I’ve been thinking about all this stuff with MSD’s security (or lack-of-security) breach for the past week or so and one thing has really been bothering me…surely someone at MSD had noticed the problem? There must have been some IT person, some WINZ office receptionist, some guy who took a phone call at the call centre, somewhere in the organisation who spent yesterday going “FFS, finally!” I mean, there were/are some major problems with their IT system as Ira explained yesterday on National Radio. With yesterday’s revelation that MSD were warned about security issues with the WINZ kiosks back in April 2011, it is apparent that someone somewhere certainly did know. There’s been an assumption that management dropped the ball on this and decided, possibly for financial reasons, not to act on the advice of Dimension Data. An assumption that word went up the chain of command and then came back down as an order to do nothing or never came back at all. An assumption that for 18 months everyone covered their own arses and kept schtum. Maybe this is what happened but since the Protected Disclosures Act 2000 (PDA 2000) came into force in 2001, there are supposed to be other avenues for employees. The PDA is for exactly this sort of situation where something is going wrong in an organisation and normal channels are not effective.
The purpose of this Act is to promote the public interest—
- (a) by facilitating the disclosure and investigation of matters of serious wrongdoing in or by an organisation; and
- (b) by protecting employees who, in accordance with this Act, make disclosures of information about serious wrongdoing in or by an organisation. (PDA 2000, s5)
serious wrongdoing includes any serious wrongdoing of any of the following types:
- (a) an unlawful, corrupt, or irregular use of funds or resources of a public sector organisation; or
- (b) an act, omission, or course of conduct that constitutes a serious risk to public health or public safety or the environment; or
- (c) an act, omission, or course of conduct that constitutes a serious risk to the maintenance of law, including the prevention, investigation, and detection of offences and the right to a fair trial; or
- (d) an act, omission, or course of conduct that constitutes an offence; or
- (e) an act, omission, or course of conduct by a public official that is oppressive, improperly discriminatory, or grossly negligent, or that constitutes gross mismanagement,—
whether the wrongdoing occurs before or after the commencement of this Act (PDA 2000, s3)
The serious wrongdoing in this case would be “(e) an act, omission, or course of conduct by a public official that is oppressive, improperly discriminatory, or grossly negligent, or that constitutes gross mismanagement”, as it’s pretty obvious that someone in the MSD has been either grossly negligent or has completely and totally mismanaged this*. With the 2009 amendments to the Act, an employee only needs to believe on “reasonable grounds” that this wrongdoing has taken place. The whole purpose of the PDA was to set up a legal, protected avenue for internal whistleblowing – if you saw something going wrong at your workplace and couldn’t report it through normal channels, or did but nothing happened, then the PDA allows you to make a disclosure outside of these channels without fear of retaliation. Public sector organisations, such as the MSD, are required under the Act to have internal procedures in place. They must also let their employees know that these procedures exist and provide information on how to use them.
So, in an ideal world, a responsible and morally upright employee, recognising that no action was taking place to rectify this security hole, would immediately consult their Protected Disclosures Policy and disclose the information they had on the “serious wrongdoing” to the appropriate person. If no action was forthcoming after 20 days (or the time specified in the procedures), they could then take it up a level within the organisation ultimately informing the Minister herself. If this hypothetical employee and procedure existed, after 18 months all the steps within the procedure should have been exhausted and the Minister or the Ombudsman informed. It is unclear to me whether the PDA would cover Dimension Data as they were under contract but even if it doesn’t, they certainly informed employees of MSD of their findings.
Are we to believe that not one of the people who knew about this hole was at all concerned over the entire 18 month period? I think that unlikely although not impossible (I wish that it were impossible). What seems far more likely is that no one knew about the PDA procedures at all or that they were so convoluted and onerous that the whistleblower simply gave up. (The State Services Commission’s Integrity and Conduct Survey 2010 found that only 35% of all state servants knew about the PDA.) The PDA relies on responsible employees to take the correct action and follow up on that action themselves – if they don’t know it exists or understand how it works in their organisation, they’re not likely to take advantage of it. Moreover, there is no requirement for the public sector to report on internal disclosures made under the PDA within their organisation. There is no requirement to keep records which can be obtained under the Official Information Act (OIA). So basically, we may have no idea if anyone has made a protected disclosure within MSD and no evidence for any action that was or wasn’t taken in response to it. (NB: I will be making an OIA request to see if there are any records.)
If an employee had blown the internal whistle prior to the news breaking, there is either a problem with MSD’s procedures which let it drag on for 18 months or it was blown only recently. Either way, it is not good. The PDA is really designed to allow the State to deal with (cover up) serious wrongdoings within the public sector out of the public eye. This is why it only protects internal whistleblowing and excludes disclosures to the media and opposition MPs. Ministries should really be encouraging their employees to make use of it. If they had, either Paula Bennett would have known of the IT issues or it would have been dealt with before it got that far…and certainly much sooner. Ira would never have found the hole and we would be none the wiser. However, Ministers don’t really want to find these problems and have to deal with what may be a very expensive, vote-losing solution. They would much rather the next Minister, and a different Party, be the ones responsible for any wrongdoing. It is in their political interests to keep quiet, cross their fingers and plead ignorance if and when it comes to light. They must maintain plausible deniability.
So, a bit more public accountability may be in order. If everyone knew about the PDA – and there were requirements for reporting on it within organisations and these reports were obtainable under the OIA – organisations would expect their serious wrongdoings to be found out and so be more likely to deal with them in a timely fashion…and less likely to commit them in the first place. Allowing protected disclosures to the media in certain circumstances may also be in order. This may not have been in the interests of the State back in 2009 when the Act was amended but it certainly seems to be so now. This may be the only way the MSD will ever earn back the trust of the public.
Thanks go to Brit for all the legal background on this, which I have simply applied to this case…I am most certainly a layperson so please let me know if I have misunderstood anything.
* Gross negligence and gross mismanagement are legal standards, but they may well still be met in this case.