State secrets - who guards our privacy?

UNDER GUARD? The possibility of another large-scale privacy breach is very real - just a few mouse clicks away.
UNDER GUARD? The possibility of another large-scale privacy breach is very real - just a few mouse clicks away.

In a downtown Wellington hotel this week, the suits huddled together and discussed your private information over cucumber sandwiches and tea.

Between them, they are responsible for a lot of it - when you were born, what medication you take, how much you earn, whether you have ever been arrested.

As the rise of the egovernment system continues, and departments rely on electronic records rather than documents and filing cabinets, data-sharing has become more and more commonplace.

But lately, government departments entrusted with citizens' most sensitive and private information have been sharing too much.

The litany of privacy breaches reads like an alphabet soup of agency acronyms: ACC, MSD, EQC, IRD.

Collectively these departments have breached the privacy of more than 100,000 New Zealanders in less than two years.

The actual number of breaches - many of which go unreported - could be far higher.

The breaches we do know about have included the release of highly sensitive details about children and sexual abuse victims. In some cases, they have left people at risk of identity theft.

At the Accident Compensation Corporation, an email blunder disclosed the personal details of more than 6500 people and eventually led to the resignation of a minister, a chief executive and four board members.

The Ministry of Social Development should have seen a breach at its Work and Income kiosks coming; it was warned they were vulnerable more than a year earlier. Instead, the ministry did nothing and the privacy of thousands of clients was compromised.

In March, the Earthquake Commission accidently emailed out insurance details of 83,000 people, roughly the population of Palmerston North, to one if its biggest critics. The commission is still trying to get the information back.

So when did government departments become so cavalier with our private information?

Privacy Commissioner Marie Shroff looks down her glasses at the 250 members of the audience, peppered with bankers, lawyers and consultants. On Wednesday morning this week, they gathered at the Intercontinental Hotel in downtown Wellington to attend the Data Safety Workshop: Preventing and managing privacy breaches.

They are here to learn one thing: how to avoid the next big breach.

What is at stake, Ms Shroff tells them, is the public's trust in government - a trust badly bruised by the careless handling of private information.

"I don't want you to be a bunch of silly coots," she says. "I want you to be a bunch of clever bastards."

The line gets a laugh but Ms Shroff is serious.

Days earlier she told The Dominion Post that privacy breaches are nothing new, they are as old as privacy itself.

What has changed is the scale.

Twenty years ago, a public servant would need a forklift to smuggle tens of thousands of personal files out of the office.

Today, those same files could go walkabouts on a data stick the size of a fingernail or be sent halfway across the world with the click of a mouse.

"We are not just talking about someone peering into a filing cabinet now. You have the potential for people to peer into hundreds of thousands of records. The risks have risen exponentially."

And as the public's interactions with the state continue to shift online this risk will rise.

The challenge is not uniquely New Zealand. Many countries are going, or have been, through it. In 2007, Britain's Revenue and Customs lost the child benefit records of 25 million citizens.

Malcolm Crompton, the former Australian privacy commissioner who led the review last year into's ACC email blunder, says 100 million people in the United States have their privacy breached a year.

"So let's assume New Zealand is twice as good as the US. You are still losing data at the rate of one-sixth of the population annually."

In this country most of our big privacy breaches have been made by mistakes and the Government has been quick to blame "human error".

After the EQC email debacle, Prime Minister John Key told Parliament there was no widespread failure problem with the government's handling of our information.

"In a modern world of technology people will make mistakes," he said.

The breaches at ACC and EQC were essentially email mix-ups. And who hasn't sent an email to the wrong person?

But it would appear public servants are particularly error-prone.

Banks and insurers also handle vast amounts of private information but so far they haven't emailed out the account details of 83,000 customers.

Some public servants have hinted the private sector are just better at hiding their mistakes but Ms Shroff says big businesses do have a better grasp on privacy than their government counterparts.

For banks and insurers, security is essential to making money.

A simple typo can have massive consequences - Westpac fired the teller whose "keying error" turned a $100,000 overdraft into a $10 million deposit in the runaway millionaire case.

Most of our banks don't even use emails to interact with their customers.

But the state doesn't face the same pressure.

New Zealanders can't shop around for another ACC. Citizens are compelled to provide vast amounts of information to the state with little control over how it is used.

By compelling the provision of this information, Ms Shroff says public servants have a stricter obligation to hand this information respectfully.

Following the debacle at ACC, she asked for the records of all of the corporation's privacy breaches. It didn't have any.

"They didn't even know how well or badly they were doing," Ms Shroff says.

When The Dominion Post recently asked the Ministry of Social Development for a record of its privacy breaches over the past five years, the ministry conceded that the information did not exist.

"Privacy breaches are not centrally collated," the ministry explained.

With upper management in the public sector asleep at the wheel, Ms Shroff says a big crash was only a matter of time.

"Managers have almost been blind to the critical nature of information. It's like a fish swimming in a fishbowl and the fish doesn't even know it's in water."

So our public servants should have done more, but what about the politicians?

After all, the Government has been pushing hard for a cheaper, faster, more open public service, including sharing information more freely. Has privacy been the victim?

Ms Shroff doesn't think so. The prime minister's "mistakes happen" line isn't quite right as clearly more can be done to avoid them. But privacy is a management problem, not a political one, she says.

