On June 20, 2023, the Wellington City Council identified a privacy breach that raised significant concerns regarding the handling of personal data. The incident first came to light in an article published by the NZ Herald the following day.
The breach centered on an Excel spreadsheet which calculated the cost and benefits related to a proposal aimed at reducing traffic speed limits across the city, as part of the 'Speed Management Plan.'
"We would like to take this time to explain what has happened. We also want to say we are sincerely sorry to anybody affected, and to the wider Wellington public: we will learn from this incident and endeavour to be a better kaitiaki (guardian) of personal information in the future," said a council spokesperson, reflecting the organization's commitment to rectify the situation.
The spreadsheet reportedly contained data about vehicle crashes in Wellington from January 2015 to December 2019. Within this document, certain entries included 'free text' fields that could potentially divulge the identities of individuals through personal details such as their name, car registration, and contact information. "Some of this information is sensitive," added the spokesperson, indicating the gravity of the breach.
"Some of this information is sensitive,"
Not every entry was associated with identifiable personal information, but the implications of the incident have prompted serious concern. The data utilized for the cost-benefit analysis stemmed from the 'Crash Analysis System' (CAS), a platform managed by Waka Kotahi, the New Zealand Transport Agency.
By the Numbers
The CAS possesses thorough records compiled by police at the scenes of road incidents. This data is subsequently augmented by Waka Kotahi with additional information, including cost assessments. "CAS is used by councils, central government, engineering companies and academics to research road safety," emphasized the council's representative.
"CAS is used by councils, central government, engineering companies and academics to research road safety,"
The council inadvertently released the spreadsheet during its response to an official information request made through the FYI website in July 2022. The response mistakenly included unredacted free text fields, allowing sensitive information to be publicized.
To manage the fallout from the breach, the council has taken several steps, including notifying the Office of the Privacy Commissioner. Also, they have recruited an external consultancy to assist in addressing the breach and to conduct an independent review. "After responding to the breach, the investigation into how it occurred and why will be completed. This will inform what steps need to be taken to change our system and processes to prevent this from happening again," the council spokesperson explained.
In a proactive measure, the spreadsheet has been removed from the FYI platform. The council is in the process of assessing who may have been affected, striving to address the implications of the breach effectively. "Where possible, we will individually notify anyone who is identifiable through the information in the spreadsheet," they noted.
"Where possible, we will individually notify anyone who is identifiable through the information in the spreadsheet,"
For individuals who believe they might be affected, the council is facilitating communication via assurance@wcc.govt.nz, offering support and information.
In a subsequent update, the council concluded that only a small number of individuals required direct notification after a thorough triage process. Discussions with the New Zealand Police and Waka Kotahi led to an agreed-upon list of those who warranted personal notification. However, the police indicated that contact details for some individuals were outdated.
"We concluded with the Police, Office of the Privacy Commissioner, and Waka Kotahi not to notify these individuals on the basis of the following: there would be challenges in reaching them effectively," clarified a council representative, emphasizing the complexities involved.
"We concluded with the Police, Office of the Privacy Commissioner, and Waka Kotahi not to notify these individuals on the basis of the following: there would be challenges in reaching them effectively,"
Looking Ahead
As the council navigates this situation, they are committed to improving their data management practices to mitigate future risks. The ongoing review and engagement with public stakeholders are crucial steps in rebuilding trust and ensuring the protection of personal information in Wellington.
Moving forward, the council aims to implement the necessary changes in their protocols and systems to safeguard against similar breaches and maintain public confidence in their governance. The promise of accountability and transparency stands central to their response in the wake of this incident.
