ZB ZB
Opinion
Live now
Start time
Playing for
End time
Listen live
Listen to NAME OF STATION
Up next
Listen live on
ZB

Review finds Wellington City Council crash data breach was preventable

Author
Georgina Campbell,
Publish Date
Sun, 8 Oct 2023, 4:43pm
The review found 1380 rows of data containing personal information relating to road crashes in Wellington. Photo / Alex Cairns
The review found 1380 rows of data containing personal information relating to road crashes in Wellington. Photo / Alex Cairns

Review finds Wellington City Council crash data breach was preventable

Author
Georgina Campbell,
Publish Date
Sun, 8 Oct 2023, 4:43pm

An independent review has found a serious harm data breach, in which Wellington City Council released personal details of people involved in local road crashes, was preventable and a result of human error.

Furthermore, it found much of the private information, downloaded in a spreadsheet, was entirely irrelevant to the council’s purposes.

The review identified 1380 rows of data with personal information including contact details, drug and alcohol readings, who the police thought was responsible for the crash, and injuries. The most sensitive information was contained in 80 rows.

The council has previously apologised for the breach and commissioned the independent review in June, while Wellington Mayor Tory Whanau has expressed her disappointment and frustration.

The tightly-held Waka Kotahi NZ Transport Agency crash data was downloaded by a council official as part of a benefit-cost ratio analysis for a plan to lower speed limits in the city.

However, the Herald revealed the private details were not scrubbed and the entire spreadsheet was then publicly released under the Local Government Official Information and Meetings Act (LGOIMA).

Council staff, privacy experts and data processors were interviewed for the review conducted by INFO by Design and The Instillery.

The resulting report said the primary cause of the breach was human error and noted the spreadsheet was handled by seven council staff before it was published.

Nobody interviewed expressly recalled seeing the tabs in the spreadsheet containing the personal information when the LGOIMA request was being handled.

“Any effective review should have caught the personal information,” the report said.

Nobody interviewed could explain why the spreadsheet was created in the first place and whether a benefit-cost ratio was even required for the plan to lower speed limits.

Regardless, the review said downloading the full spreadsheet with all the crash data information was not necessary.

“A significant number of incidents were unrelated to the speed of the vehicle and therefore do not appear to relate to the policy question at hand.”

Examples include a car being stolen by children too young to have licences, deliberately using a vehicle to run someone over, and numerous incidents involving drugs, alcohol or medical events, the review said.

“Wellington City Council could have downloaded a limited subset of information or cleaned that data that was not necessary.”

Interviewees who had experience with large data sets said they were surprised the irrelevant data was not deleted from the outset.

“”Just because there is all that data, why would you need it” and that they were “shocked” that personal information had been left behind.”

The review said the council had obligations to the public that its analysis is transparent and can be reproduced.

In this case, the benefit-cost ratio was significantly miscalculated anyway and has been the subject of a separate review. The benefit of reducing crashes was overstated by more than $250 million.

As for WCC’s general ability to manage privacy, one interviewee said the council is “focused on new risks but has become blind” to older issues.

Another stressed that a balance is required between improving privacy and privacy not being used to erode transparency.

Someone else said there were still council staff who weren’t willing to accept their role in the privacy breach.

The review said the privacy function at Wellington City Council was reactive rather than proactive and “in an immature space”.

The council has one senior privacy adviser who was hired late last year.

However, the review said having one subject matter expert has been insufficient, especially considering the council provides about 400 services and has an operating budget of $817.6m for the current financial year.

The review’s recommendations include the council creating a policy on how to deal with large datasets, appointing a senior leader to champion the council’s official information process, and building a privacy culture and awareness through better training and resourcing.

Chief strategy and governance officer Stephen McArthur said he welcomed the review and the council will be implementing the recommendations.

The matter will be considered at a council Audit and Risk Committee meeting on Wednesday.

Georgina Campbell is a Wellington-based reporter who has a particular interest in local government, transport, and seismic issues. She joined the Herald in 2019 after working as a broadcast journalist.

 

Take your Radio, Podcasts and Music with you