Damning report into privacy breaches

A damning report into security failures at the Ministry of Social Development finds the department failed to appropriately test its systems and underestimated the risk to privacy.

MSD Brendan Boyle says four employment investigations are underway, but won't say what role those people carry out.

He says senior managers were never given the opportunity to assess the risk, and address it.

"There seems to have been slack and sloppy internal processes in follow up. There were serious deficiencies with project information and the interpretation of risk management policies."

The privacy breach was revealed last month, with a blogger able to access the information of 7,300 items of data from a Work and Income kiosk, including the personal information of 1432 people.

Brendan Boyle says he's gutted and disappointed people were let down.

The initial report by Deloittes also found there was no discussion of security risks when the self service kiosks were tested.

Blogger Keith Ng, who uncovered the security risk, says the report is a good start.

"It's a little strange that they've put it at the heads of four people but haven't actually gone as far to say why these four people have made these decisions - all they've done is point the finger at these people."

Investigations will continue into wider issues around security and systems at the Social Development Ministry.

A second report will look at wider issues, including policies, culture and governance.

Labour MP Jacinda Adern understands Deloitte has been told the kiosk issue is just one of a wider problem around privacy systems.

She thinks when that is looked at, another damning report will be released in a month's time.

Financial compensation may be an option for just ten people whose privacy was breached as a result of the Work and Income security failure.

Brendan Boyle says in the cases of eight children and two adults it was "highly sensitive" information.

"We've been working with the privacy commissioner's office, now that we've identified those ten people, we need to go through a process to determine exactly what the nature of the contact is and how we go about resolving that."

Brendan Boyle says he's gutted about the breaches and apologises to all involved.

Paula Bennett admits there's no hiding from her ministry's privacy blunder.

She says the report is damning.

"I set high standards for the ministry, they have not lived up to them in this case, and I want to see a process followed and to be assured that it will never happen again."

But Ms Bennett says she still has confidence in the ministry's CEO Brendan Boyle.

Photo: NZ Herald