A damning report from the Privacy Commissioner has raised serious concerns about MSD’s demands for client data. What will it mean for the Government’s wider social investment approach?
Among the hundreds of submissions to the Privacy Commission’s inquiry into data collection, one comment summed up the public concern more than others.
“If MSD knows my budget is so tight, will they take my children off me?”
It illustrates the fear behind the questions people are asking: why does the Government want my personal information and what will it do with it?
An increase in the collection of highly confidential data about social service users is at the centre of National’s social investment approach.
It wants to use new technology to crunch the information down, so it can target money at the regions, and groups of people, that need it most.
The Ministry of Social Development is leading the charge, introducing a policy that requires more than 2300 NGOs it funds to hand over their clients’ data in order to receive funding.
The information is detailed, consisting of name, address, gender, date of birth, ethnicity, iwi, plus details of any dependents.
Many organisations who deal with New Zealand’s most vulnerable people felt uncomfortable with the policy. Their complaints to Privacy Commissioner John Edwards led to him launching an investigation, and the result is not flattering to the Government.
What does the report say?
Edwards’ report identifies a litany of problems with MSD’s approach.
It says there appeared to have been little or no analysis of the impact of the policy or possible unintended consequences.
Making it mandatory to provide personal information could lead to a gap in the data when people refused. Or, instead of refusing, they could provide false information, which would corrupt the process of targeting funding.
Privacy Commissioner John Edwards was scathing in his assessment of the policy. Photo: Shane Cowlishaw
“There are many legitimate reasons that a person may have for needing help but prefer to forgo it because of the perceived risks associated with passing the information to MSD, for example, a domestic violence victim whose partner or cousin works for MSD. These people may become invisible to the Government.”
Allowing a percentage of people to opt out of providing information could solve this problem and even be beneficial, as it would give MSD useful insights into trust of the policy and what type of people were opting out, the report says.
Curiously, it notes that references to an opt-out for clients were included in early advice to the Minister but had dropped off, and by December it had been made clear that providing client information would be mandatory. Edwards notes he is unsure whether this was because of direction from the Minister or a change at MSD.
Security of the information and MSD’s ability to protect it was also a concern for Edwards.
In talking to MSD for the review and analysing documents provided to the Minister, he discovered MSD had stated it was working on a Privacy Impact Assessment to identify risks, alongside a separate Security Risk Assessment.
Neither of these was completed.
MSD had told NGOs that initial data would be collected on a spreadsheet, a system lacking built-in security protections, before being uploaded to a secure central system that Edwards also held concerns about.
“I am concerned that the IT system that underpins the collection and use of ICLD is underdeveloped and potentially vulnerable to data breach,” he says in his report, which was released the morning after Social Development Minister Anne Tolley revealed just such a breach.
Finally, the report is heavily critical of the vagueness of MSD’s explanation about how the data would be used and who would have access to it.
Ironically, this meant NGOs themselves were at risk of breaching the Privacy Act through their inability to explain to clients why their data was being collected.
MSD explained the policy differently as it had progressed and had not explained if the data would be shared later with other departments.
The report’s main recommendation is for the data to be instead collected by Statistics NZ, which Edwards says has a good track record of protecting its data.
“This policy represents a new direction for the Government, and is likely to be the first of many occasions when agencies might seek greater access to personal information as a condition of receiving a service,” Edwards writes.
“As such, there is a need to proceed with caution and only implement the policy once robust security and information management processes are in place.”
Scrap it altogether
Opposition parties have responded with calls to bin the social investment policy altogether.
Labour’s Social Development spokeswoman Carmel Sepuloni said MSD’s policy had been poorly handled and highlighted the need for people to opt out without it impacting funding for service providers.
“This really does throw a spanner into the works with regards to the whole government social investment approach because it is about Bill English’s big data grab and collecting this information and apparently it’s supposed to make social services better and be cost effective for the Government but actually what the Privacy Commissioner is telling us is it will deter people from accessing services.”
Sepuloni’s counterpart at the Greens, Jan Logie, called for an immediate stop to the practice.
Referring to a written question she asked Tolley last year in Parliament, she said Tolley had told her officials had met with the Privacy Commissioner and no concerns were raised.
“Confidentiality is an absolute cornerstone of the work that community groups and NGOs do, and should be protected,” Logie said.
But it’s highly unlikely this report, as strongly-worded as it is, will halt the social investment juggernaut.
Increased data collection is a lynchpin of the Government’s approach in the area and has long been trumpeted as the way to improve the effectiveness and cost efficiency of funding social services.
Tolley herself gave no hint that the report would lead to a backing down on the approach, although she said she was willing to talk to social agencies to help address some of their issues.
She said she understood the concerns behind Edwards' call for anonymised data, which would be acceptable if the data was being collected simply to investigate effectiveness, but said the Government wanted to know about coverage and where services were needed.
“If you want to know the services are getting to all the people who need them, that there’s no duplication - we know there’s a lot of duplication already - you need to know who they’re dealing with so you can see and identify where the gaps are.”
While she was open to hearing about ways Statistics NZ could be involved, Tolley said she understood that the only way they could do so would be for the data to be anonymised and that did not achieve the policy’s purpose.
It is clear, however, that Tolley is far from impressed with MSD.
On Wednesday it was announced a gaping privacy hole had been identified in the system set up to collect the data from NGOs.
It was shut down immediately on Tolley’s orders and she said she was furious at the news.
When asked by Newsroom about the failure of MSD to produce both a privacy and security risk assessment, her reaction was the same.
“Well that’s good questions to ask. As I say, I’m furious.”
MSD declined to be interviewed, instead releasing a blanket statement acknowledging it was “taking a close look” at the issues identified and remained open to “refining” its processes.
Edwards’ report was scathing, but he also noted that the data mining approach was one that, if used properly, could be beneficial.
On the same day his report was released, the Inland Revenue Department issued a tender seeking to assemble an open panel of providers who could offer advanced analytics products and services.
“Inland Revenue sees advanced analytics as a way to improve customer experience and would like to attract new ideas from organisations who have an offering in this broad area.”
It shows big data is here to stay, but the debate about how it’s used is only beginning.
WHAT THE SUBMITTERS SAY
“We surveyed 17 of our clients (adult male survivors of sexual abuse) and all said that they would cease all involvement if their personal details were to be shared with any government department.”
“Many of our clients are actively being stalked, and others have relocated to a confidential address for their safety. We advise these clients not to share their details with anyone. Confidential contact details are an important part of our work and clients may well decline the services they need.”
“Families understandably feel that the reasons they come to our organisation should be confidential. They will be very reluctant to engage if they feel data about them will be shared with any number of Government Departments, many of whom seem to have fairly woeful records when it comes to maintaining confidentiality across such large amounts of information.”
“This is starting to have a police state feel to our democracy – the safety of the women that refuges work with can easily be compromised by their information being available electronically. The threat of only funding an organisation if they report on the clients’ names is going to push domestic violence back underground and will affect the safety of the women and children that women’s refuges work with.”
“Rape and sexual abuse is a very personal and sensitive matter – our survivors would rather not have information like this available to people unknown to them.”
“Often people with limited resources feel they’re expected to have less right to a private life – it feels like the Government picking on poor people because they can.”