- Date published:
11:36 am, April 7th, 2017 - 16 comments
Categories: Abuse of power, human rights, law, national, Spying, useless - Tags: data, fail, incompetence, msd, privacy, social investment, surveillance
Very much in the news at the moment, but the best piece on the government’s plans for our privacy is by Shane Cowlishaw Newsroom:
Backdown unlikely after big data report
A damning report from the Privacy Commissioner has raised serious concerns about MSD’s demands for client data. What will it mean for the Government’s wider social investment approach?
Among the hundreds of submissions to the Privacy Commission’s inquiry into data collection, one comment summed up the public concern more than others.
“If MSD knows my budget is so tight, will they take my children off me?”
It illustrates the fear behind the questions people are asking; why does the Government want my personal information and what will it do with it?
An increase in the collection of highly confidential data about social service users is at the centre of National’s social investment approach.
It wants to use new technology to crunch the information down, so it can target money at the regions, and groups of people, that need it most.
The Ministry of Social Development is leading the charge, introducing a policy that requires more than 2300 NGOs it funds to hand over their clients’ data in order to receive funding.
The information is detailed, consisting of name, address, gender, date of birth, ethnicity, iwi, plus details of any dependents.
Many organisations who deal with New Zealand’s most vulnerable people felt uncomfortable with the policy. Their complaints to Privacy Commissioner John Edwards led to him launching an investigation, and the result is not flattering to the Government.
What does the report say?
Edward’s report identifies a litany of problems with MSD’s approach.
It says there appeared to have been little or no analysis of the impact of the policy or possible unintended consequences. …
Read on in the original for plenty more. Here’s one standout:
Security of the information and MSD’s ability to protect it was also a concern for Edwards.
In talking to MSD for the review and analysing documents provided to the Minister, he discovered MSD had stated it was working on a Privacy Impact Assessment to identify risks, alongside a separate Security Risk Assessment.
Neither of these was completed.
We can trust the MSD to get it right anyway, can’t we? Sorry – couldn’t keep a straight face there. With impeccable timing:
Tolley furious at Ministry for Social Development privacy breach, hints at job losses
Social Development Minister Anne Tolley says she is furious about a privacy breach at her ministry and has hinted jobs could be lost as a result of the blunder.
The breach is deeply embarrassing as it comes at a time when Government is trying to persuade non-government organisations (NGOs) to share detailed, sensitive information about their clients.
It also gives fresh ammunition for Opposition parties to attack National’s much-vaunted social investment approach, which depends on greater information-sharing among agencies. …
Lets give these clowns more data shall we? Gordon Campbell follows up:
Gordon Campbell on the MSD’s privacy problems
As Anne Tolley, the Minister of Social Development told RNZ this morning there will now be some delay in implementing this policy – a few months, maybe longer – until MSD can devise a data storage and handling system that can keep the information safer than it is capable of doing now. Agencies that deal with victims of sexual violence will be exempted for a year from this demand for compliance.
This fiasco has been a perfect example of a bad policy, terribly executed – on a rushed timetable that appears to have been driven by an MSD desire to cut costs in the contracts due for renewal, mid year. Obviously, the real priority should be the people at risk. Yet this policy is likely to deter them from seeking help because (a) MSD has proven time and again, that it can’t keep confidential information safe and (b) the information they provide to an NGO may return to bite them if government chooses to use it against them by altering the terms of their access to assistance.
Such fears are well grounded. (Evidence has emerged this week of two recent privacy disclosure lapses by MSD.)
More to the point, Tolley has hinted that the compulsory-acquired data will be used against the clients of the NGOs in question… To RNZ, she talked about how this allegedly anonymised data will be used for “coverage” purposes, to detect if some people are accessing more than one agency – as if this was something that should be deterred in future. Nothing is more likely to destroy the relationship of trust between an NGO and its clients than a policy that forces the NGO to rat on its clients in this fashion. …
I/S at No Right Turn is, as usual, pretty blunt:
An unnecessary intrusion
Reading through the [Privacy Commissioner’s] full report, they find that it is not clear that universal collection meets the necessity test of privacy principle 1, and that unclear purposes for collection threaten serious problems for both agencies and WINZ around informed consent, accuracy, and future use. From the policy development trail they give, its clear that WINZ has no real idea what they want to use this for (except maybe budget cuts) or who they will share it with, and seems to regard big data as magic: if they collect everything and throw it in a pile, then somehow policy solutions will magically emerge. Its also clear that they don’t give a shit about the privacy of their victims: they never completed a privacy impact assessment of the policy, and still haven’t, despite serious concerns being raised.
