It would be an understatement to say there are some New Zealanders who don't completely trust our government. There are probably more who have not yet completely overcome their mistrust of ICT.
To experience a privacy failure in government ICT, when more and more government processes and transactions are being consigned to digital channels is to strike powerfully at public confidence. In recent months we have had two accidental releases of public data, from the Earthquake Commission and the Accident Compensation Corporation and one deliberate penetration of a core government agency -- the Ministry of Social Development - albeit only for the purpose of demonstrating the vulnerability.
Though EQC is on the fringe of government, it deals with particularly sensitive transactions.
The naysayers led by John Key who dismiss the matter as trivial and only to be expected from time to time, do not serve public concern well. But neither, really, does a panic reaction like closing all internet and email ports, as EQC did.
A measured response, with admission of the failure, the harm done and the stress caused, and a reassurance that the specific vulnerabilities had been remedied would have served public confidence better. In EQC's case it appears the risk was in the easy autocompletion of a name on an email form; in ACC's the ability to attach an email in its entirety to another email.
You have to ask, though, would the absence of an autocomplete facility or a warning trigger when an email addressee falls outside the expected take too many seconds out of a staffer's day or detract from the organisation's long-term efficiency?
We will have to accept that the files on EQC and ACC emails were sent by accident, and any implication of the recipient taking advantage of the information has been discounted. Nevertheless shortcomings in security open up the chance for irregular practice. Whether a hypothetical internal "mole" involved in any deliberate leak could be called to account before a court is dependent on an interesting hole in the law -- Crimes Act Section 252 subsection 2, which legally absolves an employee entitled to use a computer system lawfully from penalty for any misuse.
The EQC breach has led to an unsavoury Twitter squabble between ICT Minister Amy Adams and Opposition spokesperson Clare Curran. Xero CEO Rod Drury has even weighed in from the sidelines -- to object to Curran's use of his remarks on the need for a government chief technical officer to bolster her (weak) argument that some blame for the EQC breach lies at Adams's door. The surface consideration is which minister or chief executive is responsible for securing the government's computer systems -- Curran implies it's Adams; Adams ducks and points to the Government CIO and Internal Affairs as the responsible 'person' and department for government ICT security.
Sign up for CIO Asia eNewsletters.