Privacy: Small mistakes but big consequences 

Scams and cyber threats cause many people to worry about their privacy, but it’s simple workplace mistakes that are just as likely to lead to personal information being threatened, writes Privacy Commissioner Michael Webster.

 Human error is a common factor in many privacy breaches, but just because it was an accident doesn’t reduce the amount of harm these mistakes can cause.

 We recently wrote up a privacy story for our website involving a lost USB stick, which might not seem a major concern, but it belonged to a health agency and contained the personal details of around 2,000 people, making its loss potentially significant.

 The device was not encrypted or password protected and contained names, dates of birth, NHI numbers, types of services accessed, and some medical conditions.

It also included pay history for some staff, meaning this one mistake put a lot of other people’s health, personal and financial information at risk.

In this case, someone attempting a workaround did not follow company policies when copying the information, and also failed to password protect the device.

It’s not the first time that we’ve seen a breach caused by a staff member using a shortcut to achieve an outcome. Sometimes it’s due to them having to work with an inflexible IT system, but sometimes it’s simply due to them trying to save some time and admin.

These are examples of breaches that could have been prevented if the agency had put privacy at the centre of its planning and systems. It’s a good lesson in how adding a few steps can help stop small mistakes turning into a potential privacy breach.

 Accidental loss of personal information held by an agency can constitute a notifiable privacy breach under the Privacy Act, even when it may seem unlikely someone will locate and access it.

 The agency notified us on a precautionary basis but did not believe a notifiable privacy breach had occurred.

But we formed a view that it was reasonable to believe this breach was likely to cause serious harm to affected individuals, so it met the notifiable privacy breach threshold for the Privacy Act.

 We accepted the agency’s view that the incident was a result of human error, but considered gaps in privacy awareness should be addressed to ensure the agency’s information and privacy policy is correctly followed by staff.

Using extra security measures for portable devices, such as encryption, password locks, and remote wiping, would have largely removed the risk when the USB stick was lost; it is a step I strongly suggest all agencies implement.

 Developing and implementing a privacy training programme that covers how to appropriately collect, use, protect, disclose, and dispose of personal information, supported by documented policies and procedures, will also help prevent issues like this.

Michael Webster is New Zealand’s Privacy Commissioner.
