ParentingLegalCrisisDisabilityEthnicChildrenMaoriYouthMenFamilyWomenSexual ViolenceCoordinationCounsellingEducationElder


Privacy Commissioner's report criticises MSD collection of individual client level data

April 07, 2017 at 11:10 AM

*From the New Zealand Family Violence Clearinghouse*

The Privacy Commissioner has published his report examining the Ministry of Social Development's (MSD) requirement for NGOs to provide individual client level data (ICLD).

The Commissioner has criticised MSD's approach as "excessive and inconsistent with the privacy principles," highlighting three major privacy risks:

  • Individuals may choose to stay away from seeking help at all – leading to worse outcomes for individuals and society as a whole
  • Individuals may choose to provide incorrect information in order to preserve their privacy – leading to inaccurate or useless data for analysis
  • NGOs may allow those clients who are reluctant to have their sensitive information given to MSD to access services without providing their personal information – leading to reduced funding and risks to NGOs' long-term viability and the 'invisibility' to the system of a significant cohort of individuals in need of support.

The Commissioner's report is based on an inquiry initiated in January, including a survey of affected NGOs which received 548 responses.

The report states the purpose of collecting individual client level data (ICLD) is unclear and the process was poorly developed. There are four recommendations in the report:

  • MSD should consider alternative methods for accomplishing its goals, such as having the information collated and analysed by Statistics New Zealand.
  • MSD must ensure its information collection practices do not deter vulnerable individuals from receiving necessary help. MSD should consider how it can meet its policy objectives in ways that infringe less on personal privacy and reduce the risk of unintended adverse consequences for New Zealand’s most vulnerable people.
  • MSD must ensure that its purposes for collecting, holding, using and disclosing information are specific, relevant to its functions and clearly conveyed, and the information collected is necessary to achieve these purposes.
  • MSD must ensure that its security procedures for holding, using and disclosing ICLD are robust, well-documented and transparent.


ComVoices welcomed the Privacy Commissioner’s report and endorsed the recommendations. Spokesperson Trevor McGlinchey said:

It is very important the families and individuals seeking support from community service providers can trust that their rights to privacy will not be breached and that no harm or misuse could result in the use of their personal information. This encourages early access to support and allows vulnerable families to grow into independence rather than being forced to hide their problems for fear that this information will be used against them or publicly shared. Earlier, more direct engagement with providers of social services could have prevented the current situation arising.

ComVoices followed up with a further statement about the Minister's response:

While there is some relief that after the failure of MSD’s private data portal, Minister Tolley has put the reporting of clients’ private data on hold for a few months, NGOs are very frustrated with the Minister’s response to the Privacy Commissioner’s report on the collection of individual Client Data. The determination to push ahead with MSD collecting this sensitive data in the face of the Privacy Commissioners Report and the failure of the MSD information portal demonstrate that we should be holding off on implementing this process and a more effective way of demonstrating the value of social services should be developed.

... We are now in the very difficult position of being expected to sign MSD contracts that are out of step with the Privacy Commissioner’s findings. It is difficult to see how we can do this in good faith and we have real concerns about the liability we might be opening ourselves up to.

ComVoices has previously written two Issues Papers and letters to the Ministers setting out their concerns and proposed ways forward.

Privacy breach and IT system shut down

Minister Anne Tolley announced that the IT system for collecting ICLD will be shut down after a potential privacy breach was discovered. Minister Tolley said "The system was shut down last night as a result. To date, 136 providers have been invited to upload client level data into the DIA shared portal, only 10 providers have uploaded information so far. I've asked officials for advice on the next steps which will involve using a different IT platform that will be robustly tested."

Background information

See these previous NZFVC news stories:

Temporary reprieve for sexual violence services on individual client level data

Research project investigates people’s views of data linkage

Consultations on more proposed government agency information sharing

Government continues work on integrated data and "social investment"

Concerns and public meeting on NGOs and provision of individual client level data

ComVoices paper highlights issues with govt requiring individual client level data

MSD to require individual client level data from community agencies

Selected media

Privacy Commissioner has slammed Social Development data collection plans as too intrusive, Stuff, 06.04.2017

Govt funding policy 'excessive', could stop people from seeking help: Privacy Commissioner, NZ Herald, 06.04.2017

Data for funding 'excessive and disproportionate', Radio NZ, 06.04.2017

MSD 'shut down' IT portal over privacy near-miss, Radio NZ, 05.04.2017

MSD in another privacy blunder, Newshub, 05.04.2017

MSD says IT system not up to standard after privacy breaches, Stuff, 05.04.2017

Category: Reports