Working from home can create privacy problems as couples handle sensitive information. Photo / 123rf
Working from home can create privacy problems as couples handle sensitive information. Photo / 123rf
The ex-partner of an insurance worker claims she breached the privacy of customers by sharing images of insurance claims with him while they were in a relationship.
But the insurer says its investigation found there was no breach and the man viewed the information on their former employee’s laptop whilein the same household without the employee’s permission.
The situation has raised issues about privacy within households, particularly with the rise in the number of workers doing their work from home in the wake of the Covid pandemic.
The man, who wants to remain anonymous, claims his ex-partner sent him details of insurance claims while working for Suncorp New Zealand in 2021. She has since left the company for a new job.
He says those insurance claims included details of a man whose pet had died, requiring his boat to be stripped down and cleaned, and another for Westland Milk, which was claiming on its insurance due to losing milk powder in a shipment.
“I have enough of his details to pretend to be the individual and say ‘can you pay out this claim to this bank account?’ And especially as it is for a boat it is a lot of money,” the man said.
He said his ex-partner sent him photos of the first claim because she found it entertaining, while the second one was to show him how much the broker was making.
He says at the time he didn’t realise it was a possible privacy breach. It was after the relationship turned sour and he rang the Privacy Commission to ask for advice in relation to a court case that he realised it could be a breach.
The man said he reported the alleged breach to Suncorp in December but had heard nothing back from the company despite promises that it would investigate.
The man said he had contacted Suncorp’s privacy officer several times in recent weeks but had heard nothing back.
“At the end of the day, you want an investigation carried out and an acknowledgment from the other party.”
Companies are not required to report privacy breaches to the Office of the Privacy Commissioner unless they are likely to cause serious harm to the individuals whose data has been breached. Photo / 123rf
A Suncorp New Zealand spokeswoman said once it was made aware of the alleged privacy breach, an investigation was launched and the matter escalated to all relevant parts of the organisation.
“This investigation concluded that a privacy or Code of Conduct breach by the employee was not substantiated.
“It does, however, appear that a member of their household viewed information on our employee’s laptop without their knowledge in late 2021. Any use of the information by that individual is itself a breach of the Privacy Act and should not be occurring.”
She said Suncorp New Zealand took customer information privacy and security extremely seriously and followed guidance from the Office of the Privacy Commissioner when managing privacy breaches.
“Every Suncorp New Zealand employee is required to complete privacy and security awareness training annually and affirm their commitment to Suncorp’s Code of Conduct.
“The training includes guidance on data protection and, as part of the terms of use of Suncorp New Zealand technology infrastructure/use of equipment, each employee is required to comply with Suncorp’s IT Acceptable Use Policy.”
A spokeswoman for the Office of the Privacy Commissioner said under the Privacy Act, agencies that collect and hold personal information have a duty to protect and respect it to avoid causing harm to the people whose information they hold in trust.
“This includes ensuring personal information is carefully managed, and that it is only shared with people who have a legitimate reason to view it.
“It is our expectation that agencies have privacy policies supported by training programmes which ensure that staff are aware of their personal responsibilities and know how to keep the information they have access to safe and secure. This includes when they are working from home.”
She said companies were not required to report privacy breaches to the Office of the Privacy Commissioner unless the breach had caused or was likely to cause serious harm to the individuals whose data has been breached.
She said the extent to which an incident was a serious-harm privacy breach depended to a large extent on what the recipient of the data did with it.
“If they returned it to the company, deleted their copy and did not attempt to do anything to cause harm to the individuals whose personal information was contained in the claims they allege they saw, then the breach is unlikely to reach the threshold for a serious-harm privacy breach.”
She said despite the man reporting the alleged breach to the company he was not entitled to know what occurred as a result of any investigation.
“Should the company determine that an investigation is necessary it would be a breach of the privacy of their employee to inform your correspondent of any resulting action or inaction.”
