KEY FINDINGS
General
WINZ has been in existence since 1 October 1998, bringing together the functions previously carried out by New Zealand Income Support, the New Zealand Employment Service, and the Community Employment Group. The department is still in its establishment phase. Transition issues provide challenges for staff and management.
Overall, the investigation team found that management and staff have a strong customer-service ethic, including strong support among workers for personal information protection. The department has a complex operational environment. It works closely with all of its clients in a case-management role. It is also in the process of implementing new policies in the area of employment. Staff are sometimes subject to pressure from several sources to disclose personal information. These external challenges occur against the background of the department's internal dynamics, including some human resources issues that arise from the merger of Income Support and the Employment Service (such as pay parity and workload differences).
The strong respect for the security of personal information that is evident at both the individual and local level is the cornerstone of the department's performance in this area.
Values
WINZ staff have a deep customer service ethic that supports the importance of protecting personal privacy and information.
Policies
WINZ has a process in place to deal with conflicts of interest.
The department does not have consistent and thorough pre-employment security checks for new staff.
The department does not yet have a risk management approach for the security of personal information.
The department could further capitalise on learning from actual instances of policy breaches to develop and improve policies to educate staff.
The department does not have national policies or guidelines for identification routines for telephone callers.
The department needs to ensure a clear understanding by staff of their obligations with regard to effective security housekeeping, e.g. regular changing of passwords, proper disposal of confidential documents, and clear policies on securing 'restricted access' personal files.
RECRUITMENT, SCREENING, INDUCTION, AND EXPECTATIONS OF BEHAVIOUR
- Key privacy principles relating to personal information are well understood.
- Update training on privacy issues is variably implemented.
- Established conflict of interest process in place; clearer definition required for family/whanau.
- Recruitment process is variable.
- Four-week induction programme course provides strong base on privacy issues for new staff.
- Gaps in employee security checking.
Code of conduct
The WINZ code of conduct and the key privacy principles relating to the protection of personal information were well understood by WINZ management and staff. Seventy-nine percent of surveyed staff had received an explanation of the code of conduct before certifying that they had read and understood it. Forty-eight percent of staff had attended follow-up code of conduct seminars and discussions. Eighty-one percent of staff had received a request for personal information and declined to provide it because they thought it contrary to the code of conduct and the law.
Ethics
Ethical and moral standards and values were freely discussed in focus groups although the ethical framework was centred largely on the issue of benefit fraud as distinct from obligations of information secrecy and an awareness of the Public Service ethic. WINZ staff did, however, have a deep customer service ethic which supported the implicit importance of protecting personal privacy and information. The majority of staff responded that ethical behaviour in the department has remained relatively unchanged or has improved.
WINZ has a conflict of interest process in place to assist employees in complying with the code of conduct. Staff are required to identify friends and whanau who have a customer relationship with WINZ. However, they are also obliged to inform the department of anyone they know to be receiving a benefit fraudulently, including friends and whanau. This has given rise to significant concerns among staff, particularly those operating in the smaller rural communities. In respect of friends and whanau, the relevant file is secured by the department.
The obligation to identify conflicts could benefit from a more prescriptive policy guideline on how widely this requirement should apply. This is particularly important in defining the extent of a family/whanau conflict.
Recruitment, screening, induction, and training
The focus groups indicated that WINZ staff are highly aware of their obligations in respect of private information protection, which is introduced in early-induction training.
The recruitment process appears to be variable. Survey evidence shows that 30% of staff are recruited through advertisements and recruitment agencies. One third of staff are recruited from family, friends, and colleagues of existing employees. Security (conviction/benefit fraud) checks are not always undertaken prior to employment of staff.
The State Sector Act requires that job vacancies are advertised (where practical) and that appointments are made on merit. A recruitment process should therefore include advertising and a rigorous selection process. Not all the selection processes described by staff meet these requirements.
The group discussions confirm that induction and initial training are very strong in reinforcing the importance of privacy. New WINZ staff attend a four-week induction programme, at a training school, that includes specialised training on privacy issues. This training is often facilitated by lawyers. Relevant training to help staff deal with personal information issues was, on occasion, inconsistently applied. For example, provision of Official Information Act and Privacy Act training supplemented by training in dealing with difficult customers was not present in all offices visited. After training 81% of staff were confident of their ability to deal with privacy issues with respect to customers.
COMMUNICATION AND REINFORCEMENT OF VALUES AND PROFESSIONAL BEHAVIOUR
- Strong customer-service ethic supporting personal information privacy.
- Staff offended by attacks on their personal integrity.
- Department has complex operational situation, including a number of human resource challenges.
- Tension between customer service and code of conduct ethical elements.
- Many staff have had improper requests for personal information.
- Ensuring minimal inadvertent release of information presents major challenge.
- Perception that there is very little deliberate misuse of information.
- Wide span of control limits supervision effectiveness and on-the-job coaching.
- Key performance indicators largely focus on efficiency.
