Our website uses cookies so we can analyse our site usage and give you the best experience. Click "Accept" if you’re happy with this, or click "More" for information about cookies on our site, how to opt out, and how to disable cookies altogether.

We respect your Do Not Track preference.

Privacy Commissioner Michael Webster today welcomed the BSA’s decision which found RNZ breached the privacy and fairness standards when it broadcast sensitive details about a child’s care.

Hackers released information about the child’s situation, and others, onto the dark web as part of a cyber-attack on the former Waikato DHB. Our Office publicly warned against accessing this material given the circumstances in which it was made available.

The Privacy Commissioner complained to the BSA last year after RNZ accessed the stolen information and broadcast sensitive details concerning the unique aspects of a child’s care in a way that was identifiable, and risked causing significant harm to them, their whānau, and caregivers.

Today, the BSA released its decision agreeing that the breach of the child and their whānau’s privacy was serious and was not justified in the public interest. 

“Firstly, I acknowledge that the news media have an essential role in disseminating news and casting light on matters in the public’s interest and their news gathering activities are not regulated under the Privacy Act,” Mr Webster said.

“Our complaint to the BSA was about the importance of maintaining freedom of expression while also ensuring the stolen information belonging to the people at the heart of the news was safeguarded against further harm.

“We believe the vulnerability of the child, the sensitive nature of the disclosed information, and the manner in which the information was accessed by RNZ, meant their personal information deserved greater privacy protection, not less.”

The BSA has ordered RNZ to broadcast a statement summarising its decision, and to pay costs to the Crown of $1800.

The Privacy Commissioner also raised concern with the BSA about RNZ accessing data released by the hackers. However, the BSA reached the view that it could only consider the material that was published and would not consider whether RNZ’s actions in accessing the information was illegal.

“What happened in this situation highlights the need for organisations to strongly consider applying to the High Court for an injunction to help contain serious privacy breaches and prevent further harm arising as soon as possible,” Mr Webster said.

“While a High Court injunction was granted following RNZ’s broadcast, and this prohibits anyone from accessing or using the stolen information and required RNZ to delete any copies of the stolen information from its system, the child and their whānau should never have been in the position of having their personal information accessed and broadcast in this way.”

It’s vitally important that people respect the personal information of others because there is a great risk that failing to do so can cause them harm, Mr Webster said.

Any organisation that experiences a serious privacy breach must notify our Office and any other relevant agency. The organisation must also notify those individuals whose information has been compromised and must take effective steps to contain the breach.

“We all have a role to play if we receive or find personal information about others. Do the right thing, and contact the organisation or the person concerned.”

 

Media queries can be directed to Office of the Privacy Commissioner media contact: Jared Nicoll at jared.nicoll@privacy.org.nz or 021 959 050