Novopay privacy breach may bring sanctions

Otago Primary Principals' Association president Whetu Cormick reads an email from Novopay, hours after a privacy breach by the payroll system was revealed. Photo by Craig Baxter.The company behind flawed payroll system Novopay could be slapped with a financial penalty, after human error resulted in a privacy breach yesterday.

The Ministry of Education issued an apology after it was revealed a staff member from Talent2 incorrectly sent emails to payroll administrators at 1600 schools.

Of the 5600 transactions covered in the emails, 3400 identified an individual, with 40 of those containing personal information such as the amount of an advance or underpayment, or noting a relationship with other agencies.

Acting Secretary for Education Peter Hughes said the latest incident was a ''significant privacy issue; but I would not put it at the top end''.

Although any repercussion for the person responsible was a matter for the company, ''I have spoken to the New Zealand CEO for a detailed report on measures they intend to put in place to avoid a recurrence of this.''

He expected that report on his desk by the end of the week. Asked if the staff member's mistake may have been stress-related, he conceded ''we are all busy, but standards are standards ... and particularly when it comes to privacy and we need to meet those standards''.

While he was yet to receive legal advice concerning the privacy breach, the contract with Talent2 stipulated the company had to meet the requirement of New Zealand privacy law, and ''to have measures in place to avoid this sort of thing''.

''They have failed to meet those requirements and there are a range of things we can do under the contract including financial penalties,'' Mr Hughes said.

The emails had gone to professional payroll administrators and he was confident all emails would be deleted as requested.

''I treat this very seriously and sincerely apologise to those schools and staff.''

Otago Primary Principals' Association president Whetu Cormick, whose Bathgate Park School was sent the incorrect email, said the latest incident was disappointing.

Although he applauded Novopay and the ministry for trying to communicate unresolved payment issues, ''I think this reflects the poor system that Novopay is, and the sooner Novopay is dumped, the better''.

''I think the apology is unacceptable and I don't accept it.''

The Officer of the Privacy Commissioner has been advised.

ODT/directory - Local Businesses

CompanyLocationBusiness Type
Tourist Court Cottages MotelDunedinMotels
O.C. JewellersQueenstownJewellers
Print Central LtdQueenstownPrinters
Otago Commercial Wholesale LimitedMosgielCar Sales