News from WCC
The Wellington City Council’s parking services contractor Tenix Solutions has inadvertently released bulk personal information from about 120,000 parking tickets to an individual who made a routine information request.
The requestor has assisted the Council to recover and secure the information. Tenix Solutions has been instructed to ensure no recurrence of any such releases.
The council became aware of the privacy breach last month.
The requestor sought publicly-available information from Tenix about Council parking enforcement data over a two-year period. Tenix populated spreadsheets with that data from about 120,000 tickets issued to some lesser number of vehicle owners – both individuals and businesses.
Without notifying the Council, Tenix sent the spreadsheets to the requestor on three separate disks between August and November this year. While the information released was not of a sensitive nature and might otherwise have been obtained elsewhere, the spreadsheets included personal information about vehicle owners – specifically, the names and addresses of vehicle owners, and their vehicle registration numbers, issued with parking tickets during the past two financial years, mostly between April and June 2012 and April and June 2013.
Unable to obtain the information asked for, the requestor contacted the Council and also made us aware of the privacy breach on 19 November. Since then he has fully co-operated with Council officers investigating the breach, returned the three disks on which the information was sent, and satisfied the Council that the personal information has not been copied or used. The Council is still working with the requestor to provide the information sought, excluding any personal information.
Council Chief Executive Kevin Lavery has sought assurances from Tenix that appropriate systems and checks are in place to prevent this from occurring in future. He has instructed a full review to be undertaken by Tenix to provide those assurances.
“I would like to unreservedly apologise to those individuals whose personal information has been disclosed and, again, thank the requestor for returning the information.
“I have been clear with our contractor that its performance in this event was woeful. We should all have every confidence that our personal information is secure and that there are processes and systems in place to ensure this does not happen again.”
Privacy breach – Q&As
What private information has been released?
There has been an accidental bulk release of parking ticket data. The personal information contained in a ticket relates to:
Vehicle number plates
Names of registered vehicle owners
Contact addresses of registered vehicle owners.
How many people has this affected?
What we know is it is personal information populated from about 120,000 parking tickets issued over two years. It was included on three separate disks given to a member of the public in response to a request under the Local Government Official Information and Meetings Act.
This is not the information of 120,000 individuals, as many people received multiple tickets and the disks also included the details of businesses and other organisations that own vehicles.
The personal information relates only to individuals who received a parking ticket (or multiple tickets) during the past two financial years – mostly in the periods from April to June 2012 and April to June 2013. Details of number plates, and names and addresses of the registered vehicle owners were incorrectly included in the response.
Who got the information?
The information was compiled and formatted by our parking services contractor, Tenix, which provided it to an individual requestor who had sought detailed parking-enforcement information via the Local Government Official Information and Meetings Act.
When were they sent this?
The information was sent on three separate disks between August and November this year.
When did the Council find out?
The requestor alerted the Council to the disclosure of vehicle registration plates on 19 November. After further investigation, the Council became aware of the full extent of the disclosure, including names and contact addresses on 29 November. The Council has reported the breach to the Office of the Privacy Commissioner.
Has the requestor passed this information on to anyone else?
No. The Council’s Chief Executive, Kevin Lavery, and other senior managers have personally met the requestor. He has given us assurances that he has not copied the disks or retained or used the personal information. We emphasise he was the unintended recipient of personal information in this issue. He returned the disks earlier this week.
Our contractor did not follow proper process for dealing with information requests. All information requests to contractors have to be notified to the Council. The contractor did not do this in this instance.
Why did the requestor want that much information?
There is no requirement for a requestor to say why he or she wants official information. The requestor sought official information that could be provided publicly.
The Council has known about this for 2-3 weeks but you are only telling people now?
That’s correct. We had to determine exactly what information had been provided and when. We have been in contact with the requestor to get the disks back and to give him the information he wants. We have been working with the requestor to secure the return of the disks and he has cooperated fully. Our announcement is to confirm the security of that information.
How can people find out if their information has been disclosed?
This information has only gone to one person, who has not shared the information with any other parties, and has returned the disks back to the Council without retaining the data on them. If people are concerned their information may have been included on the disks they can email the Council at firstname.lastname@example.org. If possible they should include details infringement number (if known), name and address and vehicle registration number
We ask people not to ring our Contact Centre or Tenix because the staff there do not have authorisation to access to the parking data. It is best people email email@example.com
Anyone who wishes to seek further advice can also contact the Office of the Privacy Commissioner.