Privacy Commissioner Frustrated By Firearms Privacy Breach
The Privacy Commissioner is frustrated by the New Zealand Police’s recent serious privacy breach.
The breach involved the inadvertent disclosure of 147 firearm owner’s email addresses by Te Tari Pūreke, the police’s new firearms safety authority on Wednesday, 26 July, 2023.
"This is frustrating, given the significant known risk of email address errors and the opportunity the new authority had to design in system guardrails," says Privacy Commissioner Michael Webster.
This is the fourth breach of firearm owners’ personal information by the police in under four years.
"We found out about this privacy breach via the media. We had to ask the police to notify us," said the Commissioner.
The Office of the Privacy Commissioner was formally notified by the police at 10.28pm on July 27 of the serious breach.
"We understand the police sent out an email to affected people within minutes of the serious breach occurring. But this was an avoidable serious privacy breach.
"The purpose of the firearms register is to effectively regulate the legitimate possession and use of firearms to keep all communities safe. It can only do this if firearms owners trust that their personal information will be protected’, says Mr Webster.
The email error meant recipients of a bulk email were able to see the email addresses of everyone else who received the message.
"Email address errors were significant known risks, which were clearly signalled by my Office during the firearms registry policy process and by other privacy experts in the design and implementation of Te Tari Pūreke’s systems and processes. This should have been better managed", said Mr Webster.
"I regard email privacy breaches caused by typical human mistakes as system design errors. I expect any agency that relies on communication via email, especially bulk email, to have system and process guardrails in place to help prevent human error and keep staff and the public safe.
Mr Webster said it was his hope the establishment of a special purpose Firearms Safety Authority would contribute to community safety - and the secure management of firearm owners’ personal information is an important part of that.
"I note that since the email breach, Te Tari Pūreke has put in place a new interim email policy and a pause on all email to groups while technology-based guardrails are put in place.
‘I will be asking Te Tari Pūreke to provide me with assurance that they have implemented robust systems and processes across the authority to protect the sensitive personal information they hold.
This work is essential to gaining the trust and confidence of firearms owners in the new authority," says the Commissioner.
For agencies who rely on email, particularly bulk email, to communicate with the public, some useful guardrails include:
- ‘delay-send’ rules to allow
errors to be identified and reversed;
- disabling ‘auto-complete’
addressing functions to reduce the risk of the incorrect email address
being used;
- removing access to the ‘cc’
line to eliminate the potential for common "cc" vs "bcc" mistakes; and
- ensuring that email
addresses are checked and potentially tested before being used to send
communications or information, particularly sensitive information.