Privacy Law and Policy Reporter
I have recently reported to the Ministers of Justice, Courts and Transport on an inquiry into events leading to a Government Department’s mass mailout of threatening notices to the wrong people. The problem originated with the matching of Department for Courts’ records against records held by the Land Transport Safety Authority (LTSA) in a data matching program which had not been through the proper authorisation processes by Cabinet and Parliament nor notified to and scrutinised by the Privacy Commissioner.
The fact that unauthorised information matching which had not operated satisfactorily was at the heart of the problem was discovered early on. My Office requested explanations about the mailout error from the Department. This was given with an indication that the match would not be repeated.
I decided to inquire further into the matter and commissioned Robert Stevens, an Auckland barrister specialising in privacy, to look into the events and in particular the involvement of other agencies such as the LTSA which manages the motor vehicle register on behalf of the Ministry of Transport. Mr Stevens also inquired of EDS (New Zealand) Ltd which provided computer processing services to both the Department for Courts and the LTSA.
The inquiry has documented a number of matters of concern from an information privacy perspective, including:
Although two years have passed since the events in question, the matters uncovered in this inquiry remain of significant concern today with the ever quickening pace of electronic-government and the continuing use of contracted computer bureaux.
I am extremely concerned about departments undertaking significant data matching which has not been authorised for the purposes of Pt X of the Privacy Act 1993 (NZ). Such practice is at variance with previous government assurances about the safeguards for citizens where data matching is to be undertaken. If public confidence is to be maintained in the fair handling of public sector information and in the responsible use of data matching, it is critical that departments submit to the rigorous process of justification and assessment in establishing a program and that the practice be authorised at the highest level.
Officials are sometimes too quick to downplay the technical difficulties of data matching, overstate the benefits and disregard the effects on individuals. Those concerns remain as valid today as they were in 1993.
Privacy Act controls on authorised information matching programs ensure that significant public benefits are achieved in an entirely fair manner. Careful checks are always necessary. People should not be presumed guilty simply on the evidence of a computer match.
The widespread dissemination of this report to those who may be considering informal data matching should assist in ensuring that citizens’ rights are not imperilled by similar initiatives in the future.
Bruce Slane, New Zealand Privacy Commissioner.
Copies of the report Unauthorised information matching between the Department for Courts and Motor Vehicle Register are available from the Office of the Privacy Commissioner and at <http://www.privacy.org.nz>. This article is based on a press release by the Privacy Commissioner, 6 September 2000.