Recent public-sector breaches in New Zealand, such as those at ACC, EQC and Work and Income, were a wake-up call "of the most benign kind".
All were caused by errors, rather than deliberate attack. But Mr Crompton said too many inadvertent releases "means you're probably much too vulnerable to external attack as well".
Mr Crompton said private sector companies were also at risk, and many were not managing their information well.
But there were some reasons why public agencies may be more vulnerable.
The way government departments interacted with people was less controlled, and relied heavily on email.
In the case of the ACC breach, a worker emailing a client mistakenly dragged and dropped an unrelated attachment with private client details onto the message.
Mr Crompton said those kinds of errors could be prevented by safeguards within systems, such as only allowing one client file to be open at a time, or not allowing email addresses to auto-complete.
"Yes, the agencies are doing their best to keep up with the digital age ... but the staff are not being given the platforms and facilities to do that well and safely."
Fixing vulnerabilities in the public sector would be expensive, but was an investment in the future, he said. "The savings to the government and the improved services to the citizen will provide a return, but the investment needs to be made."
Individuals could also take more responsibility for their data by being active consumers, questioning why information was being collected, and using the Privacy Commissioner when issues arose.
Penalties for misusing information received in error also needed to be considered, Mr Crompton said.
There was no reason mistakenly released data should be treated differently from other personal property, like a lost wallet. "That message should be put out more often," he said.
"It is an obligation on citizens to return it quickly or show that they've destroyed it."
***
Privacy breaches:
- ACC sends private details of more than 6500 claimants to a client
- EQC sends 83,000 claimant details to the wrong recipient
- Work and Income kiosks are shut down after sensitive information is accessed
- Auckland DHB mistakenly sends a journalist private medical files
- Ministry for the Environment sends about 150 people each other's private email addresses
- IRD mistakenly sends emails containing confidential information to 47 people