21 Feb 2025

Health NZ leaves sensitive data unsecure, inquiry finds

7:08 am on 21 February 2025

Health New Zealand is scrambling to fix contracts that gave it no power to check if people have been misusing sensitive health data or not.

It did not even know about the weaknesses in its systems until the Manurewa Marae inquiry - which came out on Tuesday - exposed them.

The "gate was left open" for Census and Covid 19 information to be misused, said the Public Service Commission that had ordered the 73-page inquiry.

HNZ Te Whatu Ora and the Health Ministry not only did no audits, but had no power to do so under their toothless contracts, which are now being urgently overhauled.

"There were no controls over files once they were downloaded by the [outside] providers' authorised staff," the commission said.

In addition, the authorities had no safeguards in case the person or group getting the health information had a conflict of interest.

A "failed" system left data open to be exploited, the commission said.

The investigation was sparked by allegations that data provided to health and social services providers at Manurewa Marae was misused.

That is still being looked into.

However, it is clear the hands-off, no-checks approach to sharing health data prevailed for years, despite the government's overarching line on personal data - which it has been gathering more and more of - that you can totally trust them with it.

HNZ once again on Thursday stated it took "the security and privacy of health data very seriously".

Yet it did not realise its systems were unsafe till the external probe.

"We became aware that our data sharing agreements could have been stronger through the inquiry process," HNZ's interim director of data and analytics Stuart Bloomfield told RNZ.

"Our data sharing agreements provided a robust foundation for data sharing, but they lacked provisions allowing us to seek assurances of, and audit to test, compliance, and we are addressing this."

None of the agreements - DSAs - allowed for audits, or for enforcing compliance with what, on the face of it, were strict rules around privacy.

The agency also lacked data handling protocols.

They had started work "immediately" to fix all this, Bloomfield said.

They were adding the ability to audit and to "seek assurances re compliance".

"We will also be revising our processes to ensure that conflicts of interest are routinely considered.

"We expect to have these measures in within the next six months."

These weaknesses persisted despite the huge volumes of health data that are shared, how sensitive the law regards health data to be, and the way successive governments' push for more and more personal data has been accompanied by assurances that all is safe.

For the past 15 years, health authorities have been telling "all health providers" they must follow the 75 pages of guidelines about protecting health information.

In that time, especially most recently, how the information flows has become much more complex amid myriad digital systems.

Privacy laws make very clear that health data sits in a group where really stringent controls must be enforced over how it is used, how it is stored and how it is disposed of.

Te Whatu Ora got as far as ensuring its data-sharing met Privacy Act 2020 and Health Information Privacy Code 2020 protections and safeguards, and that it made its expectations to external providers clear.

But then it stopped short of checking if they lived up to the expectations.

They "did not assure themselves that the relevant service providers were meeting contractual expectations", the commission said.

"It is critical New Zealanders can trust that their personal information is secure and will not be exploited."

Bloomfield said, "We are not aware of any evidence that Covid 19 data was inappropriately used by any of the relevant recipients."

'Sobering reading'

The inquiry made "sobering reading" about a "failed" system, commission head Sir Brian Roche said.

At Stats NZ, the findings have claimed the head of the chief executive, who will step down within days.

At HNZ Te Whatu Ora, there has been no mention of anyone stepping down - that said, the chief executive had already just quit, and the job of the head of data and digital was disestablished in October to save money.

Everyone is under the gun, with accountability being upped on info-sharing across the public sector.

The wider implications are that other government agencies are not keeping enough tabs and audits on people's information after they share it, as Newsroom has reported.

"It raises a number of issues that go to the core of the confidence and trust required to maintain the integrity and sanctity of information entrusted to government agencies," Roche said.

His agency is now working on a new standard for information sharing. HNZ is helping. It kicks in from July.

The Office of the Privacy Commissioner is now looking into the allegations of actual misuse.

The Health Ministry, Health New Zealand, Stats NZ and Te Puni Kōkiri have been asked to temporarily suspend new contracts, renewals and extensions with the three providers.

Health NZ also has its own problems handling personal data internally, even when it did not share it.

Papers previously released under the OIA talk about a confusion of multiple standards and models, "no shared principles standards", "no ability to track data use to ensure it is being used for its intended purpose or adherence to sovereignty", and "information is not kept current due to siloed copies [of] personal information".

Blockages have been noted between doctors and data analysts - and critics of the reset to save $600m have expressed fears that plans to halve the data and digital team will make that worse.
