Wellington City Council has issued an apology over a recent privacy breach involving a spreadsheet that revealed the costings of a Council proposal to lower traffic speed limits around the city.
In a statement, the Council said it was sincerely sorry to anybody affected by the breach.
“…to the wider Wellington public: we will learn from this incident and endeavour to be a better kaitiaki (guardian) of personal information in the future,” Council said.
The leaked spreadsheet contained information about car crashes around Wellington from January 2015 to December 2019. In the spreadsheet, some information was included in ‘free text’ fields that in some cases could identify individuals – their name, car registration, contact information, address – or be used with other information to identify individuals.
“There is also other information about crashes in the spreadsheet which could identify some individuals. Some of this information is sensitive,” Council said.
“Not all entries in the spreadsheet included personal information. Not all people in the spreadsheet can be identified.”
The data in the spreadsheet was downloaded from ‘Crash Analysis System’ (CAS) which is managed by Waka Kotahi NZ Transport Agency, in September 2020. The privacy breach occurred in early July 2022 when the City Council responded to an official information request (under the Local Government Official Information and Meetings Act 1987).
“The request was made through FYI – a website that collates official information requests and publishes them. The Council responded to the request with the spreadsheet accidentally not redacting or deleting the free text fields. This meant that the spreadsheet was published on FYI,” Council said.
The Council has notified the Office of the Privacy Commissioner and has hired an external specialist consultancy to firstly support the response to the breach, and then secondly complete an independent review of the breach.
“After responding to the breach, the investigation into how it occurred and why will be completed. This will inform what steps need to be taken to change our system and processes to prevent this from happening again.”
The spreadsheet has been removed from the FYI website.
“We are working through the data to determine precisely who has been affected and how severely so that we can best address the impacts of the breach. Where possible, we will individually notify anyone who is identifiable through the information in the spreadsheet,” the Council said.
If you are worried you have been affected, contact email@example.com.