Tuia 250 Voyage Trainee Privacy Breach – Independent Review Finalised
Manatū Taonga has received the independent review into the Tuia 250 trainee privacy breach and fully accepts all the
report’s recommendations, Chief Executive Manatū Taonga Ministry for Culture and Heritage Bernadette Cavanagh said
“It’s clear that this privacy breach should never have happened, and I take full responsibility. I’m truly sorry for the
harm caused to all the applicants,” Bernadette Cavanagh said.
“Everyone has a right to trust that information they share with us is managed well and kept secure. The review showed
that there was a flaw in our security systems which resulted in the privacy breach.
“The review also showed that key policies were not followed properly. The website which held the trainees’ information
wasn’t secure and we failed to pick this up.
“We didn’t manage the risk around personal information and the appropriate risk assessment wasn’t completed before the
application form went live.
“Our response to this report will ensure we learn from this experience and that robust processes will always be
“I have taken immediate action to implement improvements to our security systems. A follow-up plan to action all the
remaining recommendations is in place.
“In the period immediately after the breach the Ministry tested all its externally facing websites to ensure no other
privacy breaches can occur.
“Security testing will be mandatory on all our technical systems holding personal information. No system will go live
without this testing to ensure personal information is secure.
“Next steps include making sure all our systems that hold, or have the potential to hold, personal information are
signed-off at senior level. We will ensure all appropriate assessment and testing is undertaken so personal information
“The role of Privacy Officer will be moved to the legal team and we’ll ensure all new projects with privacy implications
are appropriately managed through all stages of the project.
“We are continuing to work with those who were affected by the breach and again I extend my sincere apologies to all of
them for what happened. Their personal information should never have been available online.
“A total of 309 trainees were affected by the privacy breach. Some 287 cases are closed and 22 remain open and we are
working to close all the remaining cases as soon as possible.
“My thanks go to staff in the Department of Internal Affairs, the New Zealand Transport Agency and Immigration New
Zealand who assisted us in managing the responses. The New Zealand Police also provided security advice to some of the
trainees. Many other public sector organisations have also supported us during the aftermath of the breach.
“My thanks also to Doug Craig, a Director of RDC Group, for his comprehensive review of the privacy breach and for
outlining what went wrong and what we can do to see the right steps are taken to ensure this doesn’t happen again,”
Bernadette Cavanagh said.
A copy of the full report and the Ministry response
is available on the Manatū Taonga Ministry for Culture and Heritage website.