Report to the Minister of Justice, Courts and Transport in relation to an inquiry into events surrounding an unauthorised information matching programme operated in mid-1998
Introduction by the Privacy Commissioner
In the New Zealand Herald of 30 July 1998 Aucklanders read of a major mail-out error whereby cards warning people that they had '48 hours' to pay fines or face penalties had been wrongly sent out to up to 4,000 people. The Department for Courts candidly admitted that a different form of data matching had been used and that, while the Department had tried to be 'a little clever', it hadn't worked.(1)
My staff took the matter up with the Department and ascertained that the list of fines defaulters had been matched against personal details on the motor vehicle register. Data problems had been encountered which were not discovered or resolved prior to the mail-out. My office had been unaware that the Department was intending to undertake such data matching and it had not been authorised in the normal way whereby statutory authority would have been obtained with the programme listed as an 'authorised information matching programme' subject to the procedures and safeguards in Part X of the Privacy Act 1993.
The actions of the Department for Courts were of concern to me. The Department was well aware of the processes for evaluating and authorising information matching programmes to be brought under Part X as it had been involved in seeking and obtaining authorisation for matches with both the social security and tax departments. It had been involved in inter-departmental and Cabinet committee processes relating to other matching proposals. The unilateral action in undertaking significant information matching without bringing the programme within Part X represents a major risk to privacy. Had the programme been authorised under Part X it would have been established in such a way that the significant data quality problems would have been discovered and avoided. Nor would it have been possible for notices, which could be described as threatening, to have been dispatched in the way that they were. The match illustrated two typical risks of unconstrained data matching:
technical problems leading to wrong individuals being identified; and
individuals being presumed guilty without having a chance to explain themselves.
Much of this report deals with the roles of agencies other than the Department for Courts. This is not to diminish the Department's role or responsibility. The Department's position was established very early in the piece and it indicated that it had no intention of repeating the match.(2) However, the larger picture only became apparent following further and more involved inquiries. In May 1999 I asked Robert Stevens, an Auckland barrister, to inquire into the matter on my behalf.
In particular, I was interested to know of the role of the Land Transport Safety Authority which maintains the motor vehicle register database on behalf of the Ministry of Transport. As the result of Mr Stevens' preliminary inquiries, he also looked at the role of EDS (New Zealand) Limited which provided computer processing facilities in relation to both the motor vehicle register and the Department for Courts.
The balance of this report consists of Robert Stevens' findings. A draft copy of his report was sent to the Department for Courts, LTSA, Ministry of Transport and EDS in April 2000 with final comments received in June. The comments received were shown to Mr Stevens and his opinion was sought. Mr Stevens considered that his report could stand and I agree. Indeed, a degree of disparity in the responses reinforces some of the concerns expressed in the report about a contractor holding data for one customer which is also used by another customer. It adds weight to the recommendation that the relevant contracts should contain a specific prohibition against amended or enhanced use of an agency's data by or for another agency without the prior signed authorisation of the agency which provides the data to the contractor. A copy of Mr Stevens' more detailed comments on the responses has already been sent to the four agencies.
From the information matching perspective, I am extremely concerned about departments seeking to undertake data matching which has not been authorised through Part X of the Act. It is quite at variance with the Government policy lying behind the establishment of Part X. It makes little sense that Cabinet should authorise some public sector data matching subject to strict controls while officials take it upon themselves to initiate other significant matching totally unregulated by Part X. If public confidence is to be maintained in the fair handling of public sector information and in the responsible use of data matching, it is critical that departments go through the rigorous process of justification and assessment in establishing a programme and that the practice be authorised at the highest level. Officials are sometimes too quick to downplay the technical difficulties of the matching process, overstate the benefits and disregard the effects on individuals. The processes involved in Part X authorised programmes ensure that shortcuts are not taken and that significant public benefits are achieved in an entirely fair manner. It is important that data matching is not seen as proof of anything. It merely establishes information that needs to be followed up before any conclusions are drawn. People should not be presumed guilty on the evidence of a computer match.
There are other important findings in the report. I commend it for careful consideration by you, all players in this particular episode, and other departments who might wish to undertake matching in the future. There are lessons also to be learned about the multiple uses of government databases. Confidence in Government is threatened whenever information is used otherwise than in accordance with good information practices and respect for information privacy.
