Former Deloitte consultant Murray Jack, along with IT and privacy specialists from Deloitte and PwC will lead a review into the Ministry of Social Development’s individual client level data IT systems following a privacy breach.
Social Development Minister Anne Tolley announced the review last week after a report on the privacy breach ‘raised more questions than answers’ about the security of the IT system and governance of the project.
The actions follow the April 05 shutdown of the MSD’s information sharing system after it was discovered that a provider could access information in another provider’s folder.
Tolley says no private information on clients were in the folder.
The independent review comes just over a week after Privacy Commissioner John Edwards called the MSD’s policy requiring social service providers to disclose information about all their clients ‘excessive and inconsistent with privacy principles’.
Only 10 providers have uploaded information so far into the government shared portal, despite 136 providers being invited to upload client level data.
Tolley says the review, which is due to report back by the end of April, will ‘consider the circumstances which lead to the technical breach, the decisions made on why the portal was used and the security steps taken, as well as the governance and management of the project’.
“It’s important clients and providers have confidence that their information is protected and that the Government has a robust IT system,” Tolley says.
The system has faced opposition from some, including the PSA, which says it is worried that NGOs working with vulnerable families are being asked to share data of such a sensitive nature.
The PSA, which welcomed the independent review, says even if the security issues are resolved it won’t overcome its objections to NGOs being required to provide data on their clients to MSD, with the organisation ‘not convinced the gains of doing so outweigh the risks’.