On Monday, Public Address blogger Keith Ng released an expose revealing the accessibility of a wide range of personal information about Work and Income New Zealand ('WINZ') clients to people logging into publicly accessible computer kiosks in WINZ. Some of this information was highly sensitive, including medical information, legal bills, details of fraud investigations, details of care and protection arrangements for children, and in one case details of how a community group provided support to a family after a suicide attempt. Full names were used in many cases. The lack of information security is not a good look for the Ministry of Social Development (MSD). But have they breached their obligations to the public? And just how securely does personal information need to be held by agencies?

What information may be collected?

Agencies can only collect personal information about a person if they are doing so for a lawful purpose connected with the function or activity of the agency, and only if the collection of the personal information is necessary for that purpose. Agencies must collect the information from the person it relates to, unless there is good reason not to (for example if the information is already publicly available, if it is not reasonably practical to collect the information from the person, or if collecting it from the person would prejudice the purpose of collection). In the case of the MSD for example, it would be permissible for an investigator to collect information about a person from their neighbours or acquaintances if that person was under investigation for benefit fraud and information could not therefore be reliably collected from the person themselves.

When an agency is collecting personal information from the person it relates to directly, it has to tell the person what the information will be used for, where it will be stored, who will have access to it, and what will happen if the person doesn't provide the information. Agencies also have to tell people about their rights to access and correct information that is held about them. Again, there are exceptions to these requirements if there are certain good reasons why this information can't or shouldn't be provided to the individual it relates to.

Agencies must dispose of personal information about an individual as soon as it is no longer necessary to hold the information for the purposes for which it was collected.

How do I know what information is held about me?

Where information is held in a way that allows it to be readily retrieved, individuals have the right to ask agencies what information is held about them, and to be given access to that information, unless there are reasons not to provide the information which meet the criteria set out in part four of the Privacy Act 1993. When people are given access to their information, they are also entitled to request correction of any information they believe is incorrect.

If a person is not satisfied with how the agency that they believe is holding information about them responds, that individual may file a complaint with the Privacy Commissioner who will then determine whether an investigation should take place.

How securely does information need to be held?

Agencies are required to keep information safe, by putting in place such security measures as are reasonable in the circumstances to protect the information from loss or unauthorised access or disclosure. Where an agency needs to give personal information to another person or organisation so that they can provide a service, the agency needs to do everything reasonably within their power to prevent unauthorised use or disclosure of the information.

What is reasonable will depend upon the circumstances, including the nature of the information, how the information is accessed and used, and the nature of the agency itself. Information held by government departments such as the MSD is often highly sensitive, and individuals have a strong interest in keeping such information confidential. It is reasonable to expect that government agencies dealing with the public should have a good understanding of what is required by the Privacy Act, and should have robust privacy protocols in place to keep information secure.

There is always going to be a chance of personal information being mistakenly disclosed, even where systems to protect privacy are in place (for example due to human error, where a conversation is overheard by a third party, or where a folder is left in a taxi). It is equally possible that even an agency with fairly robust information storage procedures may be subject to hacking by a particularly determined person who then acquires the information.

In the case of the breach at the MSD, the computers that were accessed were in a public place and had been made available for use by members of the public. The computers at the WINZ offices were made available so that people could use them for activities like online job-searching and preparing CVs. Some basic features had been disabled so that it was not obvious the computers were linked into the central network, but since they were linked, Keith Ng, the blogger who broke the story, was able to access the unsecured computers in the network by using the open file dialogue in Microsoft Office.

As was noted in Mr Ng's blog, there was no need for the public computers to be connected to the Ministry of Social Development corporate network.

It seems that in addition to the availability of personal information to the public, there were issues with the way the information was held. For example, information that should have been kept confidential within WINZ was accessible to any computer on the corporate network. This means that any WINZ staff member, regardless of position, could have accessed information which should have been considered highly confidential, such as the addresses and school details of vulnerable children who were under CYFS protection. From the information that was accessed, it appears that information such as call logs and invoices were not treated with the degree of caution they should have been, given that identifying details of individuals involved with the MSD were included linked to the information.

What happens if privacy is breached?

Mr Ng was very careful not to release any information he obtained about individuals when he highlighted the risk of a breach of privacy. In order for a breach of privacy to constitute an interference with privacy under the Privacy Act, the breach must have led to:

  • financial loss or other injury;

  • adverse effect on a right, benefit, privilege, obligation or interest; and

  • significant humiliation, significant loss of dignity, or significant injury to the feelings of the individual.

In this particular case, it is unlikely that any individual could show that their privacy has been interfered with as a result of the breach (ie as it does not appear that each of the three elements above have been satisfied), such that a complaint to the Privacy Commissioner would be unlikely to succeed.

In the event of a breach of this nature, where information is accessed, disclosed or used without authorisation, the first step for the affected agency is to ensure that the unauthorised actions cannot continue. In the case of MSD, they have shut down all of the publicly accessible computers until more information about the issue can be obtained. When a privacy issue arises, agencies should consider any risks that may have arisen as a result of the breach, and then consider if anyone needs to be notified about what has happened. Under New Zealand privacy law, there is no requirement that a person be notified that their information has been subject to unauthorised access, though the agency involved may consider that letting people know what has happened may mitigate the effects of the issue.

When there is a privacy breach, the agency involved should look into how the breach occurred and how to prevent such breaches in the future. It is likely the Ministry of Social Development has already begun this process, and will be working closely with the Office of the Privacy Commissioner to put its house in order.