Office of the Privacy Commissioner | WhatDoesMyLandlordOwn.org (Compliance Investigation CE/0108) [2023] NZPrivCmr 2 (23 August 2023)
The compliance investigation CE/0108
In early February 2023, we received a series of complaints and enquiries about property ownership information published on the web platform WhatDoesMyLandlordOwn.org.nz (WDMLO). The complainants were concerned about the inaccurate identification of individuals as owners of properties.
WDMLO combined two separate sets of information sourced from the Toitū Te Whenua Land Information New Zealand (LINZ) Data Service under licence. Information on the LINZ Data service is publicly available. WDMLO is a webtool that allows members of the public to search by address, find out who owns a property, and identify how many other properties they own.
The information published included full names and private physical addresses and caused reported emotional and reputational harm to individuals. The published information also caused concern of a risk of financial and physical harm.
Our office initiated an investigation to determine if the publication of information on WDMLO was compliant with the Privacy Act 2020. We were particularly interested in how the information published on WDMLO was compiled, including actions taken to ensure it was accurate and not misleading. This is relevant to Information Privacy Principle 8, which states that, “an agency that holds personal information must not use or disclose that information without taking any steps that are, in the circumstances, reasonable to ensure that the information is accurate, up to date, complete, relevant, and not misleading.” Meeting this principle helps minimise the negative impacts and harm for individuals resulting from the release of misleading data.
Our findings
We found the algorithm WDMLO used to combine the two publicly available LINZ data sets to produce the information did so in a way that identified individuals to be owners of properties when they were not. Therefore, we found WDMLO to be in breach of the Privacy Act 2020, specifically Information Privacy Principle 8.
The accuracy issue arises where people have common names, and the information presented by WDMLO did not distinguish between people of the same name, showing them to own properties when they did not. We were not satisfied that the steps taken by WDMLO to remedy this were sufficient to address this problem.
As compliance with the Privacy Act is a term of the WDMLO licence to use the LINZ Data Service, we notified LINZ of our investigation findings. As a result, LINZ terminated the licence to use the data.
Privacy Commissioner commentary
The information WDMLO accessed from the LINZ Data Service is accurate. The inaccuracies arose when the information was manipulated to form a new data set for the purposes of identifying landlords that owned multiple properties. WDMLO did not put in place sufficient checks and balances to ensure that inaccuracies had not been introduced into the new data set during its creation.
When taking and manipulating information as WDMLO did, it is important that property owners were correctly identified and that any risks of breaching the privacy of individuals were identified and mitigated before the web platform went live. Any that were identified after go-live should be promptly resolved, or the website removed from public view until they could be resolved.
The Commissioner has made the decision to provide public comment on the details of this case, as it provides a cautionary example in an increasingly data-driven world. The decision was made in the context of our Compliance and Regulatory Action Framework and Naming Policy.
Key messages for data users:
- Where agencies are using data sourced from other providers, they are responsible for ensuring the data they are using and creating is accurate for the purposes it is being used for. While the source agency also has responsibilities, you must take care to ensure that any data manipulation you may complete to get the data ready for your own use, does not alter the underlying accuracy of the data, or generate new data in a way that creates inaccuracies.
- Agencies must complete their own assurance checks to ensure compliance.
- Agencies will be accountable for any breaches of the Privacy Act, regardless of the original data source.