Office of the Privacy Commissioner | Case 323867 [2023] NZPrivCmr 4: Failure to check templates leads to $15,000 settlement
Background – Data retention and disclosure of identifying information
In 2021, a woman completed a form asking a government agency to review its decision on an outstanding debt. Several months later, the woman received a message from a stranger through a social media site. The stranger sent the woman an image of the woman’s own form, apparently having been sent it in error when asking for a separate review of a decision.
The woman complained to the agency. The agency investigated what had happened and confirmed that the woman’s information had been accidentally sent to several other email addresses over a nine-month period. They were unable to resolve the matter, and the woman made a complaint to OPC.
The principles applying to this case
This complaint raised issues under IPPs 5 and 11 of the Privacy Act. Principle 5 says agencies must have safeguards in place to keep personal information secure. Principle 11 prevents agencies from disclosing personal information unless one of the exceptions applies.
OPC’s investigation
A staff member had saved the woman’s completed review form, which they believed was a blank template, to their computer desktop for easy access the next time they needed to send a form of this type to a future client. In fact, while the front page was blank, subsequent pages contained the woman’s personal information. The staff member sent the woman’s completed form, believing it was a blank template, to other clients. One of those recipients then located the woman on social media and informed her that she had received her information from the agency in error. Additionally, an anonymous person contacted people who knew the woman, revealing her personal information that had been contained in the form. We were satisfied the agency’s actions had breached IPPs 5 and 11 in this case.
Summary
The extent of this privacy breach caused the complainant and her whānau significant stress and inconvenience over many months. As a result of careless filing, the complainant’s personal and other sensitive information was disclosed to multiple people and ultimately was circulated. Despite the agency’s efforts to contact those who had received the form, there was no way to guarantee that the information was no longer in circulation. The woman reported feeling that her mana and integrity were diminished because of the agency’s failure to keep her information safe. We agreed the agency’s breaches of IPPs 5 and 11 met the threshold in section 69(b)(iii) of the Privacy Act and resulted in significant humiliation, significant loss of dignity, and significant injury to the feelings of the woman. We worked with the parties to resolve the matter. The agency provided a formal letter of apology and agreed to remind staff of the importance of keeping personal information safe. The agency ensured the document was removed from the staff member’s desktop and reminded all staff about the correct process for sending templates and storing client information. The agency also agreed to pay the woman $15,000 in compensation for the interference with her privacy.
Commentary
This case note highlights how important it is for agencies to strengthen their internal privacy guidelines and be mindful when filing and sending documents. Agencies need to make sure that it is simple for staff to send and use the templates and documents they require for their day-to-day work. If systems are not easy to use, then staff might resort to workarounds (like saving things to desktops) that result in great risk to personal information. Agencies also need to create a culture of checking emails and attachments before they go out. The greater the sensitivity of the information, the more checks should be made. As we saw in this case, a simple mistake can result in significant harm to individuals.