Office of the Privacy Commissioner | Case Note 202115 [2009] NZPrivCmr 18: Man complains about estranged family member unlawfully accessing IRD file
A man became estranged from his sister and, ultimately, found himself in a financial dispute with her. The sister worked for IRD. During the financial dispute, it became apparent to the man that his sister was accessing his IRD files. The man told IRD of his concerns and IRD agreed to investigate them.
Some time later, the man's concerns were confirmed and he again brought this to IRD's attention. The man made a complaint to us about the fact that IRD had let his sister access his files even though he had warned them that he thought there was a risk of this happening.
Principle 5 of the Privacy Act
Principle 5 of the Act provides that agencies must protect personal information by safeguards that are reasonable in the circumstances. In particular, an agency must ensure that the personal information it holds is protected, by reasonable security safeguards, from unauthorised access or disclosure.
Importantly, however, principle 5 is not primarily concerned with individual instances of unauthorised access. Rather it focuses upon the overall systems in place to prevent such occurrences and whether these are reasonable in the circumstances. This is because no system can be foolproof. Agencies can put in place significant safeguards but one-off incidents can and do still occur, whether due to human error or deliberate intent.
IRD advised us that it has a stringent code of conduct designed to ensure that staff are aware that they may not access personal information relating to family members, friends or acquaintances. Any breach of this code was considered by IRD to be serious misconduct.
IRD also advised us that it took action in relation to the man's specific concerns but found that, at the time he initially raised them, there was no evidence of unauthorised access. IRD made the decision that it was not necessary to restrict access to the man's files at that time. IRD commented to us that, with a staff of over 5,000, it must rely to some degree on the integrity of its employees.
After the man raised his concerns again at a later date, IRD conducted a further investigation, found that the sister had accessed his files and therefore breached the code of conduct, and took disciplinary action against her.
I formed the opinion that the general security safeguards IRD had in place were reasonable in the circumstances. This was a case in which a staff member, who was well aware of her obligations under the Privacy Act, decided to breach those obligations and IRD's code of conduct. I was therefore satisfied that IRD had not breached principle 5 of the Act.
However, I felt that IRD could have handled the man's concerns in a better way. IRD did not inform the man of the outcome of its investigation into the incident and, as a result, the man felt that his complaint was not taken seriously and that his information remained at risk. I conveyed my view to IRD and it agreed to fully restrict access to the man's files, apologise to him for the incident, and provide him with a summary of what had been done about it. I thought that these were positive steps for IRD to take and I closed my file.
October 2009
Security of personal information - IRD - unauthorised access to files by family member - general security safeguards reasonable in the circumstances - Privacy Act 1993, principle 5