A high-ranking public servant is stepping aside following a review into a Ministry of Social Development blunder involving client information in a controversial information-sharing programme.
The review was into an April incident in which one organisation was able to access an organisation's folder on a new IT system for social services providers to share personal client data with the Government.
MSD chief executive Brendan Boyle today announced that deputy chief executive Murray Edridge will be stepping aside from his current duties as acting deputy chief executive.
"Murray is an experienced senior leader within the public sector and has integrity and significant skills," Boyle said.
"Following a report into some of the actions of the Community Investment business group, covered by the investigation into the security and privacy issues relating to the collection of individual client level data, Murray has advised me that he will take responsibility for the actions of his team at the time, despite having no direct involvement in those actions.
"In taking this course of action I commend Murray for demonstrating the integrity and leadership that we have come to know him for."
He said that over Edridge's five years in senior leadership at MSD, he has demonstrated "strong commitment and professionalism" and had led significant changes in "how we support our most vulnerable New Zealanders".
Although no personal information was in the folder accessed, the loophole forced the ministry to close down the portal which was a critical part of a new Government policy requiring social organisations to share individualised client information - such as what help they were getting, names, addresses and family members - with the Government to be eligible for government funding.
The review found the incident was the result of human error. One provider was mistakenly been given access to another provider's "library" of information. In removing that access, the ministry accidentally removed its own access as well. The attempt to restore it by a Datacom consultant resulted in all providers being given permission to access that folder.
However, the review was also critical of the wider set-up of the programme and the Ministry of Social Development's management of it, including a failure to consider security and privacy issues early and fully.
The review found because the ministry was using a pre-existing system as an interim measure for the data gathering while a permanent IT system was worked on, it had not undertaken the usual checks and testing in setting up a new system.
It had also come at a time of significant change, including the change from Child, Youth and Family to the Ministry for Vulnerable Children and the review said many staff were doing dual roles - working on the data sharing strategy as well as their usual everyday duties. That meant there was an unclear governance structure. (edited)
"This posed some additional pressure and lack of clarity on the scope of responsibilities for some of these roles."
Brendan Boyle, chief executive of the Ministry of Social Development, said while the review confirmed there was no privacy breach of personal data, "it is concerning that there was potential for this to occur".
He confirmed he had started an employment investigation - but also pointed to the tight time frames the ministry was working under to get the Government's programme up and running.
He also noted comments about privacy assessments and the failure to fully test the system. "While the timeframes for delivering this project were tight, more focus was needed in these critical project areas."
Social Development Minister Anne Tolley said she was "extremely disappointed" at the number of concerns the review had highlighted with MSD's management.
"There was a lack of appropriate checks and testing to confirm the system's readiness. Privacy considerations and security risks were not properly identified and mitigated in a timely manner."
She said some of those risks could have been avoided if the team charged with the project had sought help from the wider ministry and other agencies. "I understand that an employment investigation by the chief executive is now being undertaken as a result of the review."
She said the ministry should have overseen the project better given previous IT issues within the ministry. That included a breach in which a member of the public had been able to access others' personal information using the Ministry's public computer "booths".
At the time of the breach Tolley said she was "furious".
The information sharing strategy was a key part of the Government's "social investment" approach, which aims to target support where it is most needed - but was controversial. The policy requiring organisations to hand over sometimes sensitive personal details was criticised as "excessive and unnecessary" by Privacy Commissioner John Edwards, who said it could deter people from seeking help. Groups such as Rape Crisis and Budget Services had also criticised it.