Social Development Minister Anne Tolley says she is furious about a privacy breach at her ministry and has hinted jobs could be lost as a result of the blunder.

The breach is deeply embarrassing as it comes at a time when Government is trying to persuade non-government organisations (NGOs) to share detailed, sensitive information about their clients.

It also gives fresh ammunition for Opposition parties to attack National's much-vaunted social investment approach, which depends on greater information-sharing among agencies.

"Embarrassing isn't the word," Tolley told reporters at Parliament this afternoon. "I am furious."


The matter was now "an employment issue", she said. She would not go into further detail, but said it was "pretty serious" and had been referred to the chief executive.

Tolley revealed on Wednesday that the information-sharing system at the Ministry for Social Development (MSD) had been shut down after one provider was found to be able to view information in another provider's folder.

It was lucky that a no sensitive details were in the folder, Tolley said.

Such incidents damaged public trust, she said. But she rejected any suggestion that MSD was not trustworthy with personal data.

"MSD has a lot of data about a lot of people. We had one big incident around the kiosks, which was part of trying to give people better access to their own information.

"MSD deals with a million New Zealanders on a daily basis and we don't have massive breaches of people's privacy. They should have been able to manage this."

It would take "as long as it needs to take" to get a new system up and running, she said.



Earlier today, the Privacy Commissioner released a highly critical report about the Government's policy of requiring community groups to give up data about their clients if they wanted state funding. The policy was "excessive" and breached privacy rules, the report concluded.

Commissioner John Edwards said there was a risk that the new funding arrangement between MSD and NGOs could deter some people who were in need of support.

"Not only could that put those people further at risk, and increases pressure on the NGOs, the ultimate result could be that those individuals become 'invisible' to Government and policy-makers," he said.

The new MSD contracts investigated by Edwards would make the provision of personal, detailed client data a condition of Government funding. Community groups cannot opt out of the arrangement.

The policy will be introduced in July, but Opposition parties now say it should be scrapped. It could apply to up to 4300 contracts linked to Work and Income, Family and Community Services and the Youth Development and Vulnerable Children ministries.

So far, 136 providers had been asked to share their information, and 10 had agreed to do so.


Edwards said no NGO received state funding "as of right", and it was important that Government took steps to ensure any programme it funded was effective. This required good data, he said.

"However, insufficient consideration has been given to means by which Government might achieve those legitimate aims in ways that do not involve the collection of excessive or unnecessary personal information."

The policy was inconsistent with the Privacy Act and should be amended, Edwards said.

He identified three main privacy risks: Individuals could choose not to seek help at all; to provide incorrect information to preserve their privacy; or NGOs could give people access to MSD services without providing their personal information, meaning they became "invisible" to the Government.

Edwards was also critical of MSD, saying it failed to clearly explain to NGOs what their data would be used for, who it would be disclosed to and how it could be used in future.

It had also put the policy in place prematurely without proper consideration of the privacy risks.


A possible alternative proposed by Edwards was to allow Statistics New Zealand to receive the information from NGOs, and that agency could provide anonymised analysis to the ministry.

Tolley, however, said that recommendation could not be accepted.

Anonymised data only told the ministry whether services were effective, and the Government wanted to "do much more than that", she said.

MSD needed clients' names, addresses, dates of birth, the number of children they had, and the age of their youngest child. This would help determine whether agencies were duplicating each others' work and where the gaps in services were.

Tolley said she had asked MSD whether exemptions could be made for groups which were reluctant to share their sensitive information.

She also challenged Edwards' findings, saying they were based on assumption and that there was no proof people would choose not to seek help rather than provide their personal details to MSD.



Labour's social development spokeswoman Carmel Sepuloni said the report confirmed that people most in need, clients of Women's Refuge or Rape Crisis, could be deterred from seeking support.

The findings "throw a huge spanner in the works" of the Government's flagship social investment approach, she said. Under this approach, the Government is increasingly looking to use large, detailed datasets to decide which social services should get funding.

"The Commissioner clearly states that this current data grab could not be deemed a better use of data and could instead deter those in need from seeking support and increase long term costs," Sepuloni said.

Green Party social development spokeswoman Jan Logie said the Government needed to immediately put a stop to the MSD contracts.

"With the Privacy Commissioner and community groups like Rape Crisis and Budget Services coming out against this data intrusion, the Government must realise that it will not achieve its social objectives by overriding individuals rights to privacy."