ORC apologises for more privacy breaches

Richard Saunders will become ORC's chief executive on June 1. Photo: supplied
The Otago Regional Council has admitted further privacy breaches after an investigation into how the council unwittingly came to break confidentiality and share the email addresses of hundreds of people.

Last month, the council wrote to 472 people whose email addresses were mistakenly shared twice after they submitted on the draft regional public transport plan.

Now, council chief executive Richard Saunders has again apologised while informing submitters the council’s investigation had concluded.

"We have now completed our investigation into the privacy breaches impacting submitters to the draft Otago regional public transport plan," he said in an email last Friday.

"We take our privacy responsibilities seriously and apologise for the mistakes made here."

He advised submitters that not only were their email addresses mistakenly shared twice with other submitters, but the council’s investigation found its "summary of submissions", briefly hosted on the council website, had included a further series of privacy breaches as well.

"Unfortunately, in the summary of submissions, a small number of the submitters’ details included additional identifying personal information: seven names were matched directly with partial email addresses, one phone number was matched against a submitter’s name, and in another two instances occupations were matched to submitters’ names.

"While many of the summaries of submissions created by us included references to general locations and bus routes, some contained more specific information."

In his email to submitters last Friday, obtained by the Otago Daily Times, Mr Saunders said the summary of submissions was published on the council’s website from May 8 until May 14, and by the time it was taken down, it had been accessed four times.

"In light of these breaches, we have reviewed and will continue to review our practices to ensure that the risk of a further breach of personal information of this nature is removed."

The first breach was made when submitters were copied, not "blind copied", into an email acknowledging the submissions.

When the council recognised that mistake it issued a "recall email", except "the recall again reshared recipient email addresses", Mr Saunders said.

The council had asked recipients to delete those emails and then spoke to the privacy commissioner.

As the council worked to identify the extent of the privacy breach from that incident, the further breaches were uncovered.

Based on the information received to date from affected people, the council determined that these privacy breaches had not caused "serious harm" and were not likely to cause serious harm.

For a privacy breach to cause serious harm it would need to have led to "physical harm or intimidation, financial fraud including unauthorised credit card transactions or credit fraud, family violence, and psychological or emotional harm", Mr Saunders said.

The breaches did not meet this threshold and therefore the council determined this was a "non-notifiable privacy breach", meaning it was not mandatory for the council to notify the privacy commissioner of the breaches.

Hearings concluded last month.

Councillors are expected to consider adopting the plan at this month’s council meeting.

hamish.maclean@odt.co.nz