Privacy breach reports jump since last year

Dozens of public and private organisations have dobbed themselves in for privacy breaches in the past three years, but it is unknown how many have actually happened.

A list of 121 data breaches, provided to The Dominion Post, includes one in which confidential court documents were found inside a government organisation's car that was sold at auction.

Another involved two men appearing at court on the same day, and one being given pages of information on the other, along with his own criminal history.

There are also numerous breaches involving thefts of documents, computers, USB sticks and a video camera containing recorded consultations with patients.

Several incidents of computer systems being hacked into have been reported.

But the self-reported breaches are probably only a sample of all those that have happened, as it is not mandatory to tell individuals concerned or the Privacy Commissioner when they happen.

Assistant Investigations Commissioner Mike Flahive said there was no way to tell if the statistics were an accurate representation.

"My guess is by and large most agencies are upfront about this. There's not a lot of subterfuge or malevolence going on in the background with this."

Self-reported breaches almost tripled this year, jumping from 26 to 71. This was because many organisations became extra cautious in the wake of high-profile cases involving ACC and Work and Income.

"There's an increase at the moment but, to be fair, a lot of stuff that is being reported to us shouldn't be reported to us. People are being a bit precious with things at the moment."

Last week the Privacy Commission issued its annual report, which showed public complaints continued to rise, with 1142 received in the year to June 30. The most complained-about organisation was ACC, with 173 complaints.

Mr Flahive said he was unable to name the organisations involved in the breaches, because doing so would lead to a drop in reporting.

"At the moment it's a useful conversation for us to be involved in . . . if you know by ringing the Privacy Commission it's going to become public knowledge, I think it would pour cold water over it."

Last year the Law Commission recommended that reporting of serious data breaches be made mandatory, bringing New Zealand into line with several other countries.


June 2010: Folder containing private details is lost in a public place. (Public/Government)

May 2011: Loss of medical records from back of security truck while being taken away for shredding. (Private/Health)

June 2011: Video recorder with patient consultations recorded on it stolen from car. (Private/Health)

June 2012: Employee uploaded to the internet a confidential list and background notes that contained people's contact information. Background notes subsequently published on a blog. (Public/Government)

August 2012: Two men appeared in court on same day. One man was given his criminal history which contained pages of information about the second man. (Public/Government)

November 2012: Employee accidentally faxed medical records of deceased person to a news media organisation. (Public/Government)

The Dominion Post