Health NZ Te Whatu Ora and the Health Ministry not only did no audits, but had no power to do that under their toothless contracts that are now being urgently overhauled.
“There were no controls over files once they were downloaded by the [outside] providers' authorised staff,” the commission said.
Also, the authorities had no safeguards in case the person or group getting the health information had a conflict of interest.
A “failed” system left data open to be exploited, the commission said.
The investigation was sparked by allegations data given to health and social services providers at Manurewa Marae was misused.
That is still being looked into.
However, it is clear the hands-off, no-checks approach to sharing health data prevailed for years despite the Government’s overarching line on personal data – which it has been gathering more and more of – that it can be totally trusted with it.
Health NZ on Thursday once again stated it took “the security and privacy of health data very seriously”.
Yet it did not realise its systems were unsafe until the external probe.
“We became aware that our data-sharing agreements could have been stronger through the inquiry process,” Health NZ interim director of data and analytics Stuart Bloomfield told RNZ.
“Our data-sharing agreements provided a robust foundation for data sharing, but they lacked provisions allowing us to seek assurances of, and audit to test, compliance and we are addressing this.”
None of the agreements – DSAs – allowed for audits or for enforcing compliance with what, on the face of it, were strict rules around privacy.
The agency also lacked data-handling protocols.
They had started work “immediately” to fix all this, Bloomfield said.
They were adding the ability to audit and to “seek assurances re compliance”.
“We will also be revising our processes to ensure that conflicts of interest are routinely considered.
“We expect to have these measures in within the next six months.”
These weaknesses persisted despite the huge volumes of health data that are shared, how sensitive the law regards health data to be, and the assurances that all is safe that have accompanied successive governments' push for more and more personal data.
For the past 15 years, health authorities have been telling “all health providers” they must follow the 75 pages of guidelines about protecting health information.
In that time, especially most recently, how the information flows has become much more complex amid myriad digital systems.
Privacy laws make it clear that health data sits in a group where stringent controls must be enforced over how it is used, stored and disposed of.
Te Whatu Ora got as far as ensuring its data sharing met Privacy Act 2020 and Health Information Privacy Code 2020 protections and safeguards, and that it made its expectations to external providers clear.
But then it stopped short of checking if they lived up to the expectations.
They “did not assure themselves that the relevant service providers were meeting contractual expectations”, the commission said.
“It is critical New Zealanders can trust that their personal information is secure and will not be exploited.”
Bloomfield said, “We are not aware of any evidence that Covid-19 data was inappropriately used by any of the relevant recipients.”
‘Sobering reading’
The inquiry made “sobering reading” about a “failed” system, commission head Sir Brian Roche said.
At Stats NZ, the findings have claimed the head of the chief executive, who will step down within days.
At Health NZ Te Whatu Ora, there has been no mention of anyone stepping down – that said, the chief executive had already just quit, and the job of the head of data and digital was disestablished in October to save money.
Everyone is under the gun, with accountability being upped on info-sharing across the public sector.
The wider implications are that other government agencies are not keeping enough tabs and audits on people’s information after they share it, as Newsroom has reported.
“It raises a number of issues that go to the core of the confidence and trust required to maintain the integrity and sanctity of information entrusted to government agencies,” Roche said.
His agency is now working on a new standard for information sharing. Health NZ is helping and it kicks in from July.
The Office of the Privacy Commissioner is now looking into the allegations of actual misuse.
The Health Ministry, Health New Zealand, Stats NZ and Te Puni Kōkiri have been asked to temporarily suspend new contracts, renewals and extensions with the three providers.
Health NZ also has its own problems handling personal data internally, even when it did not share it.
Papers previously released under the OIA talk about a confusion of multiple standards and models, “no shared principles standards”, “no ability to track data use to ensure it is being used for its intended purpose or adherence to sovereignty”, and “information is not kept current due to siloed copies [of] personal information”.
Blockages have been noted between doctors and data analysts – and critics of the reset to save $600 million have expressed fears that plans to halve the data and digital team will make that worse.