NZ Health's poor data back-end safeguards flagged

Its third-party service providers cannot assure compliance with their data sharing contracts, the Public Service Commission also noted.
By Adam Ang
06:49 PM

Photo: Gorodenkoff Productions/Getty Images

New Zealand's Ministry of Health and Te Whatu Ora were found to have insufficient back-end protection of sensitive information shared with third-party service providers. 

The agencies were recently probed for alleged misuse of personal health information related to COVID-19 vaccination by service providers, Te Pou Matakana and Whānau Tahi. 

While their data sharing agreements (DSA) included the necessary protections and safeguards of the Privacy Act 2020 and Health Information Privacy Code 2020, there were "some significant gaps" in them, noted the Public Service Commission in its 73-page inquiry. 

"The agencies did not implement a systematic means for assuring themselves that the relevant service providers were meeting those DSA expectations."

According to the inquiry published in February, validation checks were only applied to the quality of data shared with service providers and not to their underlying systems and controls for receiving, storing, using, and disposing of data. There were also no controls over the CSV files the providers received from the government agencies.

"This lack of back-end controls is concerning," the commission exclaimed.

The commission sees Te Whatu Ora's DSA framework as generally relying on "high trust and commercial incentives," which it does not consider adequate back-end safeguards.

Moreover, Te Whatu Ora did not receive satisfactory assurance of compliance with the DSA terms from Te Pou Matakana and Whānau Tahi, which meant no one could reach a conclusion on the effectiveness of either the government agencies' safeguards or the institutional arrangements regarding personal health information related to COVID-19 vaccination.

Te Whatu Ora has since informed the commission that it will revise its standard DSA terms, including adding audit, retention and disposal provisions and developing an appropriate assurance framework for monitoring the use of personal information shared with external parties.

THE LARGER CONTEXT 

New Zealand started its COVID-19 vaccination programme in February 2021. Later, to raise vaccination rates, the former District Health Boards contracted providers to deliver COVID-19 vaccination and other related services. 

Prime Minister Christopher Luxon ordered the inquiry in June to look into allegations of improper use by service providers of information related to COVID-19 vaccination. The inquiry was also concerned with the same issue in the 2023 Census. Besides the Ministry of Health and Te Whatu Ora, the investigation also focused on Te Puni Kōkiri, Statistics New Zealand, Oranga Tamariki and the Ministry of Social Development.

"The inquiry found some agencies fell short on their responsibility to protect and manage the sharing of personal information, which is unacceptable," said Public Service Commissioner Brian Roche. 

The public agencies were all ordered to temporarily suspend contract renewals and extensions, and to stop entering into new contracts with the service providers named in the report, until contracts with them could satisfy the Public Service Commission. They were also directed to implement updated information sharing standards by July.

"While we don’t know if personal information was improperly used, the gate was left open. It will be for other authorities, with the appropriate regulatory and investigative tools, to determine whether personal data was misused," Commissioner Roche said. 

In 2021, the Ministry of Health released the Data and Information Strategy for Health and Disability and a corresponding two-year action plan to improve the collection, management, use, and sharing of health data. It involved the creation of a health data sharing and accessibility framework and equity measures for data standards. 

Recently, New Zealand's largest trade union, the Public Service Association, warned of heightened IT breach risks following the government's move to cut data and digital jobs across Te Whatu Ora. It asked the Privacy Commissioner to investigate the planned job dismissals, which the union said could "result in legacy issues remaining unaddressed and deteriorating," potentially leading to application failures and unplanned outages.
