Inquiry Into Unauthorised Data Matching By Courts
COMPLETION OF INQUIRY INTO UNAUTHORISED DATA MATCHING BY DEPARTMENT FOR COURTS
Statement by Bruce Slane, Privacy Commissioner
I have recently reported to the Ministers of Justice, Courts and Transport on an inquiry into events leading to a Government Department’s mass mail out of threatening notices to the wrong people. The problem originated with the matching of Department for Courts’ records against records held by the Land Transport Safety Authority in a data matching programme which had not been through the proper authorisation processes by Cabinet and Parliament nor been notified to and scrutinised by the Privacy Commissioner.
The fact that unauthorised information matching, which had not operated satisfactorily, was at the heart of the problem was discovered early on. My Office requested explanations about the mail out error from the Department. This was given with an indication that the match would not be repeated.
I decided to inquire further into the matter and commissioned Robert Stevens, an Auckland barrister specialising in privacy, to look into the events and in particular the involvement of other agencies such as the LTSA which manages the motor vehicle register on behalf of the Ministry of Transport. Mr Stevens also inquired of EDS (New Zealand) Ltd which provided computer processing services to both the Department for Courts and LTSA.
The inquiry has documented a number of matters of concern from an information privacy perspective including: · the operation of an information matching programme on a casual basis without going through the proper scrutiny and authorisation processes; · the matching was operated in an unsatisfactory way meaning that mass error went undetected until too late; · the dispatch of threatening notices which presumed guilt that should not have been inferred without allowing individuals an opportunity to respond; · the use by one department of data held by another public agency without having sought or obtained the cooperation or permission of the agencies having legal and operational responsibility for that data; · the carrying out of the matching process by an outside company on the instructions of one department without having the explicit instructions of the department whose records were to be matched.
Although two years have passed since the events in question, the matters uncovered in this inquiry remain of significant concern today with the ever quickening pace of electronic-government and the continuing use of contracted computer bureaux.
I am extremely concerned about departments undertaking significant data matching which has not been authorised for the purposes of Part X of the Privacy Act 1993. Such practice is at variance with previous Government assurances about the safeguards for citizens where data matching is to be undertaken. If public confidence is to be maintained in the fair handling of public sector information and in the responsible use of data matching, it is critical that departments submit to the rigorous process of justification and assessment in establishing a programme and that the practice be authorised at the highest level.
Officials are sometimes too quick to downplay the technical difficulties of data matching, overstate the benefits and disregard the effects on individuals. Those concerns remain as valid today as they were in 1993.
Privacy Act controls on authorised information matching programmes ensure that significant public benefits are achieved in an entirely fair manner. Careful checks are always necessary. People should not be presumed guilty simply on the evidence of a computer match.”
The widespread dissemination of this report to those who may be considering informal data matching should assist in ensuring that citizens’ rights are not imperilled by similar initiatives in the future.
Copies of the report Unauthorised information matching between the Department for Courts and Motor Vehicle Register, are available from the Office of the Privacy Commissioner and at http://www.privacy.org.nz.
B H Slane Privacy Commissioner, 6 September 2000
telephone: ddi: 09-302 8659 residence: 09-524 9884 email: BruceSlane@compuserve.com mobile: 021 927 689