Health NZ reportedly planning to cut nearly half of Data and Digital Directorate
The Public Service Association (PSA) is requesting the Privacy Commissioner to look into potential risks from Health NZ's plan to lay off nearly half of its IT staff.
It was reported in December that Health NZ has plans to cut 47% of roles in its Data and Digital Directorate, resulting in the loss of 1,120 roles, including vacancies.
The directorate is responsible for the storage and maintenance of patient records, health information, as well as highly sensitive personal information.
In its letter to the Privacy Commissioner, PSA Acting National Secretary Fleur Fitzsimons said they are concerned that Health NZ's cuts do not consider the importance of the work performed by the affected employees.
"We urge you to use your power under section 17 of the Privacy Act 2020 (the Act) to conduct an urgent investigation into these proposed cuts due to the dangerous impact they will have on the security and privacy of patient health information," Fitzsimons said in the letter.
"We consider that the proposed cuts at HNZ will significantly impact privacy and need to be examined in detail by you," Fitzsimons told the commissioner.
Section 17(1)(g) of the Privacy Act 2020 grants the Privacy Commissioner the power to inquire into any law, practice, or procedure if it appears to infringe the privacy of individuals.
Health NZ's plan to cut nearly half of its IT staff is part of its measures to save $100 million, according to the PSA.
It comes despite the risk of emerging cyber threats in New Zealand. Data from Cert NZ revealed that the National Cyber Security Centre responded to 1,905 incident reports from individuals, businesses, and organisations from all over Aotearoa in the third quarter of 2024.
Incidents of phishing and credential harvesting increased by 70% to 823 in the third quarter, and are one of the most commonly reported categories of cyber security incidents.
In Health NZ's case, one of the most recent cyber security incidents was recorded in Waikato DHB in May 2021, which led to a "set of data" being copied outside of the district health board's IT environment and later disclosed by a third party on the dark web.
According to the agency, it was a ransomware event where malicious software was used to "lock-up" Waikato DHB's data and interrupt the function of its digital systems.
The PSA said this incident showed that the risk of a cyber security breach is "very real."
"The government should be investing in IT upgrades and more, not fewer staff to better protect sensitive patient records and ensure the benefits of centralising computer systems under the health restructure are realised," Fitzsimons said.
