Office of the Privacy Commissioner | MSD fraud investigations “intrusive, excessive and inconsistent with legal requirements” - Privacy Commissioner
An Office of the Privacy Commissioner (OPC) inquiry has found the Ministry of Social Development (MSD) systematically misused its investigatory powers while pursuing benefit fraud, unjustifiably intruding on the privacy of many beneficiaries.
The inquiry found MSD’s exercise of its information gathering powers to be inconsistent with legal requirements under the Social Security Act 1964 and the Privacy Act 1993. This failure has resulted in infringements of individual privacy, particularly in relation to the collection of information from third parties.
In the course of its inquiry, OPC interviewed beneficiaries and reviewed fraud investigation files provided by MSD. As a result, it saw cases where individual privacy was infringed. Examples included:
- Failing to ask beneficiary clients for information before seeking it from a third party leading to inaccurate assessments of the information;
- Overly broad requests leading to the provision of unnecessary and sensitive information (in one case a woman’s birthing records);
- Disproportionate and inappropriate requests for information (in some cases, every text message sent and received by an individual over lengthy periods);
Mr Edwards says the inquiry reviewed MSD files that contained text messages between parties in a relationship, sometimes of a sexual, familial or otherwise intimate nature.
“In one instance, a beneficiary described to us how MSD obtained, from a telecommunications company, an intimate picture shared by that individual with a sexual partner. The photograph was then produced at an interview by MSD investigators seeking an explanation for it.”
MSD has powers under the section 11 of the Social Security Act (as regulated by a Code of Conduct) to collect “any information” about a person on a benefit in order to assess their entitlements – including retrospectively, as in the case with fraud investigations.
As well as the Privacy Act, MSD’s Code of Conduct required MSD to first seek information from a beneficiary client directly before seeking it from a third party, unless to so would prejudice the maintenance of the law.
A change in practice
But in 2012, MSD advised its fraud investigation staff they could bypass the requirement to seek information directly from a beneficiary and instead go direct to third parties. MSD believed that an amendment to the Code enabled this.
The 2012 practice change resulted in MSD using its powers to collect large amounts of highly sensitive information about beneficiaries from third parties without approaching beneficiaries first. The information collected included text messages, domestic violence and other Police records, banking information and billing records from a range of providers.
MSD investigates thousands of fraud allegations a year. Of these, a large proportion result in no formal finding of fraud.
Mr Edwards said since 2012, MSD’s failure to first ask beneficiaries for information before approaching third parties has likely affected thousands of beneficiaries.
“Due to poor record keeping practices and inconsistencies between fraud teams, we have been unable to establish whether the Ministry has been bypassing beneficiaries in all fraud investigations or only those categorised as ‘high risk’. It is disappointing that MSD does not keep accurate records of when and how many section 11 notices are issued by its staff.”
Mr Edwards also noted MSD is required to review the Code every three years but had not done so since 2012.
Recommendations
The report makes five recommendations including that MSD immediately cease its blanket application of the ‘prejudice to the maintenance of the law’ exception when issuing section 11/schedule 6 notices.
It also recommends MSD undertake a comprehensive review of the Code and to develop training material and guidance for all its fraud investigation teams.
View the Privacy Commissioner's Inquiry into the Ministry of Social Development’s Exercise of Section 11 (Social Security Act 1964) and Compliance with the Code of Conduct report
Note to editors
The Privacy Act 1993 enables agencies to collect, use and disclose information that is necessary and proportionate to their lawful requirements. The Act provides that, in general, information should be collected from an individual directly.
Section 11 of the Social Security Act 1964 provides a mechanism by which the MSD can compel information from persons other than the individual. Before exercising this power, however, MSD is required in the first instance to seek the information required from the individual directly, unless there are reasonable grounds to believe that this would ‘prejudice the maintenance of the law’.
Contact: Charles Mabbett 021 509 735.