The breach was made public the next day on the NZ Herald.
The breach involved an Excel spreadsheet calculating the costs and benefits of a Council proposal to lower traffic speed limits around the city under the ‘Speed Management Plan.’
We would like to take this time to explain what has happened. We also want to say we are sincerely sorry to anybody affected, and to the wider Wellington public: we will learn from this incident and endeavour to be a better kaitiaki (guardian) of personal information in the future.
What personal information is involved?
The spreadsheet contains information about car crashes around Wellington from January 2015 to December 2019. In the spreadsheet, some information was included in ‘free text’ fields that in some cases could identify individuals – their name, car registration, contact information, address – or be used with other information to identify individuals.
There is also other information about crashes in the spreadsheet which could identify some individuals. Some of this information is sensitive.
Not all entries in the spreadsheet included personal information. Not all people in the spreadsheet can be identified.
Where did the data come from?
To calculate the cost/benefit analysis, the costs of crashes needed to be looked at. To do this, the data in the spreadsheet was extracted from a system called the ‘Crash Analysis System’ (CAS) which is managed by Waka Kotahi NZ Transport Agency.
CAS records data collected by Police staff at the scene of a crash. That data from Police is transferred to Waka Kotahi NZ Transport Agency which adds more information in the CAS enterprise system including cost data.
CAS is used by councils, central government, engineering companies and academics to research road safety. You can read more about CAS on Waka Kotahi website.
The data in the spreadsheet was downloaded from CAS in September 2020. The privacy breach occurred in early July 2022 when the City Council responded to an official information request (under the Local Government Official Information and Meetings Act 1987).
The request was made through FYI – a website that collates official information requests and publishes them. The Council responded to the request with the spreadsheet accidentally not redacting or deleting the free text fields.
This meant that the spreadsheet was published on FYI.
What happens now?
The Council has notified the Office of the Privacy Commissioner and has hired an external specialist consultancy to firstly support the response to the breach, and then secondly complete an independent review of the breach. After responding to the breach, the investigation into how it occurred and why will be completed. This will inform what steps need to be taken to change our system and processes to prevent this from happening again.
The spreadsheet has been removed from the FYI website.
We are working through the data to determine precisely who has been affected and how severely so that we can best address the impacts of the breach. Where possible, we will individually notify anyone who is identifiable through the information in the spreadsheet.
If you are worried you have been affected, you can contact us on firstname.lastname@example.org.
After following a triage process we concluded a low number of individuals met a threshold of consideration for direct notification. We determined a short list after discussion with NZ Police and Waka Kotahi of individuals that warranted personal notification (i.e. phone call or email). We worked with the Police to obtain contact information for these. Police have indicated that they have out of date contact information for some of the individuals.
We concluded with the Police, Office of the Privacy Commissioner, and Waka Kotahi not to notify these individuals on the basis of the following:
- Wellington City Council have had a public notice up for some time.
- We would have to use information collected for other purposes (which we don’t hold) to find these individuals and to contact them, in light of the Police not readily having contact details, given how long ago these incidents occurred.
- The original privacy breach was publicised – concerned individuals have had opportunity to contact Wellington City Council, and will continue to have this opportunity.
- There would likely be privacy concerns if further contact details from Waka Kotahi were sought. On balance and considering all these points, no further action has been taken.