STATE SERVICES COMMISSIONER'S OVERVIEW
Introduction
In November 1998 a total of five employees of the Inland Revenue Department (IRD) and Work and Income New Zealand (WINZ) were under investigation for allegedly selling citizens' personal information from departmental databases. A total of five people is a tiny proportion of the Public Service workforce of 30,000. Some people might ask, therefore, why I decided to carry out this investigation. The answer is twofold.
Citizens must have confidence that the information they provide to Government departments is treated carefully. This is the more so because citizens are compelled by law to provide certain information to the Government. In other words, there is an implicit compact between the State and citizen that, where the State exercises its power to collect information, it has an obligation to treat that information carefully. This principle is encapsulated in statute, for example, in the Privacy Act 1993. It is also encapsulated in departmental codes of conduct, including those applied by IRD and WINZ.
There was a second reason for my investigation. Around the world, the New Zealand Public Service has a reputation for high standards of integrity. The claims and facts that were publicly aired in early November raised questions about that integrity. Those questions cast a shadow, not only over IRD and WINZ, but over every department and every public servant. I think it is fair to say that many public servants themselves want those questions to be addressed.
The security of personal information held by the departments
The key question for the public is whether personal information held by IRD and WINZ is safe. This investigation has concluded that the personal information these departments hold is generally secure. However, given the quantity and nature of the personal information held by the departments, I recognise that this level of reassurance will not satisfy everyone. I have made some recommendations that should raise the level of reassurance. I expect the chief executives to implement the recommendations.
Overall findings
The overall findings of my inquiries are that:
- there is a high level of understanding, on the part of the staff in both departments, of the need to protect personal information held by the departments, and a personal and professional commitment to protecting that information;
- there were gaps in the systems, policies, and practices in the departments with regard to the protection of personal information. My recommendations are intended to improve the systems, policies, and practices of the departments to reduce their vulnerability to the improper use of personal information.
IRD and WINZ
There are differences between IRD and WINZ. One is a long-established department; the other is new and still in transition. As a result, there are differences in the nature and maturity of their management systems and policies. Those are reflected in the findings and recommendations, specific to each department, in part II of this report. Those differences between the departments mean that the response of each to my recommendations is likely to be different.
Risk management approach to confidentiality and security
IRD and WINZ must acknowledge that confidentiality and security of personal information is more than maintaining staff awareness, providing training, and monitoring information technology (IT) systems.
Systems, policies, and practices must proceed from the overriding principle that the departments must maintain public confidence in their handling of citizens' personal information.
There is always a probability that failure to preserve the confidentiality and security of personal information will occur. There will always be some cases of improper use or disclosure; some cases will be inadvertent, some will be deliberate and criminal. A management priority should be to minimise the probability of failures, and to minimise their impact when they occur.
Consequently, I am recommending that the chief executives of IRD and WINZ implement integrated risk management approaches to the protection of personal information. This will require IRD and WINZ to:
- recognise fully the critical role of personal information protection in maintaining public confidence in the departments;
- assess explicitly the external risks to the confidentiality and security of personal information - that is, from whom outside the departments is there pressure for disclosure, where is that pressure applied and in what ways;
- assess the vulnerability of the departments to those external risks in the context of the existing internal systems and culture;
- ensure that they have policies and practices - that are benchmarked against relevant best practice - to address the external risks, and ensure that those policies are operating at the front line; and
- assess, regularly and formally, the effectiveness of the policies and practices in minimising risk; ensure that any gaps that are identified are closed; and regularly reassess the overall vulnerability.
A risk management approach will not eliminate the risk of improper disclosure. That is probably impossible. But it will minimise it.
Recommendations
The recommendations in my report can be summarised as:
- The chief executives of IRD and WINZ ensure that they have in place a comprehensive and integrated risk management approach to the security of personal information. Such an approach would recognise fully the importance of maintaining public confidence in the departments with regard to the confidentiality and security of personal information.
- Chief executives of all departments ensure that their management practices concerning personal information, especially in human resources, reinforce the departments' commitment to the values and ethics of the Public Service culture.
- IRD, WINZ, and other Public Service departments holding extensive customer databases develop an explicit policy for protecting and managing personal information, one that can be benchmarked against best practice. This is to be done in consultation with the State Services Commission, which will develop the appropriate standards.
- The chief executives of IRD and WINZ ensure that their initiatives for customer focus and operational excellence are consistent with Public Service legal and ethical requirements as to personal information.
- The chief executives of IRD and WINZ consider the costs and benefits of measures such as personal identity numbers and passwords, and institute these measures where they might improve the confidentiality and security of personal information.
