Deloitte has been commissioned to conduct an independent review of the information systems security at the New Zealand ministry of social development (MSD).
The review comes after a massive privacy breach that meant anyone using the 700 self-service kiosks installed in Work and Income social welfare offices could access confidential and sensitive personal data about the agency's clients.
Murray Jack, Deloitte chairman, will lead the review with a four-person independent steering group to provide oversight.
MSD chief executive Brendan Boyle will also attend and participate in the steering group.
Phase One of the review will be completed within two weeks, and will investigate the circumstances and causes of the kiosk security breach that compromised privacy. It will check the work done to ensure appropriate information security was put in place at the time the kiosk infrastructure and services were designed and built.
Also in the scope of the first phase of the review are checks on the independent security testing done, the MSD's response to it and information provided by third parties reporting security concerns.
A second part of the review will look at the MSD's wider information systems security, focusing on the policies, governance, capability and culture around publicly available systems.
The second phase will also identify any lessons learned and make recommendations to the chief executive of the MSD as to any changes and improvements required for systems security.
Reports from both phases of the review will be made public, according to the terms of reference.