Tuia 250 Voyage Trainee Privacy Breach – Independent Review
Tuia 250 Voyage Trainee Privacy Breach – Independent Review Finalised
Manatū Taonga has received the independent review into the Tuia 250 trainee privacy breach and fully accepts all the report’s recommendations, Chief Executive Manatū Taonga Ministry for Culture and Heritage Bernadette Cavanagh said today.
“It’s clear that this privacy breach should never have happened, and I take full responsibility. I’m truly sorry for the harm caused to all the applicants,” Bernadette Cavanagh said.
“Everyone has a right to trust that information they share with us is managed well and kept secure. The review showed that there was a flaw in our security systems which resulted in the privacy breach.
“The review also showed that key policies were not followed properly. The website which held the trainees’ information wasn’t secure and we failed to pick this up.
“We didn’t manage the risk around
personal information and the appropriate risk assessment
wasn’t completed before the application form went
“Our response to this report will ensure we learn from this experience and that robust processes will always be followed.
“I have taken immediate action to implement improvements to our security systems. A follow-up plan to action all the remaining recommendations is in place.
“In the period immediately after the breach the
Ministry tested all its externally facing websites to ensure
no other privacy breaches can occur.
“Security testing will be mandatory on all our technical systems holding personal information. No system will go live without this testing to ensure personal information is secure.
“Next steps include making sure all our systems that hold, or have the potential to hold, personal information are signed-off at senior level. We will ensure all appropriate assessment and testing is undertaken so personal information is secure.
“The role of Privacy Officer will be moved to the legal team and we’ll ensure all new projects with privacy implications are appropriately managed through all stages of the project.
“We are continuing to work with those who were affected by the breach and again I extend my sincere apologies to all of them for what happened. Their personal information should never have been available online.
“A total of 309 trainees were affected by the privacy breach. Some 287 cases are closed and 22 remain open and we are working to close all the remaining cases as soon as possible.
“My thanks go to staff in the Department of Internal Affairs, the New Zealand Transport Agency and Immigration New Zealand who assisted us in managing the responses. The New Zealand Police also provided security advice to some of the trainees. Many other public sector organisations have also supported us during the aftermath of the breach.
“My thanks also to Doug Craig, a Director of RDC Group, for his comprehensive review of the privacy breach and for outlining what went wrong and what we can do to see the right steps are taken to ensure this doesn’t happen again,” Bernadette Cavanagh said.
A copy of the full report and the Ministry response is available on the Manatū Taonga Ministry for Culture and Heritage website.