In 2008 a staff member from a government department dropped a file in an Auckland street. The file contained a list with personal information about a large number of individuals.
The information was subsequently passed to media outlets.
The department followed the Privacy Breach Notification Guidelines in responding to the incident. They informed the Privacy Commissioner's Office and all individuals affected about what had happened. Some of those individuals then complained to the Privacy Commissioner.
The complaint raised issues under Principle 5 of the Privacy Act.
Principle 5 - security safeguards
Principle 5 provides that:
An agency that holds personal information shall ensure -
(a) that the information is protected, by such security safeguards as it is reasonable in the circumstances to take, against -
(i) loss; and
(ii) access, use, modification, or disclosure, except with the authority of the agency that holds the information; and
(iii) other misuse; and
(b) that if it is necessary for the information to be given to a person in connection with the provision of a service to the agency, everything reasonably within the power of the agency is done to prevent unauthorised use or unauthorised disclosure of the information.
In considering whether a security safeguard is reasonable, the kinds of matters we take into account include:
the steps and/or policies in place to guard against a breach of principle 5;
whether those steps and/or policies have been followed;
training provided to staff; and
the sensitivity of the information.
Here, we formed the view that the loss of the file was a breach of principle 5, and the department accepted this.
Generally, in order to find an interference with privacy, there must not only be a breach of a privacy principle, but also some harm, loss or detriment.
Harm can include significant humiliation, loss of dignity or injury to the feelings of the individual.
Here, the department acted promptly to mitigate the harm to individuals arising from the breach. They followed the Privacy Breach Notification Guidelines in order to minimise the impact of the incident. The steps taken included:
getting the original file and copies back, with the assistance of the police;
seeking and receiving legal undertakings from media outlets that the information would not be published or disclosed;
notifying the Privacy Commissioner's Office and seeking advice;
notifying all affected individuals; and
investigating and taking steps to reduce the likelihood of the situation reoccurring.
Because it took these steps, the department managed to contain the disclosure. The file was promptly recovered and was not widely circulated before recovery. The incident had the potential to cause harm to the individuals, but the steps taken meant they suffered no harm as a result of the incident.
Although the department breached principle 5, there was no interference with privacy because the individuals did not suffer any harm. We informed the individuals of our conclusions and closed our file.
View the Privacy Breach Notification Guidelines. These are also available by contacting the Privacy Commissioner's Office.
Security of personal information - government department - file lost on street - personal information passed to media - privacy breach notification guidelines followed - no harm suffered - Privacy Act 1993, principle 5, section 66