Data details Ministry staff viewing court documents without justified reasons. Photo / Stock
Data details Ministry staff viewing court documents without justified reasons. Photo / Stock
Bay of Plenty courts and tribunals logged the third-highest number of breaches of confidential personal and criminal information in the country in recent years, it can be revealed.
A total of 64 breaches have been recorded over the Bay of Plenty region since 2015 - substantially higher than regions with similar populations.
The Tauranga District Court and public defence service offices saw 34 total breaches, according to the information obtained under the Official Information Act. An hour down the road, the Rotorua District Court recorded 26 breaches.
Whakatāne District Court recorded just two, with two further breaches recorded as occurring elsewhere in the Bay.
For comparison, the Bay of Plenty's total 64 breaches is double that of the Waikato, three times that of Hawkes Bay and Manawatū-Whanganui, and sixteen times that of Taranaki.
The incidents made up part of 1537 recorded privacy breaches nationwide since 2015.
Of those, 409 happened last year alone - four times the number of breaches in 2015.
As of the beginning of May, 103 privacy breaches had so far been recorded across 2022. Most of the total nationwide breaches were seen in the Wellington region, the home of New Zealand's senior judiciary as well as the Supreme Court and Court of Appeal. Auckland followed closely behind - again likely explained by the region's substantial caseload.
Staff found snooping through court records after tip-off
Also detailed in the data was the number of Ministry staff who were the subject of employment action after breaching privacy rules. This related to viewing court documents without a justified reason.
That data showed 150 staff were formally warned and a single additional staffer was dismissed between 2015 and 2021. The locations of the staff are not known.
All of those incidents happened in 2020. Outside of 2020, not a single employment action was taken against a staff member.
The Ministry of Justice said the employment investigations came after concerns were raised about staff accessing documents they shouldn't be. The Ministry did not confirm when those concerns were raised.
However, the relevant breaches happened in 2018 and 2019, with the employment investigations completed and action taken against staff in 2020.
Privacy_Breaches_OLE
The Ministry said the reason for the delay was that it took time to carry out the process properly.
Questions remain, however, over why there was employment action against 151 staff in one year, but none in any of the other years when breaches occurred.
The Ministry strongly denied any suggestion that lax breach-monitoring processes were the reason no action was taken in the other five years.
The Ministry denied any suggestion relaxed breach-monitoring processes were the reason no breaches were identified in the other five years.
"Our information security policies meet the government standard."
Ministry's own staff the 'biggest risk' - professor
Speaking to Open Justice, Auckland University associate professor in commercial law Gehan Gunasekara, who also serves as the chair of the Privacy Foundation, said the breaches among the Ministry's own staff were always the biggest risk for an agency of that size.
"I would think that's massive; that's the trojan horse, your biggest risk," the professor said. "You want to make sure you've got trustworthy people on the inside.
"It would be disappointing if Ministry of Justice officials were essentially not following the law."
Around 2700 Ministry staff work in or around courts and tribunals. The Ministry did not confirm the approximate number of those staff who have access to court documents through their roles.
On the increase in privacy breaches more broadly, Gunasekara said there may be a link between the rise in privacy breaches in the last two years and a change in the Privacy Act, which now requires all serious breaches to be reported almost immediately.
Under the Privacy Act, any security breach that is likely to cause serious harm must be reported directly to the Privacy Commissioner within 72 hours.
The data provided to Open Justice includes all breaches of any personal information - both serious and minor.
Acting Privacy Commissioner Liz MacPherson confirmed the number of total breaches was vastly higher than the number of serious breaches reported to her.
"Sometimes there is a misconception that privacy breaches only occur where personal information is inadvertently shared to, or inappropriately accessed by, someone external to the agency," MacPherson said.
"That's not the case. Internal issues such as employees looking up other people's personal records without good reason are also privacy breaches."
In a statement, the Ministry's chief operating officer Carl Crafar said the organisation had since taken steps to review its processes and introduce further prevention strategies, regular training and reminding staff of the code of conduct.
