PART II: Departmental Issues Arising from the Investigation

The investigation set out to evaluate four areas in IRD and WINZ:

• the recruitment, induction, and screening of new staff, and the information on expectations of behaviour received by new staff;
• the communication and reinforcement of values and professional behaviour for departmental staff;
• information management systems and the monitoring and control of those systems; and
• the procedures for investigating breaches of the departments' standards, and the processes for applying sanctions where they are required.

The investigation

The practical inquiries were conducted under the direction of a senior partner of the chartered accountancy and management consultancy firm, Ernst & Young, Dr David Cullwick. In conducting the inquiries, he drew on staff from the State Services Commission and from Ernst & Young. A former Chief Ombudsman, Sir John Robertson, acted as an independent advisor to the State Services Commissioner during the course of the investigation. Sir John also provided advice to Dr Cullwick. The report was drawn together and written by staff from the Commission and Ernst & Young.

The investigation strategy was focused on the terms of reference areas covering the risk management issue posed by effective personal information security. A part of that approach was testing the degree to which personal information security was explicitly identified in policies and operational processes, and in day-today management.

To evaluate the four areas in the departments, it was necessary to go out to the front line of the departments' operations - that is, out of Wellington. In other words, the investigation set out to determine what happens in practice in the departments. The investigation aimed to identify any shortcomings or areas of risk, and recommend improvements. In three weeks, members of the investigation team visited 16 IRD sites and 26 WINZ sites around the country. Some sites were visited twice. In total, the investigation team heard from 600 employees of IRD and WINZ in one-to-one interviews or through focus groups that comprised several members of the departmental staff. The investigation also included a questionnaire that participating departmental staff were asked to complete. In Wellington, the investigation team interviewed the chief executives and members of the senior management teams of both departments.

There is a clear legislative base for the protection of privacy of personal information by Public Service departments.

The Privacy Act 1993

The Privacy Act 1993 sets out the general principles for the collection, use, holding and release of personal information. The Act defines 'personal information' very broadly as meaning any information about an identifiable individual. Personal information should be used only for the purpose for which it was obtained, and in general should be disclosed only to, or as permitted by, the subject of the information. The Act also sets out the circumstances in which a department may release personal information to another agency.

Tax Administration Act 1994

In respect of the IRD, those general requirements for privacy are encompassed in the strict requirements of the Tax Administration Act 1994, ¹ which requires every officer of the IRD to maintain secrecy in all matters relating to tax statutes. This includes the privacy of information concerning taxpayers.

Official Information Act 1982

Since 1982, by virtue of the Official Information Act, it has been the overriding principle that official information should be made available unless there is good reason for withholding it. However, the protection of privacy of natural persons has always been a ground for withholding information (unless there is a countervailing public interest). That exception to disclosure is now underlined by the principles contained in the Privacy Act.

State Sector Act 1988

The State Sector Act 1988 empowers the State Services Commissioner to issue a code of conduct that prescribes the 'minimum standards of integrity and conduct that are to apply in the Public Service'. ² The code establishes three principles that all Public Servants are expected to observe:

• employees should fulfil their lawful obligations to Government with professionalism and integrity;
• employees should perform their official duties honestly, faithfully and efficiently, respecting the rights of the public and their colleagues; and
• employees should not bring their employer into disrepute through their private activities. ³

Under the State Sector Act, the chief executive of each department is responsible 'for the general conduct of the department'. ⁴ The chief executive must act as a 'good employer', and in particular 'must ensure that all employees maintain proper standards of integrity, conduct and concern for the public interest'. ⁵

Departmental codes of conduct

Each department has its own code of conduct for its staff, building on the Public Service code of conduct. In addition, WINZ is required to comply with a code of conduct issued by the Director-General of Social Welfare in consultation with the Privacy Commissioner, which governs the collection of information concerning beneficiaries.

Expectations

The State Services Commissioner's expectations are that chief executives and their staff will comply with those requirements. Each department is expected to have in place systems and processes that enable compliance with the statutory requirements, and to encourage a culture that supports compliance.

¹ Section 81, Tax Administration Act 1994.

² Section 57, State Sector Act 1988.

³ Public Service code of conduct. Further expansion of standards is contained in the series of publications, 'Public Service Principles Conventions and Practice', State Services Commission 1995.

⁴ Section 32, State Sector Act 1988.

⁵ Section 56.