Values
The department works to provide excellent customer service and ensure the sound application of policy. There was no indication from the field work to support the view that the deliberate and improper disclosure of personal information is endemic in the department.
Staff were generally offended by the attacks on their professional integrity. There was a widespread feeling that little or no improper disclosure of personal information has taken place. Equally, and realistically, little could be done to stop a rogue staff member from acting improperly. Staff thought that disclosure of personal information for personal gain was a risk all large organisations faced, and that it involved a small number of staff with poor personal integrity.
Community-based and customer service values support the protection of personal information, and these aspects were strong influences in the culture. Mutual trust and support between staff and line management is high. The respect for personal information privacy is a natural product of the 'vocational' values that form part of the customer service and support ethic. This theme emerged strongly from field discussions.
Complexity
The personal information held by the department is of a high level of confidentiality, and its protection requires a rigorous risk management approach. The department does have to contend with some significant and unique pressures in the merging of organisational cultures that is currently taking place. These pressures give rise to some significant challenges for personal information protection, even where disclosure is inadvertent, arising from:
- the highly personal and emotive nature of the service;
- high case loads e.g. 300-350 cases per customer services officer (case manager);
- complex relationships and engagements with a variety of other government departments, social service entities, and employers;
- problematic and complex customer circumstances; and
- situations which can result in threats to staff members' own privacy and safety.
Personal information risk management has not yet been integrated into the WINZ human resource strategy. The personal information risk issues should form part of the department's management agenda. Senior management should pro-actively monitor the quality of personal information protection, and provide the public with feedback from time to time. The presence of an internal fraud co-ordinator provides an opportunity to further develop the focus on personal information protection, and related training.
Operating pressures
The department faces further pressure between its commitment to a commercial approach to providing customer service, and the obligations and values inherent in the Public Service ethic. This tension manifests in a management emphasis on throughput, and the resulting time pressures may increase the inadvertent release of personal information.
The level of inquiries for personal information is high. Eighty-one percent of staff surveyed had received requests for personal information that they believed were outside their authority to grant. Staff were concerned that due to the pressure and complexity of work there was less time for considered judgement in customer inquiry resolution. There was a risk that personal information could be inadvertently disclosed as a result of this.
Identification checks take place with telephone inquiries in particular. These checks include questioning the caller about family history, and the use of call-backs to ensure that the department is speaking to the correct individual. Consideration could be given to the practice of personal identification numbering (PIN) to shift identification risk away from staff.
Management
Generally, the investigation team observed a high level of line management sponsorship, and reinforcement of the values and expected behaviours supporting the protection of personal information. This was particularly reinforced by local office managers setting the tone for a culture that reflected the particular community.
The current 1:13-25 management span is a potential risk, because case loads and complex customer issues give rise to a requirement to accommodate urgent authorisation and supervision. Management availability is an issue. Front line service managers' capacity is under pressure, with administration and reporting work taking an increasing portion of their time. In respect of personal information, this may detract from service management's sponsorship and preventive role in personal information protection. In addition, many managers are in temporary roles pending the outcome of position reviews. Some managers are new to management roles. The technical quality officer role (a peer position at core manager/front line level) is important in assisting with this capability issue at the front line. However, its effectiveness and role definition are variable.
The key performance indicators focus largely on quantitative measures and issues such as throughput, turnaround and volume, which are measured and enforced. This has led to a view that efficiency has improved, yet most of the staff approached argue that effectiveness has declined. The investigative team found no examples of measures to assess the quality of personal information protection.
INFORMATION MANAGEMENT SYSTEMS AND CONTROL
- Department currently runs several systems, and is evaluating transition to a single infrastructure platform.
- The process by which staff log in with cards (SWIFTT), traceable back to the payroll system, provides good access control.
- SWIFTT does provide a time-limited browsing tracking facility.
- Staff experience frustration with the number of 'network' crashes, resulting in limited SWIFTT access.
- The idiosyncrasies of the 'crashes' result in staff screen-sharing in order to maintain access, raising security issues.
- Disk drives are not disabled on all sites.
- There are no PINs and/or passwords to enhance certainty of customer identification.
- Variable focus on personal information security housekeeping.
The department has inherited multiple systems from predecessor organisations: SOLO (Employment Service), SWIFTT (Income Support), TRACE (DSW), and Student Allowance (WINZ).
Running two separate networks and systems with potentially different security features increases the risk of security issues arising. At a minimum, the security features of both should be standardised as far as possible. The department is currently evaluating a transition to a common system infrastructure, and considering a unified customer view across all systems. The investigation focused on the SWIFTT system.
The SWIFTT System
Security of the log-on process for the WINZ income network is relatively strong, with real-time links checking the card log-on devices against the payroll systems. This strength is no longer complemented by a requirement for staff to change their passwords regularly. This previous feature of the security system was disabled because of problems with expired passwords and with the operation of the cards. The investigating team understands that there are 'randomly occurring' issues with the operation of the cards, relating to sessions remaining open when cards are removed from their reading devices. These issues should be resolved to improve the strength of security over the initial network log-on process.
