Auckland Council will decide if an upgraded Eden Park or a new stadium will be the city's national stadium and Auckland Transport struggles to collect bus and transit lane fines.
Oranga Tamariki faced “grievous” privacy breaches, including unauthorised data access leading to physical harm.
A review highlighted 35 serious breaches, revealing lax data practices and staff resistance to privacy rules.
Oranga Tamariki has since implemented a privacy improvement plan and appointed Philip Grady as chief privacy officer.
“Grievous” privacy breaches have been revealed at Oranga Tamariki, including a staff member who took a screenshot of a mother’s file and shared it with the child’s father, leading to further physical abuse to the mother.
Eight other such cases are outlined in a newly released review of the Children’s Ministry’s slack approach to masses of children’s and whānau sensitive data, released publicly almost a year after it was completed.
In each case, “unauthorised and inappropriate access and disclosure of personal information put children and others at real risk of physical harm, which in some cases actually occurred”, said the 67-page report.
In another case, a sensitive family group conference was secretly recorded, then video of the child talking at the meeting was published online.
Lawyers were called in to investigate Oranga Tamariki (OT) after a high number – 35 – of serious privacy breaches were notified to the Privacy Commissioner in 2022 and 2023.
The lawyers found social workers who “hated” privacy rules, sensitive files that were wide open to trainees and a casual approach to children’s most sensitive data. The issues started at the top of an organisation that has been beleaguered by horrendous oversights and scathing reviews, since its establishment in 2017.
The nine cases of harm the review listed in the report were “just a snapshot”, it said.
a social worker gave the address of a child and their mother to the child’s father, who was on bail at the time for the alleged rape of a young person living with the mother;
sensitive notes from an interview – including allegations of abuse against the mother of a child – were sent to the child’s grandmother;
information about a child was inappropriately accessed by a staff member and provided to the staff member’s family;
a social worker shared the identity of an alleged abuser from historic and unsubstantiated claims with the man’s whānau and others;
the identity of a person who had made a report of concern about a child was shared with family members, because the individual’s personal information was unnecessarily included in court documents;
multiple copies of client files were found by a road worker in rubbish left in Ngauranga Gorge, with the files incorrectly disposed of by a psychologist;
a locked cabinet full of client and staff files was donated to charity, and later thrown into a skip.
“Each case represents a grievous breach,” said the 67-page independent report by Dentons lawyer Linda Clark.
“The deputy privacy commissioner described some of the breaches as the worst she had seen.”
Oranga Tamariki's slack approach to masses of sensitive data has been highlighted in a new report. Photo / NZME
The report was completed in April 2024, but was not released publicly for almost a year by OT or the privacy commissioner.
Even as the breaches were occurring, social workers and other staff were describing themselves as “too busy to think about privacy”, while also worrying that “people would be harmed as a result of poor personal information management”.
Dangerously lax privacy practices went on for years, but did not show up early due to regulatory gaps, such as leaving it to OT to assess itself, before a watchdog signed that off.
Oranga Tamariki was established in 2017, and it was only at the end of 2020 that the Privacy Commissioner made it compulsory for agencies to tell it about serious privacy breaches.
After 35 notifications – most about adults' private information – the review was launched.
In the review, Clark acknowledged that social workers who were carrying heavy caseloads could make mistakes.
Lawyers were called in to investigate Oranga Tamariki after a high number – 35 – of serious privacy breaches were notified to the Privacy Commissioner in 2022 and 2023.
“In one of the notified breaches, for example, a social worker under duress from a child’s mother provided her with the address of the child’s father”, which was “potentially dangerous”.
“Any social worker in those circumstances requires support and processes on which they can rely to de-escalate the situation, including, if necessary, having another social worker step in.
“In practice, however, we were told social workers managing multiple cases with complex clients commonly perceive privacy as an add-on which complicates their interactions.”
An interviewee told Clark that some social workers could not see the connection between protecting privacy and protecting the child.
“They hated it. They couldn’t see the connection,” they were quoted.
A fundamental change had to occur, the review said.
It said it was surprising that less than 1% of the “extraordinarily large amounts of personal information about thousands of vulnerable children and their families” was considered sensitive enough by OT to restrict access to it among staff. Some files were 30,000 pages long.
Since the report was completed in 2024, Philip Grady has been elevated to chief privacy officer at the level of a deputy chief executive to fix these issues.
“We note that Oranga Tamariki has not had any notifiable privacy breaches in the last 12 months,” Grady told RNZ investigative reporter Anusha Bradley in a statement.
Bradley sought the report under the OIA in November 2024 but was denied it, on the basis it would “soon” be made public, but it was only released last week.
The true extent of breaches may never be known.
Clark stated: “We were provided with no information indicating Oranga Tamariki has a complete picture of all privacy breaches or near misses across all of its work.
“To the contrary, we were told by a number of interviewees that they knew not all privacy breaches are reported.
“Overall, because Oranga Tamariki does not have an accurate picture of all breaches, it cannot identify patterns or the causation of breaches that fall below the notifiable ‘likely to cause serious harm’ threshold.”
The shortcomings included:
The main database CYRAS could have layers of security restrictions added to block access, “but the agency has opted not to introduce this”;
The weak privacy team had to go through three middle managers to find out about a breach and how likely harm was;
Some staff used personal phones to record information with no controls;
When responding to an internal request for information, personal information about a child or young person that was not relevant to the specific request was attached and shared with a wide group, and no one reported this.
Staff did not think these practices were risky.
The agency’s high-trust model led to some social workers resisting training, and its fragmented computer systems made things worse.
“There are no random checks to test whether kaimahi are using their privilege of access responsibly.
“New frontline recruits have access to CYRAS even before they have their formal induction.”
Notifiable breaches were generally reported to the privacy commissioner on time, and the agency would intervene, even to the point of relocating a family or putting in alarms at a home.
“But such responses are quite literally an ambulance at the bottom of the cliff,” the April 2024 report said.
Linda Clark. Photo / Q+A
Who was watching?
The Government’s chief privacy officer in 2023 stated it was clear there was “a broad awareness of privacy responsibilities across the ministry”.
That opinion relied on OT’s own self-assessment under the Government’s Privacy Maturity Assessment Framework.
“The accuracy of their findings will naturally be limited by the reliability of those self-reflections,” Clark wrote.
The ministry had scored itself positively since 2021. “We consider the self-assessment of Oranga Tamariki to be generous”, which made it more difficult for it to figure out how to improve.
“Even after repeated reviews, high profile media criticism of privacy breaches and the introduction of the post-2020 notification regime, many Oranga Tamariki kaimahi still appear to find the Privacy Act either confusing or distracting.
“If Oranga Tamariki is to prevent further notifiable breaches these attitudes need to be addressed,” said the April 2024 review.
Bradley’s series on the treatment of children by the agency in late 2024 revealed mistakes and unchecked claims that endangered whānau.
The agency has been the subject of more than a dozen scathing reviews.
These reviews followed a pattern where findings are made that show children are being put at risk or OT has large gaps; the agency accepts recommendations to fix the deficiencies; and the agency later says it has done that and improved.
The same pattern is repeated here. “We released a report in 2025 that reviewed how we manage privacy in our work,” the agency said on its website.
“This was so we can improve our practices and minimise risks.”
It was committed to addressing these issues, and had elevated Grady to his new role, set up a privacy improvement plan and a privacy steering group to monitor the plan.
It would do another review next year, it said.
Sign up to The Daily H, a free newsletter curated by our editors and delivered straight to your inbox every weekday.
