a briefing to him and the Minister's office to "sort the messaging out". "For the record the messaging about not following up shoplifting complaints under a certain threshold is not correct and unhelpful. A range of information is taken into account when assessing complaints and this will inform what Police does. "We have seen very effective approaches to retail crime in locations such as Tauranga and Gisborne which set the standard in terms of what is achievable, irrespective of threshold." Shortly after another email from a parliamentary email asked to be looped into any communications being sent about the limits on investigating shoplifting. "We can see there's a bit of traction tonight." Chambers replied: "I don't agree with the content, and we need to provide some reassurance and better messaging to retail sector". The following morning Chambers released a statement and said the memo did not meet his expectations on retail crime. The directive Also in the OIA is a document titled 'Service Group Continuous Improvement Project' dated January 2025. The document said to provide a more "efficient and consistent service and to meet increasing demand", the FMC was moving from a regional model to a national model. "This will allow the FMC workload to be triaged, prioritised and actioned by FMC staff across the country, rather than the FMC staff physically based within Districts." The process for assigning volume crime files was "inefficient, with avoidable time delays and double handling". Volume crime cases made up 62 per cent of daily reports, of which 70 per cent were theft, fraud and burglary. It was proposed that the FMC and 105-non emergency teams would assign volume crime cases based on the solvability only, with "streamlined assignment rules" across the Districts. "By standardising processes like assignment rules, FMC can move towards utilising its workforce more efficiently, freeing up capacity to do higher value and higher priority services." The document included the proposed value thresholds. The value thresholds were: General theft $200, petrol drive off $150, shoplifting $500, fraud (PayWave, online, scam etc) $1000, and all other fraud $500. On March 17, Superintendent Blair MacDonald sent the email earlier revealed by RNZ that from 26 March the thresholds would be in place. The documents include an email from 7 April revealing the number of files being assigned for investigation since the rules were put in place 12 days earlier. In the email, the police adviser, said Wellington had the biggest change from an average of 60 per day to an average of 30. The numbers were being compared to baseline data over a 47-day period before the threshold was put into place. During the same period Auckland City had a 26 per cent decrease, Counties Manukau 21 per cent, Eastern 38 per cent, Central 42 per cent and Canterbury 13 per cent. Waikato had a 2.7 per cent increase, which the staffer said was due to filed being reassigned and appearing twice. 'Unable to investigate further' The OIA also includes a template that had been created to send to victims whose crimes did not meet the threshold. The email thanked the victims for reporting their crime but said they "regret to advise, at this time, Police is unable to investigate further". "While we would like to resolve all matters to our victims' complete satisfaction, there are occasions where we cannot. "Investigations are prioritised using a range of factors including legal timeframes and the likelihood of a successful conviction." The email said police appreciated this may be "frustrating and upsetting" to hear, "particularly if you reported the incident recently or provided lines of enquiry". "We will however review your case if our ability to resolve this matter changes." Police Minister Mark Mitchell told RNZ he was "pleased that the Police Commissioner moved quickly to clarify Police's position, initiate a review of relevant cases, and reassure the retail sector and the public that Police will continue to enforce the law with their usual discretion". Review under way Police earlier launched a review to establish how many cases of retail crime were filed while the controversial directive was in place. A police spokesperson earlier confirmed to RNZ the national value threshold applied to the prioritisation of lower-level theft and fraud offences was being removed. "A review is being completed on any cases that may have been impacted by those thresholds to assess whether they should be assigned to districts for follow-up," the spokesperson said. The review will be done by police's data quality team. "Police want to reassure that cases will continue to be managed locally balancing demand, resources and priorities to ensure the best possible service to victims in those communities." Rachael Bambery, Executive Director Service, Victims, Resolutions said it was not correct to assume that all the closures were due to the monetary thresholds for early case closure. Some may have had no information or evidence to follow up on. She confirmed police were completing a review on files that were closed previously due to the monetary threshold. That review was focused on identifying and pursuing any outstanding lines of enquiry.
