An employment investigation is underway at the Ministry of Social Development after a review into a blunder involving client information in a controversial information-sharing programme slated the ministry for its management of that programme.
The review was into an April incident where one organisation accessed an organisation's folder on a new IT system for social services providers to share personal client data with the Government.
Although no personal information was in the accessed folder, the loophole forced the ministry to close down the portal which was a critical part of a new Government policy requiring social organisations to share individualised client information.
Information woul include what help they were getting, names, addresses and family members and whether the Government would be eligible for government funding.
The review found the incident was the result of human error.
One provider was mistakenly given access to another provider's "library" of information. In removing the access, the ministry accidentally removed its own access as well. The attempt to restore it by a Datacom consultant resulted in all providers being given permission to access that folder.
However, the review was also critical of the wider set-up of the programme and the Ministry of Social Development's management of it, including a failure to consider security and privacy issues early and fully.
The review found the ministry had not undertaken the usual checks and testing in setting up a new system because it was using a pre-existing system as an interim measure for the data gathering while a permanent IT system was worked on.
It also came at a time of significant change, including the change from Child, Youth and Family to the Ministry for Vulnerable Children.
The review said many staff were doing dual roles because of this - working on the data sharing strategy as well as their usual everyday duties, resulting in unclear governance structure.
"This posed some additional pressure and lack of clarity on the scope of responsibilities for some of these roles," the review stated.
Brendan Boyle, chief executive of the Ministry of Social Development, said while the review confirmed there was no privacy breach of personal data, "it is concerning that there was potential for this to occur".
He confirmed he had started an employment investigation but pointed to the tight time frames the ministry was working under to get the Government's programme up and running.
"While the time frames for delivering this project were tight, more focus was needed in these critical project areas."
Social Development Minister Anne Tolley said she was "extremely disappointed" at the number of concerns the review highlighted with MSD's management.
"There was a lack of appropriate checks and testing to confirm the system's readiness. Privacy considerations and security risks were not properly identified and mitigated in a timely manner."
She said some of those risks could have been avoided if the team charged with the project had sought help from the wider ministry and other agencies. "I understand that an employment investigation by the chief executive is now being undertaken as a result of the review."
She said the ministry should have overseen the project better, given previous IT issues within the ministry. That included a breach where a member of the public had been able to access others' personal information using the Ministry's public computer "booths".
At the time of the breach Ms Tolley said she was "furious".
The information sharing strategy was a key part of the Government's "social investment" approach, which aimed to target support where it was most needed however was controversial.
The policy which required organisations to hand over sometimes sensitive personal details was criticised as "excessive and unnecessary" by Privacy Commissioner John Edwards.
He said it could deter people from seeking help. Groups such as Rape Crisis and Budget Services had also criticised it.