Ministry vows to fix flaws

Brendan Boyle, pictured with minister Paula Bennett, will appoint an information security chief. Photo / Mark Mitchell

Chief promises to act on reports into vulnerability of personal data.

Privacy Commissioner Marie Shroff has described the Ministry of Social Development as a "megastore of personal details" which needs to lift its game to ensure confidence in the public sector is not harmed.

Ms Shroff was responding to the release of the final Deloitte report into information security at the ministry after blogger Keith Ng discovered a security hole in its public kiosks.

That report found that although there was no evidence of a more widespread breach than the Work and Income kiosks, there was no ministry-wide information security approach, a lack of co-ordination and no clear lines of responsibility - including a lack of specific instructions on how to deal with potential information security risks.

That had been one of the causes of the kiosk breach - the security hole was picked up by a computer audit company but never acted on.

Ministry chief executive Brendan Boyle promised to act on all the recommendations in the report, including creating a new role of a chief information security officer to oversee information security.

He said Work and Income also hoped to open up new kiosks from next May after closing its original kiosks when it was revealed sensitive information could be accessed from them because they were linked to the ministry's own system.

Ms Shroff said she was pleased the ministry had accepted the report, which showed strong leadership was needed on the way client information was handled.

"The ministry is a megastore of personal details, and could be leading the way for innovative information holding." But a lack of co-ordination and strategy had let it down, she said.

Pressure on many government departments to deliver services faster and more efficiently could come at a cost, including public confidence.

"It's easy to forget that the 'data' relates to real people - and failing to look after that data can cause harm to those people," she said.

"I have concerns core agencies are not yet switched on to the need to lift current practices and keep the community they serve foremost."

The two Deloitte reports cost a total of $450,000 - the first was into the extent and reasons for the security breach involving the Work and Income public kiosks and the second was a review of information security measures across the ministry.

Yesterday, Labour MP Jacinda Ardern said the report showed a "lax attitude" to handling personal information by the ministry.

She said it would give little confidence that things had changed.

Deloitte interviewed 105 staff out of 9500. "That is hardly comprehensive, yet the report concludes the ministry has 'a strong culture that clearly understands the importance of privacy and security'."

Green MP Jan Logie said that there was a clear need for tightening processes.

"The cost to the taxpayer of the two Deloitte reports has been $450,000 and the replacement of the kiosks will, no doubt, cost hundreds of thousands more.

"The irony of this won't be lost on the poorest New Zealanders who the ministry is in charge of helping."

DELOITTE ADVICE
Recommendations of the Deloitte report:
• Assign a senior manager responsibility for information security.
• Include information security in strategic planning and performance monitoring.
• Improve information security risk management, including more use of security experts.
• More training for contractors and staff on expectations for information security.
• More thorough and consistent assessments of projects before they come into use.
• Involve IT team early in development of new projects.