Privacy is not concerned solely with security - although that was a significant issue in this case - but also with such principles as checking information for accuracy, or to see if it is relevant, up to date and not misleading, before using it.
As a final point, I should say that there may be a sensible case for matching the motor vehicle register against the list of fines defaulters. If there is, the case ought to be assessed in the usual way. Amongst other things, this will look at the cost benefit of doing so given that the Department has had, for several years, authority to undertake matching with data of much higher quality held by DWI and IRD. It would also ensure that all technical aspects are thoroughly gone into to ensure that the resultant discrepancies are more reliable than appeared to have been the case on this occasion.
Mr Stevens offered three recommendations with which I concur and comment as follows.
1. A contract between a public sector agency and data processing contractor contain a specific prohibition upon any amended or enhanced use of that agency's data by or for another agency, without the prior signed authorisation of the agency which provides the data to the contractor. The Privacy Commissioner might endorse that recommendation as a prudent step for an agency in complying with information privacy principle 5(b) and write to privacy officers of public sector agencies accordingly.
Comment: I endorse the recommendations. I will bring the matters uncovered by this inquiry, and the lessons to be learned, to a wider audience including privacy officers. Furthermore I have drawn the report to the attention of the State Services Commission, so that it may influence State agencies entering into outsourcing contracts.
2. The Privacy Commissioner encourage the Ministry of Transport to check its arrangements with LTSA for the handling of personal data by LTSA as agent for the Ministry, and to establish a procedure whereby LTSA must at least inform the Ministry of its plans prior to any change to the uses of the data.
Comment: The recommendation has already been put to the Ministry of Transport and LTSA and this report is being presented to the Minister of Transport. The Secretary for Transport has responded that the Ministry has been working with LTSA since 1998 to put into place administrative procedures to improve privacy safeguards. I am told that this has included more stringent controls in user contracts.
3. The Privacy Commissioner take steps, either directly or through the appropriate Ministers, to bring to the attention of middle management in public sector agencies the understanding with Government that new information matching programmes will not be commenced without specific statutory authority.
Comment: This reflects an aspect of these events that I view with particular concern. If the Privacy Act's information matching controls and safeguards are to work effectively for the benefit of individuals and governments it is essential that officials seek authorisation in the way anticipated by the legislation. It was clear in 1991 that information matching programmes in existence were to be brought within the statutory framework of the Privacy Act and that thereafter new programmes were to be authorised by primary legislation. Most departments understand this and the processes for authorising new matches, involving an information matching privacy impact assessment, Cabinet approval and legislative authority, have been used on a number of occasions to authorise important new programmes. Indeed the Department for Courts itself has been involved in having matches authorised in the proper way. I have become concerned in recent years about initiatives by some officials and others to short circuit information matching safeguards and to establish matching programmes on some informal basis. It is deceptively attractive to think that computers can infallibly sort out matters affecting real people. I will disseminate this report to officials involved in the management of information in the public sector. I have discussed with the Ministry of Justice plans to enhance my data matching compliance activities in the coming year.
B H Slane
25 August 2000
Report by Robert Stevens as to Inquiries into Information Matching by Department for Courts with the Motor Vehicle Register in June/July 1998
1.1 I was asked to carry out a brief inquiry into the events in June or July 1998 by which the Department for Courts ('Courts') used an information matching exercise with the Motor Vehicle Register in an attempt to locate updated addresses for some of their debtors. The Office of the Privacy Commissioner had already been in touch with Courts about this matter from August 1998 to January 1999, and the aspect then being explained by the Department was the action which it had taken upon receiving what appeared to be useful data. It emerged that the data was not nearly as dependable as the Department assumed, so that the confidently overbearing tone of its communications with the people thus 'matched' was inappropriate and resulted in what the press called 'red faces'.
