Brownlee wants public help to plug EQC leaks
People are being asked to take a closer look at their Earthquake Commission emails as more privacy breaches are suspected.
Earthquake Recovery Minister Gerry Brownlee admitted yesterday it was likely there had been other cases of people being sent information not intended for them.
He did not think the issue was widespread, but is asking people who have received information from EQC to check those emails and let the embattled organisation know if they find something they should not have been sent.
On Monday last week, EQC said a spreadsheet containing private information about tens of thousands of Christchurch homeowners had accidentally been sent to claims advocate Bryan Staples.
On Thursday, a second leak was revealed involving an email sent to a member of the public, containing information relating to stopped cheques, totalling about $23 million.
Later that day, EQC shut down its website, email, database and Twitter account to get to the bottom of the breaches.
About a dozen staff worked during the Easter weekend to check the system.
EQC chief executive Ian Simpson said the claims management system would be working today, so customers who phoned the call centre would be able to get information about their files.
But it would be at least two more days before the external email system was up and running, he said.
Today EQC staff would be reviewing and archiving or deleting files containing customer information so the files could not be accidentally sent to members of the public, Simpson said.
Brownlee said EQC had confirmed the breaches were caused by human error and not a computer system failure.
"One thing that does concern me is how many other breaches of information have been sent out in the last 2 years?"
He said that because staff had access to information, there was a possibility other outgoing emails could have included attachments with information not intended for the recipient.
Given the volume of email traffic in the past 2 years, it would be an "incredibly difficult exercise" for EQC to go through the system itself to see if any more breaches had been made, Brownlee said.
He was expecting to receive a report into the incident today, which would contain a series of recommendations.
"There are clearly some protocols around the handling of information that need to be tidied up and that is what is being worked on at the moment."
No action would be taken against the EQC staff behind the privacy breach because there was nothing malicious in their actions, Brownlee said.
"A mistake is a mistake."
Labour earthquake recovery spokeswoman Lianne Dalziel said Brownlee had been quick to point out it was human error, but data protection systems were supposed to mitigate the risk of human error.