A privacy breach by Archives NZ has let people see royal commission records containing abuse survivors’ sensitive health information.
The breach was discovered months ago but officials kept it from the public.
An internal report released under the OIA to RNZ revealed: “On 19 September 2022, Archives New Zealand discovered that Royal Commission records were marked as open access on Collections Search when they should have been marked as restricted.
“Two members of the public accessed files containing sensitive health information which could cause harm to individuals named in those files.”
It does not say how many individuals or what happened to the information.
The royal commission has been hearing survivors’ accounts of abuse in state and faith-based institutions. Archives NZ is the repository for the records.
The internal report dated November 17 from Archives deputy chief executive Hoani Lambert said. “This issue resulted from a data input error. Archives New Zealand took immediate action to rectify the privacy breach and determined it was an isolated incident.
“In consultation with Te Whatu Ora [Health NZ, the controlling office of the records], a public notification of the privacy breach is planned for early December”.
When RNZ asked for more details, the Department of Internal Affairs, which oversees Archives, said it had been developing a plan to notify the public by early this month but had now shifted that to mid-January.
This was “on the advice this timing would minimise potential further negative impacts to survivors”, it said.
“Our priority is the people who may be impacted through this breach, advice is that a mid-January notification will allow the right supports for people to be in place.”
Internal Affairs Minister Jan Tinetti said Archives had been keeping her informed. It had the mid-January plan in place “based on the needs of survivors”, and she added this was an operational matter.
Te Whatu Ora asked for more time to comment.
Separate breach alerts shut down system
The abuse survivor breach is in addition to further revelations about the extent and nature of other, separate Archives shutdowns and potential privacy breaches caused by its new technology malfunctioning:
Three breach alerts triggering shutdowns for several days each since February - only in one case was the reason made public
At least 8900 files mistakenly made public from February to September when they should have been restricted - “mostly political papers and slides”.
The new $4m search system shut down for 700 hours - equal to 29 days - since February.
The system’s Swedish supplier Axiell knew about the system’s syncing error “but did not advise Archives”.
One person accessed two of the mistakenly opened records but these “did not contain sensitive material”, the reports said.
Investigations, while the system was shut down each time, showed restricted information was put into the public realm but “there were no privacy breaches” because “no confidential information was accessed”.
Two of the three major outages were in August - three days - and October, for eight days.
What to tell the public?
On October 28, Archives told Tinetti: “So far, Archives New Zealand has described these two outages as ‘for essential maintenance”.
“We have been sending updates to regular users and will need to send a further update in November.
“We will need to decide how much information to provide on the reason for the October outage,” the agency told Tinetti.
By contrast, an Archives communications plan in June said: “We will be open, proactive, and transparent with internal and external communications, including media.”
On October 20, it said: “A communications plan has been developed to ensure that staff, stakeholders, users of Archives collections and members of the public are kept informed as appropriate.”
A third major outage ran for 11 days from November 11.
The potential security and privacy breach that sparked it was made public after RNZ had inquired about a related matter.
The OIA reports show the title and description of “a series of family proceeding records” were made visible when they were restricted.
Archives restarted the search system on November 22, telling RNZ “as it currently stands, we are satisfied there has been no privacy breach”.
Two days later, in an internal weekly status report, it said it did not know for sure.
“A privacy risk assessment of the records involved in the 11 November 2022 incident is underway,” it said.
“Axiell is due to provide further information on whether any members of the public accessed this material while it had the incorrect settings.”
This would lead to a “final” privacy risk assessment and an update to the Privacy Commissioner on “if further action is needed”.
The shutdowns are further complicating problems with the whole system from the word go.
The Collections search system was slow, difficult to use and “inferior” to the old Archway system it replaced, various reports said.
The problems have contributed to hold-ups in court cases, and Māori land and marine hearings, because it is taking twice as long for researchers and lawyers to get records.
The newly-released reports state the risks included “a significant reputational risk” to Internal Affairs and to “public confidence”.
“There is a lack of trust in the integrity of the data due to concerns around discrepancies in what staff and customers have access to,” a report in August said.
Other risks were “wellbeing of staff” who were having to field hundreds of complaints - Archives looked at bringing in a contact centre to help - and “ongoing media requests”.
The system was set up remotely by Axiell during Covid-19, without full testing by users due to the pandemic and without full functionality when it went live in February.
Archives said it met with senior Axiell staff and told them that their not advising the agency that they knew about the syncing error, “is not satisfactory”.
Archives has been forced to put syncing on hold till it gets a software release in December - due in June, but delayed - to deliver “critical functionality”.