However, the Herald revealed the private details were not scrubbed and the entire spreadsheet was then publicly released under the Local Government Official Information and Meetings Act (LGOIMA).
Council staff, privacy experts and data processors were interviewed for the review conducted by INFO by Design and The Instillery.
The resulting report said the primary cause of the breach was human error and noted the spreadsheet was handled by seven council staff before it was published.
Nobody interviewed expressly recalled seeing the tabs in the spreadsheet containing the personal information when the LGOIMA request was being handled.
“Any effective review should have caught the personal information,” the report said.
Nobody interviewed could explain why the spreadsheet was created in the first place and whether a benefit-cost ratio was even required for the plan to lower speed limits.
Regardless, the review said downloading the full spreadsheet with all the crash data information was not necessary.
“A significant number of incidents were unrelated to the speed of the vehicle and therefore do not appear to relate to the policy question at hand.”
Examples include a car being stolen by children too young to have licences, deliberately using a vehicle to run someone over, and numerous incidents involving drugs, alcohol or medical events, the review said.
“Wellington City Council could have downloaded a limited subset of information or cleaned that data that was not necessary.”
Interviewees who had experience with large data sets said they were surprised the irrelevant data was not deleted from the outset.
“‘Just because there is all that data, why would you need it’ and that they were ‘shocked’ that personal information had been left behind.”
The review said the council had obligations to the public to ensure its analysis is transparent and can be reproduced.
In this case, the benefit-cost ratio was significantly miscalculated anyway and has been the subject of a separate review. The benefit of reducing crashes was overstated by more than $250 million.
As for WCC’s general ability to manage privacy, one interviewee said the council is “focused on new risks but has become blind” to older issues.
Another stressed that a balance is required between improving privacy and ensuring privacy is not used to erode transparency.
Someone else said there were still council staff who weren’t willing to accept their role in the privacy breach.
The review said the privacy function at Wellington City Council was reactive rather than proactive and “in an immature space”.
The council has one senior privacy adviser who was hired late last year.
However, the review said having one subject matter expert has been insufficient, especially considering the council provides about 400 services and has an operating budget of $817.6m for the current financial year.
The review’s recommendations include the council creating a policy on how to deal with large datasets, appointing a senior leader to champion the council’s official information process, and building a privacy culture and awareness through better training and resourcing.
Chief strategy and governance officer Stephen McArthur said he welcomed the review and the council will be implementing the recommendations.
The matter will be considered at a council Audit and Risk Committee meeting on Wednesday.
Georgina Campbell is a Wellington-based reporter who has a particular interest in local government, transport, and seismic issues. She joined the Herald in 2019 after working as a broadcast journalist.