Given the serious problems identified by the Privacy Commissioner, this is not a policy that should continue. WINZ needs to end it, now. If they want proper data to enhance their policies, they should go back to the drawing board and find some way to get it legally and without deterring people from accessing services, rather than creeping on people with intrusive data surveillance.
So all up, a perfect cocktail of over-reach and incompetence. National needs to actually listen to the people for a change, and bin this mess right now.
Kinda feels to me like a fundamentally good idea of Bill English, which Anne Tolley and MSD have proceeded to balls up completely.
Bill English is incapable of a fundamentally good idea. That’s why he’s a Nat PM.
The rest you got right.
More compassionate conservatism, they want to know all your dirt. Then use it against you.
Let’s see how you like it MSD-GCSB
Very entertaining half hour yesterday morning listening to MSD’s “data guy” getting taken to pieces on Nat Radio
The “you know” count got higher and higher as the interview went on….
This policy is only for poor people. Richer people can buy the same services but their identifiable data won’t be collected and shared.
They’re starting with Welfare because poor people are an easy target, but they’re also doing this in Health and it will affect everyone. In Health it’s being presented as this great new way to manage medicine, but it’s all part of the corporatisation of the management of National Inc’s stock units (that’s us).
The information gathered on all clients has to go to MSD. Including the childless working clients who receive NO government subsidies. That belies the reason for the info gathering – “the exercise is to keep the children of NZ safe”. Does Tolley really believe all budget clients are wife beaters / child molesters ?
It’s a shame, the idea of targeting assistance to those most in need of it is great. Should the Govt give up on the whole idea because of some human error by MSD beaurocrats or data enterers? It’s easy to attack a Minister I know – maybe every new Govt should sack all the staff and get new ones?
Of course at least two guys behind the scenes here worked for the GCSB; the guys implementing it.
Funnily enough…. at least one is a fake leftist with friends at Netsafe. They love to slam Assange and Co…. lol.
Looks like the truth is outing.
I think the National Party Policy aims in this are very clear. It was never about getting data to more effectively fund NGOs. It was all about finding a reason to cut the funding of those NGOs by lowering the number of people who will seek their help so that they can claim that poverty is down. The number of people seeking help from the NGOs is making them look bad, so as per National Party Policy, rather than fix the problem they simply find a way to make the numbers vanish without the need for a real fix.
I disagree with the policy on the basis that more government involvement is always worse.
But….couldn’t you just get a bot that can draw logical conclusions about people based on the information that the government already collects and already has the ability and permission to share?
In a way Yes. This sort of statistical trend analysis is now commonly used in government and NGO institutes in the states, for example.
The Data Mining side aims more for “predictive analytics”. Good prediction means good mining, and needs more details to feed the algorithm.
That has to be balanced with ethics, including privacy. the grey point is where too many details make a person identifiable. Unfortunately, good prediction sometimes requires enough details to be partially identifiable, at least.
Besides, the big picture would and should include good privacy protection in the dataset management systems – both technical, such as hard disk encryption, restrictive access privileges, etc; and design and policy, such as transforming data to separate out risky parts (like a full name and exact birth date) from the statistical details (such as ethnicity and general age), and how submissions are handled so opportunities for accidental breach like what happened, can never happen to begin with.
But data mining has more issues:
Algorithms have their limits, and different algorithms work better for different types of datasets and situations.
The mining process also requires “sanitising” the data, which if not done well will mislead the algorithm.
The best data mining – or really, data analysts – know how to interpret the results and if the algorithm is being useful or silly. This is actually the most important quality in Data Mining.
Aside, from the articles read on Govt’s “Big Data” Utopia, they don’t actually understand what Big Data actually is (no surprise), and even if they lack a hidden agenda, the belligerent way of going about it is harmful.
My own hope is that their stupidity doesn’t turn the real Big Data into a grand-demon, in the mind of the Public. I don’t want the brain drain to get worse.
How likely is the privacy breach is a symptom of poor IT policy and bureaucracy?
The breach was the visibility of one provider’s private folder to another provider. That’s a privileges / restriction issue – as if all providers were using the same user account.
Similar breaches have occurred before (WINZ), and appear to have the same / similar underlying cause.
As someone with experience in software construction, admin and IT Policy development, I’m surprised simple policy and admin requirements such as privilege control haven’t been set properly.
I’m curious as to what IT Professionals the ministry is hiring – but also, and more so, what conditions and project milestones they have to work to, and what planning, testing and review processes goes into the project lifecycles. Or lack of.
Ministerial or Executive influence (or domination) of the project management likely has a part to play.
As some in the industry could say: “The customer only ever provides the problem. We provide the professional solution, and they stay out of our way.”
It will happen here, and the more information one single agency holds the bigger target they paint on themselves.
The comments above echo my own musings.
Interesting article over at Werewolf: