Privacy Commissioner questions VTNZ about leak to gang members

The Privacy Commissioner says he's deeply concerned a VTNZ employee leaked personal information about a police informant to gang members and is looking for answers from the company.

As part of the sentencing decision yesterday of six members of the Head Hunters gang for the kidnapping and manslaughter of Jindarat Prutsiriporn, Justice Matthew Palmer says one of the gang members had been able to get the details of a motorist who reported the group behaving suspiciously.

This action was done through a Vehicle Testing New Zealand (VTNZ) employee who had access to the company’s database.

Earlier this year, when the gang sent individuals to kidnap Ms Prutsiriporn, the court says a member of the public became suspicious about the group of men waiting outside her home. As a result of the police complaint, the kidnappers then left the location.

It was this person’s details that were released by the VTNZ employee, according to Justice Palmer’s oral comments.

Ms Prutsiriporn was successfully kidnapped on the gang’s second attempt. The High Court says Ms Prutsiriporn was involved in criminal drugs and was lured to the kidnapper’s car under the guise of a drug deal.

She spent 22 hours tied up and gagged at several Auckland locations. She later died in hospital on March 1 from a strike to her head gained during an attempt to escape from the back of a car while being moved between locations.

Six men have been jailed for the kidnapping and manslaughter of the 50-year-old.

VTNZ general manager of operations Greg O’Connor says an investigation into the unauthorised release of personal information has been conducted and that the employee left the company before the disciplinary process had been completed.

He says it is not possible to stop all breaches, especially when an employee “went out of their way to act fraudulently."

In a statement to NBR, Mr O'Connor says the company takes privacy and the security of client information seriously.

“In the case in question, we acted as soon as we were notified by police about the potential of a breach of our systems and we worked closely with them on their investigation.

“Unauthorised access of client information is a serious breach of our policies and procedures and goes against the training all VTNZ staff must go through.  We will not hesitate to act and we have disciplined people who breach our policies.”

He says it was a “deliberate and conscious breach of the system by someone who knows how it works, and whose job as a Customer Service Representative involved regularly accessing customer information – in this case, their home address.

“Everyone in the organisation feels disappointed and let down by the incident and we have reviewed our policies and processes since then.”

Privacy Commissioner John Edwards says he has written to VTNZ about his concerns and agrees that human error is sometimes all it takes to circumvent policy.

“You can throw whatever money you want at technical security solutions, but if you don’t pay sufficient attention to culture and the human element, then you retain a significant vulnerability. Either because of the capacity for human frailty or the expectations for security are not sufficiently wired into the culture, employees believe they can get away with it."

Mr Edwards says even when the external pressure to release sensitive information is high, having good internal security and privacy procedures and policies will help staff resist those pressures.

According to Mr O'Connor, VTNZ staff are required to complete an annual declaration confirming they understand and adhere to VTNZ’s code of ethics. 

“All new employees must also complete and pass training that includes our privacy policy and how to deal with customer information. Since the incident, we have also increased audit and procedural controls,” he says.

“We’re always looking for ways to improve the way we manage customer information and are already speaking to the Privacy Commissioner. We welcome the involvement of his office and if needed, we will make improvements to our systems and processes.”

All content copyright NBR. Do not reproduce in any form without permission, even if you have a paid subscription.