1.2 It seems that with all information matching 'the devil is in the details', and what looks like a useful and even obvious use of another body of data quite often turns out to be troublesome. Here the problem appears to have arisen in the 'algorithm', which is the set of rules embodied in the computer program by which the computer determines when two entities in the separate bodies of data will be regarded as a 'match' and thus proceeds as if the two separate records relate to the same individual. In the past, Courts had regularly made one-off checks on entries in the Motor Vehicle Register where Courts had a record of the individual's motor vehicle registration number. In the June/July information matching exercise, the Department for Courts automated the matching process and looked for 'matches' on name and date of birth even where Courts had no record of the individual's motor vehicle registration number. The algorithm was set to regard the Courts record as matching that of the Motor Vehicle Register where the surname, first name and at least the initial of a middle name matched, and where the date of birth in each record was not clearly different. Not all Motor Vehicle Register records contained a date of birth. The programme produced 3,967 matches for Courts debtors for whom Courts had no current address. Of these, 2,166 were cases where neither the name nor the date of birth was an exact match, but Courts considered that the 'matches' were useable and wrote out to all 3,967 presumed debtors. Further details of the process and the subsequent press report are given at paragraphs 3.5 to 3.8 below.
1.3 The focus of my inquiry was not on the Department for Courts, but on the keeper of the Motor Vehicle Register. The register is kept by Land Transport Safety Authority ('LTSA') as contracted agent of the Ministry of Transport. Because information matching almost always involves comparing a whole file with a list of individuals of interest, it seemed likely that the keeper of the Motor Vehicle Register would have had to make a copy of its entire register available to Courts; if that had occurred, it would raise questions about the security safeguards operated by LTSA or about the authority which it had or assumed itself to have in giving others access to the register on a more or less wholesale basis.
2 Persons contacted
2.1 The inquiry was commenced by a letter from the Privacy Commissioner to Reg Barrett, the Director of the LTSA.(3) This was followed by a letter from me to Mr Barrett, posing a list of questions and suggesting that the Director might nominate a member of staff to provide me with further information or clarification as required. The LTSA's response came from Tony West, Manager Special Projects. I subsequently had correspondence and telephone conversations with Mr West. I then went back to Helen Duckworth, who is the manager of the Call Centre for the Department for Courts, to approach the matter by asking Courts what processes had been followed by Courts staff in arranging the matching exercise, and I followed through by talking first with Graham Robb and then with Nick Dixie, both of the Department for Courts.
2.2 At the Department for Courts, I later had telephone discussions with Murray Short, General Manager Collections, and met with Mike Neilson, Business Improvement and Support Manager Collections.
2.3 Towards the end of the inquiry I obtained copies of the service contracts between EDS and the Department for Courts, and EDS and the LTSA, and then met with Ray Upton, the Account Executive at EDS (New Zealand) Ltd with special responsibility for the company's work with Law Enforcement Systems in New Zealand.
3 Conclusions as to what happened
3.1 As far as I have been able to determine, the Department for Courts did not involve LTSA at all in the preparations for, or operation of, this matching exercise. The initiative for the match came from Courts, who were looking around for ways of improving their ability to trace debtors. A suggestion was made to the persons in Courts who manage their computer systems, and those persons worked with EDS to devise and implement the match on a 'one off' basis, utilising the access which Courts already had through EDS to a copy of the Motor Vehicle Register.
3.2 The Motor Vehicle Register exists in two or more forms. There is a simple form which has been going for many years (which is probably the one I have heard referred to as 'the DOS version') and Courts have routine access to what is apparently a full electronic copy of this version. A more modern and complex version of the Register also exists, incorporating additional data such as the vehicle history, but that does not seem to have been involved here. The copy of the register accessed by Courts is actually kept by EDS on contract to LTSA. EDS also maintains and operates the computer systems of Courts, and I understand that the systems of LTSA and of Courts are kept at the same location and on the same computer hardware.
3.3 The copy of the Motor Vehicle Register made available to Courts is regularly updated with changes as new or replacement data is fed in. Courts have access to these incoming changes, but the files of changes given to Courts are destroyed once the copy Register has been successfully updated. The Register records against each entry the date of last change to that entry.
3.4 The Motor Vehicle Register is arranged by a vehicle identifier. Apart from the several vehicle identifiers, it records the name and address and gender of the current owner. At some point in recent years the owner's date of birth was added to the information collected upon registration or re-registration, and this item of information is shown on the simple version of the Register as well as upon the fuller version. Date of birth for the registered owner is being added to the register as changes in the ownership of a vehicle are registered.
3.5 Realising that there would be difficulties in effecting a satisfactory match of debtors' names with the details of owners shown in the Motor Vehicle Register, Courts arranged for a matching programme to be drawn up incorporating an algorithm which would seek out matches for three names (i.e. forename, middle name and surname, but not necessarily in the same sequence) and for date of birth. The match was also to look for a car registration number where this was known by Courts.
