
A woman complained that she received a letter, as part of a mass mail-out, from the department administering her income-support benefit. Folded behind her letter was a letter to another woman including details of that woman's benefits. The client advised the department of the incident but was unhappy with its response. She complained to me about the practice of mass mail-outs, the incidence of error and the privacy implications. Her complaint raises issues under information privacy principle 5 but, after looking at the security procedures used, I formed the opinion that the department had not breached principle 5.

Principle 5

Under principle 5, information must be protected by security safeguards that are reasonable in the circumstances. The standard of reasonableness in the circumstances is consistent with the proportionality principle in the OECD Guidelines for the Security of Information Systems 1992:

Security levels, measures and costs should be appropriate and proportionate to the value of and degree of reliance on the information systems and the severity, probability and extent of potential harm, as the requirements of security vary depending on the particular information systems.

When considering “reasonableness” in the security context, factors which may be relevant include:
- the workability of the safeguards
- the cost of the safeguards
- the risks involved
- the sensitivity of the information and
- the other safeguards in place.

I enquired about the department's automated mail-out systems. The department contracted a computer-processing firm to provide this service and all automated letters are sent from one site. More than six million automated letters are sent on behalf of the department from this centre each year.

Mail is inserted into envelopes by machine and there are a number of controls to prevent multiple letters being placed in one envelope. A report called a “control total” is produced, showing the number of letters being sent. This is then compared with the number of filled envelopes at the end of the process. Provided that the number of filled envelopes matches the control total, it can be assumed that there has been no double-up. However, if the machine jams and the letters are removed, there has to be a manual calculation to reconcile the envelopes with the control total. In those instances, human error could account for an incorrect reconciliation.

I was also advised that the computer-processing firm was implementing new technology to improve the process. New machinery, utilising optical recognition technology, will spot gaps in numerical sequences (such as those resulting from a double-up in one envelope) and stop processing to allow the error to be corrected.

The department said that no inserter machine could be guaranteed never to jam but what was important was that when the machine did jam, procedures were in place to deal with the problem immediately. I was also told that the frequency of inserter jams depends on the machine set-up and was not easily predicted.

I take the view that the security safeguards adopted by an organisation have to be reasonable, not perfect. The insertion of two letters in one envelope was unfortunate, but having considered the systems implemented by the department and the responses to the breakdown of those systems (which may be argued to be circumstances beyond the department's control), I did not consider that the department's security safeguards in automated mail-outs were inadequate.

I advised the woman of my view and exercised my discretion to discontinue the investigation.

September 2003

Indexing terms: Storage and security – Ministry of Social Development – Mass mail-out – Two letters in one envelope – Security reasonable in the circumstances – Information privacy principle 5