Investigation fails to find leaker of Whaitiri report
Jo Moir, Political Reporter
An investigation has failed to identify who was responsible for leaking to the media a report into former Minister Meka Whaitiri's alleged bullying.
Prime Minister Jacinda Ardern called for an inquiry into the leak of the redacted report by the Department of Internal Affairs, which it was "probable" Ms Whaitiri grabbed and left bruising on her press secretary.
Ms Whaitiri was stripped of her ministerial responsibilities after Ms Ardern lost confidence in her following the altercation with her press secretary at an event in Gisborne in late August.
Deloitte was commissioned to conduct an independent, thorough forensic investigation, into the leak but found no evidence that any Internal Affairs staff were responsible and could not identify any other individual at fault.
The investigation did highlight inadequate security and access controls around information and a deficient redaction process.
"The department has robust information security and management policies in place, but in this instance we fell short of our own standards," Internal Affairs chief executive Paul James said.
We did not maintain adequate security controls over the report.
"We will strengthen staff training and awareness of our robust information management policies. This will include a strong focus on information security practices."
Investigators from Deloitte interviewed a number of department staff and external parties, and conducted a forensic examination of internal files and email systems and part of the inquiry.
The investigation found the press secretary involved in the altercation was left alone with a copy of the draft report for a window of about five minutes but there was no evidence they took any copies of the report or passed on its details to anyone.
It also found Internal Affairs was more focused on "protecting the privacy of DIA staff and addressing the consequences of the report's findings rather than ensuring that the security of the document itself was preserved''.
"Also, rather than saving the document on the secure DIA document management system, it was saved on a shared network drive, on numerous email accounts and on a staff member's personal iPad,'' the investigation revealed.
There were five different versions of the report that was leaked, but only three of them ever went to Internal Affairs.
While Deloitte found no evidence that any Internal Affairs staff member leaked the report to the media, "the level of confidence that we would normally be able to reach around the report's movement within DIA was materially diminished given the process deficiencies we identified,'' the investigation found.