"It's not the prime minister' job to be particularly focused on that. It is the job of public service managers and I think they have failed."

Privacy consultant Ernie Newman disagrees. He says there is a tension between information sharing and privacy - and the Government has made it clear the former is more important.

"I don't think the politicians can duck for cover on this. There needs to be a very strong statement across the bow that this will not be tolerated."

Paul Matthews, chief executive at the Institute of IT Professionals NZ, says the scary thing about the breaches was what they revealed about how our information is handled.

EQC not only stored information about 83,000 claimants in one spreadsheet, but the document was widely available within the organisation.

"People should only be able to access the information they need."

ACC claimant Bronwyn Pullar was thrust into the centre of one of New Zealand's biggest privacy scandals last year after she was accidentally emailed a list of 6500 claimants, including rape and sexual abuse victims.

How the breach was handled and what it revealed about ACC has become the template for what not to do with private information in New Zealand.

Ms Pullar says the fact that such a list even existed, and was being freely circulated within ACC, was deeply concerning.

"These people have so much information about you and they can just email it here, there and everywhere. It is very disturbing."

She says there appears to be a disconnect, particularly in big government departments, between information and the people behind it.

"They should be protecting it like it's their own rather than treating it like just another number."

So if the state can't be completely trusted to keep our secrets safe, the next question is do we care?

Some would argue privacy is already dead or dying. Millions of people already voluntarily share their lives online anyway, despite knowing data companies will mine it mercilessly and sell it to the highest bidder. Has the privacy horse already bolted?

Colin MacDonald, the government's chief information officer, was the keynote speaker at Wednesday's data safety workshop.

He threw the 'has the horse bolted?' question out to conference attendees.

"The main issue is public trust and confidence. As government agencies, we must be able to keep people's private information private."

And Kiwis do care.

A survey conducted for the Privacy Commissioner in March last year found 67 per cent of people were concerned about the protection of their personal information.

Complaints to the commissioner have been rising since 2007, with a record 1142 lodged last year. The biggest culprits are all state agencies.

More broadly, Mr Crompton warns sloppy information handling could leave New Zealand vulnerable to attack.

So far our breaches have mostly been silly mistakes but a cyber attack, either from organised criminals or other nations, is a real risk and could be far more damaging.

"There is now an opportunity to get it right before you really are in the spotlight."

Back at the hotel, Mr MacDonald lounges in a green armchair in a quiet corner.

His job has got a lot more complicated recently. After the MSD breach, he was asked to review the security of all systems governing the state's interaction with the public.

The review will be released in the next few weeks and will uncover plenty of areas for improvement, particularly around oversight.

"We do have to improve and we are improving."

The Ministry of Justice will also report back to its minister, Judith Collins, in the next two months on the Law Commission's recommendation to increase privacy protection.

This could eventually lead to more powers for the privacy commissioner and even a legal obligation for serious breaches to be disclosed. New Zealand is one of the few western countries that does not already require this.

So the public servants are scrambling, but are there still more big public sector privacy breaches to come?

Ms Shroff openly laughs at the question.

"I don't think it's a question of if, it's a question of when."

This doesn't mean we shouldn't trust the government necessarily. The majority of the time in the majority of cases, the government doesn't lose our information.

"I don't want to destroy the public trust in government because generally speaking its seems that government systems do work properly.

"The way the systems are designed at the moment, there's a vulnerability, and these need to be urgently dealt with, and until these are urgently dealt with there could continue to be leaks."

Mr MacDonald approaches the question differently. The public may want the state to look after their information, but they also want it more accessible in more places. "Citizen expectations are high on government providing online services, inevitably that means there are risks."

While Mr MacDonald sits in a quiet corner, public servants are telling their privacy "war stories" in the conference room.

Some are pretty trivial, a few failed job interviewees mistakenly disclosed to an opposition politician. Others are big, the 25 million British citizens whose information it still out there somewhere.

There is lot of talk about data loss, critical information and minimising risk.

Nobody wants to see another big privacy breach. Then again, nobody is saying there won't be.

Mr Crompton says that's not a promise anyone can keep and New Zealand is only just beginning to gets its house in order.

"They will always be risk, but it needs to be well managed. Is New Zealand there yet? I think we are clearly hearing 'no'."



Have you ever sent an email to the wrong person?

Even if you're not handling thousands of people's personal information it can be embarrassing. Most government department privacy breaches have been human error - an employee sending information to the wrong recipient. There are some simple technical solutions to avoid email faux pas.

Most email programmes remember previous addresses you have emailed and as you begin to type the addressee's name it will suggest previous recipients. By turning off this "auto-complete" function you have to manually type the recipient's details in full.

Regularly prune the "suggested contacts" list that pops up when you start typing an address.

Set a 10-minute delay for sending/receiving emails. This gives you a small window to realise you have emailed the wrong person and fix it.

Resist using "reply all".

Your work emails should be run through a system that can block spreadsheets from being sent as attachments.

If you are handling sensitive information you should use data loss prevention software. These programmes, such as those provided by Microsoft and Symantec, can block unauthorised access or transferring of digital information and help track down a leak if it does occur.

Consider encrypting sensitive files before they leave the organisation and sending the password in a separate email.

The Dominion Post