More to privacy breaches than meets the eye


It’s been hard to miss the storm of publicity surrounding the recent spate of privacy breaches among public sector organisations, but the context has been more easily overlooked.

The breaches have come at a time of rapid technological change which is putting government agencies under enormous pressure to deliver more online and digital public services.

In the search for scapegoats, the media, and, to a certain extent departments themselves, have often looked to single out and lay blame on individual public servants.

However, behind every privacy breach there are systems, processes, and organisational cultures in which privacy considerations may not have been given the importance they deserve.

Technology has provided the public sector with huge power to collect and store information while, at the same time, recent surveys by the Office of the Privacy Commissioner show a sharp rise in public concern about the safety and security of their personal information.

Privacy commissioner Marie Shroff says “public servants need to be aware of that power and that public concern by safeguarding the information and taking responsible stewardship of it. It’s central to protecting the honesty, integrity and reputation of the New Zealand public service.”

She argues the focus must be on improving tools, systems, accountability and also culture.

 

Behind human error

“Behind the human error will be a hastily-constructed or vulnerable system so it’s not fair to expect individual public servants on the frontline to take responsibility. There has been a failure of senior management to take privacy seriously and ensure that staff are properly supported and have the tools to effectively guard citizens’ information,” she says.

That is echoed by PSA organiser Josh Gardner who has spent most of his career as a frontline public servant.

According to Josh, workload pressures, widget-based work systems, outsourcing and lack of training all help to create environments where mistakes are more likely to happen.

“Workloads, particularly in call centres and at peak times mean staff can sometimes attach the wrong notes to a client because they are dealing with so many clients or cases at once.”

Josh believes a fundamental problem is that, while a lot of testing of IT security systems and programmes goes on, “it’s not ground-floor testing by the people who actually use the systems and have knowledge at the frontline level.”

 

Rush to deliver

What he also finds disappointing is that anyone involved in a privacy breach is usually put into a formal employment or disciplinary process, when a wider approach and discussion about systems is needed.

The government’s Better Public Services programme and result area 10 – New Zealanders can complete their transactions with government easily in a digital environment – is also creating pressure.

Josh says many feel that in the rush to deliver more interactive and online public services, privacy protections have often taken a backseat or been acted on as an afterthought.

Marie Shroff says the answer is ‘privacy by design’ – something she believes the public sector has been slow to pick up on. It means putting privacy safeguards in place at every level and asking key questions about information and core privacy principles in the design stage of any process or system.

Looking to the future, Marie Shroff says the public sector is now on a pathway to improvement.

“If you’d have asked where we were two years ago, I would have said I was extremely concerned by public service managers’ lack of awareness and action. But the breaches have happened and now the SSC and other lead agencies are all focused on the situation and things are being taken on board. It’s early days but big efforts are underway which will see a shift in attitude.”

The Ministry of Social Development (MSD), for example, is introducing software which stops outward mailing of spreadsheets and can track employee browsing.

However, Marie Shroff would like to see things taken further, with the Privacy Commissioner given auditing and enforcement powers to protect private information.

“If there had been privacy auditing around the MSD kiosk breach it may not have happened,” she says.

The string of breaches across a range of government agencies has been a big wake-up call for the public service and provided some “very teachable moments”.

Those lessons will need to be taken on board to restore public confidence and to ready the public sector for a massive planned IT overhaul and the introduction of information-sharing systems across agencies.

 

Update

The government’s chief information officer has just released his review of public sector IT systems. It found that many agencies lacked fundamental components of good security and privacy practice. However, the report did not fully address the staffing levels and training which support those systems.

The PSA has set up a reference group of national delegates, representing the seven agencies at the forefront of technology change, to advise on the impact of technology on members’ jobs. In particular, it will assess the potential benefits and risks of the government’s Better Public Services programme: New Zealanders can complete their transactions with government easily in a digital environment. The reference group will seek to obtain an organisation-wide perspective.

 

This article is from the June 2013 issue of the PSA Journal.