The Ministry of Social Development says it is improving its practices to avoid the privacy breaches in its fraud investigations exposed in a damning report by Privacy Commissioner John Edwards in May.
Questions remain, however, about whether the ministry really understands the importance of privacy and proper processes. It is only a couple of years since Mr Edwards was calling the ministry out on its ill-fated plans to link funding of non-government organisations with the provision of client information.
On that occasion, although the ministry initially consulted the commissioner's office before the policy was introduced, it had never completed a privacy impact assessment to identify any potential privacy risks and mitigations.
This casual approach to privacy was also evident in its attitude to information gathering for fraud investigations. Mr Edwards found the ministry systemically misused its investigatory powers while pursuing benefit fraud, unjustifiably intruding on the privacy of many beneficiaries. Data being gathered included text messages, domestic violence and other police records, banking and billing information and birthing records.
Mr Edwards outlined an instance where an intimate picture which MSD received from a telecommunications company was produced at an interview by ministry investigators who wanted an explanation for it.
The ministry's behaviour in these investigations is supposed to be governed by a code of conduct, and this requires it to first seek information from the beneficiary before going to a third party, unless doing this would prejudice the maintenance of law.
But in 2012, MSD told fraud investigation staff they could bypass going to the beneficiary and instead go direct to third parties. It believed an amendment to the code enabled this blanket approach.
Poor records and inconsistencies between fraud teams meant it was hard for Mr Edwards to tell how many people were affected, but the practice was likely to have affected thousands of beneficiaries. The ministry suggests it involved 2300 "serious high risk fraud investigations".
Thousands of fraud allegations a year are investigated, with most not resulting in a formal finding of fraud.
The ministry said most of the time beneficiaries did not provide the necessary information when asked directly, meaning it had to go to third parties anyway, delaying investigation.
The concerns outlined by Mr Edwards could have been picked up much earlier if MSD had been following the rules which require it to review the code of conduct every three years. It has not reviewed it since 2012.
This month, the ministry released its own independent assessment of its approach to fraud prevention and investigations. It highlighted the need for better and consistent training of investigators across the country and improved policies and procedures.
In May, the ministry stopped seeking information from telecommunications companies and the police pending the review of the code of conduct.
However, it has had a less than enthusiastic approach to seeking out those who might have been affected by its legally questionable and excessive data collection.
Somehow, the possibly thousands of beneficiaries who may have been subjected to unauthorised hoovering up of their personal information are expected to know this has happened and contact the department through its website. Unsurprisingly, it was reported in August that only 61 people had done so.
It is an approach which has rightly been criticised by former MP Sue Moroney, the chief executive of Community Law, which raised the concerns prompting the Privacy Commissioner's inquiry.
She wants the ministry to be much more proactive, contacting people directly, to let them know what happened and how they can seek redress.
If the ministry wants to show it cares and that it is keen to do more than pay lip service to privacy, it should follow her advice.