We recognise that how we manage and protect personal information is important for maintaining your trust and confidence in us.
Our technology and processes
We have been purposeful in making decisions on how licence holders are able to register their firearms and other arms items. We know it’s significantly more complex to keep paper forms and documents private and secure, so you will not be able to register using a paper form.
Any personal information you provide for the Registry will be held and managed in accordance with the Privacy Act.
The Arms Information System, which supports MyFirearms and the Firearms Registry, has been classified at RESTRICTED under the Protective Security Requirements (PSR). The PSR outlines the Government's expectations for managing staff, physical and information security.
This RESTRICTED classification recognises the potential national security impacts of an unauthorised release of the information held in the Registry. It therefore requires strong protections to safeguard the information from unauthorised access.
This level of classification means we have implemented a range of security controls to help protect the confidentiality and integrity of the information held in the Registry and ensure we can maintain its availability. These are similar controls to what you would see at your bank, and includes things like:
- strong data encryption of all information stored in the Registry
- robust authentication, including two-factor verification
- limits on what data can be accessed by staff in different roles, and what can be accessed via MyFirearms
- maintaining records of what actions are taken in the system, both by Police staff and users of MyFirearms, and processes to review these records for suspicious or unusual activity.
The Arms Information System has been through multiple security assessments by Government approved independent security consultants – the same security professionals regularly conduct these assessments across New Zealand businesses, including banks, telecommunication providers, government departments and insurance companies.
In accordance with the Government’s ‘Cloud First’ policy, we have chosen to use a cloud-hosted service over a traditional ICT system. AIS is hosted by Amazon Web Services in Australia, in the Asia Pacific (Sydney) Region. Its data security and privacy requirements have been assessed against government standards for the use of cloud-hosted services.
The only people who have access to the Registry are staff who need it to do their jobs. This will include Police and Te Tari Pūreke staff and authorised suppliers.
All our staff with access to the Arms Information System undertake privacy and security training and are bound by employment conditions and/or contractual agreements related to confidentiality. This access is audited and subject to the same professional conduct standards that apply to other Police systems. Audits included both planned activity and randomised checks.
Strict protocols are in place regarding access to the Police network and Police IT systems, and the Registry is no different. All Police staff with access to the Arms Information System must pass Police vetting processes and can only access it using a Police device while on the Police network.