Ministry of Social Development slated for privacy and security failures in controversial data collection project

Social Development Minister Anne Tolley. Photo/Mark Mitchell

An employment investigation is underway at the Ministry of Social Development after a review into a blunder involving client information in a controversial information-sharing programme slated the ministry for its management of that programme.

The review was into an April incident in which one organisation was able to access an organisation's folder on a new IT system for social services providers to share personal client data with the Government.

Although no personal information was in the folder accessed, the loophole forced the ministry to close down the portal which was a critical part of a new Government policy requiring social organisations to share individualised client information - such as what help they were getting, names, addresses and family members - with the Government to be eligible for government funding.

The review found the incident was the result of human error. One provider was mistakenly been given access to another provider's "library" of information. In removing that access, the ministry accidentally removed its own access as well. The attempt to restore it by a Datacom consultant resulted in all providers being given permission to access that folder.

However, the review was also critical of the wider set-up of the programme and the Ministry of Social Development's management of it, including a failure to consider security and privacy issues early and fully. "Privacy needs to be considered early and be a consistent thread throughout projects like this."

The review found because the ministry was using a pre-existing system as an interim measure for the data gathering while a permanent IT system was worked on, it had not undertaken the usual checks and testing in setting up a new system.

It had also come at a time of significant change, including the change from Child, Youth and Family to the Ministry for Vulnerable Children and the review said many staff were doing dual roles - working on the data sharing strategy as well as their usual everyday duties. That meant there was an unclear governance structure.

"This posed some additional pressure and lack of clarity on the scope of responsibilities for some of these roles."

Brendan Boyle, chief executive of the Ministry of Social Development, said while the review confirmed there was no privacy breach of personal data, "it is concerning that there was potential for this to occur".

He confirmed he had started an employment investigation - but also pointed to the tight time frames the ministry was working under to get the Government's programme up and running.

He also noted comments about privacy assessments and the failure to fully test the system. "While the timeframes for delivering this project were tight, more focus was needed in these critical project areas."

Social Development Minister Anne Tolley said she was "extremely disappointed" at the number of concerns the review had highlighted with MSD's management.

"There was a lack of appropriate checks and testing to confirm the system's readiness. Privacy considerations and security risks were not properly identified and mitigated in a timely manner."

She said some of those risks could have been avoided if the team charged with the project had sought help from the wider ministry and other agencies. "I understand that an employment investigation by the chief executive is now being undertaken as a result of the review."

She said the ministry should have overseen the project better given previous IT issues within the ministry. That included a breach in which a member of the public had been able to access others' personal information using the Ministry's public computer "booths".

At the time of the breach Tolley said she was "furious".

The information sharing strategy was a key part of the Government's "social investment" approach, which aims to target support where it is most needed - but was controversial. The policy requiring organisations to hand over sometimes sensitive personal details was criticised as "excessive and unnecessary" by Privacy Commissioner John Edwards, who said it could deter people from seeking help. Groups such as Rape Crisis and Budget Services had also criticised it.