Prime Minister and Privacy Commissioner offer conflicting views over seriousness of public service breaches.

A report on the security of public sector IT systems, which was withheld by the Government for months, discovered a dozen "weak points" which put New Zealanders' private data at risk.

However, further weaknesses are likely to be discovered as departments scramble to ensure their systems are secure, Government Chief Information Officer Colin MacDonald, who carried out the review, warned yesterday.

The review of publicly accessible state sector agency IT systems was completed in December but only released yesterday. It was initiated in October in response to revelations that private data could be obtained via the Ministry of Social Development's public computer kiosks.

Mr MacDonald, who is also chief executive of the Department of Internal Affairs, confirmed that weak points had been found in 12 of the 70 departments reviewed.


"Action has been taken and the systems are now secure," he said.

"There is no evidence any of these weak points led to a breach of privacy or information security."

One of those was at privately-run Mt Eden prison, where inmates were temporarily able to access the internet late last year. "No email, social media or adult sites were accessed," Scott McNairn of prison operator Serco told the Herald.

Prisoners had "limited" internet access for about 12 hours but that was "policed by a web filter which blocked access to inappropriate sites".

Other departments where weaknesses were identified included the Ministry of Social Development again, and the Ministry of Justice.

However, Mr MacDonald acknowledged the "desk-based" review of documentation around IT security probably didn't detect all weak points.

"All agencies are now obliged to do a complete risk review of their publicly available systems ... Until those agencies do the detailed risk assessment ... in the next few months, there could still be further vulnerabilities."

Prime Minister John Key has downplayed the seriousness of recent privacy breaches, including the EQC email blunder this year, saying they didn't indicate "systemic" problems with private data handling by government departments but Privacy Commissioner Marie Shroff yesterday offered a conflicting view.


It was "a wake-up call to the government sector" she said. "It reveals systemic weaknesses in the way privacy and security have been managed." She welcomed Mr MacDonald's recommendations, particularly that information security issues were overseen at senior management level, rather than leaving that work to IT staff and contractors.

Labour Leader David Shearer said Mr Key had sat on Mr MacDonald's "damning review", while downplaying the seriousness of privacy breaches.

He said Mr Key received the report late last year but three months later, "flatly denied there was a systemic failure across government, arguing that privacy breaches were inevitable and that 'from time to time people make mistakes'.

"That's deliberately misleading. He had the information and he chose to tell the House and New Zealanders whose private information is held by these agencies the opposite of what he knew to be true."

Failed report card

• Government Chief Information Officer Colin MacDonald and KPMG reviewed 215 public-facing IT systems across 70 government departments and found:

• 12 departments had "weak points" or specific vulnerabilities

• 73 per cent of agencies didn't have formal information security risk management processes

• 67 per cent of systems had not undergone a security assessment

• 82 per cent of systems did not have detailed security design documentation