The Office of the Privacy Commissioner says it received reports of 222 breaches of security of personal information from agencies during the year to June 2019. That compares to about 168 in 2017-18 and 15 in 2009-10.
The most common type of breach was email error followed by employee browsing.
The Office’s annual report notes that with the introduction of mandatory privacy breach notifications under the Privacy Bill, the number of breaches reported to it will “likely increase significantly”.
The report says that bill will make it mandatory for agencies to notify the Office of significant privacy breaches. “We support this and see it as critical in making agencies more accountable for their handling of personal information.”
During the year the Office answered 7,947 public enquiries, while 16,852 public searches were made through its online FAQ service, AskUs.
MSD 'systematically misused' its powers
One of its most significant operations was an investigation into the Ministry of Social Development (MSD).
The annual report says the Office completed an inquiry into MSD’s use of its compulsory information collection powers under section 11 of the Social Security Act 1964 to collect “any information” about a person on a benefit in order to assess their entitlements.
“The inquiry found that while pursuing instances of benefit fraud, MSD had systematically misused its investigatory powers and failed in its obligations under the Privacy Act 1993. In doing so, MSD had unjustifiably intruded on the privacy of many beneficiaries and others.”
The report made five recommendations, including that MSD immediately cease its blanket application of the ‘prejudice to the maintenance of the law’ exception when issuing section 11 notices. Following the Office’s report and recommendation, MSD changed its approach to high risk fraud investigations.