The Chief Executive of the Ministry for Culture and Heritage has commissioned an independent Review of the Ministry’s decisions and processes relating to:
- the circumstances that led to the breach of applicants’ personal information, and
- procurement and management of the Tuia 250 website (https://www.tuia250.nz/) used to receive applications for the Tuia 250 trainee crew programme.
The review will be led by Doug Craig, director of The RDC Group Limited.
The Ministry is leading the Tuia - Encounters 250 national commemoration. This is a programme of events, education and reflection that celebrates Aotearoa New Zealand’s Pacific voyaging heritage and acknowledges the first onshore encounters between Māori and Pākehā in 1769–70.
The Voyage Trainee programme gives New Zealanders the opportunity to sail aboard the vessels in the Tuia 250 Voyage during October to December 2019.
A privacy breach has occurred whereby the personal details of people who applied to the Tuia 250 Voyage trainee crew programme have been compromised. The private data includes images of passports, driver’s licences, birth certificates and other forms of identification stored on the Tuia 250 website.
Objectives of the review
The objectives of the independent review are to:
- build a comprehensive understanding of the situation and cause of the privacy breach
- inform the Ministry to prevent such a situation occurring again.
Matters in scope of this review
The review will make findings about the facts, provide an analysis to determine what caused the breach, identify lessons learned and make recommendations to the Chief Executive on changes and improvements needed to avoid a similar breach in the future.
In particular, the review will investigate:
the governance and management of the Tuia 250 Voyage trainee crew programme, relating to:
- the decision to use an externally built and hosted website to receive applications for trainee crew members
- the management of personal information
- identification and management of risks regarding management of personal information
The procurement process, including:
- analysis of technical requirements
- analysis of potential supplier proposals
- selection of the preferred supplier
- contractual arrangements between the Ministry and the supplier including the brief, agreed technical specifications, and variations to create the online application function
- management of the contract and relationship with the supplier throughout the duration of the work
- The Tuia 250 website (https://www.tuia250.nz/) itself, in particular technical functionality with respect to information security and management of personal information
- The timeline of the breach, including when and how it was identified by the Ministry
- Whether the Ministry adhered to its internal policies and to applicable government policies and good practice guidance.
Matters out of scope of this review
- The governance and management of the wider Tuia 250 programme, to the extent that this can be separated from the governance and management of the trainee crew programme
- The Ministry’s main website or other digital assets
- The response to the privacy breach itself, once the Ministry became aware of it (this will be the subject of a separate debrief)
- Third party actions arising from the breach, such as unauthorised use of personal information
- Conduct or professional performance of individual staff members
Deliverables, timeframes and reporting
The review must be carried out urgently, with an indicative date for the final report of 18 October 2019. The reviewer will give regular oral progress reports to the Chief Executive.
The final review report will be delivered to the Chief Executive. The Chief Executive will provide a copy to the Government Chief Digital Officer, the Government Chief Information Security Officer, and the State Services Commissioner.
The final report will be publicly released by the Ministry as soon as practicable.
Bernadette Cavanagh Date
Updated on 30th August 2019