Social Development Minister Anne Tolley has announced an independent review of the Ministry of Social Development's (MSD) individual client level data IT system.
This follows confirmation last week of a privacy breach in the IT system. The IT system was shut down as a result of the breach, pending advice on the use of a different IT platform.
Minister Tolley said "I have now received a briefing from MSD on what led to last week’s technical issue with the portal. It's extremely disappointing that the report appears to raise more questions than answers on the security of the IT system and the governance of the project."
The review started on the 12 April 2017 and is being led by Murray Jack, a former consultant with Deloitte NZ, with support from two IT and privacy specialists from Deloitte NZ and PwC. A report from the review is expected at the end of April.
The terms of reference set out the purpose of the review:
"The review will investigate the circumstances and causes of the issue where a provider was able to view another provider's folder which had the potential to compromise the client's privacy, focusing on:
- The decision to use the portal, including:
- analysis of the available technical options
- work done to ensure appropriate information security was analysed
- The governance and management of the project
- Establishing how the issue occurred and the circumstances that allowed this to happen
- Review the governance around the response to the event itself. Including governance, roles and responsibilities, escalation and communication channels."
While the review is only focused on the IT system, the Ministry has been widely criticised for its overall plan requiring non-government organisations provide individual client level data (ICLD) in order to receive government funding.
ComVoices criticised the inquiry for focusing only on the IT issue. Trevor McGlinchey, ComVoices Spokesperson, said "The just announced enquiry is deflecting us from the real question. The question at the heart of the enquiry should be why are we collecting data that the Privacy Commissioner has said is '…excessive, disproportionate to government’s legitimate needs and therefore inconsistent with the privacy principles'?"
Labour Spokesperson for Social Development Carmel Sepuloni said "The Minister is going about this data collection backwards. Her independent review comes after budgeting services have already had data sharing requirements written in to their contracts, and were already compelled to upload the sensitive information onto a faulty data sharing system."
The Public Service Association welcomed the inquiry but does not support the overall policy to collect ICLD:
"We will co-operate fully with any aspect of the investigation which involves the PSA or its members. However, if the security issues are resolved, this will still not overcome our objections to NGOs being required to provide data on their clients to MSD. We are worried that NGOs working with vulnerable families are being asked to share data of such a sensitive nature and not convinced the gains of doing so outweigh the risks. We note Minister Tolley’s statement that only 10 out of 136 government providers have taken up the opportunity to upload information to the system. Regardless of the findings of the review, we hope this gives the Minister pause to reflect on whether this system should exist at all."
In an interview on Radio Waatea, Māori Women's Welfare League President Prue Kapua said many Māori are already wary about seeking help, and that will get worse if it means their provider becomes an information collector for the government:
"It's hard not to get away from the fact they are sharing (data) and therefore it's about checking up on people, whether it's going to be about prosecutions in various departments and getting information that is going to be used against people. MSD hasn't been at all clear about what their purpose is."
For other responses to the Ministry's plans to collect ICLD see the previous NZFVC story Privacy Commissioner's report criticises MSD collection of individual client level data.
Submitted on Thu, 2017-04-13 09:13