A Microsoft SharePoint application used by over 30 of the largest government agencies will be at the centre of an independent security review announced by Social Development Minister Anne Tolley yesterday.
The review, into the ministry's use of the government Shared Workspace for a sensitive data collection programme and a subsequent security failure, follows an internal report Tolley described as "disappointing".
"It's extremely disappointing that the report appears to raise more questions than answers on the security of the IT system and the governance of the project," she said.
The Ministry of Social Development decided to use the Department of Internal Affairs' all-of-government Shared Workspace as an interim platform to collect individual client data from external social services providers funded by the government.
MSD said the data was being collected to help government understand who was using such external services and the impact of the programmes.
However, shortly after roll-out, one external provider was able to access another's folder where individually identifiable data was due to be lodged.
No data was in the folder at the time, but the issue was serious enough for the ministry to cancel all external access permissions to the portal.
The independent review will look into the circumstances that led to the privacy failure, the decisions made about why the Shared Workspace was used and security measures taken.
SharePoint can be deployed securely, but this is considered tricky when external parties are included. However, a description on the Department of Internal Affairs' ICT services website appears to describe it as suitable for use with external parties.
"Shared Workspace is a secure, online collaboration tool for government agencies to share information with each other and with their third party project partners."
Each provider was to have their own folder for uploading data but an error with access permissions settings led to the failure.
“We’d set up permissions on who could see what folder, and we found there had been an error in setting up the permissions on a folder, which meant that other providers when they went into the shared workspace could see that particular folder," Galvin said.
That gave the ministry "significant pause for thought", Galvin said. The ministry had to make a call on whether to persist with using that platform, he said.
"On balance and in the interests of security we couldn't in good conscience continue to pursue that platform."
Galvin said the Shared Workspace was always supposed to be an interim solution. The ministry is now working on a permanent replacement.
Seeming to throw further doubt on the decision to use the Shared Workspace, Galvin said the new system will be standalone, not a shared space, so there would be no risk of one provider seeing another's data.
The final terms of the replacement system were still under negotiation, he said, but it would be controlled directly by MSD.
The Department of Internal Affairs is currently using SharePoint 2010 to run the workspace, but is developing a roadmap to upgrade to SharePoint 2016.
A spokesperson said the Shared Workspace would continue to be available to eligible agencies for as long as they consider it meets their needs.
Microsoft referred queries about the issue to the ministry.
The independent review will be led by former Deloitte NZ consultant Murray Jack, supported by private sector IT and privacy specialists. It is due to be completed by the end of the month. The review will also look into the governance and management of the project.
Providers are continuing to collect data to be uploaded into the new IT system, once it is launched.