This morning I listened to a fascinating interview with New Zealand's privacy commissioner about the Privacy Act implications of the breach. As someone who works with a number of health-sector entities, I've been having some interesting conversations about health data specifically.
And as someone fairly involved in leadership and corporate governance, that is an angle that has been top of mind also.
This is, obviously, a fast-moving story and as the days and weeks advance, there will be more clarity around who knew what, and who acted inappropriately. What I want to do for a moment, however, is to ponder on timeliness and accepting blame.
It seems only a week or so ago (oh wait, it was) that I was opining on similar themes with regard to the David Clark/Ashley Bloomfield situation. My perspective on that topic was simple - Clark had a moral obligation to share the credit, but take the blame for things that occurred under his watch.
This situation would seem to be slightly more complex, with very real legal, as well as moral, questions to answer. As such, there is more of a procedural lens through which to observe but, notwithstanding the knee-jerk reactions to claim "due process," it strikes me that the same rules essentially apply.
Todd Muller, the new leader of the New Zealand National Party, admitted this morning that he had known the source of the leak for more than 24 hours but had not gone public with it. Should he have 'fessed up immediately?
Readers will have their own opinions about that but if we look at it through the lens of recent failures on the part of the Covid response, one suspects Muller would have demanded more immediacy from others.
But of interest to all those business leaders and governors out there are the actions of Michelle Boag. Boag received, as acting CEO of ARHT, the detailed list of Covid sufferers.
The fact that this was allegedly sent to her personal email address and not an official ARHT one is of no matter. This was sensitive information, shared with her entirely in the context of her role with the ARHT and it was, as she admits, a gross error of judgement to pass that information on. She had no choice but to fall on her sword.
But what of the board of the ARHT? Where was the audit committee ensuring that all the processes and procedures that the organisation has in place are robust and fit for purpose?
Where were the IT systems that would automatically stop this sort of breach happening? Who is the privacy officer who has (one hopes) already begun a deep investigation into this incident?
Most importantly, where are the board members who have the final obligation to stand up and take responsibility for this situation?
As anyone who is involved in corporate governance will know, the board employs the chief executive and it is their responsibility to hold management to account.
Much like in the Clark/Bloomfield situation, this means that it is they who should fade into the background when things go right, but stand up immediately when things go wrong. It's early days, but I'm not seeing anyone standing at this stage.
- Ben Kepes is a Christchurch-based investor and entrepreneur.