Police privacy breach underscores the need for stronger privacy laws
Wednesday, 4 December 2019
OPINION: The best defence, they say, is a good offence. So it was on Monday, when Police Minister Stuart Nash threatened to prosecute anyone found to have illegally accessed and distributed information from the police gun buy-back database.
'Police will hold people to account,' he warned.
Never mind that police themselves had leaked gun owners' personal information, through a software system provided by German-based multi-national SAP.
Never mind that the error was detected, not by police, but by a firearms dealer and user of the database who called the authorities.
It wasn't until Tuesday that police and Nash began to emphasise the loss of private information and the responsibilities police owe to those injured gun-owners who had handed over to police not just their weapons, but their personal information, including bank account details, to participate in the mandated buy-back scheme.
Police say 35 people had their full details accessed, while hundreds may have had their names and addresses accessed.
It remains contested exactly how many unauthorised people viewed the details. But it is increasingly apparent that government agencies more broadly have a privacy problem.
While efforts to beef up the Privacy Act have been emphasised to business and the private sector, it's high time those new responsibilities were better established in the public sector as well.
The broad brush strokes of the gun buy-back leak echo another breach suffered earlier this year by the Ministry for Culture and Heritage.
In that case the ministry commissioned an external website as part of a historical commemoration.
Hundreds of prospective trainees who applied to participate in nautical celebrations were affected, and copies of over 370 of their documents, including driving licences, passports and birth certificates, were accidentally published.
As with police, it was not the department itself that discovered the breach, but rather a parent of one of the applicants, who had been the subject of a fraud attempt.
Similarly, when the Financial Markets Authority accidentally published private details contained in complaints documents, the problem was discovered, not internally, but by a journalist who alerted the agency.
Changes to New Zealand's outdated Privacy Act are currently making their way toward their third reading in Parliament and are expected to be enacted next year.
They are not revolutionary. But they will require all public and private sector agencies to report harmful privacy breaches to the Privacy Commissioner. Currently notification is voluntary.
That means New Zealanders should soon get a clearer picture of the number of privacy breaches that come to light, according to Guy Smith, an associate at Duncan Cotterill, which specialises in privacy law.
And the number is likely to be much bigger than those we currently know of.
The Privacy Commissioner's most recent report said the public sector owned up to 95 privacy breaches in the last year, a little higher than in the two previous years.
Overseas, last month the Office of the Privacy Commissioner of Canada reported that in the first full year after mandatory reporting was introduced the numbers 'skyrocketed … six times in volume.'
Those figures only related to the private sector since Canadian government rules already mandated that public agencies report all 'material' breaches to the privacy commissioner.
The experience in Australia, which is also a little over one year into mandatory reporting, was very similar. The number of breaches that the public learned of increased sixfold.
New Zealand's expected new rules are similar to those in Australia and Canada, although the fines the privacy commissioner can levy against recalcitrants are much lower.
Deputy Police Commissioner Mike Clement inadvertently underscored the main reason the public sector needs to up its game when he defended his agency in an interview with RNZ on Monday.
Police keep 'millions of pieces of information from members of the public and many databases that we protect all of the time', he said. Trust us, he implied.
The fact that police hold so much of the public's information is less a reason for trust than it is for wariness.
After all, we can't shop around for a security agency with a better track record. Neither for a Financial Markets Authority nor an Accident Compensation Corporation nor a tax collector.
A clearer privacy picture is overdue.