Electronic Data Safety Bill

  • defeated on 18 March 2015

Member’s Bill

87—1

Explanatory note

General policy statement

Recently, a member of the public was able to download 7 000 documents from the Ministry of Social Development’s (MSD) computer network through the Work and Income self-service kiosks. The documents included sensitive information (such as medical invoices) about children in the care of Child, Youth and Family (CYF), personal information about people receiving benefits, the names of people being investigated for benefit fraud, the name of a person who had committed suicide, and pay rates for individual contractors employed by MSD. Previous breaches in other agencies have highlighted the need for a systematic inquiry into the adequacy of information management systems in all government agencies. Various government agencies hold extremely sensitive personal information and it is absolutely imperative that the public has full confidence in the Government’s ability to manage that information without allowing unauthorised access.

This Bill establishes a Commission of Inquiry into various privacy breaches that have occurred in the past few years by and within various government agencies. The Commission will also examine the agencies’ capacity to respond to breaches in the future and how best to prevent further future unauthorised access to private information.

Clause by clause analysis

Clause 1 is the Title clause.

Clause 2 is the commencement clause. It provides that the Act comes into force on the day after the date on which it receives Royal assent.

Clause 3 is the purpose clause.

Clause 4 is the interpretation clause.

Clause 5 establishes the Electronic Data Safety Commission.

Clause 6 specifies the manner of appointment of the Commission, and the requisite qualifications of its members.

Clause 7 sets out the entitlement to remuneration of members of the Commission.

Clause 8 gives the Commission all the powers of a Commission of Inquiry.

Clause 9 sets out the functions of the Commission.

Clause 10 sets out the reporting requirements of the Commission.

Clause 11 requires the Government to respond to the Commission’s recommendations.

1 Title

This Act is the Electronic Data Safety Act 2012.

2 Commencement

This Act comes into force on the day after the date on which it receives the Royal assent.

3 Purpose

This Act establishes a Special Commission of Inquiry into—

(a) the recent privacy breach that enabled access to the Ministry of Social Development’s computer network through the Work and Income self-service kiosks:

(b) any other similar, significant, and recent breaches involving unauthorised access to the personal information of members of the public held by government agencies:

(c) the capacity of government agencies to manage and hold secure personal information, especially in electronic form:

(d) how significant breaches involving unauthorised access to the personal information of members of the public held by government agencies may in future be avoided:

(e) any other matter that the Commission considers it prudent to inquire into and report on.

4 Interpretation

In this Act, unless the context otherwise requires,—

Commission means the Electronic Data Safety Commission established under this Act

Minister means the Prime Minister.

5 Electronic Data Safety Commission

The Electronic Data Safety Commission is established.

6 Membership of Commission

(1) The Commission consists of up to 3 members, to be appointed, no later than 30 days after the coming into force of this Act, by the Governor-General on the nomination of the Minister.

(2) One member of the Commission must have held a practising certificate as a barrister or solicitor for at least 7 years prior to appointment, and must be nominated and appointed to be the chairperson of the Commission.

(3) In nominating members, the Minister must take into account the need for the Commission to have expertise in—

(a) privacy and information management; and

(b) IT systems security; and

(c) public administration.

(4) Members hold office until the Commission reports to the House of Representatives under section 10.

7 Remuneration of Commission

Members of the Commission are entitled to remuneration and expenses under the Crown Entities Act 2004 as if they were members of a Crown entity.

8 Powers of Commission

Except as provided by this Act, the Commission has all the powers of a Commission of Inquiry established under the Commissions of Inquiry Act 1908, and that Act shall apply, with any necessary modifications, to the proceedings of the Commission.

9 Functions of Commission

The Commission has the purpose of inquiring into and reporting to the House of Representatives on the following matters:

(a) the recent privacy breach that enabled access to the Ministry of Social Development’s computer network through the Work and Income self-service kiosks; and

(b) any other similar, significant, and recent breaches involving unauthorised access to the personal information of members of the public held by government agencies; and

(c) the capacity of government agencies to manage and hold secure personal information, especially in electronic form; and

(d) how significant breaches involving unauthorised access to the personal information of members of the public held by government agencies may in future be avoided; and

(e) any other matter that the Commission considers it prudent to inquire into and report on.

10 Commission to report

The Commission must present a report to the House of Representatives concerning the matters described in section 9 not more than 12 months after its appointment.

11 Government to respond

(1) The Minister must, not more than 30 working days after the report of the Commission has been presented to the House of Representatives, present a report to the House responding to any recommendations of the Commission.

(2) The Minister’s report must contain clear indications in relation to each recommendation of the Commission as to—

(a) whether the recommendation is accepted, in whole or in part, and how the Government intends to implement it, and when; or

(b) whether the recommendation is rejected, and if so, why.