Dozens of analysts at Oranga Tamariki (OT) have access to personal details about at-risk children that they should not have.
Instead of access controls, individual analysts are expected to guard against looking at the information by using separate data screens, according to a privacy assessment released to RNZ.
The archaic data system, which holds all the vital case management information social workers need on a daily basis, is being replaced, extending the data-gathering and analysing power at the ministry.
OT is struggling to stand independently of IAP, the old system it currently relies on, which is housed at the Ministry of Social Development, and which is more than 20 years old and beyond capacity.
"The Privacy Team has been advised that data analysts may not always be appropriately securing data copies they create," said the privacy assessment.
Of the 60 analysts, only 10-15 - or fewer than a quarter - needed to know children's names for one-off data matches to do their work. The rest did not, but could access it anyway.
"It is understood that, due to constraints in the IAP system, all data analysts with access to IAP have the same technical access, i.e. all ~60 data analysts have the ability to access client names.
"Instead of access controls, the current mitigation is the use of separate data views, one inclusive of client names and one exclusive of, with the responsibility on the data analysts to ensure they are only accessing the inclusive view when they have a necessary and authorised purpose."
The privacy assessment suggested the new system being built - EDAP - might be better at protecting children's private details.
But it also said: "An improved capacity to automate information collection processes (through EDAP) may result in a decrease in oversight."
The assessment overall rated the risks of EDAP at an acceptable "medium" or "low", but also revealed the ministry currently had no rules around how long it retained people's personal information, even though this was a fundamental privacy principle.
Former chief statistician Len Cook said "bad systems" were letting down agencies, even though there were good, secure technologies readily available.
"I see these issues as indicating a wider system failure in the public service and endemic in institutions where agencies have more incentives to go it alone than collaborate" on tech upgrades, Cook said.
"In short, OT are stuck with high-trust options, reinforced by staff training, process oversight and randomised monitoring."
The assessment said an improved EDAP was expected to lead to both "new collection of personal information and changes to how current processes collect personal information".
This foreshadows a form of technology 'creep'.
"Although implementing EDAP will not in itself introduce any new purposes for collection, a medium that provides improved functionality for collecting, sharing, collating, analysing, and reporting on personal information may prompt new or additional uses of personal information that would not have been considered previously, as a result of the convenience/ease-of-use," said the assessment.
This "may raise additional or heighten existing privacy risks".
There would be greater and sometimes automated data sharing with other agencies. One example was that OT would start getting Corrections data about child sex offenders.
A mitigating factor is that OT has confirmed it is having to build a "minimum viable product", settling for this due to multiple deep-seated problems with the build of EDAP, stretching back to 2021.
It is not clear the new system will address the lack of data disposal rules.
A Privacy Act principle is that organisations must not keep information longer than needed.
But the assessment said the disposal gap posed the risk that "personal information may be retained indefinitely, increasing the likelihood of inappropriate access or disclosure".
"This ought to be worked through as a matter closer to the system going live," said Cook.
Oranga Tamariki recorded 137 privacy breaches last year, more than twice as many as in 2019, but behind the 144 recorded two years ago, its annual review shows.
The number of breaches serious enough to go to the Privacy Commissioner has climbed from just one in 2019, to nine in 2021-22, to 13 last year. OT set up a centralised privacy incident reporting process last year.
At the same time, privacy complaints to the agency have dropped from 30 in 2019, down to just 10 last year.
Cook said the ministry deserved credit for the openness of the privacy impact statement - "one of the most comprehensive ones that I have seen".
But "we can see what is not well there".
"We should have this across all the agencies that require people to give them a lot of personal information.
"The review describes a system that relies on personal trust to protect privacy.
"The OT report highlights how much departments and agencies have been alone, and left alone, even where there is a common element to developments," he said by email on Monday.