IT changes jeopardised Parliamentary privilege

Major changes to Parliament’s IT systems contributed to intrusions on Parliamentary privilege during an investigation into the leak of a sensitive report into illegal surveillance by New Zealand security agency GCSB.

The report, detailing illegal surveillance of New Zealand nationals and permanent residents including Mega Upload founder Kim Dotcom, was leaked to Dominion Post journalist Andrea Vance and published in April ahead of its official release by the Prime Minister.

An enquiry into that leak, led by former Inland Revenue Commissioner David Henry, was provided with the metadata and content of communications between Parliamentary staff, MP Peter Dunne and journalist Vance, in potential breach of Parliamentary privilege and posing a threat to freedom of the press on the Parliamentary compound.

In an interim report (pdf) into the release of that data, Parliament’s Privileges Committee yesterday noted that before 2009, IT support for ministers was provided through the Department of Internal Affairs, and for other members of Parliament through the Parliamentary Service.

“This arrangement ensured a clear delineation between the Executive and Parliament as two, very distinct, constitutional branches," it says.

However, separate IT arrangements posed practical problems. There were difficulties in ensuring that the respective IT systems aligned to support the ability of members and Ministers to carry out their roles effectively.

When members became Ministers or ceased being Ministers, the process for changing systems was also time-consuming and cumbersome.

In 2009, responsibility for IT support for all members, including Ministers, was shifted to the Parliamentary Service.

“While we accept this transition has had practical benefit, in our view ease of service provision must be a secondary consideration to security of parliamentary proceedings, and appropriate service delivery to Parliament and parliamentarians,”

“Those who provide services to both the Parliament and the Executive must remain cognisant of the constitutional differences between the two, and what this means for their service delivery on any particular occasion.

“We are very concerned that little thought seems to have gone into how such relationships should affect requests for information, and where ownership (and therefore authority) over such information rests.”

The interim report says Parliamentary Service holds a large amount of data and information relating to individuals on the precinct. Since the IT changes in 2009, little analysis seems to have been done on questions of when this data should accessible, and by whom.

Issues identified included failing to involve the Speaker in the process for requesting the data.

“We understand that the Speaker (who, on behalf of the House, exercises control over the Parliamentary precinct so that the House can function properly in its role as a legislature) was not informed of, or asked for direction on, any of the requests, nor was legal or procedural advice sought on the matter,” the report says.

The information provided included the metadata of email traffic between Vance and relevant Ministers, including Dunne, and staff; the content of some of the emails; logs of phone calls made and received on landlines and on mobile phones; and swipe card records.

“For much of the information relating to Mr Dunne and Ms Vance, the consent of the particular individuals involved was not sought. In other cases, consent was sought but not given, but the information was provided to the inquiry regardless,” the report says.

Much of this material was kept on systems maintained and serviced by the Parliamentary Service.

“The fact that no consideration was given to this issue at the outset of the Henry inquiry is of considerable concern to us,” the interim report says.

“We believe that the Speaker should have been involved by the participants, and that members should have been consulted. That such an intrusion has been allowed to occur does not reflect well on the agencies responsible.”

During its enquiries, as reported last month on ZDNet, the Privileges Committee went as far as seeking the opinion of the Clerk of the UK House of Commons on the issues.

Sir Robert Rogers told the committee bulk metadata can be very revealing, in some situations more revealing, than the content of a communication.

“The selective mining and release of such metadata could constitute the processing of personal information of the kind that ought not to be released without a good and lawful reason,” he wrote in his evidence.