Data Safety Toolkit

Data breaches happen often. Agencies can lose or leak personal information through complacency, inadequate security, poor procedures or rare accidents. The ease of digital copying and transmission means data breaches can range from the loss of one person’s information to hundreds of thousands of records. A breach can be accidental or the result of deliberate actions by others. It is vital to any organisation’s reputation, and to its relationship with the people who trust it with their information, that it does everything it can to prevent a data breach from happening. But when a data breach occurs, it is important that the organisation does everything it can to minimise the harm that the breach might cause.

This guidance provides tips to help organisations prevent common mistakes that lead to data breaches, and advice on what to do when a breach happens.

What is a data breach?

A data breach is when there is unauthorised or accidental access to or disclosure of personal information.

How do data breaches happen?

Data breaches happen in a number of ways. Some common examples include:

  • lost or stolen laptops, removable storage devices, or paper records containing personal information
  • computer hard disk drives being thrown away, recycled or returned to leasing companies, or serviced incorrectly, without the contents first being erased
  • databases of personal information being hacked or illegally accessed by others outside the agency or organisation
  • employees accessing or disclosing personal information outside their authorisation
  • paper documents taken from recycling or rubbish bins
  • personal information being given to the wrong person by sending information to the wrong physical or email address
  • releasing personal information to a person who is fraudulently pretending to be someone else.

What is “data breach notification”?

Data breach notification is the practice of notifying affected individuals and the Privacy Commissioner when their personal information has become available to unauthorised individuals or organisations. This enables those affected to take steps to prevent the misuse of their details.

Four key steps on how to respond to data breaches

There are four key steps in dealing with a data breach:

1.  Contain the breach and make a first assessment

2.  Evaluate the risks

3.  Notify affected people if necessary

4.  Prevent a repeat

Move quickly to investigate the suspected breach and its potential for harm. Consider the potential for harm to the individuals to whom the data relates, harm to the public’s trust in your organisation and harm to its reputation.

Steps 1, 2 and 3 should be undertaken either simultaneously or in quick succession. Step 4 provides recommendations for longer-term solutions and prevention strategies. The decision on how to respond should be made on a case-by-case basis.

STEP 1: Contain and make a first assessment

Once you have discovered that a data breach has occurred, you should quickly take common sense steps to stop the damage becoming worse:

  • Immediately contain the breach. For example, while you diagnose what went wrong, stop the unauthorised practice, try and get back the records, consider disabling the system that was breached, cancel or change the computer access codes and try to fix any weaknesses in the agency’s physical or electronic security.
  • Find a suitable person to lead the initial investigation. This person should be in a position within the organisation to carry out the early investigation and make the first recommendations. A more detailed review can be carried out later.
  • Decide whether to put a team together that could include people from other areas. This might include people from within the agency or those from outside who have the expertise to deal with the situation (for example, IT analysts or risk advisers).
  • Decide who needs to know within the organisation. Build up a list of those that need to be told. The person within the organisation who is responsible for privacy issues will need to be told as a matter of course. Consider whether your insurer needs to be informed, as well as your internal auditors, risk managers and legal advisers.
  • Notify the police if the breach appears to involve theft or other criminal activity.
  • Be careful not to destroy evidence that may be needed by your agency or the police in finding the cause of the problem or which might allow you to fix the issue.

STEP 2: Evaluate the risks

To determine what other steps are needed, you need to assess the risks caused by the breach. An evaluation of the type of information involved will help you determine how to respond to the breach, who should be informed (including the Office of the Privacy Commissioner) and also whether it is appropriate to tell the individuals affected.

Here are some factors to consider:

  • Find out what kind of personal information is involved.  The more sensitive the information, the higher the risk of harm to the people affected. Health information, driver licence numbers, and credit card details can each cause harm on their own but, used together, they could be used for identity theft. A combination of personal information is typically more sensitive than a single piece of personal information.
  • What might that personal information show?  For example, a list of customers on a newspaper delivery route may not be sensitive. But the same information about customers who have requested that their deliveries be stopped while on holiday would be useful information to criminals.
  • Is the personal information easy to get at?  If the information is not password secured or encrypted, then there is a greater risk of it being misused.
  • What caused the breach?  Try and find out what caused the breach and if there is a risk of more breaches.
  • What is the extent of the breach?  Try and identify the size of the breach including the number and nature of the likely recipients as well as how many people’s personal information has been lost. It is also important to identify the risk of the information being circulated further. Find out if the breach is the result of a systemic problem or an isolated incident.
  • Assess whether harm could result from the breach.  Consider this from the point of view of the people affected. Types of harm could include identity theft, financial loss, loss of business or employment opportunities, or significant humiliation or loss of dignity. For example, a list of magazine subscribers to a niche publication may be potentially more harmful than a list of subscribers to a major daily newspaper.
  • Is the information in the hands of people whose intentions are unknown or possibly malicious?  For example, was the information taken by or given to an unknown recipient or one suspected of illegal activity?  Was the recipient a trusted, known person or organisation that could be expected to return the information?

STEP 3: Notify affected people if necessary

Being open and transparent with individuals about how personal information is being handled is a fundamental rule of privacy. Notification can be a key step to help individuals affected by the breach and show the agency is doing the right thing. If a data breach creates a risk of harm to the individual, those affected should usually be notified. Prompt notification can help them lessen the damage by taking steps to protect themselves and regain control of that information.

But do not notify people unless you are sure of the people whose information has been compromised by the breach.  More damage can be done if the wrong people are notified in error.

When to notify: Notification is not always necessary. If there is no risk of harm, notification can be overkill and, on occasion, can do more harm than good. Each incident needs to be considered on a case-by-case basis. Agencies are also encouraged to inform the Office of the Privacy Commissioner of material privacy breaches so that it is aware of the breach and can handle any related enquiries or complaints.

Agencies need to consider:

  • what is the risk of harm to people whose information has been breached?
  • is there a risk of identity theft or fraud?
  • is there a risk of physical harm?
  • is there a risk of humiliation or loss of dignity, damage to the individual’s reputation or relationships, for example, when the information lost includes mental health, medical or disciplinary records?
  • what is the person’s ability to avoid or minimise possible harm?
  • what are the legal and contractual obligations?

By now, you should have as complete a set of facts as possible and have completed your risk assessment, so that you can determine whether to notify individuals. Notification should occur as soon as reasonably possible. But if law enforcement authorities are involved, check with those authorities on when to notify so that their investigation is not compromised.

How to notify:  It is always best to notify affected individuals directly – by phone, letter, email or in person. Direct notification is more sincere and personal. Indirect notification – website information, posted notices, media – should generally only occur where direct notification could cause further harm, is prohibitively costly or the contact information is not known. Using multiple methods of notification may also be appropriate. It is also important to consider whether notification might reveal the value of the missing information. For particularly vulnerable people, you might need to consider notifying them through or with a support person.

Who should notify:  The agency that has a direct relationship with the customer, client or employee should be the party to notify the affected people. For example, if a credit card information breach comes from a retailer, the credit card issuer would be the best agency to inform the customer. But on the other hand, if a courier company leaves a parcel on a doorstep and it is stolen, the organisation or agency that sent the parcel should be the one that lets the affected person know.

What to say:  Breach notifications should generally contain:

  • information about the incident, including when it happened
  • a description of the personal information that has been disclosed and what has not been disclosed
  • what the agency is doing to control or reduce the harm
  • what it is doing to help people and what steps they can take to protect themselves
  • contact information for enquiries and complaints
  • offers of assistance when necessary, for example, advice on changing passwords
  • whether the agency has notified the Office of the Privacy Commissioner
  • contact information for the Privacy Commissioner.

Notifying third parties: Agencies should also consider whether the following groups or organisations should be informed. Bear in mind any obligations of confidentiality.

  • Police
  • insurers
  • professional or other regulatory bodies
  • credit card companies, financial institutions or credit reporting agencies
  • third party contractors or other parties who may be affected
  • internal business units not previously advised of the privacy breach, for example, government relations, communications and media relations, other members of senior management
  • the board and the government minister
  • union or other employee representatives.

One agency that should be notified of any serious breaches is the Office of the Privacy Commissioner. This will help the Privacy Commissioner respond to inquiries made by the public and to any complaints that might be received. The Privacy Commissioner may also be able to provide advice or guidance to your agency that may be helpful in responding to the breach. Notification helps to show that your agency is being responsible and taking the matter seriously.

Coping with media interest

An important rule of thumb in dealing with journalists is to respond as quickly as possible to their requests for information. It shows that you are treating an incident seriously and that you are not hiding from news coverage.

Remember that how you deal with the story (or fail to deal with it) could become as important as the incident itself.

Here are some other tips that can help minimise damage to your agency’s reputation while also demonstrating that you are seeking to maintain the public’s trust:

  • Get your senior managers and advisers together immediately to coordinate your agency’s media response.
  • Act fast, but not too fast. Consider your messages carefully before you deliver them.
  • Appoint one spokesperson so that the messages are consistent and not contradictory.
  • Media conferences are an effective way of getting an agency’s response in front of the public.
  • Run a free phone number for enquiries from the public.
  • Feed the news cycle. Keep journalists informed about what is being done.
  • Accept the blame, if all or some of the fault lies with the agency.
  • Monitor news media reports and social media chatter about the incident. Address misinformation and disinformation. Address perceptions that may be forming on social media networks and incorporate your responses into your wider communications and media strategy.
  • Get the tone right. Apologise if necessary. Demonstrate empathy for those most affected by the breach. Show that the wellbeing of those who may have been harmed is your agency’s highest priority.
  • Keep talking until the news story drops out of the news cycle and off the news agenda.

STEP 4: Prevent a repeat

Don’t assume that there’s nothing that can be fixed or done to prevent future mistakes. There’s a system failure behind many errors and now is a good opportunity to learn from the mistake. There are a number of steps agencies can take to minimise or prevent data breaches. The most effective is having a well thought-out security plan for all personal information. A strong security standard to use is the International Standards Organisation Information Security Management Standard (AS/NZS ISO/IEC 27001:2006).

In the aftermath of a breach, agencies should review policies to minimise the collection and retention of personal information. Agencies need to take the time to investigate the cause of the breach and make changes to their prevention plan (especially when it clearly didn’t work) and how it is being applied.

The amount of effort should reflect the significance of the breach, and whether it happened as a result of a systemic problem or an isolated event.  It could include:

  • a security audit of both physical and technical security
  • a review of policies and procedures
  • a review of employee training practices
  • a review of any service delivery partners caught up in the breach.

The resulting prevention plan may include a requirement for an audit to ensure that the plan has been fully embedded into the organisation.

Recognising types of data breaches and ways to prevent them


1.    Preventing the theft or loss of computers, mobile devices and documents

2.    Preventing employees deliberately or accidentally disclosing information

3.    Preventing employee browsing

4.    Storing personal information safely and securely

5.    Disposing or re-using information and documents safely

6.    Lessening the chances of emails and faxes going to wrong destinations

7.    When personal information is published on websites or elsewhere

8.    Keeping software up-to-date and using strong password security

1.  Preventing the theft or loss of computers, mobile devices and documents

  • Pay particular attention to the physical security of mobile and portable devices. These include USB sticks and portable hard drives as well as smart phones and laptops.
  • What is in your agency’s policy about what kind of information can be stored on a portable device?
  • Use extra security measures for portable devices such as encryption, password locks, remote wipe ability and physical security.
  • Make sure your security policies cover mobile devices as well as workstations or laptops.
  • Make sure there is also proper physical security for electronic data and paper documents.
  • Lock up workstations and laptops.
  • Lock your work space, files and equipment when leaving the office, studio or home.
  • Don’t leave papers, computers or other electronic devices visible in homes or parked cars.
  • Don’t leave sensitive information lying around, including on printers, fax machines, photocopiers, or in storage. This includes old hard drives as well as paper files.
  • If work information can be accessed through a device, that device should be password protected. Consider implementing and running a mobile device management suite.
  • Delete personal information and other data when it is no longer needed.
  • Report thefts to Police and let them know if the stolen equipment contains sensitive information.
  • Have a comprehensive workplace security policy for BYOD (bring your own device).

CASE NOTE 1 – Finding information in the street

A staff member from a government department dropped a paper file in a city street. The file contained a list with sensitive personal information about a large number of individuals. It was then passed to media outlets.

The department followed the Office of the Privacy Commissioner’s privacy breach notification guidelines and informed all individuals affected.

Some of the individuals complained to the Privacy Commissioner. The complaint raised issues under principle 5 of the Privacy Act which requires that personal information is protected against unauthorised loss and use, access or disclosure.

The department acted promptly to mitigate the harm to individuals. They took the following steps:

  • retrieving the original file and copies
  • seeking and receiving legal undertakings from media outlets that the information would not be published or disclosed
  • seeking advice from the Privacy Commissioner
  • notifying all those affected; and
  • investigating and taking steps to reduce the likelihood of the situation happening again.

The department managed to contain the disclosure because it took these steps. The file was promptly recovered and had not been widely circulated. The incident had the potential to cause harm but the steps taken meant the affected people suffered no harm.

Although the department breached principle 5, the Privacy Commissioner found there was no interference with privacy because no one would have been harmed.

CASE NOTE 2 – Employee information lost

A memory stick containing the records of 150 employees of an Australian company was found to be missing. The information included the names, salary information, IRD numbers, home addresses, phone numbers, birth dates and, in some cases, health information of current staff. The data on the memory stick was not encrypted.

Due to the sensitivity of the unencrypted information – not only the extent and variety of the information, but also the inclusion of health information – the company decided to notify employees of the breach. Anticipating that individuals may, at some point, complain, it also notified the Australian Office of the Privacy Commissioner of the breach and explained what steps it was taking to resolve the situation.

A senior manager then emailed the affected staff members to notify them of the breach. In the notification she offered an apology, explained what types of information were involved, and advised that the privacy authority had been informed. She also explained what steps had been put in place to prevent this type of a breach occurring in the future. The manager also informed staff that they could make a complaint to the Australian Privacy Commissioner if they were unhappy with the steps the company had taken.

CASE NOTE 3 – Application forms disclosed

A person contacted an agency because they had received completed application forms that belonged to a number of other people. The person had originally completed an application for a service provider. The service provider had then mailed the form back to the client because not all the fields in the form had been filled in.

However, the employee at the agency who returned the incomplete form inadvertently included the completed forms from 17 other clients in the envelope that was sent out to the person.

In trying to do the right thing, the agency was overeager in attempting to notify the people whose forms had been accidentally sent to the wrong person. In doing so, it made assumptions about who the other people were, only to find out later that none of the people it had notified had been involved in the mix-up.

The agency then had to contact the 17 people whose information had been accidentally disclosed and also apologise to those other people who had first been mistakenly contacted about the breach.

Insights from agencies

“Develop a high degree of personal responsibility with BYOD (bring your own device). Personal phones and tablets are under a user’s control and do not come under organisational control. While managing personal phones is seen as intrusive, guidelines are necessary because many employees use them to access work information.”

“Accept collective responsibility. In many cases, it is often an organisation’s fault and not the individual employee because workers were not made aware of the risks.”

“Use the lessons learned as a teachable moment for workers throughout your agency.”

2.  Preventing employees deliberately or accidentally disclosing information

  • If the action is deliberate, cut off the employee’s access to electronic systems and require the return of keys and access cards.
  • Make sure employees understand the importance of protecting personal information when taking work home.
  • Train employees to use password protected portable storage devices when moving information physically.
  • Keep electronic and paper documents in offices and not in cars or other locations outside the office.
  • Store paper records in locked filing cabinets. Lock up mobile phones, laptops and other portable storage devices.
  • Control which staff members have the authority to access sensitive information.
  • Keep files separate on electronic content management systems and put in place access controls.
  • Make sure electronic files can be audited and carry out those audits routinely.
  • Check to see if there is personal information stored on obsolete databases.
  • Put controls in place that limit access to personal information on a need-to-know basis and carry out audits regularly.
  • Adopt a clear desk policy and ensure paper documents are locked away at the end of the day.

CASE NOTE 4 – Debtor details disclosed

A man asked a company for access to his personal information. In response, the company sent a list of debtors’ details which contained not only personal information about the man, but also about several other people. The employee who sent the information was inexperienced, and did not comply with the company’s usual procedures.

The company realised that a mistake had been made. It immediately contacted the Office of the Privacy Commissioner to say there had been a privacy breach. It also contacted all the people whose details had been inadvertently released, to let them know what had happened.

The man approached a newspaper which wrote a story about the company’s mistake. One woman whose details had been included on the list was approached by a journalist. Although she was not featured in the story, she was embarrassed by the fact that details of her debt had ended up in the hands of the media.

She complained to the Privacy Commissioner about the company’s breach of her privacy. The company apologised to her and made a small payment in compensation for the embarrassment she had suffered. The woman accepted this as a settlement of her complaint.

The company provided specific training to the employee who made the mistake, and additional training for all staff responsible for handling requests for personal information. It also improved its internal documentation on handling requests for personal information.

CASE NOTE 5 – Health information disclosed

A woman was being treated for a serious illness at her local hospital. Her doctor dictated a file note about the woman’s illness and the proposed treatment. This was transcribed by a hospital employee.

The employee had been a close friend of the woman, and was able to identify her from the notes. The hospital employee then told a mutual friend about the woman’s illness. The friend made contact with the woman to express their concern.

The woman had not told anyone of her illness at that point, and was very upset that information about her had been disclosed.

Rule 11 of the Health Information Privacy Code 2004 prohibits a health agency from disclosing health information about an individual unless one of the specified exceptions applies.

The Office of the Privacy Commissioner did not consider that any of the exceptions applied and the hospital agreed. It accepted that its employee had breached rule 11, and caused emotional harm to the woman.

The woman and the hospital agreed to settle this complaint. The hospital provided an apology to the woman for the stress that had been caused to her, and also paid financial compensation.

Insights from agencies

“Do not treat the news media as an enemy. Adopt a cooperative and collegial approach. It works better than having an antagonistic stance, especially if your agency has stuffed up.”

“Change a blame culture if one exists. A better approach is to make people feel safe to come and admit what has happened, knowing there will be a fair and honest procedure to handle the error. Such a culture will allow more reporting of breaches and near-misses and lead to better management of organisational risk.”

3.  Preventing employee browsing

  • Agencies should have systems that monitor employee access to files.
  • Build barriers to prevent employees accessing files for non-work purposes.
  • Include a policy about employee browsing in the workplace’s code of conduct.
  • The consequences of an employee having unauthorised access to a client’s information should also be clearly set out.
  • Have different levels of security for types of files, for example, general access and restricted.
  • A client should be able to tell the agency if they are aware of a staff member who may have a conflict of interest with their particular case. But be aware of the principles of natural justice when discussing accusations with an employee.
  • Ensure that staff members are well aware of agency practices around monitoring and auditing of file access.
  • If you are developing a new IT system, employ Privacy By Design techniques to reduce future risk.

CASE NOTE 6 – Employee browsing

An Australian government agency undertook a periodic audit of its records. The audit revealed an unusual pattern of client account enquiries in one branch of the agency over a 12 month period. The client records contained address information, financial information, and other details.

After some investigation, it was found that a staff member had been browsing the client accounts of his family and friends without any legitimate purpose or authorisation. There was no evidence that client information had been disclosed to a third party.

The agency recognised that some of the information was sensitive information that was not readily available. The agency considered there was a real risk of embarrassment or other harm from the release of that information. The staff member had a personal relationship with the affected people and could have combined the information with details about the people that he already knew.

The government agency decided to notify the individuals affected by the unauthorised access. It also took measures to prevent unauthorised access to client accounts by staff, and to ensure that all staff members were aware of their obligations to act appropriately.

The agency considered that, because of the sensitivity of the information and the context of the breach, the breach was sufficiently serious to warrant notification to the Australian privacy authority.

CASE NOTE 7 – Family member accesses file

A man found himself in a financial dispute with his sister. The sister worked for IRD and during the financial dispute, it became apparent to the man that she was accessing his IRD files. The man told IRD of his concerns and IRD agreed to investigate them.

The man’s concerns were confirmed and he again brought this to IRD’s attention. The man made a complaint to the Office of the Privacy Commissioner about the fact that IRD had let his sister access his files even though he had warned them that this might be happening.

Principle 5 of the Privacy Act provides that agencies must protect personal information by safeguards that are reasonable in the circumstances.

However, principle 5 is not primarily concerned with individual instances of unauthorised access. Rather, it focuses on the overall systems in place to prevent such occurrences.

IRD said it had a stringent code of conduct designed to ensure that staff are aware that they may not access personal information for non-work reasons. Any breach was considered by IRD to be serious misconduct.

IRD advised that it took action but found that at the time the man initially raised his concerns, there was no evidence of unauthorised access. IRD made the decision that it was not necessary to restrict access to the man’s files at that time. It said with a staff of over 5,000, it must rely on the integrity of its employees.

After the man raised his concerns again at a later date, IRD conducted a further investigation, found that the sister had accessed his files and therefore breached the code of conduct, and took disciplinary action against her.

The Privacy Commissioner formed the opinion that the general security safeguards IRD had in place were reasonable. This was a case in which a staff member decided to breach her workplace obligations and IRD’s code of conduct.

But the Privacy Commissioner felt that IRD could have handled the man’s concerns in a better way and IRD agreed to fully restrict access to the man’s files and to apologise to him for the incident.

Insights from agencies

“Make privacy and information security top priorities for your organisation. People need to have confidence that their personal information is protected.”

“Ensure that workers are getting training on how to respect people’s information, how to manage their data and how to prevent breaches.”

“Carry out spot audits on what information is being accessed, for what reasons and by whom.”

4.  Storing personal information safely and securely

  • Know who has access to sensitive information.
  • Be sure that sensitive information cannot be accessed publicly through your website or the internet. If you can access it online without a password, so can others.
  • Send data safely, especially in remote access and client/server transmissions.
  • Don’t use open wi-fi when working with or sending data.
  • Don’t email or instant message unencrypted sensitive information.
  • Check for sensitive information in email attachments especially when forwarding them on to others.

CASE NOTE 8 – Public kiosk security breach

A freelance journalist revealed that files on Ministry of Social Development (MSD) computer servers could be accessed through Work and Income (WINZ) job seeker kiosks. The information he was able to access included the personal details of at-risk children.

The journalist published his discovery on a widely read blog explaining how he was able to access and download thousands of files stored on the agency’s server. He also contacted the Privacy Commissioner to hand over the documents.

MSD responded by closing all the kiosks around the country and ordering an urgent internal investigation into the data breach. It also had discussions with the Privacy Commissioner and other stakeholders and issued the terms of reference for an independent review.

Deloitte were commissioned to undertake the external investigation and provided two reports.

The Phase I report focused on the circumstances and causes of the kiosk security breach and the Phase II report looked at whether the breach was symptomatic of governance, cultural and technical problems across the Ministry.

The Phase I report found three key issues:

  1. MSD had put insufficient focus on security and privacy when designing and building the kiosks.
  2. MSD had responded inadequately to findings that came from security testing of the system.
  3. MSD had poor risk management processes which did not alert top management to security problems.

The Phase II report found significant governance issues, including that:

  • information security was not explicitly spelled out in MSD’s governance arrangements
  • there was a lack of coordination across MSD over information security
  • there was a lack of a whole organisation approach to information security risk management
  • there were no performance measures for information security.

The recommendations included:

  • establishing one central point for managing information security
  • improving information security risk management
  • integrating information security into strategic planning and performance monitoring.

In response, MSD said it would recruit a chief information security officer to implement the Deloitte recommendations. The appointment would take responsibility for managing information security across the organisation.

Insights from agencies

“Develop a whole-organisation approach to privacy, one that values personal information and treats it with care. For example, privacy is not just the responsibility of an agency’s legal department because it also involves information technology, human resources and other areas.”

“Accountability structures need to be clear so top and senior management recognise that they are ultimately responsible for information breaches.”

“Where an information system is broken, shutting it down is a drastic resort but may work in some cases to stop a wider breach.”


5.  Disposing of or re-using information and documents safely

  • Destroy or securely delete sensitive information prior to re-use or disposal of equipment or media.
  • Shred unwanted sensitive paper or photographic records and documents.
  • Do not re-use paper records where the information could be exposed.

CASE NOTE 9 – Psych records found in abandoned building

An amateur photographer broke into an abandoned building that had once been part of Sunnyside Hospital, a mental health institution in Christchurch. She found confidential records about former hospital patients. They included a 1989 duty diary which detailed deaths, suicides, assaults, escapes and patient treatment. The woman also found a number of patient information sheets containing bank account numbers, social security numbers and next of kin.

The photographer held on to the documents for some time and the Christchurch Press reported it in 2002, saying that confidential psychiatric records had been found in one of the abandoned hospital buildings. The newspaper did not reveal the identity of the finder or the exact building where the records came from.

An internal Canterbury DHB inquiry into the breach was initiated and the Privacy Commissioner and the Health and Disability Commissioner were informed.

The DHB demanded that the newspaper return the files. The general manager of mental health services apologised for the breach and reassured patients and their families that no patient files were among the documents returned by the newspaper. He also advised that the former hospital buildings should have been cleared of documents when the hospital was closed in 2000.

Because the identity of the finder had not been disclosed, and a number of buildings on the former Sunnyside (now Hillmorton) hospital site were no longer in use, the DHB was not able to discover the exact building the documents were taken from.

The DHB acknowledged the incident highlighted that better safeguards should have been in place for the protection of the health information and it accepted that all patient information should have been removed. But it said the buildings had been secured and the information disclosed was the result of illegal entry and theft.

The DHB then implemented a more thorough process for decommissioning the buildings which included the removal of all documents. It also formalised the process for the decommissioning of future sites.

CASE NOTE 10 – Mobile phone data re-used

A woman bought a mobile phone for her teenage daughter, but the phone stopped working shortly afterwards. She returned the phone to the mobile phone retailer and received a replacement. She waited in the store while the retailer supposedly erased her daughter’s information from the phone.

Around two months later, the woman’s daughter received a text message from a friend. The friend said that a stranger had been sending her text messages asking about the daughter. The woman discovered that the mobile phone retailer had repaired her daughter’s original mobile phone and had then on-sold it to the stranger. The phone still contained the daughter’s contact list and photographs, and the stranger was using this information to try to find out more about the daughter. The woman was very concerned for her daughter’s safety, and the daughter was upset that her details were in the hands of a stranger.

The Office of the Privacy Commissioner contacted the retailer, and informed it of the woman’s complaint. The retailer unreservedly apologised for the incident. Its policy was to make every attempt to ensure that personal information was deleted when customers had phones swapped as part of the warranty process.

The retailer recovered the phone from the second owner, deleted the daughter’s information and then destroyed the phone. It sent a message to all staff stressing that they must protect their customers’ privacy by checking all phones and clearing all stored information. It also gave the daughter a new phone. The mother was satisfied with the steps that the retailer had taken to address her concerns.

Insights from agencies

“Prepare for and anticipate the likelihood of a breach. Encrypt information on portable storage devices to anticipate their accidental loss or deliberate theft.”

“Develop simple and easy to understand policies and guidelines about privacy.”

“Have a no surprises policy. Tell everyone who needs to know what has happened. The Prime Minister, relevant government ministers, heads of departments and other partner agencies may be annoyed if they find out about an issue through the news media and not directly from your agency.”


6.  Lessening the chances of emails and faxes going to the wrong destinations

  • Establish email procedures that involve double‐checking the address to ensure it is correct prior to sending. For example, external addresses might display in a different colour.
  • For mass emails, double-check that all recipient email addresses are in the bcc field.
  • Ensure staff members are aware what they can and cannot email.
  • When including an attachment, make sure it is the right one.
  • Spreadsheets can contain a lot of information. Protect them using passwords. Remind people to make sure the right document has been attached. It is also important to check what other information is hidden behind spreadsheet document tabs and in pivot tables.
  • Have a policy on emailing spreadsheets. Is it really necessary to send the information in a spreadsheet format? If so, get employees to check if the entire document needs to be sent or if there is a way of extracting only the relevant information intended for the recipient.
  • Develop a secure fax procedure. Double check fax numbers prior to sending and use a fax cover sheet with a privacy warning and your contact information for a misdirected fax.
  • Use pre‐entered numbers for routine faxes and ensure you are selecting the correct key prior to sending.
  • Confirm the recipient fax machine is secure and confirm receipt of the fax.
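A pre-send check covering two of the points above (mass-email addresses placed in bcc, and information hidden behind spreadsheet tabs and in pivot tables), shown as an added example that is not part of the original toolkit. The internal domain, the threshold and the sample message are constructed assumptions; the sample .xlsx contains only the parts the check reads.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import getaddresses

INTERNAL_DOMAIN = "agency.example"  # assumption: the sender's own mail domain
MAX_VISIBLE_EXTERNAL = 1            # assumption: policy threshold for To/Cc
NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}


def visible_external(msg):
    """External addresses that every recipient can see (To and Cc, never Bcc)."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return sorted({a.lower() for _, a in pairs
                   if a and not a.lower().endswith("@" + INTERNAL_DOMAIN)})


def inspect_xlsx(data):
    """Return (hidden sheet names, number of pivot cache record parts)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        root = ET.fromstring(zf.read("xl/workbook.xml"))
        hidden = [s.get("name") for s in root.findall("m:sheets/m:sheet", NS)
                  if s.get("state") in ("hidden", "veryHidden")]
        # Pivot caches can keep a copy of the source rows behind a pivot table.
        caches = [n for n in zf.namelist()
                  if n.startswith("xl/pivotCache/pivotCacheRecords")]
    return hidden, len(caches)


def presend_findings(raw):
    """Reasons to hold an outgoing message for a second look before sending."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    external = visible_external(msg)
    if len(external) > MAX_VISIBLE_EXTERNAL:
        findings.append(f"{len(external)} external addresses visible in To/Cc")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if not name.lower().endswith(".xlsx"):
            continue
        try:
            hidden, caches = inspect_xlsx(part.get_content())
        except (zipfile.BadZipFile, KeyError, ET.ParseError):
            # Password-encrypted or damaged workbooks cannot be opened as a zip.
            findings.append(f"{name}: could not be inspected")
            continue
        if hidden:
            findings.append(f"{name}: hidden sheets {hidden}")
        if caches:
            findings.append(f"{name}: {caches} pivot cache(s) with source data")
    return findings


def build_sample(field="Cc"):
    """Constructed mass email with client addresses placed in the given field."""
    book = (f'<workbook xmlns="{NS["m"]}"><sheets><sheet name="Form" sheetId="1"/>'
            '<sheet name="Applicants" sheetId="2" state="hidden"/></sheets></workbook>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/workbook.xml", book)
        zf.writestr("xl/pivotCache/pivotCacheRecords1.xml", "<pivotCacheRecords/>")
    msg = EmailMessage()
    msg["From"] = msg["To"] = "staff@agency.example"
    msg[field] = "a@one.example, b@two.example, c@three.example"
    msg.set_content("Registration form attached.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="octet-stream", filename="registrations.xlsx")
    return msg.as_bytes()
```

Calling `presend_findings(build_sample())` reports the three visible client addresses, the hidden "Applicants" sheet and the pivot cache; with `build_sample("Bcc")` only the two attachment findings remain.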

CASE NOTE 11 – Email “cc” vs “bcc” fields

A recruitment agency sent an email out to a number of its clients with each of the clients’ email addresses visible. One of the clients complained to the agency about how his email address could be seen and received an apology. But he did not consider that the apology was satisfactory and complained to the Privacy Commissioner.

Principle 11 of the Privacy Act states that an agency that holds personal information must not disclose that information unless one of the specified exceptions applies. In this case, the recruitment agency acknowledged that they had mistakenly revealed the man’s email address to a number of other people. The actions of the recruitment agency therefore constituted a breach of principle 11 of the Privacy Act.

The recruitment agency explained that the error had occurred as the ‘cc’ field had been used instead of the ‘bcc’ field and that it had been a one-off incident. They expressed their sincere apologies and stated that the mistake was unacceptable, given the nature of their business where confidentiality is important. They assured the Privacy Commissioner and the man that they had implemented processes to ensure that the mistake did not occur again.

The man accepted this further apology from the recruitment agency and the complaint file was closed.

CASE NOTE 12 – Spreadsheet attachment

A woman contacted a government agency seeking a registration form but in an email replying to her, an employee inadvertently sent her a spreadsheet attachment instead.

The spreadsheet contained the details of 1500 other applications for that particular registration dating back several years. The spreadsheet is sent to all of the agency’s call centre staff so that, if an applicant requests a progress update on their application, employees can answer by referring to the document.

The document listed names and birth dates of people, but no address information or even general information about their location.

The woman who received the wrong information called the agency to tell them what had happened. She assured a staff member that she had deleted the spreadsheet and all she wanted was a copy of the form she had requested.

An internal inquiry revealed that the first employee did not follow internal protocol when sending the request form and simply went to the ‘recent document’ tab in the database and right-clicked on the wrong form. The employee also did not check what they were sending before they sent the email.

The agency said the spreadsheet had been identified as a risk months earlier and it was only two weeks away from implementing a new system when the mistake happened.

The agency followed breach notification guidelines and decided not to notify the people whose information was on the spreadsheet. The reasoning was the individuals could not be clearly identified by the information and the recipient had deleted the document. Therefore there was no risk to them and contacting them could cause unnecessary concern.

The new electronic system that did not involve sending spreadsheets to call centre staff has since been put in place.

Insights from agencies

“Make sure you have a privacy officer in your agency who staff can contact to notify any suspicion or threat of a data breach.”

“Make changes to any processes and address any knowledge or skill gaps among staff that may result in a similar breach happening again.”

“Alert the privacy regulator and other relevant agencies. For example, if a doctor’s prescription fax is sent to the wrong fax number, the DHB, the pharmacy and the patient should be told. Programme the number in the fax machine to eliminate the chances of misdialling a number.”


7.  When personal information is published on websites or elsewhere

  • The website or business should be contacted and a request made to take the information down immediately.
  • If a business or website does not comply with a takedown request, a complaint can be made to the Office of the Privacy Commissioner.
  • Make sure you have a copy of the information before it is deleted from the website so you know who the affected people are.
  • Identify how the material managed to end up being published on the website.

CASE NOTE 13 – Unauthorised photos published

A mother enrolled her daughter in a school holiday programme run by a regional sports trust. When filling out the enrolment form, the mother ticked ‘No’ to the question whether she gave permission for her daughter’s name, photo and/or video to be published in programme newsletters or used for publicity.

A local newspaper published a photograph of the daughter and three other children. The photograph named the children and identified them as participants in the holiday programme. It stated where the programme was held. The mother complained that her daughter’s privacy had been breached.

The complaint raised issues under principle 11 of the Privacy Act. This principle provides in part that an agency that holds personal information about an individual shall not disclose that information unless the agency believes, on reasonable grounds, that one of the exceptions to principle 11 applies.

The Trust did not seek to rely on any of the exceptions to principle 11 and in the view of the Privacy Commissioner, none of those exceptions applied. Accordingly, the Trust was found to have breached principle 11 by publishing the daughter’s photograph.

In order to find an interference with privacy, the Privacy Commissioner must be satisfied that there has been a breach of a privacy principle and the breach has caused the individual some harm, loss or detriment as set out in section 66 of the Act.

The mother advised that she and her daughter had in the past been harassed by the mother’s former partner. She had contacted Police who had advised the mother that no information should be disclosed to the former partner that would enable him to have access to the family. The daughter also explained that since her photograph had been published, she no longer felt safe.

The Privacy Commissioner was satisfied the daughter had suffered harm of the type and extent required by section 66. It was clear that the publication of the daughter’s name, photograph and location could adversely affect her interests given the safety concerns.

The Trust apologised for the inadvertent disclosure of the girl’s personal information and expressed genuine regret at what had happened. The Trust also put new procedures in place to prevent any recurrence of this situation.

The Trust offered the girl a 12-month gym membership to one of its facilities. But the mother did not find this acceptable and sought $500 in compensation.

Where there is an interference with privacy, the Privacy Commissioner encourages the parties to settle the matter. If they cannot do so, the matter can be referred to the Director of Human Rights Proceedings, who decides whether to bring proceedings to the Human Rights Review Tribunal.

While the mother’s request for compensation was modest, the Trust was not in fact in a position to pay. It had made another offer of settlement, of equivalent value, in good faith.

Taking everything into consideration, the Privacy Commissioner exercised his discretion not to refer the complaint to the Director. But the mother was advised of her right to take the matter up with the Director of Human Rights Proceedings, if she wished.

Insights from agencies

“Banning social media is not a strategy. Many organisations bring in customers through networking. With guidance and training, employees can be encouraged to do this safely.”

“The term ‘data’ is not helpful and can invite complacency because it makes people forget that it is information about people.”


8.  Keeping software up-to-date and using strong password security

  • New vulnerabilities are being found in computer operating systems and third party applications on a daily basis. Patches are regularly issued to address these vulnerabilities, but they only protect you from hackers once you install them.
  • Make sure all systems that contain or access sensitive information have all necessary operating system and third-party application security patches and updates.
  • Carry out regular security checks and audits. Consider penetration testing as an option.
  • Use strong passwords and don’t share or reveal passwords.
  • If a computer is used by different people – for instance, a shared laptop for presentations – it should still have a strong password if it connects to your work network. If possible, don’t connect to the work network because that increases the risk.
  • Use different passwords for accounts that provide access to restricted information than for less-sensitive accounts.
  • Change passwords regularly.
  • Install anti-virus, anti-malware and anti-spyware software and make sure it is always up-to-date.
  • Don’t click on unknown or unexpected links or attachments because these can infect your computer.
  • Don’t open files sent via IM (instant messaging) or P2P (peer-to-peer) software on a machine that contains restricted data because these files can bypass anti-virus screening.
  • Don’t install unknown or suspicious programs on your computer because these can be computer viruses or open a “back door” giving others access to your computer without your knowledge. Consider restricting the ability to install software.

CASE NOTE 14 – Phishing

An online recruitment agency accepted CVs from jobseekers and made them available to employers on a password protected website.

Jane, a jobseeker whose CV was on the website, received an email which she suspected was a ‘phishing’ email. The email was personalised and contained information from her CV. It contained a number of spelling mistakes and offered her a job. The email claimed that all Jane had to do to secure the job was to provide her bank account details so she could be paid. Jane told the recruitment agency of her suspicions, and forwarded a copy of the email to the agency.

The recruitment agency then assigned a member from its IT team to investigate. The investigator discovered that the email was indeed a phishing email. It claimed to be from an employer and directed the jobseeker to a website that asked them to enter further information. It also installed spyware on the jobseeker’s computer.

The recruitment agency then attempted to establish how phishers came to have the CV details of the jobseeker. The preliminary assessment revealed that the phishers had stolen legitimate user names and passwords from employers who used the agency’s website and that the phishers had fraudulently accessed jobseeker information.

The IT team brought the problem to the attention of senior management and quickly contained the breach by disabling the compromised employer accounts. Based on the IT team’s assessment, senior staff moved to evaluate risks associated with the breach and considered what actions should be taken to mitigate any potential harm.

The recruitment agency then upgraded the security on its website to prevent future breaches of employer and jobseeker information. To prevent a similar breach, it also informed employers that used its services that it had put in place stricter log-in protocols.

CASE NOTE 15 – Computer hack

A popular Australian online gaming service sold access to its gaming network on a subscription basis. It collected and held a range of personal information from its customers in order to create a user account and deal with subscription payments. Details included names, dates of birth, email addresses, postal addresses, and credit card numbers.

During a routine security check, the gaming service discovered through the use of intrusion detection software that the server containing its account information had been compromised, and the account information of over 500,000 customers had been hacked and, most likely, copied.

The gaming service took immediate steps to contain the breach (including temporarily shutting down its servers) and notified the Australian privacy authority. Based on its belief that criminal activity had been involved, it also contacted Police.

Police then investigated, during which time they asked the company not to release any information about the breach. The company also engaged a technology security firm to enhance the security of its accounts systems.

When Police were satisfied it would not compromise their investigation, the company notified the affected customers. It explained exactly what happened and when, that Police were investigating and the privacy authority had been notified. It also suggested that affected customers monitor their credit card accounts and contact their financial institution if they had any concerns.

Insights from agencies

“Carry out regular audits on your agency’s IT security. Employ an IT security company to conduct penetration tests on your system to look for security flaws. Fix any weaknesses that are identified.”

“Have a notice counting the days since the last data breach and celebrate as an agency when the time elapsed breaks a previous record.”


Additional resources

Finding other people’s information

People sometimes have information sent to them that’s not theirs, or they may find other people’s information in places like cafes or on public transport. If this happens to you, you should treat the information like the valuable lost property it is. You have legal obligations once you are in possession of information that identifies other people, or that is clearly confidential.

Privacy breach guidelines

The Office of the Privacy Commissioner’s voluntary privacy breach guidelines provide the key steps for agencies to respond to privacy breaches.

How to contact the Office of the Privacy Commissioner


Write to us:
PO Box 10-094
The Terrace, Wellington 6143.
Fax:  (04) 474 7595

Enquiries Line (for general enquiries):
0800 803 909 (from 8.30am to 5pm, Monday to Friday)

Call us:
04-474 7590 (Wellington)
09-302 8680 (Auckland)

Media Enquiries (for media use only):
021 509 735
