Major Privacy Breach by one of NZ’s Largest Childcare Providers.
March 31, 2022.
In a major privacy breach, one of NZ’s largest providers of early childhood education mistakenly sent employees a file that included the names, email addresses, region, and date of birth of more than 1,000 other employees from around the country. The employees were relievers.
The email sent on Wednesday, is believed to have been recalled by the service provider. It has also apologised to those whose information it shared.
The service is taking steps to ensure such an error does not happen again and the Office of the Privacy Commissioner may or may not decide to undertake an investigation.
Should you have received the file, you are advised to delete it. If someone seeks to make use of this information they would be wrong to do so.
Why teacher date of birth is included in the contact list (and not other data such as years of experience) and whether age is used as a determining factor in what work they are offered, are matters that those affected by the privacy breach may wish to have a conversation with the service provider about.
What learning can be taken from what’s happened?
- Be careful what private information you share internally within your organisation.
- Before hitting the send button on an email, check if you have attached any documents by mistake. Also, open any attachments to make sure they are the files with the content that you intend to send.
- Ensure all staff are provided with training relating to the Privacy Act, 2020 relevant to their role and responsibilities. The Office of the Privacy Commissioner provides e-learning modules including topics of: ’employment and privacy’ and ‘privacy ABC for schools’ (this is relevant to all education services), and ‘privacy breach reporting’
