“Atrocious,” said the minister of social development, Paula Bennett, of the failures identified in the first part of the Deloitte report into the data breaches at Winz, released today. Her chief executive said he was “gutted”.
But the most damning assessment came from the privacy commissioner, Marie Shroff. The MSD’s inaction, despite warnings of the absence of “basic IT security safeguards”, was “unfathomable”, she said.
And she went further – in remarks that underline the importance of the second phase of the investigation fulfilling the promise to look into the culture at the ministry.
It “raises questions about the wider culture of handling information within MSD”, she said. And: “Looking at IT security is only one part of the picture. Recent privacy breaches make it plain that a complete mind-shift is needed in some quarters.”
Beyond the kiosk fiasco, she added, “whether there have been wider failures of leadership, policies and strategy about how personal information is handled within the Ministry is still to be seen”.
Shroff’s statement is blunt and lucid, and is worth reading in full. So here it is, from the Privacy Commissioner’s site:
“Government agencies must treat people’s information with the highest standards of respect,” says Privacy Commissioner, Marie Shroff. “But this hard-hitting report – especially since it follows hard on the heels of the ACC report – shows just how far some of our major agencies have to go before we can be confident our information is protected.
“Basic IT security safeguards to protect personal information were missing, from the time the ‘kiosk’ system was built. And it’s unfathomable that the Ministry did not address Dimension Data’s revelations that sensitive personal information was exposed on network shares. The decision about how to handle such a serious problem should have been made at the highest levels of the business. This raises questions about the wider culture of handling information within MSD.
“Looking at IT security is only one part of the picture. Recent privacy breaches make it plain that a complete mind-shift is needed in some quarters. There’s been far too little focus on the fact that there are real people behind the information that government agencies hold. Those agencies need to develop and embed strong leadership, governance structures, policies and practices to manage personal information at every level of the organisation.
“We often don’t have a choice about handing our personal information over to government agencies. The least we can expect is responsible stewardship of that information.
“The problems with the MSD kiosks are now evident. Whether there have been wider failures of leadership, policies and strategy about how personal information is handled within the Ministry is still to be seen. However, I expect the next stage of this review to ask some penetrating questions.
“I welcome the MSD Chief Executive’s acceptance that the Ministry’s performance was inadequate here, and his commitment to examine the Ministry’s systems and culture in the second phase of the review.”