Shining the light on the Callaghan Due Diligence reports on Manaaki.  Allegation number 2.
A guest blog from my husband and co-crusader in our quest for justice for Manaaki and We Are Indigo.

A few weeks ago, I started picking over the the Due Diligence Reports on We Are Indigo/Manaaki. 

A quick recap – these reports were commissioned by Callaghan Innovation to support an RFP process.  They were written by a contracted private investigator John Borland, who had what appears to be an undisclosed conflicts of interest.  These reports were deliberately distributed to a number of government departments and agencies.  Since then, redacted reports of the summaries have been widely distributed, including from an anonymous Gmail address. 

This is in breach of the expectation of the confidentiality clauses in the procurement agreements.  There is a confidentiality carve-out in the RFP documentation allowing for some matters to be shared.  This is applicable to the gathering of information and does not cover widespread sharing of information such as has happened.  My reading of the clauses leave me in no doubt that confidentiality breaches have occurred.  A number of lawyers have concurred with this view in verbal advice.

The allegations in the redacted summaries are truly shocking, if they are true.  In the previous blog I dealt with the first allegation of attempted misappropriation of government funds.

I now look at the second major allegation.  A data breach.

Allegation: Potential Privacy Breach: Witnesses and additionally the Respondent have provided information that supports a potential privacy breach occurred which includes a potential notifiable contravention of the Privacy Act 2020. This is due to providing accidental access to someone’s personal information and then failing to acknowledge/report the breach.

Let us look at the background. 

Chooice (the company where the alleged data breach occurred) was at that stage a joint venture between Ms Colcord and We Are Indigo, aimed at providing an online distribution platform to micro-businesses.  It had experienced extremely rapid growth, with a strong uptake amongst Māori and Pasifika businesses.  It was well understood that the platform was not robust, and Chooice and We Are Indigo were trying to raise investment to address this and other issues.

There were three instances of store owners’ drivers licence IDs being exposed on the Chooice platform.  One of the team working on Chooice identified the data breach and a call was made by Chooice staff to shut the Chooice platform down temporarily.  After review of the cause of the problems, what had been exposed and the risk of further exposure, the Chooice team reinstated the platform.

The Respondent (MACFIE) attempts to override the instruction from the witness, failing to accept a notifiable breach had occurred, then instructs staff to turn the website back on despite no remedy occurring to the breach issue.

The morning after the website was taken down, Pat MacFie asked for the website to be reinstated.   Chooice’s staff had already reinstated the website.  The communication trails seem to make this clear.  They also make clear the cause of the problems.  One can assume the staff were confident that any issues could be managed.  So MacFie’s instruction was ancillary to the actions already being undertaken, as the staff had already reinstated the website. 

The allegations appear to me to be inflammatory, misleading and incorrect on many levels.  They are contradicted in the evidence given in the reports and this evidence is not commented on in John Borland’s write up as it should have been.

John Borland states:

In my professional opinion, consideration should be given on whether this potential breach should be escalated to the Privacy Commissioner.

My understanding is a privacy breach is reportable if it has caused or is likely to cause serious harm to an individual.  There is a requirement to notify the individuals concerned and this was done.  Privacy Breach reporting requirements.

In this case – and I do not have access to all the people and facts – it seems hard to make the leap to serious harm.  And as stated, the 3 individuals were advised. 

It is unclear if reporting the breach was required and if so who’s responsibility was it?  Hindsight review suggests it was not reportable.  Yet the headline statement in the allegation is “a potential notifiable contravention of the Privacy Act 2020”.  

Is John Borland’s interpretation of the breach overreach?  Does he have specific expertise?  Is his pronouncement unprofessional?  My answer to these questions, based on the facts presented, is Yes No Yes.

As I shine a light on each of the allegations in these reports in turn over the next few weeks, will I find each to be equally flakey?  So far it’s two out of two…

1. The allegation of misappropriation of government funds appears to be a dispute over an unpaid invoice, which was subsequently paid.
2. The allegation (discussed above) of an inappropriately managed data breach, (it is agreed the data breach happened) appears to be a minor breach, in which the three parties affected were notified, and no harm was caused.  The breach was not notifiable.  The allegations of Pat MacFie inappropriately instructing the techies to reinstate the Chooice site is irrelevant, as the site had already been reinstated by Chooice staff.  Many of the allegations against Pat MacFie are contradicted by the evidence provided.

And may I remind you that We Are Indigo has never seen the full reports, only the redacted versions now being widely circulated.  As such they have been denied the opportunity to fully respond.  What comment they have made in response has not been incorporated in the reports.  Natural justice has been denied.

The reports were prepared by what appears to be a conflicted investigator, who did not declare his prior knowledge.  EY were engaged to review the due diligence process, but the scope was set to exclude conflicts of interest and report content.  They did NOT, as some are claiming, “independently validate and verify” the findings or conclusions of the report.  EY stated that We Are Indigo should be given the opportunity to respond.

There are so many question marks over these reports and their conclusions.  Are they fair and accurate?  Sometimes when something seems so unbelievable, it’s because it is simply not true.

Callaghan – You are the only ones who can fix this.

Admit that the investigator was conflicted.

State unequivocally that the due diligence reports, commissioned under the confidentiality of a government procurement process, should never have been shared around.

Make it clear that you are upset and angry (are you?) at the way the reports continue to be leaked.

Clarify that the EY review was NOT a review of due diligence findings or of the conflicts of interest.

Officially withdraw the due diligence reports, and maybe even apologise for the harm they have caused.