MSD privacy blunder 'raised more questions than answers'

An "extremely disappointing" report into a recent MSD data breach has revealed more questions than answers according to Social Development Minister Anne Tolley.

A technical problem last Tuesday saw one social service provider being able to view another provider's folder in an IT portal, part of MSD's new individual client level data system.

The portal system was shut down once the breach was discovered, and luckily no private information was available as the folder was empty at the time.

"I have now received a briefing from MSD on what led to last week's technical issue with the portal," Ms Tolley said on Tuesday.

"It's extremely disappointing that the report appears to raise more questions than answers on the security of the IT system and the governance of the project."

The minister has announced that an independent review into MSD's individual client level data IT system will be led by former Deloitte NZ consultant Murray Jack, and supported by two IT and privacy specialists from the private sector.

The review will be due back at the end of April and will look into the circumstances that led to the technical error, the decisions made about why the portal was used and security measures taken.

 It will also look into the governance and management of the project.

MSD say the purpose of the data collection is to understand who is using the programmes and services they fund, and what impact they are having.

However the individual client level data system is controversial, a number of privacy concerns have been raised by social service providers as well as the privacy commissioner.

At a protest outside Parliament in March, social service providers including Women's Refuge voiced their opposition to the new system, fearing it would turn vulnerable people away from accessing services.

The Privacy Commissioner said the new system could deter individuals from seeking help or put them at further risk, and that there was a lack of clear purpose for collecting individual client information.

So far, only 10 providers of 136 have uploaded their client level data into the Government shared portal.

Individual client level data includes clients' demographic information, information about their dependants and detail about the services they're accessing.