Source: Privacy Commissioner
A staff member had saved the woman’s completed review form, which they believed was a blank template, to their computer desktop for easy access the next time they needed to send a form of this type to a future client. In fact, while the front page was blank, subsequent pages contained the woman’s personal information. The staff member sent the woman’s completed form, believing it was a blank template, to other clients. One of those recipients then located the woman on social media and informed her that she had received her information from the agency in error. Additionally, an anonymous person contacted people who knew the woman, revealing her personal information that had been contained in the form. We were satisfied the agency’s actions had breached IPPs 5 and 11 in this case.
Summary
The extent of this privacy breach caused the complainant and her whānau significant stress and inconvenience over many months. As a result of careless filing, the complainant’s personal and other sensitive information was disclosed to multiple people and ultimately was circulated. Despite the agency’s efforts to contact those who had received the form, there was no way to guarantee that the information was no longer in circulation. The woman reported feeling that her mana and integrity were diminished because of the agency’s failure to keep her information safe. We agreed the agency’s breaches of IPP’s 5 and 11 met the threshold in section 69(b)(iii) of the Privacy Act and resulted in significant humiliation, significant loss of dignity, and significant injury to the feelings of the woman. We worked with the parties to resolve the matter. The agency provided a formal letter of apology and agreed to remind staff of the importance of keeping personal information safe. The agency ensured the document was removed from the staff member’s desktop and reminded all staff about the correct process for sending templates and storing client information. The agency also agreed to pay the woman $15,000 in compensation for the interference with her privacy.
Commentary
This case note highlights the importance for agencies to strengthen their internal privacy guidelines and be mindful when filing and sending documents. Agencies need to make sure that it is simple for staff to send and use the templates and documents they require for their day-to-day work. If systems are not easy to use, then staff might resort to workarounds (like saving things to desktops) that result in great risk to personal information. Agencies also need to create a culture of checking emails and attachments before they go out. The greater the sensitivity of the information, the more checks that should be made. As we saw in this case, a simple mistake can result in significant harm to individuals.
