Stuff reports on a case in New Zealand that was cited in a newly released annual report by the Privacy Commissioner. Disturbingly, the unnamed government agency not only did not set a great example for data protection, but also demonstrated a less than admirable response to the incident of insider wrongdoing that harmed a member of the public. Stuff reports:
A government employee in dispute with his neighbour snooped on him 73 times after accessing his employer’s “sensitive” records.
He also changed the man’s file to add allegations of “improper conduct”.
When the government agency found out about the privacy breach it reviewed its processes but was not willing to apologise to the neighbour or pay him compensation.[…]
The commissioner has called for changes to the Privacy Act to introduce “meaningful consequences” for non-compliance, including for the commissioner to decide which cases should go to the tribunal and for the commissioner to take the claims.
Read more on Stuff. That the agency didn’t even apologize for the anguish or harm to the individual is concerning.
It is one thing to argue that you had policies and procedures in place that you monitored, and that despite that, an employee willfully managed to violate both. But then not to give the affected individual anything, even a “We agree with you and have terminated the employee’s position with us,” well… there has to be more redress and/or compensation for those whose complaints are founded. And government agencies should be setting good examples instead of needing to be dragged before a tribunal or sued.
More information on the Privacy Commissioner’s 2018 Report can be found on the Commission’s web site.
To jump directly to the annual report, go here.