Wellington Council privacy breach – FAQDecember 16 - 8am
Following news that Wellington City Council’s parking services contractor, Tenix Solutions, inadvertently released personal information of 120,000 New Zealanders, here are some FAQs to help put Kiwi minds at rest.
The Council claims the matter is in hand, and that they are confident the data wasn’t leaked further, releasing the following FAQs in a bid to ease concern.
What private information has been released?
There has been an accidental bulk release of parking ticket data. The personal information contained in a ticket relates to:
* Vehicle number plates
* Names of registered vehicle owners
* Contact addresses of registered vehicle owners.
How many people has this affected?
What we know is it is personal information populated from about 120,000 parking tickets issued over two years. It was included on three separate disks given to a member of the public in response to a request under the Local Government Official Information and Meetings Act.
This is not the information of 120,000 individuals, as many people received multiple tickets and the disks also included the details of businesses and other organisations that own vehicles.
The personal information relates only to individuals who received a parking ticket (or multiple tickets) during the past two financial years – mostly in the periods from April to June 2012 and April to June 2013. Details of number plates, and names and addresses of the registered vehicle owners were incorrectly included in the response.
Who got the information?
The information was compiled and formatted by our parking services contractor, Tenix, which provided it to an individual requestor who had sought detailed parking-enforcement information via the Local Government Official Information and Meetings Act.
When were they sent this?
The information was sent on three separate disks between August and November this year.
When did the Council find out?
The requestor alerted the Council to the disclosure of vehicle registration plates on 19 November. After further investigation, the Council became aware of the full extent of the disclosure, including names and contact addresses on 29 November. The Council has reported the breach to the Office of the Privacy Commissioner.
Has the requestor passed this information on to anyone else?
No. The Council’s Chief Executive, Kevin Lavery, and other senior managers have personally met with the requestor. He has given us assurances that he has not copied the disks or retained or used the personal information. We emphasise he was the unintended recipient of personal information in this issue.
He returned the disks earlier this week.
Our contractor did not follow proper process for dealing with information requests. All information requests to contractors have to be notified to the Council. The contractor did not do this in this instance.
Why did the requestor want that much information?
There is no requirement for a requestor to say why he or she wants official information. The requestor sought official information that could be provided publicly.
The Council has known about this for 2-3 weeks but you are only telling people now?
That’s correct. We had to determine exactly what information had been provided and when. We have been in contact with the requestor to get the disks back and to give him the information he wants. We have been working with the requestor to secure the return of the disks and he has cooperated fully. Our announcement is to confirm the security of that information.
How can people find out if their information has been disclosed?
This information has only gone to one person, who has not shared the information with any other parties, and has returned the disks back to the Council without retaining the data on them.
If people are concerned their information may have been included on the disks they can email the Council at firstname.lastname@example.org