Police passed on the private health details of six people with Covid-19 to potential employers, but the infected job seekers had no idea their information had been shared.
Police have apologised for the privacy breaches, which came during police vetting procedures.
The Privacy Commissioner John Edwards has slated the behaviour as "inappropriate" and overstepping the organisation's role in helping to manage the pandemic.
Edwards today released the Inquiry into the Ministry of Health's disclosure of Covid-19 patient information to emergency services and recommended government agencies reviewed how they handled highly sensitive Covid-19 patient information.
He found that the Ministry of Health was initially justified in providing Covid patients' details to emergency services - but should have tightened up the rules once the country dropped down alert levels.
"We found a couple of instances where prospective employers were notified about people's Covid status - and that came as a surprise to the individuals concerned, and wasn't really justified," Edwards told Newstalk ZB.
Police assistant commissioner service Jevon McSkimming said the organisation accepted the findings and apologised for the behaviour.
"We are sorry for the release of information and we acknowledge that this should not have happened," he said.
"We have apologised to those people whose Covid-19 status we shared when we shouldn't have."
Emergency services were given daily updates of the personal details of people with Covid-19 from March onwards, when community transmission was rife, in case frontline staff came into contact with infectious people.
But by April, the Privacy Commission had received complaints from Covid-positive patients that police had told potential employers they had tested positive for Covid-19 as part of its vetting service.
"I think many people would have been surprised to know that an Auckland local emergency service was regularly getting spreadsheets containing the details of people in very controlled isolation: in the South Island, for example," Edwards said.
This information only came to light when former National Party president Michelle Boag quit the party after revelations she sent patients' private information to another National MP.
Boag, who received the information through her then role with the Auckland Rescue Helicopter Trust, shared the private details with disgraced National MP Hamish Walker in a bid to help him rebuild his reputation following allegations of racism.
Walker then leaked the information - including the patients' names, and dates of birth - to major media outlets to prove the Government's shortcomings on security of information, he said at the time.
Edwards said emergency services were justified in knowing the details of those who had tested positive for Covid, but police had overstepped by sharing it with employers.
"This means Police vetting staff are effectively making a judgment on the relevance of clinical information without clinical input," he said.
"It should not be up to police vetting staff to make this decision where that information is being relied on by the agency to make decisions such as determining a person's suitability for employment."
Police immediately stopped disclosing these details during the vetting process after Edwards raised concerns, he said.
Edwards made a number of recommendations to both the Ministry of Health and police following the inquiry, including that people being tested for Covid-19 will be told what will happen to their personal information, and to implement measures ensuring the security of someone's health information when it is shared with third parties.