The SWIFTT system also provides a time-limited browsing tracking facility; modifications to records are also audited.
The network supporting SWIFTT is, however, subject to frequent crashes. During a crash SWIFTT becomes inaccessible to any staff member not logged on at the time of the crash. This leads to 'screen sharing', as staff 'locked out' of the system must use the screens of staff who were logged on at the time of the crash.
The length of time taken by log-on/log-off routines may undermine the best practice of shutting down screens when staff are away from their desks, particularly in the receptionist role.
With multiple groups often involved in discussions for a client, it is important that PINs or passwords be considered to ensure privacy.
Areas of personal information disclosure risk identified included:
- Due to information storage limitations, SWIFTT does 'lose' elements of information, including customer passwords, as further information is added. As such, legitimate disclosure can be impeded while guidelines, history, and notes are lost.
- The absence of on-line security checking (community services card numbers/PINs etc.). To prevent unauthorised release, the system therefore relies entirely on individual assessment of callers by WINZ staff.
Disk drives are not disabled in all sites. Ex-Employment Service sites have disabled disk drives, and this is under consideration for the ex-Income Support sites. Disk drives provide a medium for the removal of significant volumes of personal information from WINZ premises.
Security housekeeping
Some aspects of physical access, layout, and security raise concerns. Staff generally view the open-plan layout as a positive measure which assists personal safety, although some staff feel vulnerable because their surnames are on their name tags.
In terms of general housekeeping, there are no regular reviews of matters such as the positioning of computer monitors/black screens, printers in open-plan offices, secure documentation disposal procedures, and secure paper-filing arrangements.
The team noted that overnight printing of lists (e.g. case load details) at some sites could be a security risk. Customers have the right to ask the department to secure a file. At some offices the client was issued a password. This system can be further enhanced by electronically securing the file. However, there is no national policy on re-securing such a file once an employee has finished working on it.
Risk management
The department has not assessed the value to external, unauthorised users of the personal information which it holds, although that value is implicit in the general statutory requirement for secrecy. In failing to address the point explicitly, the department is unable to accurately assess and manage the risk of release. The marginal cost of minimising misuse or unauthorised disclosure may be high. However, any misuse or unauthorised disclosure, no matter how few cases there may be, is likely to have a high cost in terms of public confidence.
PROCEDURES FOR INVESTIGATION OF BREACHES OF THE DEPARTMENT'S STANDARDS AND THE PROCESSES APPLYING TO SANCTIONS
- Low level of improper use of information, but high vulnerability to possible occurrences.
- Most staff have expectations that any breaches will lead to discipline or counselling.
- Staff perceive the application of sanctions as variable, despite a formal process.
- Conservative approach to dismissals applies for breaches.
- Limited learning from past transgressions; some learning through team discussions.
Incidents
For the period 1996-1998, 19 incidents of allegations of offences relating to improper use of personal information were investigated by WINZ or its antecedent departments. Twelve cases were substantiated. Six of the substantiated cases resulted in dismissal and two cases were referred to the police.[8] Staff reported that there are many incidents of malicious allegations against staff. It is not known how many of these have substance.
Seventy-one percent of surveyed staff thought people would be disciplined or counselled for breaching the privacy of personal information. The field work indicated that the application of sanctions for the improper use of personal information is seen by staff to be inconsistently applied. Focus group observations conclude that staff often do not see the outcomes of disciplinary procedures.
In terms of staff discipline, managers are aware of due process, and provide staff with the opportunity to present their point of view. This caution arises from the fact that many complaints are apparently motivated by grudges and vendettas against staff who have been involved in unpopular or unfavourable decisions affecting customers. As such, not every case has a definitive conclusion that can be communicated to general staff.
It would appear that departmental management do not dismiss employees for serious breaches without due process. There is, however, a common practice of suspending any employee who is under investigation for a breach of personal information privacy or for fraud.
Case studies
It is not customary within WINZ to use past transgressions as future case studies. Generally, if staff are disciplined, a 'closed door' policy on the circumstances and outcomes is applied. There was some concern that internal publicity may result in 'copy-cat' offences. Given that judgement calls are made, case studies and a 'lessons learnt' approach to reinforce personal information issues would help staff. Further support could be provided by the provision of decision trees to front line staff to aid decision-making.
KEY RECOMMENDATIONS
- The department should urgently implement an integrated risk management approach which incorporates the protection of personal information.
- Pre-employment checks should be undertaken for all new recruits, including checks for benefit fraud history.
- The department should consider introducing personal identification numbers (PINs) and/or passwords for all customers.
- When possible the department should seek learning opportunities, for staff and managers, arising from personal information breaches.
- Practical security and housekeeping matters should be reviewed urgently, and guidelines and operating practices implemented as soon as possible.
- The department's approach to information security should be standard across all systems and applications, and ensure a high level of protection.
[7] Under the State Sector Act, the legal name of the department is the Department of Work and Income. Work and Income New Zealand is the operating name.
[8] WINZ information letter, 4 December 1988.