3.6 The next step was for Courts (or its computer contractor, EDS) to prepare a file of Motor Vehicle Register data against which the list of debtors could be matched, using the matching algorithm which had been thus developed. This appears to have been done by combing through the copy of the Motor Vehicle Register to extract all entries which had been updated since a certain cut-off date, which showed a date of birth against the registered owner, and which showed at least three names for that owner. At this point I should note that I may be wrong in some of these details, as certain things I have been told seem inconsistent with my understanding of the events gleaned from other sources, but the precise operational steps do not appear to be crucial for the purpose of this inquiry. However they were compiled, these extracts were collated into an offspring file against which the match was then operated. This preparation of a file for matching, and development of an algorithm for the match process, are steps where I would normally expect to see the two agencies who hold the respective data files co-operating to ensure that the match operates successfully; unusually, that does not seem to have occurred in this case. I might add that it is also unusual for one agency to have sufficient access to another agency's computer records to be able to prepare a file for matching without the assistance of the 'holding' agency, but again that seems to be what happened in this case.
3.7 The information matching operation produced five 'levels' of results, according to the number and degree of matched attributes as between the details shown in the Courts list of debtors and the details shown in the Motor Vehicle Register. The outcome of the matching operation, in terms of these five levels, was set out in the letter of 7 September 1998 from Helen Duckworth to the office of the Privacy Commissioner. Courts did carry out a manual and individual check of the match results, and the total number of matches across all five levels was reduced from an initial 26,852 'raw hits' down to just 3,967 cases in which cards were sent out to the individuals concerned. Of the 3,967, more than half (2,166) were in the lowest level of matching, where the surname and forename matched and there was at least a matching initial letter of the middle name, there was also 'a near or null match' in the date of birth, but there was no match of vehicle registration number. It is noteworthy that the communication sent out by Courts to the 3,967 individuals does not appear to have contemplated that the match result may have been incorrect, and was instead a blunt and threatening notice that '48 hours is all the time you have left to arrange payment of your outstanding fine. Your fine won't go away and you could face penalties for not paying. Call us 0800 ... .'
3.8 An article in the New Zealand Herald on 30 July 1998 reported these events under the headline 'Red faces as namesakes sinbinned' and quoted a Courts spokesperson as saying 'This is a glitch. We were trying to do something a little clever but it hasn't worked. I guess there are some red faces as well as red cards. To people who are wrongly sent a card, we do apologise.'
3.9 I understand that this matching exercise has not been repeated. I am not aware of any final analysis of the number of mismatches among the 3,967 cases to which notices were sent.
3.10 Despite the publication of press reports at the time, LTSA maintains that it was unaware of this event until approached by the Privacy Commissioner and asked for an explanation. The responses to me from Tony West have suggested that no possible fault could lie with LTSA in relation to this matter, as 'LTSA allows Courts access to the Motor Vehicle Register as required by the Fifth Schedule of the Privacy Act'.
4 My observations
4.1 'Access to law enforcement information' under s.111 of the Privacy Act and the Fifth Schedule does not mean that the accessing agency is entitled to have a copy of an entire file put at its disposal. The Privacy Commissioner might consider it appropriate to seek to have the terms of the Fifth Schedule made more precise through amendment to the statute, or merely through direct contact with the limited number of agencies which appear in the Fifth Schedule.
4.2 The Motor Vehicle Register is the responsibility of the Ministry of Transport. The Ministry appears to have known nothing at all about this information matching exercise. The arrangement between the Ministry and LTSA for the custody and operation of the Register might warrant re-examination by the Ministry in this regard.
4.3 Either LTSA knew in advance and authorised the Courts use of the information in the Motor Vehicle Register for information matching to identify addresses of Courts' debtors, or this use was 'unauthorised' by LTSA. LTSA maintains through Tony West that it had no prior knowledge of the information matching and gave no authorisation for it. The fact that EDS assisted Courts in the information matching suggests that EDS did not feel that such activity, although not authorised by LTSA, was prohibited. EDS was able to believe that there was no prohibition upon this new use of information in the Motor Vehicle Register because LTSA had not made clear in its contract and other communications with EDS that such new uses were not to be allowed without express authorisation from LTSA. EDS told me that they considered the enhanced use of the Motor Vehicle Register information by Courts as falling within the use permitted by the Fifth Schedule of the Privacy Act. In my view this should not have been a matter for EDS to decide, and it should have been made clear in LTSA's contract and operational instructions that any such change required specific authorisation. This looks to me like a prima facie breach of information privacy principle 5(b)(4) on the part of LTSA.
