OPINION: So four lowly ranked heads are on the block over the unforgivable security lapse at the Social Development Ministry.
As an interim step, it is a reasonable response to the "damning" Deloitte report, which found "woeful" failures at the ministry - and those are just the words of chief executive Brendan Boyle.
The legal rights of those workers - presumably middle IT management - are being handled with the required caution.
But that still begs the question of whether it is a case of "the worker wot gets the blame" while the executives escape with their salaries and bonuses intact.
That will only be answered by a second report looking into the systems and culture at the ministry. But it will be extraordinary if all the failures are left resting on the shoulders at the bottom of the pile.
Among papers released yesterday was the ministry's 2006 risk-management manual that makes clear where responsibility rests.
It is hard to see how "monthly discussions relating to risk management and mitigation" at deputy chief executive level, or a rule that all risks be "documented, rated, managed and monitored in a comprehensive manner" by general managers, allowed urgent risks picked up last year by Dimension Data to "drop off the radar".
How could the risk presented by 700 public terminals, linked to the main servers, not be the responsibility of a senior manager somewhere in the system?
Privacy Commissioner Marie Shroff found it "unfathomable" the Dimension Data revelations were not addressed at the highest level, and she expects the second report to "ask some penetrating questions".
Meanwhile the ministry is doing itself no favours in the way it is advising those affected by the leak. Sure, Keith Ng and Ira Bailey, who accessed the data, pledged it went no further.
But the ministry cannot be certain there were no other privacy breaches. It is unclear who was behind a similar one on October 4, the day before Mr Bailey reportedly accessed the system.
Yet Mr Boyle said only 10 people, with the most sensitive privacy issues, would be told out of the 1432 whose data was accessed.
It is out of kilter that an agency that allowed such a major lapse should then arbitrate on how serious it was and who should be told. Those not informed include some facing benefit fraud investigations.
Mr Boyle seemed to think a public apology would suffice.
He should ponder Ms Shroff's advice. "There's been far too little focus on the fact that there are real people behind the information that government agencies hold."
- © Fairfax NZ News