Office of the Privacy Commissioner | Media Release: Hard hitting report shows MSD breached client trust
2 November 2012
'Government agencies must treat people's information with the highest standards of respect,' says Privacy Commissioner, Marie Shroff. 'But this hard-hitting report - especially since it follows hard on the heels of the ACC report - shows just how far some of our major agencies have to go before we can be confident our information is protected.
'Basic IT security safeguards to protect personal information were missing, from the time the kiosk' system was built. And it's unfathomable that the Ministry did not address Dimension Data's revelations that sensitive personal information was exposed on network shares. The decision about how to handle such a serious problem should have been made at the highest levels of the business. This raises questions about the wider culture of handling information within MSD.
'Looking at IT security is only one part of the picture. Recent privacy breaches make it plain that a complete mind-shift is needed in some quarters. There's been far too little focus on the fact that there are real people behind the information that government agencies hold. Those agencies need to develop and embed strong leadership, governance structures, policies and practices to manage personal information at every level of the organisation.
'We often don't have a choice about handing our personal information over to government agencies. The least we can expect is responsible stewardship of that information.
'The problems with the MSD kiosks are now evident. Whether there have been wider failures of leadership, policies and strategy about how personal information is handled within the Ministry is still to be seen. However, I expect the next stage of this review to ask some penetrating questions.
'I welcome the MSD Chief Executive's acceptance that the Ministry's performance was inadequate here, and his commitment to examine the Ministry's systems and culture in the second phase of the review.'
ENDS
Deloitte's report
Note to editors
The Privacy Commissioner has formally opened an own-motion investigation into the MSD incident but will wait until phase two of the Deloittes inquiry has been completed before deciding what else might need to be considered or done.
For further information contact Cathy Henry on 021 509 735