MSD caught with its privacy pants down

A review has found MSD paid scant attention to privacy before pushing go on a portal to collect client data. Photo: Shane Cowlishaw

An independent report has highlighted yet another litany of IT errors by MSD in protecting people’s privacy. Why can the Ministry not learn from its mistakes?

The Ministry of Social Development (MSD) paid little more than lip-service to privacy before going ahead with a portal to collect sensitive client information, it has been found.

It was revealed last month that an IT system set up to allow providers to submit data contained a gaping hole that allowed them to view folders other than their own.

While only 10 providers had uploaded information, the invite had been extended to 136. The system was quickly shut down as a furious Social Development Minister Anne Tolley ordered a review.

The portal was intended to play a key part in the Government’s data-driven social investment policy.

MSD had announced measures requiring NGOs to hand over the sensitive information about their clients, or face the possibility of having their funding cut.

The discovery marked a bad week for MSD; the following day the Privacy Commissioner released a scathing report into MSD’s demands for client data.

He was critical of a lack of analysis of the impact of the policy and the vagueness of how the data would be used, while lambasting the use of spreadsheets which did not have robust privacy protection.

In a somewhat cynical move MSD released the latest independent review at 3.30pm on Tuesday afternoon, a day when many journalists were distracted with the Government’s housing announcement.

Tolley received the report last week and has been considering it.

Undertaken by former Deloitte chairman Murray Jack, it found the following:

  • the initial problem was essentially human error, with the wrong permissions allocated on the shared workplace system (SWS) used by providers to upload their data;
  • after the problem was discovered, MSD accidentally deleted its own permission from the system and had to ask Datacom to restore it - once it was restored, it was discovered all users had been granted access, and the system was pulled;
  • not enough attention was paid to privacy during the project, and an impact assessment was completed late;
  • MSD failed to draw on experience from within its own ranks and from other agencies; and
  • staff were covering dual roles while working on the transition of Child, Youth and Family to the Ministry for Vulnerable Children, Oranga Tamariki, adding pressure while they juggled two jobs.

Jack noted that privacy needed to be considered early in projects like this, something that had not happened here.

The process had also lacked thoroughness, as the temporary system that was being used was familiar, leading to complacency.

“We believe there was insufficient rigour in the process that led to SWS being implemented as the temporary solution.

“Because it was an existing platform, already in use for a range of other initiatives, this decision was not treated in the way 'go-live' decisions are generally made and governed.”

This breach is not the first time MSD has been caught with its privacy pants around its ankles.

In 2012 a review was ordered after a serious problem was revealed with its public kiosks in Work and Income offices, which could be used to access detailed private information.

At the time MSD assured the public it took its privacy seriously, but refused Newsroom an interview to talk about its latest misstep.

In a statement, chief executive Brendon Boyle said there were some “useful lessons” to be taken from the report.

“MSD and the Ministry for Vulnerable Children, Oranga Tamariki will take the lessons learned from this independent review and ensure they are applied throughout both organisations. The protection of client data is a high priority.”

Boyle confirmed an employment investigation based on the issues identified in the report was ongoing.

Tolley was more forthcoming in her statement, saying she was extremely disappointed in what had happened considering MSD’s track record.

“I have made it clear to the chief executive that I expect these lessons will be taken on board.”

Privacy Commissioner John Edwards said while the review addressed the portal issue, it did not have the remit to look at the client-level data policy, which needed to be assessed.

“What it does show is the risk of going too fast with this type of thing,” he said.