Newsroom Pro's 8 things at 8: A scathing data privacy report; one fun thing

Anne Tolley is furious at the MSD privacy breach. Photo: Lynn Grieveson

In today's email we take a deeper look into the scathing assessment of the Government's first attempt at the data mining needed for its social investment approach.

1. A scathing report

Newsroom's National Affairs Editor Shane Cowlishaw went through Privacy Commissioner John Edwards' 49 page report in detail yesterday and found a scathing assessment of the Government's first attempt at the data mining needed for its social investment approach.

Firstly, Edwards found the Ministry of Social Development had promised to do privacy and security risk assessments before introducing the policy, but neither were completed before it launched the process.

As if to prove the lack of robustness and preparation, MSD had to shut down its system on Wednesday night after a gaping hole was found. Social Development Minister Anne Tolley was furious.

When asked by Newsroom about the failure of MSD to produce both a privacy and security risk assessment, Tolley's reaction was the same.

“Well that’s a good question to ask. As I say, I’m furious.”

Here's Shane's full analysis of the report and the reaction on Newsroom Pro.

2. 'Just send in a spreadsheet'

One of the more astonishing findings is that MSD simply told NGOs to collect their information, which includes name, address, gender, date of birth, ethnicity, iwi, plus details of any dependents, on a spreadsheet and then upload it to a central system. This individual client level data (ICLD) is the glue that holds the social investment approach together.

Spreadsheets lack built-in security protections and Edwards also had concerns about the central data system that they were being uploaded to.

This is the money quote from Edwards: "I am concerned that the IT system that underpins the collection and use of ICLD is underdeveloped and potentially vulnerable to data breach."

Edwards rightly points out that the MSD's data collection plans will be the first of many as Government agencies seek greater information as a condition of receiving a service: this is the whole premise of the social investment approach.

"As such, there is a need to proceed with caution and only implement the policy once robust security and information management processes are in place."

Edwards' report showed the MSD went ahead well before that was in place. A classic case of ready, fire, aim.

3. To opt out or to not opt out

One of the key aspects of the report is whether or not MSD should have allowed NGOs to opt out.

Edwards makes the point that allowing NGOs to opt out could have made the data set stronger because some may have chosen to provide false information rather than forego funding.

Allowing opt-outs would have ensured the data was not corrupted by false information and give MSD better information on trust in the policy, he wrote.

Shane notes that Edwards found that references to an opt-out for clients was actually included in early advice to the Minister, but had dropped off and by December.

Edwards noted he was unsure whether this was because of direction from the Minister or a change at MSD.

4. 'So vague as to be dangerous '

Edwards was particularly critical of the vagueness of MSD’s explanation about how the data would be used and who would have access to it.

This meant NGOs themselves were at risk of breaching the Privacy Act through their inability to explain to clients why their data was being collected.

Amazingly, MSD explained the policy differently as it progressed and had not explained if the data would be shared later with other departments.

5. So what happens now?

Anne Tolley is pushing ahead though with the plan to collect detailed data that is not anonymised.

"If you want to know the services are getting to all the people who need them, that there’s no duplication - we know there’s a lot of duplication already - you need to know who they’re dealing with so you can see and identify where the gaps are,” Tolley said.

They key response though will be from the 2,300 NGOs who need to cooperate and provide the data.

There is a risk of a Mexican standoff because without the NGOs, the Social Investment Approach is redundant. The Government's big drive was to involve NGOs to break the monopoly of the Government departments. Bill English's central argument is that NGOs will be better at providing the services than bureaucrats, but it only works when the NGOs have confidence in the data collection process and the data mining works.

No NGOs and no data means no Social Investment Approach.

Rape Crisis and womens refuge organisations have already boycotted the data collection demand.

6. A lack of trust

The quote of the report is from a submitter to Edwards' Inquiry:

"This is starting to have a police state feel to our democracy – the safety of the women that refuges work with can easily be compromised by their information being available electronically. The threat of only funding an organisation if they report on the clients’ names is going to push domestic violence back underground and will affect the safety of the women and children that women’s refuges work with.”

Given the various data breaches inside the Government agencies in recent years and the botched first attempt at data mining, there is clearly a lack of trust that needs to be won back before the Government's Social Investment Approach can get traction.

In my view, the Edwards report reinforces that lack of trust and exposes the big gap between the rhetoric pumping up the Social Investment Approach idea and the reality of what has been achieved.

7. Food for thought

The US Bureau of Labor Statistics has published a chart showing employment in various information industries since 2001. It shows newspaper industry jobs have more than halved to under 200,000 between 2001 and the election of Donald Trump because of the collapse in advertising and circulation revenues in the Internet era.

Causation or just correlation? Americans are certainly worrying openly about the decline of the fourth estate's role in holding power to account. Subscriptions to the New York Times and the Washington Post have surged since Trump's election.

8. One fun thing

Bill English should know he's really made it when something he does makes it to the US late night comedy shows. John Key's gaffes were a regular feature of John Oliver's shows, and who can forget Steven Joyce's appearance.

Last night Jimmy Kimmel picked up on Bill English's Wednesday night dinner of tinned spaghetti (and pineapple) pizza. Kimmel joked that English was declaring war on both Italy and Hawaii, and should be impeached. Here's the clip.