The Privacy Commissioner has criticised the Ministry of Social Development’s approach to security, saying leadership needs to come from the top down in order for things to change.
The Social Development Ministry is replacing its public kiosks in Work and Income offices with a new system, after a major security breach was identified in October.
Privacy Commissioner Marie Shroff said today that privacy and security should be structured in from the start and leadership “from the top” was needed to ensure that different parts of the ministry were working together.
“Information systems have moved on and are powerful and sophisticated.
‘‘Senior managers must recognise that the way we manage those systems now needs to evolve too,” Shroff said.
A new report into the security breach, which gave the public access to sensitive welfare case notes, found that one of the three main causes of the breach existed across the ministry.
The Phase 2 report, by consultants Deloitte, found that there was no explicit requirement for all risks to be "escalated" to management by staff further down the chain.
"Consequently, this led to this primary cause being evident across the ministry," the report said.
While the review also made the point that the ministry was under pressure to provide faster and more efficient services, Shroff said New Zealand needed a public service management which was focused on respect for people and their private information.
“It’s easy to forget that the ‘data’ relates to real people – and that failing to look after that data can cause harm to those people,” Shroff said.
The ministry had recently taken steps to ensure that those overseeing projects receive full registers of the risk, which together with heightened awareness of information security was expected to lessen the risk.
Chief executive Brendan Boyle said today that the ministry was talking to a supplier about installing new "client self-service workstations that will be completely separate from the Ministry's own IT systems and will replace the kiosks closed in October".
They would only go online once the ministry was satisfied that they were as secure as possible.
The report found the two other causes of the breach, disclosed by blogger Keith Ng after a tip-off, did not exist across the ministry.
Those were the failure to adequately design security into the public kiosks and the failure to follow up on a "penetration test" that had highlighted problems with security at the kiosks.
However, Deloitte said security risks and security related activities need to be strengthened to give leadership a high degree of confidence that these factors would not emerge elsewhere in the ministry. Ministry head Brendan Boyle welcomed the report.
"While there are matters that need to be addressed, I am reassured that the Phase 2 Report has found those issues are not widespread across the Ministry.
‘‘From the scope of the work Deloitte did, there was also no evidence found to suggest that there were other breaches of the Ministry's IT systems."
He said he had made it clear to his leadership team that the ministry was responsible for ensuring recommended improvements occur "and that the protection of client information is at the forefront of all decision-making".
A new role of chief information security officer would be created.
Boyle said of all the items downloaded during the October security breach, invoices relating to 10 individuals contained highly sensitive information.
"The ministry had spoken with all these individuals or people acting on their behalf (some are children) and is continuing to work with them to address their concerns."
It had also been contacted by about 100 people concerned that their information may have been accessed.
An employment investigation into four people, as a result of the security breach, was not yet complete.
Findings from the Phase 2 report would be used as part of this investigation.
The two reports into the security breach have cost $450,000.
"This is a significant sum, but we had to ensure we understood what had occurred and were in a position to take every possible step to prevent it happening again.
"New Zealanders we work with must have confidence we will keep their information secure," Boyle said.
What do you think of claims Kiwis have been misled about mass surveillance?Related story: US spy base in NZ?