As originally published by Archives New Zealand on Monday 19 December 2022 https://www.archives.govt.nz/about-us/whats-new/chief-archivist-notifies-public-of-privacy-incident.
This is a public apology and notification of a privacy incident that may have involved some of your personal information held by Archives New Zealand. This notice will explain what happened, how we have responded, and the support available to you if you are concerned your information has been affected by this incident.
How to access further information and support
We sincerely apologise for this incident, which was a result of human error. We want to reassure you that immediate corrective steps have been taken. We understand if you may feel anxious or worried about this breach of information. You can call or text 1737 any time of the day or night to talk to a counsellor – all calls are free and confidential. You can also reach out to your family doctor or healthcare provider.
If you suspect that you might have been affected by this incident, have any concerns about what has happened, or would like further information, you can contact Te Whatu Ora - Health New Zealand at hnzprivacy@health.govt.nz.
If you feel you have been harmed by this privacy breach, you are entitled to make a complaint to the Office of the Privacy Commissioner. You can do this at www.privacy.org.nz, by emailing enquiries@privacy.org.nz, or by calling 0800 803 909.
What happened?
On Monday 19 September 2022 it was discovered that some digitised historical health records held by Archives NZ had been made ‘Open Access’ in error. These records were marked as ‘Restricted Access’ in the Collections Database but were unintentionally viewable by public users of ‘Rosetta’, the Archives NZ digital images System.
We have identified two instances of access to these records. The first instance was by a former Archives New Zealand staff member who discovered the records on 19 September 2022 and immediately alerted us to the situation. An unknown member of the public also accessed the records on two occasions in August 2022. While we have not been able to identify the second user who accessed the records, the access was for less than five minutes on each occasion.
What information was affected?
- A Sunnyside Hospital book of admissions, voluntary boarders' and discharges 1952-56 containing names, age, marital status and the condition people were admitted for.
- A Sunnyside hospital diary for 1968 containing names of people admitted, discharged, on leave and names of patients who had died.
- A Sunnyside Hospital Admission Book 1966 -1973 for people admitted after committing a criminal offence. This contains brief patient details, health condition, offence committed and noting any prior institutions admitted to.
What have we done in response to this incident?
We have worked closely with the Office of the Privacy Commissioner, and Te Whatu Ora to investigate and resolve this incident. The steps we have taken include:
- As soon as we were notified, we restricted access to the files in question.
- We formally notified the Office of the Privacy Commission of the potential privacy breach while we investigated further. We also notified Te Whatu Ora, the agency to whom the files belong.
- We have worked to confirm the cause, scope, and scale of the issue. It has not been possible to determine whether images were downloaded or shared during the access events.
- We checked all images uploaded by the staff member, and the rest of the open images in the Sunnyside records and no further errors were identified. We have a high degree of confidence that the scope is limited, and that this is a one-off case due to human error rather than systemic issues.
- We have worked with Te Whatu Ora to develop a plan to communicate with affected individuals.