A woman’s sensitive information was circulated for months after a government agency sent a document, saved to a worker’s desktop and believed to be blank, to several “clients”. 

The woman, who has not been named in a recent decision from the Office of the Privacy Commissioner, only found out when an anonymous stranger contacted her on social media months later. 

“The stranger sent the woman an image of the woman’s own form, apparently having been sent it in error when asking for a separate review of a decision,” the findings said. 

“The agency investigated what had happened and confirmed that the woman’s information had been accidentally sent to several other email addresses over a nine-month period.” 

She has now been compensated $15,000 by the agency, which was not named in the decision, and has received a written apology from it for failing to safeguard her personal information. 

It was found the agency had breached the Privacy Act 2020, with the slip-up causing the woman and her family “significant stress and inconvenience over many months”. 

“As a result of careless filing, the complainant’s personal and other sensitive information was disclosed to multiple people and ultimately was circulated,” the ruling said. 

“Despite the agency’s efforts to contact those who had received the form, there was no way to guarantee that the information was no longer in circulation.” 

The findings said the breach caused significant humiliation, loss of dignity and “injury to the feelings of the woman”. 

The document, a form asking a government agency to review their decision on an outstanding debt, was saved to a worker’s desktop for easy access and sent on to multiple clients over nine months. 

Despite the front page of the document being blank, the rest of the file contained the woman’s personal information which she submitted in 2021. 

When the form was sent to several clients, one contacted the woman on social media to let her know they were in possession of her personal information. 

Another contacted people who knew her, divulging the personal information that was meant for the agency only. 

After the incident, the woman reported feeling that her mana and integrity were diminished because of the agency’s failure to keep her information safe. 

A formal written apology was provided to the woman, as well as $15,000 in compensation. 

“The agency ensured the document was removed from the staff member’s desktop and reminded all staff about the correct process for sending templates and storing client information.” 

The commission said the incident showed agencies need to make sure their systems are simple for workers, and if they are not “workarounds” like saving a document to a desktop could result in a “great risk to personal information”. 

“Agencies also need to create a culture of checking emails and attachments before they go out. The greater the sensitivity of the information, the more checks that should be made,” the decision said. 

“As we saw in this case, a simple mistake can result in significant harm to individuals.” 

Hazel Osborne is an Open Justice reporter for NZME and is based in Te Whanganui-a-Tara, Wellington. She joined the Open Justice team at the beginning of 2022, previously working in Whakatāne as a court and crime reporter in the Eastern Bay of Plenty.