Hardline law and order advocates the Sensible Sentencing Trust have been labelled "negligent and cavalier" after wrongly posting an innocent man's photo next to the details of a convicted paedophile on its website.
The SST's online offender database listed the man's picture with the description of a convicted paedophile with a similar name for almost two years, leading to social media abuse and fears that the man's tarnished reputation would damage his business.
The entire database has now been deactivated. The trust was founded by former Conservative Party candidate Garth McVicar.
The blunder was only discovered after the innocent man discovered it and complained to the Office of the Privacy Commissioner.
In a statement released today, Privacy Commissioner John Edwards lambasted SST.
He said it was important for New Zealanders to be aware of the breach to warn them of SST's "continuously negligent, cavalier, and dangerous approach to privacy".
The case highlights the lack of an effective enforcement regime in the Privacy Act, he said.
When explaining the error to Edwards, SST said a member of the public submitted the man's photo before a volunteer uploaded it to the database - but without taking any steps to verify its accuracy.
The trust admitted it did not know who had submitted the photo or who uploaded it, while also confessing it did not provide its volunteers with privacy training.
This disclosure came despite a 2014 assurance from the trust to provide relevant personnel with privacy training.
"Agencies must take reasonable steps to check that personal information is accurate before they use it," Edwards said.
"Relying on the assistance of unpaid volunteers does not excuse the SST of its legal obligations."
The Privacy Commissioner's investigation found SST clearly harmed the man with its actions, who was the victim of social media abuse and afraid his tarnished reputation would damage his business.
"The SST claims that the purpose of its 'offender database' is to protect the public from
harm and help keep offenders accountable. In this case it has done the exact opposite," Edwards said.
"The magnitude of this error calls the SST's capabilities into question and raises concerns that the database may have contained other significant errors," Edwards said.
In response to the investigation, SST acknowledged the mistake and deactivated its database.
The Privacy Commissioner will now refer the man's complaint to the Director of Human Rights Proceedings after he and SST were unable to reach a settlement.
In a settlement with the director for another privacy case in 2014, SST had agreed to provide relevant personnel with privacy training.
The Privacy Commissioner said in today's statement he understands SST provided one person with training, but they left the trust shortly after.
"It's very disappointing that – having previously been found in breach and agreeing as part of a settlement to improve its compliance – SST has failed to meet its obligations, at the cost of an innocent man's reputation and peace of mind," Edwards said.