A cyber-security expert is sounding a warning about government organisations' use of a Facebook business tool, 'Workplace by Facebook'.
The New Zealand Transport Agency has adopted Workplace by Facebook as its internal communications tool, and other agencies, including the Social Development Ministry, are trialling it.
However, the Privacy Commissioner said those using it had to abide by strict safety rules set by the government's chief digital officer.
Director of Waikato University's Cyber Security Research Lab, Doctor Ryan Ko, said while Facebook claimed to be compliant with international standards, users could never know exactly how their data might be being harvested by the company.
"On [Facebook's] websites they mention they are compliant with several standards so they are accountable to several global standards like ISO 27001 and American standards SOC 2 and SOC 3."
"But the way the data is being harvested internally can never be known directly to the users at this point because the ... software they are providing for the users, is just telling them the real-time activity monitoring and so on but doesn't provide a full provenance of what has happened to the data of the entire lifetime, [for example] what you have clicked on."
"Those things are just collected and the scary thing is when someone malicious uses the data, that's where the mess starts."
Dr Ko said if he was in the government's shoes, he probably wouldn't be considering non-New Zealand companies for the storage and processing of data.
"The [information] on Facebook may be housed in servers in many different countries around the world and sometimes the exact location is not disclosed to the client so that's a problem where, because data is stored in another country, it's under another jurisdiction."
"[That means] people such as the Privacy Commissioner and the Courts of New Zealand are limited in what they can do to bring somebody to account so this is a problem because if technical implementation is in the cloud, it is stored all over the world, it falls in a different jurisdiction and basically New Zealanders are sitting ducks."
However, Privacy Commissioner John Edwards told Nine to Noon there were some important differences between Facebook's social media product and its business offering.
"Facebook is free and always will be because you're paying with your information. The other product is a commercial product and one of a suite of cloud services increasingly being embraced not only in government but across the economy and that's not inherently a bad thing."
Mr Edwards said public agencies should make sure they were meeting the requirements set by the government's chief digital officer, including not to post on any public cloud service information classified above a certain security level and also to look closely at the provider's terms and conditions.
"When my Norwegian counterpart looked at [Workplace By Facebook] in 2016 he said although [it] encourages dialogues on terms and conditions, the standard terms are at times unclear and may allow Facebook to use personal data for commercial purposes.
"So it's really important for a company or government agency to understand what's going to happen with that data and then to limit what can go on it according to that."
Mr Edwards said it would be utterly unacceptable for third parties to be able to access government information to assist with lobbying or a business pitch, so it was up to agencies to do thorough due diligence and impact assessments before using any such product.
He said organisations using the Facebook tool also had other protections besides legal ones.
"There's technical protections as well so you can enquire about how the data is stored, is it encrypted at rest, is it encrypted in transmission, who holds the keys for that encryption."
"Those are the kinds of enquiries the government's chief digital officer invites any government agency to go through and assess according to their risk."
Mr Edwards said a planned reform of the Privacy Act would have more focus on the obligations of agencies when they transferred information out of jurisdiction, which meant the liability chain would be even more clearly linked back to the New Zealand-based agency.