A matter of privacy

Privacy breaches which have hit the headlines in recent weeks suggest vigilance about protection of personal information can be poor in places where we might least expect it.

Most recent was the shocking revelation that electronic images of identity documents including passports, birth certificates and driver's licences for 302 people applying for a Manatu Taonga Ministry for Culture and Heritage programme had been insecurely stored and at risk of unauthorised use since June.

The information was held on an external website commissioned for the ministry's Tuia 250 Voyage trainee programme. The majority of the 373 documents affected were passports.

It seems the blunder was only revealed after someone fraudulently tried to buy a concert ticket online using one of the driver's licences. A parent of one of the applicants found out and notified the police.

The website has now been shut down and the ministry is paying for the reissuing of passports and driver's licences. The details of how this happened presumably will be revealed after a full investigation. Also, those government departments considered to have small IT capability are now obliged to use approved providers from a special list, whereas previously using this list was voluntary.

But many other organisations, outside of government agencies, may require people to provide copies of their ID documents. Online, people can often be blasé about the use of their data by the technology giants, Facebook and Google, but it is likely they would be horrified if they handed over their passport information to, say, a trusted local private education provider, and later found someone had stolen their identity.

As we blithely hand over photocopies or images of our driver's licences, passports, birth certificates or other documents, do we ever ask how that information is stored and protected or do we just trust that it will be safe?

Another privacy breach that made the news recently was the case of the medical receptionist who revealed information at a social gathering about a couple's sexual health test. The receptionist had initially refused to give any information but was pressured to do so by a friend of the couple.

So far, so awful. But what the privacy commissioner found, when the matter was investigated, was that the medical centre's electronic patient file system could show when a staff member edited a file, but not when staff accessed files. The centre concerned was advised that this was contrary to its obligations, under the Health Information Privacy Code, to secure information against inappropriate browsing.

The receptionist in that case, who admitted the breach, lost her job. But what if a case were less clear-cut? If a health service provider could not show who had seen the files, and the person who had wrongly shared the information was a convincing liar, it might be hard for any genuinely aggrieved patient to pursue their case.

Do many patients pay much attention to what their health service providers do in this regard or do they assume all have good practices which include regular auditing of access to files to ensure nobody is playing up?

Earlier this year, a different sort of privacy breach was highlighted in the story of a job-seeker being subjected to a group job interview in the middle of a busy Dunedin Burger King restaurant, something for which the employer has since apologised and insisted it is not common practice.

However, how many employers have yet to work out that cafes are not the appropriate place to conduct staff appraisals or discuss other confidential employment matters with their employees where other patrons can see and hear? Maybe employees feel powerless to object to such practices.

All of these examples highlight the need to think broadly about what constitutes good privacy practice, and pay more than lip service to it, individually and within organisations, large and small.
