The deeper question is whether, as Curran suggests, the failure had anything to do with the low "national spend on educating, training, and developing skilled technical personnel."
I suggest not; if the technical personnel had been adequately briefed, they would have disabled email-to-email attach or autocomplete or -- maybe a radical suggestion -- implemented encryption of sensitive data if it was really necessary to send it by email. It's well-known technology; even home computer users can set up basic public-key encryption.
A public-key infrastructure is not difficult to maintain. It ensures that email goes to the right person, comes from the right person and has not been corrupted on the way. SEEmail (Secure Electronic Environment Mail) was designed with these objectives in mind, as the first priority of the State Services Commission's e-government unit back in the early years of this century.
Development of private intranets and extranets should have, in any case, made sending sensitive data by email an unnecessary practice.
The failure to specify such precautions comes from higher up in the chain of development, with a lack of appreciation of adequate security precautions among managers and business analysts.
InternetNZ's Susan Chalmers is closer to the true cause than Curran when she says privacy in computer systems should be designed in, not tacked on as an afterthought. The necessity to "put it right" post-facto is an embarrassment and hits public confidence. Now that we are getting some measure of all-of-government action in ICT, would the drafting of a set of standard security tools and insistence on, or at least strong recommendation of, their use by all government-associated organisations be that radical a suggestion?