Privacy Commissioner Michael Webster says doesn't have "robust systems" in place to protect the personal information it holds. Photo: VNP / Phil Smith
Privacy Commissioner Michael Webster says the children's ministry remains at "high and ongoing risk" of disclosing vulnerable children's highly sensitive information.
He has issued Oranga Tamariki a compliance notice to compel it to do more to fix its deficient training, data sharing and privacy systems.
"Oranga Tamariki currently doesn't have sufficiently robust systems and practices in place to appropriately protect the personal information it holds," he said.
In breaches documented in an investigation report kept under wraps for a year, and only revealed by RNZ in March, several women and whānau suffered actual physical harm including from being attacked, after Oranga Tamariki disclosed information it should not have.
It had let slip addresses and names, for instance.
A series of serious breaches have been notified to the commissioner since 2020 (prior to 2019, OT and other public agencies were not mandated to alert him).
"These incidents have put vulnerable children, parents and caregivers at risk as well as retraumatised victims," Webster said in the [https://www.privacy.org.nz/assets/New-order/News/20250527-Compliance-Notice-Oranga-Tamariki-CN-01_2025a-A1082324.pdf
compliance notice] issued on Monday and announced on Wednesday.
"I consider there is a high and ongoing risk that without taking steps to mitigate the risk, serious privacy breach incidents will continue to occur."
The compliance notice said OT had improved under a fixit plan that did not go far enough, ordering the ministry to take further measures by October, and some by March 2026.
Webster listed ongoing weaknesses around personal information he had identified, including documents and devices being lost, or disposed of loosely, and inadequate access controls.
Staff persisted in having access to personal information they should not have, over a year after an investigation report had warned OT it must clamp down on access.
At that time, even trainees were being allowed into files which they shouldn't have been allowed to access. The investigation report was released to RNZ in March 2025 after months of asking for it.
Not only did the April 2024 investigation state the scale of breaches was impossible to know as OT did not keep proper records of them, but the compliance notice is now once again ordering the ministry to set up a proper privacy breach reporting framework.
The other measures the ministry must undertake by October entail not just strengthening its own systems, but externally, too, with the commissioner ordering stronger contracts with NGO service providers around keeping information secure and disposing of it.
The ministry must begin to audit how it was going, the compliance notice said.
Earlier this month, RNZ reported how the ministry had yet to make a start on half a dozen of the recommendations in the privacy breach April 2024 report, while a dozen others were underway but not complete. Among those not started was the setting up of an induction process so new staff were less likely to breach clients' privacy.
In June 2024, RNZ reported that dozens of analysts at the ministry had access to personal details about at-risk children they should not have.
A key weakness is technology: The ministry's core information IT systems, including its social worker records about thousands of children, are old and weak, but it has continued to struggle to find the resources, expertise and time to replace them.
Webster said the new compliance notice was necessary to "underpin" the improvements OT was making.
The ministry said on Wednesday it continued to work closely with the Office of the Privacy Commissioner on improving how it looked after information.
It elevated the chief privacy officer role higher up among management, and instituted an improvement plan that would be completed in 2026.
"The Privacy Commissioner was involved in the development of that plan. We continue to make good progress on implementing the plan, with several actions already completed or significantly progressed prior to receiving the notice," Acting chief privacy officer Jane Fletcher said in a statement.
It had not had any notifiable privacy breaches in the past 18 months, she added.
A tech upgrade called the Frontline Technology Systems Upgrade would "deliver greater safety, security and privacy".
The ministry said Fletcher was acting in the role while Philip Grady was on secondment at Health New Zealand. The chief privacy officer job was elevated from a tier five to a tier two management role eight months ago as a result of the breaches investigation.
Sign up for Ngā Pitopito Kōrero, a daily newsletter curated by our editors and delivered straight to your inbox every weekday.
