MSD privacy breach report raises more questions than answers: Anne Tolley

Social Development Minister Anne Tolley announced details for an independent review at the ministry. Photo/Stuart Whitaker

A report on a privacy breach appears to raise more questions than answers and that is extremely disappointing, Social Development Minister Anne Tolley says.

Tolley today announced details of an independent review into the Ministry for Social Development's (MSD) individual client level data IT system, after the minister received a briefing from the ministry into last week's breach.

"It's extremely disappointing that the report appears to raise more questions than answers on the security of the IT system and the governance of the project," Tolley said.

Murray Jack, a former consultant with Deloitte NZ, will lead the independent review, and will be supported by IT and privacy specialists. The review is due to report back by the end of the month.

Tolley revealed on April 5 the information-sharing system at the MSD had been shut down after one provider was found to be able to view information in another provider's folder.

It was lucky that a no sensitive details were in the folder, Tolley said, adding such incidents damaged public trust. But at the time she rejected any suggestion that MSD was not trustworthy with personal data.

The breach is deeply embarrassing as it comes at a time when the Government is trying to persuade non-government organisations (NGOs) to share detailed, sensitive information about their clients.

It also gives fresh ammunition for Opposition parties to attack National's much-vaunted social investment approach, which depends on greater information-sharing among agencies.

Last week the Privacy Commissioner, John Edwards, released a highly critical report about the Government's policy of requiring community groups to give up data about their clients if they wanted state funding.

The policy was "excessive" and breached privacy rules, the report concluded.

Edwards said there was a risk that the new funding arrangement between MSD and NGOs could deter some people who were in need of support.

The new MSD contracts investigated by Edwards would make the provision of personal, detailed client data a condition of Government funding. Community groups cannot opt out of the arrangement.