The recommendations are in more detail on page 29 and page 38 of the report.
Next steps
My investigation was not a forensic one. It covered the managerial and ethical standards that apply in IRD and WINZ. But my investigation has found no evidence or indication either of attitudes among staff that condone or allow widespread improper disclosure of personal information by employees, or that unauthorised disclosure of personal information is endemic. Given that, and provided the recommendations I have made are implemented, I consider that there is no need for any further general inquiries into this matter in these two departments.
I found no evidence in the course of this investigation that the restructuring of the public sector over the last decade has caused a deterioration in the personal integrity of public servants. It did emerge that the risks inherent in the closer integration of public and private sectors (for example, departments' increased use of private sector contractors) impose a need for vigilance on the part of those whose role it is to protect personal information.
The findings of this investigation emphasise the importance of information in the modern public sector. Only a few years ago, organisations were dedicated to protecting and maintaining capital assets of another type, such as their plant or their intellectual know-how. Today, the key asset of many organisations is information. I acknowledge that, to date, the State Services Commission itself has been insufficiently aware of the security of personal information held by departments as an area of major risk. I intend to address the issue of security of personal information through the annual chief executive performance reviews and the departmental performance assurance processes.
The Public Service must acknowledge that there have been some cases of people deliberately using personal information for criminal purposes. Those few cases - and the findings of this inquiry - are a timely reminder. All the departments of the Public Service hold information, whether it is personal information or information of other types, that is sensitive in some way. Departments must maintain management standards and an ethical environment that ensures constant vigilance with regard to the confidentiality and security of that information.
ISSUES WITH WIDER IMPLICATIONS
The results of my investigation have highlighted three issues that, while they have immediate relevance to IRD and WINZ, may also have implications for other Public Service and public sector organisations.
The responsibilities of departmental chief executives
Departmental chief executives are responsible for setting the standards of professional and personal behaviour within their departments. The results of my investigation show that the professional and personal standards of employees are paramount in ensuring that departments treat personal information with proper care. Departments may have the best physical and technological information security available, but people who are bent upon beating physical or technological security systems will always be able to do so.
What is equally important, therefore, is that departments set expectations of personal and professional behaviour that reinforce high personal and professional standards. Chief executives are responsible for setting those expectations and ensuring that they are continually reinforced. Such expectations, when they are set and reinforced, are probably the principal bulwark against the misuse of personal information. In recent weeks I have reminded chief executives of their duties and role in this regard. They readily acknowledged their responsibilities. I intend to emphasise further the duty and role of chief executives in setting expectations of personal and professional behaviour when I carry out future annual performance reviews.
Security and the scale and range of information technology
The importance of proper processes for the confidentiality and security of personal information is underlined when one considers the scale of information held by departments like IRD and WINZ. The very point of modern, computerised databases is that they hold a mass of information that can be recovered quickly and at points all over the country. Such speed and accessibility of information is needed for the effective operation of departments, but presents them with major security problems. Security is a complex issue. Security measures operating across thousands of daily transactions on databases may also become an impediment to the swift conduct of a department's work. It is a financial issue too. The benefits of database security must be weighed against the cost.
The investigation results underline the dilemma faced by departments. Should they impose further security constraints on their databases, at the risk of increasing costs and slowing their response to customers? Can security measures that operate across such a range and quantity of electronic transactions be effective? Although the overall picture is that the systems already in place are generally adequate, the investigation identifies steps both departments should take to improve database security.
In November some newspapers focused on what are known as IT audit trails, whereby an organisation can identify any user who has entered a database. I am not convinced that, in a department with 4,000 people and such a high volume of transactions, these would be helpful (or cost effective) in detecting deliberate disclosure. It is more likely that deliberate disclosure will be discovered by other means - including the vigilance of other staff and reports from departmental customers.
The pressures of meeting 'customer' demands
IRD and WINZ, like many other departments, face increasing pressure to provide high levels of service to the people they serve - people whom the departments regard as their 'customers'. Citizens increasingly expect public sector organisations to provide levels of service that match or exceed those that are provided by private sector businesses. Departmental chief executives should, and do, respond to that demand. The demand is particularly noticeable in departments that, like IRD and WINZ, number hundreds of thousands of people as their customers.
The desire to 'meet the customer's demands' may sometimes be incompatible with the need to observe carefully the confidentiality of personal information. Applying confidentiality safeguards to personal information can delay service. Staff who are focused on the customer may be tempted to find shortcuts. This report highlights some ways of maintaining security of information while still providing high levels of service. No matter how it is managed, the confidentiality of personal information must continue to be a foundation of Public Service practices.
M C Wintringham
State Services Commissioner