16 Dec 2022

Archives NZ breach allows access to sensitive health information

5:34 pm on 16 December 2022
Archives New Zealand, Archives building, 10 Mulgrave Street, Wellington

Archives NZ will eventually be the repository for Royal Commission survivor records. Photo: Wikimedia Commons / Nick-D / Creative Commons Attribution-Share Alike 3.0 Unported

A privacy breach by Archives NZ has let people see records containing abuse survivors' sensitive health information.

The breach was discovered months ago but officials kept it from the public.

An internal report released under the OIA to RNZ revealed: "On 19 September 2022, Archives New Zealand discovered that Royal Commission records were marked as open access on Collections Search, when they should have been marked as restricted.

"Two members of the public accessed files containing sensitive health information which could cause harm to individuals named in those files."

It does not say how many individuals or what happened to the information.

Archives later said it was "records related to the Royal Commission Inquiry" that were wrongly marked.

The Royal Commission has been hearing survivors' accounts of abuse in state and faith-based institutions.

Archives will eventually be the repository for the survivor records but only when the abuse inquiry has been completed.

The internal report dated November 17 from Archives deputy chief executive Hoani Lambert said.

"This issue resulted from a data input error. Archives New Zealand took immediate action to rectify the privacy breach and determined it was an isolated incident.

"In consultation with Te Whatu Ora [Health NZ, the controlling office of the records], a public notification of the privacy breach is planned for early December".

When RNZ asked for more details, the Department of Internal Affairs, which oversees Archives, said it had been developing a plan to notify the public by early this month but had now shifted that to mid-January.

This was "on the advice this timing would minimise potential further negative impacts to survivors", it said.

"Our priority is the people who may be impacted through this breach, advice is that a mid-January notification will allow the right supports for people to be in place."

Te Whatu Ora said it was aware of digitised historical health records held by Archives being "inadvertently made publicly accessible".

"Three sets of health records from the 1952-73 time period relating to one mental health facility in Canterbury were viewed by two people, one of whom alerted Archives NZ to the issue," it said.

"As some of those affected by this incident are current or former tangata whaiora, we are appealing for the media's ongoing understanding and support in reporting sensitively on this topic."

It said it was working with Archives to prepare a public notification addressing those people who may have been impacted.

Internal Affairs Minister Jan Tinetti said Archives had been keeping her informed. It had the mid-January plan in place "based on the needs of survivors", and she added this was an operational matter.

Separate breach alerts shut down system

The abuse survivor breach is in addition to further revelations about the extent and nature of other, separate Archives shutdowns and potential privacy breaches caused by its new technology malfunctioning:

  • three breach alerts triggering shutdowns for several days each since February - only in one case was the reason made public
  • at least 8900 files mistakenly made public from February to September when they should have been restricted - "mostly political papers and slides".
  • the new $4m search system shut down for 700 hours - equal to 29 days - since February.
  • the system's Swedish supplier Axiell knew about the system's syncing error "but did not advise Archives."

One person accessed two of the mistakenly opened records but these "did not contain sensitive material", the reports said.

Investigations while the system was shut down each time showed that while restricted information was put into the public realm, "there were no privacy breaches" because "no confidential information was accessed".

Two of the three major outages were in August - three days - and October, for eight days.

What to tell the public?

On 28 October, Archives told Internal Affairs Minister Jan Tinetti: "So far Archives New Zealand has described these two outages as 'for essential maintenance'.

"We have been sending updates to regular users and will need to send a further update in November.

"We will need to decide how much information to provide on the reason for the October outage," the agency told Tinetti.

By contrast, an Archives communications plan in June said: "We will be open, proactive and transparent with internal and external communications, including media."

On 20 October, it said: "A communications plan has been developed to ensure that staff, stakeholders, users of Archives collections and members of the public are kept informed as appropriate."

A third major outage ran for 11 days from 11 November.

The potential security and privacy breach that sparked it was made public after RNZ had enquired about a related matter.

The OIA reports show the title and description of "a series of family proceeding records" were made visible when they were restricted.

Archives restarted the search system on 22 November, telling RNZ "as it currently stands, we are satisfied there has been no privacy breach".

Two days later, in an internal weekly status report, it said it did not know for sure.

"A privacy risk assessment of the records involved in the 11 November 2022 incident is underway," it said.

"Axiell is due to provide further information on whether any members of the public accessed this material while it had the incorrect settings."

This would lead to a "final" privacy risk assessment and an update to the Privacy Commissioner on "if further action is needed".

The shutdowns are the further complicating problems with the whole system from the word go.

The Collections search system was slow, difficult to use and "inferior" to the old Archway system it replaced, various reports said.

The problems have contributed to hold-ups in court cases, and Māori land and marine hearings, because it is taking twice as long for researchers and lawyers to get records.

The newly-released reports state the risks included "a significant reputational risk" to Internal Affairs and to "public confidence".

"There is a lack of trust in the integrity of the data due to concerns around discrepancies in what staff and customers have access to," a report in August said.

Other risks were "wellbeing of staff" who were having to field hundreds of complaints - Archives looked at bringing in a contact centre to help - and "ongoing media requests".

The system was set up remotely by Axiell during Covid-19, without full testing by users due to the pandemic and without full functionality when it went live in February.

Archives said it met with senior Axiell staff and told them that their not advising the agency that they knew about the syncing error, "is not satisfactory".

Archives has been forced to put syncing on hold till it gets a software release in December - due in June, but delayed - to deliver "critical functionality".

"Work to address long-term digital solutions will be addressed in future budget bids," Archives told Tinetti in October.

Anyone affected by this story can call or text 1737 to talk to a counsellor 24/7- all calls are free and confidential. Or talk to your GP or healthcare provider.

  • Archives NZ shuts down search tool amid fears of security breach
  • Historian wants inquiry into limits on Archives NZ's services
  • Archives NZ reinstates online search tool after data mishap