
A man complained that his criminal record had been accessed by a Department of Corrections employee at a Corrections office with which he had had no contact. He became aware that information from his file was disclosed to his ex-partner by the Corrections employee, who was known to her.

This complaint raised issues under principles 5 and 11 of the Privacy Act.

Principle 5

An agency that holds information is required to make sure that the information is protected by reasonable security safeguards to ensure against unauthorised access, as set out in principle 5.

The Department confirmed that in fact two employees had accessed the man’s record without a legitimate work-related purpose. One employee had accessed the man’s record on two separate occasions.

The Department advised that it took such matters very seriously and conducted monthly audits of staff access to the system. However, the Department advised that no audits had taken place during the period when one staff member accessed the system.

We noted that the Department was unaware that its employees had accessed the man’s record until his complaint was brought to their attention and a review was carried out by the Chief Privacy Officer.

In our view, it was not sufficient just to have policies to safeguard information against unauthorised access. Agencies should also have processes in place to ensure that those policies were being followed. We found that there had been a breach of principle 5 of the Privacy Act.

Principle 11

Principle 11 says that an agency shall not disclose information unless it believes that one of the exceptions to principle 11 applies.

We accepted that there had been a breach of principle 11 as the Corrections employee did not have a legitimate reason to disclose information from the complainant’s record to his ex-partner. None of the exceptions to principle 11 applied.

Harm

In order for us to find that there has been an interference with privacy, there must be both a breach of a privacy principle and harm to the individual to the level required by section 66(1)(b) of the Privacy Act.

We took the view that the man had a reasonable expectation that his record would be securely stored by the Department and that it contained inherently sensitive information.

We found that the complainant had suffered stress and anxiety and that his feelings had been injured. We were guided by the decision of Director of Proceedings v O'Neil [2001] NZAR 59 at [29], where the Tribunal accepted that “injury to the feelings” can include conditions such as anxiety and stress.

Settlement

We facilitated a settlement of this complaint and closed the file.