Bennett: Winz security process 'atrocious'

Social Development Minister Paula Bennett says she is embarrassed by the "atrocious'' performance of Work and Income staff who twice failed to react to warnings that public computer kiosks opened up thousands of people to having their privacy breached.

Ms Bennett said today the Deloitte report into the privacy breach on Winz kiosks had shown a major failure by the ministry.

She refused to comment on whether four staff being investigated in the fallout should lose their jobs, saying that decision was for the chief executive.

"There really was an atrocious operation and process,'' she said.

''... I think [the report] is damning. I think it shows that we didn't have the right processes in place.''

Ms Bennett said she was confident the public could "be assured it will never happen again''.

"This has been a huge lesson for the ministry. We are embarrassed, as the minister I'm embarrassed that this had ever happened and I assure you so are the employees of the ministry.''

Ms Bennett rejected criticism she was passing the buck on responsibility.

"At the end of the day I have a level of responsibility and certainly accountability. What I can't be held to is to blame for something I have no control over.

"I set high standards for the ministry. They have not lived up to them in this case and I want ... to be sure it will never happen again.''

Ms Bennett said the fact the warnings about a major privacy breach were never escalated to more senior staff was "really hard to fathom''.

"It seems incredulous to me that it wasn't escalated to the right people,'' she said.

"I have made it very clear that this has not lived up to the expectations and high quality I expect.''

Ms Bennett said "accountability should be followed through''.

The ministry is investigating whether any of those people whose privacy was seriously breached is entitled to compensation.

The independent report into how private files held by the Ministry of Social Development were accessible through public computer kiosks at Work and Income offices -released today - found security was not adequately considered in their design and implementation.

Ministry chief executive Brendan Boyle today said he was "gutted'' and "sorry'' about the breach after the Deloitte review concluded the ministry was first told about security flaws in April last year, six months before the kiosks opened.

Mr Boyle said 7300 files were accessed and 1432 people's privacy breached, but eight children and two adults had their privacy seriously breached.

"The breach was unacceptable, it was dealt with within hours and people will be held accountable. If we've got some gaps in our system, we have to close them,'' he said.

Among the flaws was an inability to separate the kiosks, used by jobseekers, from the ministry's main server.

The report found the ministry's consideration of security requirements during the design and implementation of the kiosks and its response to concerns identified during testing was inadequate.

It highlights that the ministry was again told of security risks in October 2011 by a beneficiary advocate invited to a training session.

Deloitte chairman Murray Jack said the report recommended new security measures if the kiosks were to be used again, including separating them from the main ministry server.

"Clearly separating the network either physically or logically does cost money,'' he said.

Mr Boyle said four employment investigations were launched as a result of the privacy breaches.

He said there were a range of reasons but the main one was whether staff "acted appropriately with the information they had''.

"It never got to the level of seniority it should have reached.''