28 February 2020

State Services Commissioner Peter Hughes has today announced the findings of an inquiry into how Budget-sensitive material was accessed at the Treasury.

The inquiry, led by Ms Jenn Bestwick, was launched by the Commission at the request of the Treasury after sensitive Budget information was accessed on the Treasury website two days before the 2019 Budget was to be announced on 30 May. Budget-sensitive material was accessed via searches on the Treasury website.

Assembling and publishing the Budget is a core responsibility of the Treasury.

The Commissioner said the Treasury’s failure to keep Budget sensitive information secure was not acceptable.

“This should not have happened,” said Mr Hughes. “Some things are so critical that they can never be allowed to fail. Security of the Budget is one of these.”

The inquiry found:

  • A series of technical decisions led to a design in the Treasury website search function, which allowed access to Budget 2019 information. The design also existed in the 2018 Budget, though there were no security breaches.
  • Governance and oversight at the Treasury’s executive level fell short
  • Risk management processes around Budget 2019 were not good enough
  • Concerns about security risks existed but were not escalated.

Mr Hughes said the Treasury has an excellent reputation as New Zealand's lead advisor to the Government on economic and fiscal policy, with very good people doing their best.

“But sometimes doing your best is not enough,” said Mr Hughes. “Some things you just need to get right. Each and every time. For these you need to check, check and check again and that didn’t happen with security around Budget 2019.

“Senior leadership at the Treasury were rightly focused on the big economic and fiscal issues which are important to New Zealanders and the Government. That is what I expect. But they got the balance wrong. The Treasury’s core business is also delivering the Budget and I’m disappointed the senior leadership were not hands-on enough in that task.

“I am confident the new Secretary of the Treasury will provide the leadership to deliver the necessary changes to ensure this doesn't happen again.”

The Treasury, under new Secretary Dr Caralee McLiesh, has already implemented a number of changes that address many of the issues raised or findings from the inquiry.

Since the incident, Dr McLiesh has: 

  • appointed one of her executive leadership team members to personally oversee the security of the Budget
  • implemented new quality assurance measures around all aspects of the Budget process
  • implemented new security and testing policies
  • steps in place to ensure a replica Budget website will be fully and comprehensively tested prior to Budget day. 

Dr McLiesh said the Budget production process for Budget 2020 is robust and secure, and in line with best practice and the appropriate guidance and standards. 

“The Budget is a core priority of the Treasury and what happened should never happen again,” she said.

“The Treasury accepts all of the inquiry’s findings. When I came into the job last September, the Treasury had already made a number of improvements and we have since initiated a programme of work to improve security processes around the Budget. A lot of the necessary changes identified in the inquiry report have been implemented or are already underway.” 

Ends

Media queries: Grahame Armstrong 021 940 457 or grahame.armstrong@publicservice.govt.nz

 

Related  Content

Report of the Inquiry into the Treasurys Budget Related Information Security Systems(PDF, 792 KB)