New Zealand’s Ministry of Health and Te Whatu Ora recently came under scrutiny for insufficient back-end protection of sensitive information shared with third-party service providers. The agencies were investigated for potential misuse of personal health information related to COVID-19 vaccination by service providers, Te Pou Matakana and Whānau Tahi.
While the data sharing agreements included necessary protections and safeguards, a 73-page inquiry by the Public Service Commission revealed “significant gaps” in the implementation of these measures. The agencies failed to ensure that service providers were meeting the expectations outlined in the agreements, particularly when it came to the back-end systems and controls for handling data.
The lack of validation checks on the underlying systems and controls for receiving, storing, using, and disposing of data raised concerns about the security of the information shared with the service providers. The commission emphasized the importance of implementing robust back-end controls to safeguard sensitive data effectively.
Te Whatu Ora’s reliance on a “high trust and commercial incentives” framework was deemed inadequate by the commission, as it did not provide sufficient assurance of compliance with the data sharing agreements. This lack of oversight raised doubts about the effectiveness of the safeguards in place for personal health information related to COVID-19 vaccination.
In response to the findings, Te Whatu Ora committed to revising its standard data sharing agreement (DSA) terms, including the addition of audit, retention, and disposal provisions. The agency also pledged to develop an assurance framework for monitoring the use of personal information shared with external parties to enhance data security and compliance.
The broader backdrop to the inquiry was the protection of personal information within New Zealand’s COVID-19 vaccination program. Prime Minister Christopher Luxon ordered the investigation to address concerns about improper use of information by service providers, extending the inquiry to other government agencies beyond the Ministry of Health and Te Whatu Ora.
Moving forward, public agencies were directed to suspend contract renewals and extensions with the service providers named in the report until updated information sharing standards were implemented. The aim was to strengthen data protection measures and prevent any potential misuse of personal information.
The Ministry of Health’s Data and Information Strategy for Health and Disability, released in 2021, outlined plans to improve data collection, management, and sharing in the healthcare sector. However, concerns were raised by the Public Service Association about increased IT breach risks following job cuts across Te Whatu Ora, prompting a call for the Privacy Commissioner to investigate the potential impact on data security.
Overall, the inquiry shed light on the importance of robust data protection measures and oversight mechanisms to safeguard personal information in the healthcare sector. By addressing the gaps in back-end controls and enhancing compliance with data sharing agreements, New Zealand aims to strengthen its data security practices and protect the privacy of individuals.