Public Service Commissioner Sir Brian Roche today released the findings of an inquiry into the protection of personal information.

The inquiry looked at how government agencies protected personal information provided for the 2023 Census and COVID 19 vaccination purposes. The purpose was to establish the facts and provide an independent assessment of government agency activity in relation to allegations that personal data may have been misused during the 2023 General Election.

The inquiry was led by Michael Heron, KC, and Pania Gray.

Findings related to the Census:

• Stats NZ (Stats) contracted Te Pou Matakana (also known as the Whānau Ora Commissioning Agency) to assist with a last-ditch attempt to collect Census returns for a further 10,000 households, aiming to get 50,000 additional individual forms completed by Māori. The work was aimed at people Stats had been unable to reach. On that score, the Census was a success, collecting an extra 40,000 Census forms from Māori.
• However, Stats’ safeguards to protect personal information were insufficient, creating a risk the personal information provided to or collected by the third parties on behalf of Stats could be used for an improper purpose.
• Early in its engagement with Te Pou Matakana, concerns about the process were raised within Stats. Risks of conflicts, privacy breaches and poor process were identified and not dealt with.
• The usual processes and safeguards that Stats implemented for Census activity were not done. The high trust model was inappropriate in the circumstances. Fundamental confidentiality protections (such as the use of Certificates of Confidentiality) were not put in place.
• Complaints were made about the processes followed by Te Pou Matakana, Manurewa Marae and Waipareira Trust. Stats staff raised serious concerns, but these were not acknowledged or adequately dealt with.
• Stats failed to implement the safeguards in the contract for services, allowing the potential for Census data to be mishandled.

Findings related to COVID 19 vaccinations:

• The Ministry of Health and Health NZ had no safeguards in place for addressing the possibility of conflicts of interest arising from the sharing of personal health information with the relevant service providers.
• The Ministry of Health and Health NZ did not assure themselves that the relevant service providers were meeting contractual expectations. And there were no controls over files once they were downloaded by the providers’ authorised staff.

“The report makes for very sobering reading,” said Sir Brian.

“It raises a number of issues that go to the core of the confidence and trust required to maintain the integrity and sanctity of information entrusted to government agencies.

“The system has failed and that isn’t acceptable – and it must be, and will be, remedied.”

As a result of the inquiry’s findings, the Government Statistician and Chief Executive Stats NZ, Mark Sowden, has decided to not seek re-appointment. His contract as acting chief executive ends on 30 March.

“I think it is the right thing to do in the circumstances and I respect Mr Sowden for what would have been a tough decision,” said Sir Brian.

“His decision to step down reflects the standard of accountability expected of public service chief executives.”

As a result of the inquiry findings, the Commissioner has asked Stats, the Ministry of Health, Health NZ and Te Puni Kōkiri to temporarily suspend entering into new contracts, renewals and/or extensions of contracts with the three third-party service providers named in the report, until those agencies can satisfy the Commissioner that their contracts are fit for purpose and adequately deal with information sharing and conflict of interest obligations.

All current contracts will be honoured to ensure services continue to be delivered as normal. The suspension only applies to contracts that are new or being renewed or extended with Te Pou Matakana, Waipareira Trust, and Manurewa Marae. It doesn’t apply to any subsidiaries or related parties.

Work on a new information sharing standard is underway. Agencies will be directed to implement the standard by 1 July.

The Commission’s Conflicts of Interest Model Standards have also been reviewed and updated.

This means all third-party entities who enter into contracts or information sharing agreements with core public service agencies will need to meet obligations around conflicts of interest and sharing of personal information.

Other actions underway include:

• updated guidance and template for information sharing agreements.
• strengthening public service procurement practices.
• directing agencies in the frame of the inquiry to immediately fix gaps in their processes and practices to avoid this situation happening again.
• strengthening accountability settings for all public service agencies when contracting and data sharing with third-party service providers.
• asking the Ministry of Justice to consider if changes are needed to electoral law regarding financial incentives to switch electoral rolls.

“The New Zealand taxpayer expects that their information is handled with the utmost care and respect and that contracts are managed properly,” said Sir Brian.

“They also expect government agencies will protect and manage their personal information, and that didn’t happen here. It is critical New Zealanders can trust that their personal information is secure and will not be exploited.”

The inquiry also identified a number of important matters it was unable to consider under the scope of the inquiry. These have been referred to other authorities for investigation:

• The inquiry found Health NZ, the Ministry of Health and Stats were unable to assure themselves that the relevant service providers were meeting the privacy protections set out in the data/information sharing agreements. This matter has been referred to the Office of the Privacy Commissioner.
• An absence of controls for agencies to ensure the storage, use and disposal of data after transmission through secure systems to service providers was also found. This matter has been referred to the Office of the Privacy Commissioner.
• The inquiry heard an allegation that Manurewa Marae collected personal information for its own purposes, from people receiving their COVID 19 vaccination. This matter has been referred to the Office of the Privacy Commissioner.
• It was also alleged Manurewa Marae collected personal information for a Te Pāti Māori text message campaign, at the point of vaccination, in the weeks leading up to the General Election. This matter has been referred to the Office of the Privacy Commissioner.
• An allegation that personal information collected at Manurewa Marae for the Census was entered into a database owned by Waipareira Trust. This has been referred to the Office of the Privacy Commissioner.
• The inquiry found that the compulsory collection of personal information for the Census, when combined with a campaign, using incentives, to switch to the Māori roll (but not promoting a switch to the general roll), and the potential later use of the information, needs to be considered. Aspects of this matter are the subject of an ongoing investigation by New Zealand Police. The Commissioner has also written to the Ministry of Justice and asked the agency to consider, with the Electoral Commission, the issue of using incentives to encourage voters to switch rolls.

“These are serious allegations that go to the integrity of our democratic process,” Sir Brian said.

“The inquiry found some agencies fell short on their responsibility to protect and manage the sharing of personal information, which is unacceptable.

“While we don’t know if personal information was improperly used, the gate was left open. It will be for other authorities, with the appropriate regulatory and investigative tools, to determine whether personal data was misused.”

The inquiry report is available on the Public Service Commission website. Further information can be found here: https://www.publicservice.govt.nz/publications/inquiry-into-the-protection-of-personal-information

© Scoop Media