Report reiterates slack attitudes to security

Labour Party

Thursday 6 December 2012, 2:16PM

By Labour Party


A second report into IT breaches within the Ministry of Social Development once again highlights the lax attitude to the handling of supposedly secure personal information, Labour’s Social Development spokesperson Jacinda Ardern says.

“Deloitte’s independent review of information systems security will be cold comfort for clients who may have had their privacy breached.

“The report found that of three issues that led to the kiosk disaster, one in particular – that when problems were found they weren’t escalated or addressed – is evident across the entire Ministry.

“So this isn’t just about the self-service kiosks (which were accessed 1.2 million times between December 2010 and October 2012) but about the entire department’s approach to privacy and the security of information.

“We have no way of knowing exactly how many breaches have even occurred. When Paula Bennett was asked recently how many people were ‘affected’ by breaches of privacy she pointed to the Privacy Commissioner’s annual report. MSD even admitted that ‘privacy issues that have been identified during 2011/12 [are] not collated centrally’.

“For the report, then, to claim that there is no cultural or systemic issue around the security of information is surprising, not least for the people who have had their privacy breached and not just through the kiosk debacle.

“Deloitte’s reached this conclusion not by looking at complaints, but instead by surveying just 105 staff members out of a total 9500. That is hardly comprehensive, yet from that the report concludes the Ministry has ‘a strong culture that clearly understands the importance of privacy and security’.

“The facts speak for themselves. Security issues were not addressed, adequate data hadn’t been collected and policies and procedures were ‘often informal or [lacked] specificity’.

“Paula Bennett needs to get on top of her portfolio, stop referring to problems within her department as operational matters, and she needs to take responsibility for the failures that have played out under her watch.”