Report finds serious failings in MSD data portal

Social Development Minister Anne Tolley ordered the portal shuttered after learning of the privacy problem. Photo: Lynn Grieveson

An independent review into a security flaw that could have exposed sensitive client information has found serious failings by the Ministry of Social Development (MSD).

The review was ordered by Social Development Minister Anne Tolley after the potential breach was discovered last month.

The portal was to play a key part in the Government’s data-driven social investment policy.

It required NGOs to submit client data to the Ministry of Social Development (MSD), with any refusal potentially punished by a withdrawal of funding.

While there was no breach, it allowed one provider to view another provider’s folder while accessing the system.

It was immediately shut down when this was discovered. At the time only 10 providers had uploaded information, although the invite had been extended to 136.

Tolley was furious and was also unimpressed at the fact the portal had been launched before the completion of both privacy and security risk assessments.

It marked a bad week for MSD; in the same week Privacy Commissioner John Edwards released a scathing report into MSD’s demands for client data. He was critical of a lack of analysis of the impact of the policy and the vagueness of how the data would be used.

In a somewhat cynical move MSD released the report in the middle of Tuesday afternoon, a day when much of the press gallery was distracted with the Government’s housing announcement.

Tolley received the report last week and has been considering it.

Led by former Deloitte NZ consultant Murray Jack, the review found MSD failed to draw on appropriate experience from within the Ministry as well as other agencies when developing the system.

The lack of a comprehensive Privacy Impact Assessment was concerning, while the decision to “go-live” had been made without the appropriate checks, the report said.

It found the fact that one organisation had been able to see other folders was due to a human error.

In a statement Tolley said she was extremely disappointed in what had happened, especially considering previous IT failures.

“While this occurred at a time when the Ministry was going through major organisational change, the report highlights that the project lacked the appropriate governance, project management processes, and dedicated project resource.

“I have made it clear to the Chief Executive that I expect these lessons will be taken on board.”

Also in a statement, MSD chief executive Brendan Boyle said there were some “useful lessons” to be taken from the report.

“MSD and the Ministry for Vulnerable Children, Oranga Tamariki will take the lessons learned from this independent review and ensure they are applied throughout both organisations.

The protection of client data is a high priority.”

Boyle confirmed an employment investigation based on the issues identified in the report was ongoing.