4.4 It might also be argued that, simply in providing the information of the Motor Vehicle Register in the form of an entire electronic copy (with consequent ease of use for other purposes and in new ways), the LTSA is similarly failing to take reasonable security safeguards against misuse of the information, in breach of information privacy principle 5(a)(iii).
4.5 Unless s.111 of the Privacy Act, or any provision of the statute under which the Motor Vehicle Register is maintained, is understood to require transmission of the Register's personal information to Courts by electronic means, the LTSA practice of giving access by means of an entire computer file made available to Courts would seem to be a breach of public register privacy principle 3.
4.6 Increased contracting out to the private sector can be expected to produce more instances of one contractor handling the personal information held by two or more separate public sector agencies, where there is temptation and opportunity for either the contractor or one of its customers to make unexpected use of the information. Whilst there is no suggestion that EDS would jeopardise its business by improper exploitation of its position, the natural inclination to be helpful to existing and potential customers means that there is more need for both the contracts and the practical arrangements for data handling to be tight and precise so as to prohibit any new uses of information without formal notification to and agreement by the agency which 'owns' the information.
4.7 The dangers and practical difficulties associated with information matching are of course well known to the Office of the Privacy Commissioner and to a few individuals who have had reason to look into actual information matching operations. The difficulties seem not to be obvious to others, and unfortunately the awareness that information matching is both possible and useful is spreading ahead of the knowledge of problems associated with it. It is for this reason that embarrassing errors like this incident can and do occur. As a risk management measure, the government may be amenable to formalising the existing understanding that public sector agencies will not conduct information matching without specific statutory authority to do so; by that means ss.13(1)(f) and 98 of the Privacy Act would allow and require input by the Privacy Commissioner before any public sector information matching is carried out.
5 Recommendations
5.1 I recommend that every contract between a public sector agency and EDS (or any other data processing contractor) contains a specific prohibition upon any amended or enhanced use of that agency's data by or for another agency, without the prior signed authorisation of the agency which provides the data to the contractor. The Privacy Commissioner might endorse that recommendation as a prudent step for an agency to take in complying with information privacy principle 5(b), and write to Privacy Officers of public sector agencies accordingly.
5.2 I recommend that the Privacy Commissioner encourages the Ministry of Transport to check its arrangements with LTSA for the handling of personal data by LTSA as agent for the Ministry, and to establish a procedure whereby LTSA must at least inform the Ministry of its plans prior to any change in the uses of the data.
5.3 I recommend that the Privacy Commissioner takes steps, either directly or through the appropriate Ministers, to bring to the attention of middle management in public sector agencies the understanding with government that new information matching programmes will not be commenced without specific statutory authority.
21 March 2000
Appended documents
1. 'Red Faces As Namesakes Sinbinned', New Zealand Herald, 30 July 1998.
2. Letter from Call Centre Manager, Department for Courts, to Office of the Privacy Commissioner, 7 September 1998.
3. Letters from agencies concerned in response to draft report:
Ministry of Transport, 8 May 2000;
EDS (New Zealand) Limited, 8 May 2000;
Land Transport Safety Authority, 9 May 2000;
Department for Courts, 5 and 29 May 2000.
Notes
1. The press clipping and the Department for Courts' explanations are appended to this report.
2. Letter from Department for Courts to Office of the Privacy Commissioner, 22 January 1999.
3. Letter from Privacy Commissioner to LTSA, 16 July 1999.
4. Information privacy principle 5 provides:
'An agency that holds personal information shall ensure-
(a) That the information is protected, by such security safeguards as it is reasonable in the circumstances to take, against-
(i) Loss; and
(ii) Access, use, modification, or disclosure, except with the authority of the agency that holds the information; and
(iii) Other misuse; and
(b) That if it is necessary for the information to be given to a person in connection with the provision of a service to the agency, everything reasonably within the power of the agency is done to prevent unauthorised use or unauthorised disclosure of the information.'