Agencies too slow in destroying shared data

PRIVATE EYES: New Zealand Privacy Commissioner Marie Shroff.
PRIVATE EYES: New Zealand Privacy Commissioner Marie Shroff.

Kiwis' private information is being mishandled by government agencies, which break their own rules when sharing people's details.

Reports from the Office of the Privacy Commissioner reveal agreements between Government agencies to share personal information have been "non-compliant" and have had "substantial issues".

Several agencies have been caught holding on to the information of hundreds of thousands of people after they had previously agreed to destroy it.

The Ministry of Justice was caught three times over a year holding on to personal information of fine dodgers it had received from Immigration New Zealand, Inland Revenue and the Ministry of Social Development. The details the ministry was meant to destroy included cellphone numbers, passport details and employment records.

In another report, the Ministry of Health was criticised for incorrectly retaining death records and running the risk of assuming someone alive was dead.

In another, the Ministry of Social Development was caught tracking people using their tax numbers, which is illegal under the Privacy Act.

Privacy Commissioner Marie Shroff said the breaches were disturbing. "This is a highly complex environment with huge amounts of citizens' data, and you do need a watchdog carefully checking what is going on to keep them honest."

Her warning comes after several high-profile state privacy breaches in the past two years and growing public concerns about how supposedly private information is handled.

The new breaches were all made under tightly regulated data-matching agreements. The agreements allow government agencies to share the personal details of millions of citizens with one another for a specific purpose, such as catching fine dodgers or tracking down non-registered voters.

Of the 54 agreements, many were compliant, but 22 were not. Ten agreements had "substantial issues", including not destroying private information or sharing the wrong information.

Agencies with "substantial issues" included the ministries of justice, health and social development, Inland Revenue, the New Zealand Transport Agency, and the Ministry of Business, Innovation and Employment.

Ministry of Justice collections manager Bryre Patchell said the privacy commissioner raised problems with how information was stored, not used.

"The information in question is not visible to staff and has not been used for operational purposes," he said.

Private details from Immigration New Zealand was now being destroyed, but tax and welfare details had been retained to help keep records accurate.

The information had already been used to recover $80 million in unpaid fines and did not breach anyone's privacy, he said.

Other agencies said problems identified by the commissioner had been fixed or were being improved. All said nobody's privacy had been breached by the errors.

In the past financial year, there have been 107 data breaches reports to the privacy commissioner, more than double the previous year. The vast majority came from Government agencies, dobbing themselves in.

The Dominion Post