MSD deputy quits after botch-up with client data security, despite having 'no direct involvement'
A senior civil servant has quit after a privacy botch-up at the Ministry of Social Development – but a union says others are also responsible for the bungle.
Murray Edridge, a deputy chief executive at the ministry, will step aside, even though his boss, Brendan Boyle, said Edridge had "no direct involvement" in the client data controversy.
The ministry's poor handling of issues around the handling of sensitive and personal data in late March and early April triggered an independent inquiry.
The Public Service Association (PSA) said Edridge had taken the blame for security and privacy issues arising from client data collection.
* Data-sharing blunder by ministry of social development to be probed
* Stacey Kirk: Government's personal data collection drive a political dead horse
* Privacy Commissioner has slammed Social Development data collection plans as too intrusive
But responsibility went "wider than Mr Edridge and his colleagues", PSA national secretary Glenn Barclay said.
Former Deloitte consultant Murray Jack, who led the investigation, made it clear the ministry was asked to implement policy in an unworkable timeframe, and the security issues were a direct consequence of that, Barclay said.
"At a time of major organisational change, putting pressure on agencies to implement complex IT projects is unfair and unwise.
"We are very concerned about the pressure the Government can bring to bear on ministries when their pet policies are at stake."
Boyle said on Friday that Edridge would quit after a report into the actions of the ministry's community investment business group.
"Murray has advised me that he will take responsibility for the actions of his team at the time, despite having no direct involvement in those actions," Boyle said.
"In taking this course of action, I commend Murray for demonstrating the integrity and leadership that we have come to know him for."
Edridge had spent five years in senior leadership at the Ministry of Social Development (MSD). He was previously chief executive at Barnardos New Zealand.
Social Development Minister Anne Tolley announced details of the independent review into MSD's individual client level data system last month.
Client level data included beneficiaries' demographic information and vital statistics, such as client addresses, details of their dependants and details of MSD programmes clients were enrolled in.
No privacy breach occurred in the IT botch-up, but the review found the IT system gave organisations access to other groups' folders, with the potential to reveal vulnerable clients' personal data.
The botch-up infuriated Tolley, being revealed as she promoted policies forcing non-governmental organisations (NGOs) to hand over personalised client data if they wanted Government funding.
The independent review found MSD revoked its own access to the IT system, but a reinstatement led to even wider access being granted to prohibited parties.
And MSD had to shut down an information-sharing portal after a privacy flaw let officials from one non-government organisation view a folder that could have contained client data.
Earlier this week, Tolley welcomed the review, saying it was "vital clients and providers have confidence that their information is appropriately protected".
On Tuesday, Boyle said the investigation confirmed the ability of other organisations to see one uploaded folder stemmed from human error, relating to the incorrect granting of access permissions.
He said the investigation confirmed MSD did the right thing in shutting down access to the shared workspace once the error was identified.
"While we are satisfied that no breach of privacy occurred, it is concerning that there was the potential for this to occur."