The Government's chief information officer says privacy breaches need to be addressed by senior executives, not left for IT departments to fix.
About 250 people from government departments and private companies attended a conference on data safety in Wellington on Wednesday.
Colin MacDonald is working on a report for Prime Minister John Key identifying how government agencies can better manage confidential information, following several recent breaches which have included the Earthquake Commission (EQC) and the Accident Compensation Corporation (ACC).
Mr MacDonald told the conference that information security and privacy risks are not just IT issues.
"They must be treated as business issues. Senior executive teams need to be involved, they need to understand security and privacy risks as part of their wider risk management frameworks.
"And they should be a regular part of discussions that focus on overall organisation of risk management."
Greg Brogden, senior corporate solicitor for the Canterbury District Health Board, agrees.
"ACC and EQC are good examples of where it's gone to the heart of people's reliance on those organisations and trust in them.
"I think it's recognising that privacy is not just a thing to the side, it's actually core business you've got to get right."