The Heron report into the Covid privacy breach has been released.
Media release:
Findings of investigation into COVID-19 active cases privacy breach
Deputy State Services Commissioner Helene Quilter has today announced the findings of an investigation into a breach of privacy regarding sensitive personal information.
The investigation looked into who or what caused the disclosure of the information, and what might have prevented the information from being disclosed and what, if any, improvements might prevent that happening again in the future.
The deputy commissioner said the investigation, led by Mr Michael Heron, QC, found that sensitive personal information was passed to someone who was not authorised to see it, who then placed it in the public arena.
The breach happened after the then Acting Chief Executive of the Auckland Rescue Helicopter Trust, Ms Michelle Boag, passed on the information, without authorisation, to Mr Hamish Walker, MP. Mr Walker subsequently passed the information on to the media.The report findings around Ms Boag, the Auckland Rescue Helicopter Trust (ARHT) and Mr Walker have raised privacy issues which are outside the deputy commissioner’s jurisdiction. Ms Quilter has therefore referred the report to the Privacy Commissioner. In particular, she has referred the actions of Ms Boag, the ARHT and Mr Walker for specific attention. Mr Walker’s actions may fall outside the jurisdiction of the Privacy Commissioner but that is for him to determine.
The deputy commissioner has also shared the report with the Speaker of the House of Representatives and the Leader of the National Party, who are referred to in the report and who may have jurisdiction.
In relation to matters under the Commissioner’s jurisdiction, Ms Quilter said the policy around the security of personal information within the Ministry of Health could have been tighter and the agency should have reviewed this earlier.
The Director-General of Health, Dr Ashley Bloomfield, has assured the Commission that the agency is fixing the areas identified in the report for improvement.“The Ministry’s policy should have been reviewed when the context shifted and it was not,” said Ms Quilter.
“I am not going to criticise the Ministry of Health beyond that when lives have been saved as a result of their actions on the broader COVID-19 front.
“The information should not have been placed in the public arena. The Ministry of Health did not place it there.”
Report Executive Summary:
Ms Boag and Mr Walker were each responsible for the unauthorised disclosure of this sensitive personal information. Their motivations were political. Their actions were not justified or reasonable. Each acknowledged their error publicly and cooperated fully with this inquiry.
The Ministry of Health policy and process in notifying emergency services of active cases was a considered response to the pressures arising during the early stages of the crisis. Whether the policy was appropriate in the circumstances applicable in April 2020 will be the subject of further review by the Privacy Commissioner. The policy and process should have been reviewed once there were no longer cases in the community and the dissemination to emergency services of the personal information ought to have stopped. In any event, there ought to have been better protection over the personal information.
On Boag and Walker:
The statements of Ms Boag and Mr Walker indicate that the cause of the leak was, first and foremost, deliberate and politically motivated. Both have expressed their sincere regret at their poor judgement in distributing this sensitive personal information to others. I was contacted by a COVID-19 patient to convey their shock and dismay that such information would be passed around in this manner. The Ministry was aware of the risks of unauthorised disclosure of such information and the harm that could be caused. Given its sensitivity, disclosure of such personal information requires clear legal authority and careful judgement.
The Privacy Act is unlikely to apply to Mr Walker in these circumstances. Section 2 of the Act states that an “agency… does not include… a member of Parliament in his or her official capacity.” Mr Walker considers he received and disseminated the information in his capacity as an MP. He says and I accept that he sought to hold the Government to account with respect to the countries from which new cases were originating and with respect to the lack of security around personal information. Mr Walker accepted that the spreadsheet did not assist to prove the first point. In my view, however, Mr Walker was acting in his official capacity.
Ms Boag’s actions in disseminating the personal information would not have been compliant with ARHT policy.
The State Services Commissioner could consider a formal referral of Ms Boag and the ARHT to the Privacy Commissioner, who is the appropriate statutory body in their case. The Privacy Commissioner is, however, already reviewing the question of whether the Ministry policy was appropriate and can investigate this matter with or without a referral or complaint.
On Michael Woodhouse:
Ms Boag had earlier provided similar personal information (but different spreadsheets) to Michael Woodhouse, MP. I received information relating to those other occasions from Ms Boag and proactively from Mr Woodhouse. Mr Woodhouse advised he did not forward such information on and has now deleted it. I considered whether I should pursue the deletion further with Mr Woodhouse, but ultimately because the information was similar in nature and it was not central to my inquiry, I determined it was not necessary to pursue it. I accept Mr Woodhouse deleted the information. Ideally, he would have counselled Ms Boag not to disclose such information and/or alerted the Ministry or Minister.
Full report: