KEY FINDINGS
General
Overall, the investigation indicated that the Inland Revenue Department is a well-managed organisation. The department has a high regard for the protection of personal information within the context of its strict secrecy obligations under statute. There is no indication to suggest that the improper disclosure of personal information is endemic.
The strong and resilient culture of the department's staff, exemplified by their commitment to personal information privacy, is the cornerstone of the department's performance in the area of personal information security.
Building on this strong culture, the department has in recent years put a significant effort into its fraud-minimisation strategy and practices (which includes addressing the improper use of private information).
The main elements of the department's fraud prevention approach include a formal documented fraud-minimisation strategy, rigorous pre-employment checks (including criminal), strong code of conduct and secrecy requirements, induction, extensive information technology-based systems controls, a risk management framework, internal audit reviews and clear processes for the management of breaches.
The review did identify aspects of the approach which required modification or increased emphasis and others where there is a need to speed up the implementation of planned initiatives. These included the need to tighten up the pre-employment checks, to standardise human resource practices, and to progress the extension of the risk management framework.
Values
Management and staff are positively committed to the obligations of secrecy.
Policies
In developing human resources policy there is a high level of local customisation with respect to recruitment, sanctions, and performance management. This gives rise to variability in approach and process.
The department does have national policies or guidelines for identification routines for telephone callers, but there is a need for reinforcement of these with front line staff.
While the department has tightened its approach in the last 18 months, with fraud training and dismissal for breaches, the front line staff view is that the department does not always learn lessons from actual instances of policy breaches, or employ that learning when educating staff.
The department has a policy of vetting all new employees. However, the investigation found that a small number of new employees were not vetted or not vetted prior to appointment.
Staff, at times, have difficulty reconciling the secrecy requirements of the IRD code of conduct with the customer service values entrenched in the IRD customer charter.
The department undertakes internal audit reviews of elements of its information security procedures, but there are gaps in following up implementation.
The department needs to take a wider view of personal information security. Personal information security needs to be included in the department's risk management framework to make it comprehensive.
RECRUITMENT, SCREENING, INDUCTION, EXPECTATIONS OF BEHAVIOUR
- There are gaps in the security clearance of new recruits: 16% are not currently covered pre-employment.
- Induction programme is sound, and there is intense training for staff before they are able to access the computer system.
- Human resources policies are highly customised at the local level.
- The IRD code of conduct is well understood.
- The department is required to recruit temporary staff prior to offices being rationalised.
Recruitment, screening, induction and training
Recruitment methods differ throughout the various segments and offices within IRD. The field team observed that, while some staff heard about the job from family and friends of employees, vacancies are advertised in accordance with the State Sector Act 1988. Some offices of the department report that they are now using recruitment agencies.
Criminal justice (i.e. Wanganui Computer) and tax compliance checks are required to be undertaken for all new recruits, including shorter term agency contracted staff. Over the last calendar year, on the department's own figures, only 84% of new recruits had criminal justice checks completed. There is justification for some non-compliance, for example, when a new employee has been employed by the department previously. The department advises it is taking action to correct the compliance gap identified.
Induction practices vary from centre to centre and between business segments. Sometimes, if a number of new recruits exist, a group programme is run. At other times there is an individual programme. Supervision and mandatory demonstration of competence are required before new staff have functional access to the computer system.
Code of conduct
The code of conduct and the key privacy principles relating to the protection of personal information are well understood by the department's management and staff. Most staff interviewed had, prior to joining the IRD, been given a copy of the code of conduct and had been required to sign the secrecy declaration form. Ninety-two percent of the surveyed staff have read and understood the code of conduct.
Relevant follow-up training to assist staff to deal with personal information issues is available inconsistently. Not all offices visited provide Official Information Act and Privacy Act training, supplemented by training in dealing with difficult customers. Staff frequently referred to the discontinued 'Public Contact' training course as a good and useful course in customer management issues, and believe that the department would benefit from something similar now.
The field teams found a high level of local customisation in developing human resource policy regarding recruitment, sanctions, and performance management. This practice gives rise to variability in approach and process. This may be a result of decentralising decision-making. Some of the differences in induction can be explained because long-standing staff were employed at a time when induction processes were considerably different. However, differences in approach and process still exist between permanent and temporary staff. A strategic and integrated human resources approach to these processes would be useful to manage personal information risk.
Ethics & values
Ethical standards and behaviour were freely discussed in focus groups. Focus group members displayed a significant level of comfort and understanding for the high level of an individual's obligations as a department employee. The groups felt that the leaders in the department actively communicated the required ethical standards. The majority of staff responded that ethical behaviour in the department has remained relatively unchanged or improved, despite the ongoing changes in the department.
Mutual trust and support between staff and line management is high. The team observed a strong resilience from staff, despite the impact of restructuring and the planned closure of some offices. As with all operations, there are some areas open for improvement and these areas are recognised by staff. The team observed a high level of line management sponsorship and reinforcement of the values and expected behaviours supporting the protection of personal information. This was reflected in chief executive communication, and in the team leader practice and practical approach in the field.
COMMUNICATION AND REINFORCEMENT OF VALUES AND PROFESSIONAL BEHAVIOUR
- The department, by its nature and purpose, has a strong control framework.
- Staff perceive a tension between code of conduct and customer charter requirements.
- Staff have a high awareness of the importance of personal information protection.
- Not all staff are trained in handling 'difficult' people.
- A strong and resilient culture of protection for personal information is very evident in front line staff.
- Staff make many judgements daily regarding personal information protection and other issues.
- There are gaps in formal reinforcement on code of conduct and update on privacy law to staff.
- Personal information protection is not explicitly managed with its own 'champion', or as a public confidence issue.
Control framework
The department, by its nature and purpose, requires a strong control framework. This framework has tremendous complexity and requires technical precision. In terms of personal information protection, a large number of rules, codes, policies, manuals, standards, and other written requirements are imposed from the national office to meet the department's secrecy obligations. In the field, practicality and common sense are applied to these secrecy requirements. Management and staff are positively committed to the obligation of secrecy. The project team found a high level of strictness in field staff practice involving personal information disclosure.
Operating pressures
The level of inquiry for personal information is high. Seventy-three percent of staff surveyed had received requests for personal information that they believed were outside their authority to grant. Staff were concerned about the risk that, due to pressure of work and a reduced time for customer inquiry resolution, personal information could be disclosed in particular situations even though the secrecy requirements are well understood. The natural tendency is to fall back to the 'all information is secret' position, and in particular situations this would result in significant pressure on staff, and delay in satisfying the customer.
There are tensions between the department's statutory secrecy obligations and customers' and/or agents' (at times unrealistic) expectations and requirements. Staff occasionally have difficulty reconciling the secrecy requirements of the code of conduct and the requirement that the customer has a 'right to be believed', entrenched in the customer charter. The code emphasises non-disclosure of personal information to unauthorised people, whereas the charter says 'the customer has the right to be believed, even if sometimes we are required to check the information you give us'. This includes how many steps should be pursued for positive identification of a phone-in customer, and how much personal information should be released. Judgement calls were made to resolve these situations. Some offices also reported they were unsure as to the 'status' of the charter.
Customers expect their personal information to be treated in a confidential manner, and yet in other circumstances request (sometimes very strongly) access to particular personal information of other people.
It was not uncommon to have parents or children enquiring about family members' tax affairs. Parents often called enquiring about their children's student loans. Judgement was sometimes exercised in these and other cases. These reconciliation issues can be largely resolved by addressing the practical tensions between charter and code as part of induction and ongoing training.
Another area where judgement is commonly exercised involves information disclosure from the IRD to other government departments. While many staff said that they were unable to give any information to any department, others said they could give information to some departments providing they had authorisation.
From time to time, the department uses consultants and contractors to assist in specific tasks. For example, it recently engaged a market research firm to assist it in matters relating to child support. This is a proper use of contractors, and is not in breach of the department's statutory secrecy obligations. However, a number of the taxpayers surveyed by the research firm have questioned why the company had details of their personal information that was held by the department. If such contracts are to be entered into in future, the department needs to take steps to ensure that this does not undermine public confidence in its custody of personal information.
Staff acknowledged that the need to resolve customer queries as quickly as possible often causes a level of inadvertent disclosure, but there was a widespread feeling that little or no serious misuse of personal information takes place, and equally that little can be done to stop a rogue staff member from acting improperly. The potential risk in this area is considered by staff to be very limited. Staff are of the view that disclosure of personal information for personal gain is a risk all large organisations face, and it only involves a very small number of staff with poor personal integrity. Staff were generally offended by attacks on their professional integrity. Departmental policy, procedures, and strong team-based values support the protection of personal information, and these aspects are well recognised and understood by staff and implemented by the department.
Operational practice and processes supporting personal information protection included:
- formal requirements for consent forms and data release authorisation (in the case of agents);
- communication to other government departments via liaison officials; and
- on-line security checking (taxpayers' numbers/PINs for Business Link and Business Direct).
The department indicates that the cornerstone of its operational policies and practices is the protection of personal information and, therefore, every manager is accountable. This approach is understood, but nevertheless, in the investigation team's view personal information protection is not explicitly managed as a public confidence issue by the department. The department approaches this issue as 'this is our information and it's secret' as distinct from 'this is our customers' information and we will protect it'. Because of the public confidence issues involved, it would be valuable to identify at a national and local level who is the 'champion' for personal information protection.
INFORMATION MANAGEMENT, SYSTEMS, MONITORING, AND CONTROL
- The department maintains a sophisticated and well developed approach for the protection of information security.
- The focus of the security is, however, on maintaining the integrity of the data, with limited focus on protecting personal information, other than for designated individuals.
- The scale of the transactions involved limits the economic feasibility of tracing every inquiry.
- For 'at risk' areas/individuals a trace can be installed.
- There is lack of clarity regarding functionality of access at the individual level.
- The department undertakes audit reviews of elements of its information security procedures, but there are gaps in the follow up on implementation.
- The implementation performance levels for IT security policies could not be substantiated.
- There is only a limited approach to risk management, with some local office initiatives.
The FIRST system
The IRD maintains a sophisticated and well developed systems security control framework (largely in its FIRST system) for the protection of information security.
The department's emphasis in system security control is on modification of the information in the data files. This is a concern with maintaining information integrity. The issues in personal information protection are to do with what information is private, who can have access to what information under what circumstances, and in which areas the system and its information are most vulnerable to inappropriate access. These particular issues receive very limited attention, apart from the department's perspective that all information is secret except to the individual concerned. In that sense the culture of commitment to personal information protection by staff is the 'system' for protection or security.
The volume of the department's records and transactions is such that tracing every inquiry for personal information is viewed as uneconomic. Traces are able to be placed on staff inquiries when risks are identified. For example, staff members exhibiting inappropriate behaviour as identified in fraud training would trigger tracing.
Staff attempts to access unauthorised or restricted areas immediately result in a security violation screen, which blocks further access. These attempts are recorded in a weekly security violation report. Sometimes individual staff are unaware that the level they are able to access has been changed, which creates unnecessary over-subscription in the security violation report. The violation report does not distinguish between malicious attempts and innocent mistakes. Not all managers routinely check staff explanations for these breaches.
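The distinction the weekly violation report lacks can be made mechanically once the report is joined with the record of access-level changes. The following Python script is an added illustration, not part of the investigation or of IRD's systems; its record layouts, thresholds, field names and sample entries are constructed assumptions.

```python
"""Triage of a weekly security-violation report (added illustration, not IRD code).

Joins each blocked attempt with a log of access-level changes, so that attempts
explained by a recent removal of access are separated from those a manager must
review.  All record formats, field names and sample data are constructed here.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

LOOKBACK_DAYS = 14    # an access removal this recent counts as an innocent explanation
ESCALATE_AREAS = 3    # unexplained attempts on this many distinct areas in a week: escalate

@dataclass(frozen=True)
class Violation:
    when: date
    staff_id: str
    area: str         # restricted area the staff member tried to open

@dataclass(frozen=True)
class AccessChange:
    when: date
    staff_id: str
    area: str         # area removed from the staff member's access profile

def explains(change: AccessChange, v: Violation) -> bool:
    """True if the removal is for the same person and area and happened within
    LOOKBACK_DAYS before the attempt (the 'unaware my access changed' case)."""
    return (change.staff_id == v.staff_id and change.area == v.area
            and timedelta(0) <= v.when - change.when <= timedelta(days=LOOKBACK_DAYS))

def triage(violations, changes):
    """Return {staff_id: (category, detail)} for every staff member in the report.
    'access-change'  : every attempt is explained by a recent removal of access;
                       the remedy is to inform the staff member, not to investigate.
    'escalate'       : unexplained attempts on ESCALATE_AREAS or more distinct areas;
                       the manager must obtain and record an explanation.
    'manager-review' : a small number of unexplained attempts.
    """
    by_staff = defaultdict(list)
    for v in violations:
        by_staff[v.staff_id].append(v)
    result = {}
    for staff_id, vs in by_staff.items():
        unexplained = [v for v in vs if not any(explains(c, v) for c in changes)]
        if not unexplained:
            first = min(c.when for c in changes if any(explains(c, v) for v in vs))
            result[staff_id] = ("access-change",
                                f"{len(vs)} attempt(s) explained by access change on {first}")
        else:
            areas = sorted({v.area for v in unexplained})
            category = "escalate" if len(areas) >= ESCALATE_AREAS else "manager-review"
            result[staff_id] = (category,
                                f"{len(unexplained)} unexplained attempt(s) on {', '.join(areas)}")
    return result

# Constructed sample week: one staff member whose access was reduced, one probing
# three unrelated areas, one with a single unexplained mistake.
SAMPLE_CHANGES = [AccessChange(date(1998, 6, 1), "S1001", "CHILD_SUPPORT")]
SAMPLE_VIOLATIONS = [
    Violation(date(1998, 6, 3), "S1001", "CHILD_SUPPORT"),
    Violation(date(1998, 6, 4), "S1001", "CHILD_SUPPORT"),
    Violation(date(1998, 6, 2), "S1002", "STUDENT_LOANS"),
    Violation(date(1998, 6, 2), "S1002", "PAYROLL"),
    Violation(date(1998, 6, 5), "S1002", "EXEC_TAXPAYERS"),
    Violation(date(1998, 6, 5), "S1003", "CHILD_SUPPORT"),
]

if __name__ == "__main__":
    for staff_id, (category, detail) in sorted(triage(SAMPLE_VIOLATIONS, SAMPLE_CHANGES).items()):
        print(f"{staff_id}: {category:14} {detail}")
```

The output gives a manager one line per staff member with the category already assigned, so the routine check the report describes becomes a matter of recording an explanation for the 'escalate' and 'manager-review' lines only.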
Call centres and telephone enquiries
A particular area of challenge for personal information risk management is the extensive (and increasing) use of telephone communications with customers, agents, and third party organisations. The systems approach does not normally involve a specific PIN number (as for banks) or password to verify customer right of access. Hence, staff experience and judgement are the reference point, which works well for known agents and/or customers. PIN numbers operate in InfoExpress (an interactive voice recognition (IVR) facility). Security systems to evaluate third-party requests for information often rest upon individual understanding and 'own' processes.
Risk analysis practice has recently been introduced for trial by the Internal Audit group. However there is no formal risk management process for personal information protection throughout the department. As a result policies and procedures can be developed without reference to personal information implications, and current gaps have not been identified.
With moves to call centres there is less time and experience (higher staff turnover and less experienced staff) to undertake identification verification, resulting in a changed nature of risks and required security standards. A positive feature of the call centre system approach is the improved provision to 'monitor' calls. Practices regarding identification and release of personal information can be checked through this feature, and subsequently coaching can be done.
Risk management
The department recognises that the integrity of taxpayer information is of fundamental importance to tax administration. All taxpayer information is secret, and a culture of secrecy rightly pervades the department. The department recognises the impact that a breach of personal information security will have on tax administration. However, field work suggests that, in general, front line staff do not universally appreciate that the department's obligation to preserve the secrecy of taxpayer information underpins voluntary compliance with the tax system. The need to maintain secrecy of taxpayer information is embodied in the code of conduct, and staff recognise and uphold this.
The department undertakes internal audit reviews of elements of its information security procedures but there are gaps in following up implementation. The implementation performance levels for information technology security policies could not be substantiated. The department would benefit from more explicitly assessing its vulnerability in terms of personal information protection.
The marginal cost of minimising the misuse or unauthorised disclosure of personal information may be high. However, any misuse or any unauthorised disclosure, no matter how few cases there may be, is likely to have a high cost in terms of public confidence.
IRD undertakes risk management and audit initiatives. The department has rolled out legislative risk management nationally, and is now about to roll out operational risk management. Overall, however, IRD risk management development is at an immature stage.
Procedure for investigating breaches of department standards and process of applying sanctions
- Sanctions for improper use of personal information are applied inconsistently, but more recent cases have involved dismissals.
- Circumstances relating to past disciplinary cases are not used sufficiently or universally for reinforcement training of staff.
- A major fraud-awareness programme has been rolled out nationally to team leader level.
Incidents
During the three years 1996, 1997 and 1998, there were 28 breach-of-secrecy cases investigated by IRD Internal Audit. All but two were at a staff level. In 11 cases, no offence had been committed, and in two others there was insufficient evidence to establish whether or not an offence had been committed. Five cases resulted in dismissal, and in three of those the employees were prosecuted. [6] During the last 18 months, breaches have resulted in dismissal as a result of the department's decision to tighten procedures.
Fraud policy, education and training is a specific area of activity, and a major awareness programme is nearly completed nationwide through to team leader level. A key part of the programme is for managers and team leaders to be able to identify 'at risk' behaviours. A gap exists, though, in the need to have the same issues better understood by front line staff, and this may well reflect a lack of resources available to the sole national office officer working on fraud issues.
A significant number of staff (18%) indicated through the field work that the action to be taken for breaches of personal information privacy depends on the circumstances of the case. The investigation team found a view among staff that some individuals subject to a disciplinary process have been given the opportunity to resign voluntarily rather than face summary dismissal. The survey results indicate a perception among staff that a high degree of management discretion and tolerance exists in exercising sanctions.
The department considers that the measures it has put in place have been successful in limiting the improper disclosure of private information.
Case studies
IRD uses past transgressions as future case studies for staff training in its fraud-awareness seminars. The lessons from transgressions should be more widely and quickly communicated to front line staff. Generally if staff are disciplined, a 'closed door' policy on the circumstances and outcomes is applied. Given that inadvertence is the major cause of improper disclosure of personal information, staff in focus groups strongly supported case studies and a 'lessons learnt' approach to reinforce personal information issues during training.
Staff felt that an improved approach to internal measurement of personal information performance (in the number of breaches, sanctions applied, etc., and its communication to staff) could enhance staff awareness of the issues and provide a more transparent process for improvement.
KEY RECOMMENDATIONS
- The department must ensure that all security checks are completed on new recruits, prior to their commencing work, in accordance with policy.
- The department should consider the introduction of personal identification numbers (PINs) or other unique identifiers for all customers.
- Internal audits of information security procedures must continue to be undertaken regularly, in particular when major changes are made to systems architecture and applications.
- The department must ensure that it has formal reassurance that solutions have been implemented to any gaps that are identified in information security and in audits.
- The department should review its local human resources practices and procedures to ensure consistency and alignment across the country on matters of policy interpretation.
- The department should identify at a national and local level a 'champion' for personal information protection.
- Where possible the department should seek further learning opportunities arising from personal information breaches for staff and managers.
- The department must further develop and implement a comprehensive risk management approach for managing personal information protection.
[6] Inland Revenue breach of security cases report 1/1/96-1/12/98.