A "significant and serious" privacy breach has seen the details of thousands of ticketed motorists mistakenly released by Wellington City Council's parking contractor.
Tenix Solutions, responding to a request for information by a member of the public, created a spreadsheet with data relating to about 120,000 tickets issued in the past two financial years.
But the company forgot to remove names, addresses and vehicle registration numbers before sending the information out on three disks, without informing the council.
The requester, realising the disks contained private information, contacted the council on November 19 and returned the material.
Council chief executive Kevin Lavery said assurances had been sought from Tenix that the breach would not happen again, and a full review had been requested.
"I have been clear with our contractor that its performance in this event was woeful," Mr Lavery said.
"We should all have every confidence that our personal information is secure and that there are processes and systems in place to ensure this does not happen again."
Tenix - which receives ratepayers' money to run the city's parking services - refused to answer questions from The Dominion Post and referred all comment to the council.
Privacy lawyer Kathryn Dalziel said the breach was of a similar size to the EQC leak in Christchurch, in which personal details of thousands of claimants were mistakenly released.
"For New Zealand, that's still a significant and serious data breach."
It was fortunate the data had been sent to a helpful member of the public, and it was good the council was being honest about what had happened, she said.
Privacy breaches would continue to occur as human error was inevitable, but it was important for organisations to be proactive about trying to minimise problems.
"For the council, privacy should be on the agenda as something the CEO reports back on.
"It should be right up there with health and safety."
Council chief operating officer Greg Orchard said Tenix was "very apologetic" and would be producing a full investigation report.
"I would expect it in pretty quick order, to be honest. They've basically said it's an error by an individual.
"It's just been solely that; it's not a systemic issue.
"But they're undertaking a full investigation that I'm yet to see."
He said he did not want to underplay the breach, but the information was not sensitive and could mostly be obtained publicly from other sources.
Tenix's contract expires in June, and a tender process for a parking contractor is near completion.
The breach would not affect Tenix's prospects during the tender process, Mr Orchard said.
A spokesman for the privacy commissioner said the council had informed it of the breach a few days ago.
If people contacted the office with complaints, they would be investigated.
Anyone concerned their information may have been included on the disks should email the council at firstname.lastname@example.org.
- The Dominion Post
Is it worth it to fund a war museum in the capital for $18m?