Orange Tamariki (OT) says it always intends to publish a punitive review that found serious privacy violations that caused physical damage to people.
The review was commissioned in 2023, at the insistence of the Privacy Commissioner and was completed in April 2024.
RNZ requested in November, but was released only last week.
The independent review detailed nine instances of violations by placing children and their families in danger, calling these “instant” of the current situation.
He found multiple and serious bad practices at the agency.
“People on the front line are very confusing,” he said.
“They receive messages [law] SECTION 66C, which wants to encourage the broader sharing of information to ensure that we keep people safe and then border with privacy and sulfur on violations.
“They don’t know what to do.”
Oranga Privacy Director Tamariki, Phil Grady, told RNZ on Tuesday: “It was always our intention to publish the review.
“However, several factors, including organizational restructuring in 2024, resulted in a delay in publication of the review.
“It was important to us that, after the release of the report, we were also in a position to give confidence to the public that we already have systems in force to address the discoveries of the report.”
But the Privacy Commissioner said on Monday that the agency had a “considerable amount of work” to improve its privacy practices, and they went beyond the reach of its new privacy improvement plan.
Grady took on the privacy work after the position was high for the leading leadership ranks, although he had no previous privacy role in OT.
He has “extensive experience and understanding of the importance of privacy functions,” according to his own statement.
This function update was among several improvements already completed or “progressed significantly”.
RNZ is looking for a summary of what was done about each of the report’s recommendations.
The ministry is also updating its case management system to provide better data restrictions, audit and tracking, Grady said.
The review found that its existing system had the ability to impose control layers to limit the range of personal data data, but the agency did not activate it.
