The Four Points by Sheraton Hotel in Auckland, being used as a Government managed isolation facility, is at the centre of a leak scandal.
A security guard leaked details of returnees at an Auckland isolation facility via Snapchat, Stuff can reveal.
A privacy law expert describes the breach as “very serious” and says those affected could sue for $100,000 each.
The First Security worker posted the image to a private group on the social media platform on Saturday morning while on duty at the Sheraton Four Points managed isolation facility in central Auckland.
Stuff received word of the leak on Saturday, but the Ministry of Business, Innovation & Employment (MBIE) would not confirm or comment on it until Tuesday afternoon ahead of a general media release.
* Coronavirus: Testing of isolation facilities a ‘gap’ in NZ’s Covid-19 defence
* Coronavirus: Returnee’s ‘brief’ bout of freedom from managed isolation facility
* Coronavirus: Woman arrested after entering Auckland isolation facility through ‘faulty car park door’
The image included a printed list containing the names, room numbers, and arrival and departure dates of 27 returnees staying at the facility, along with the names and room numbers of five staff members.
MBIE managed isolation and quarantine deputy chief executive Megan Main said in a statement the photo was posted early on Saturday and removed about noon the same day.
First Security had confirmed the image had since been deleted from the guard’s phone, Main said.
“The investigation into this incident has established the guard had legitimate access to the list, as part of their role processing and monitoring returnees going outside the building for exercise or other reasons,” Main said.
Do you know more? Email email@example.com
“The actions of this person were unacceptable, and we sincerely apologise to those people whose privacy was breached. We have contacted all of those affected to inform them of the incident.”
The guard has been removed from duty at any managed isolation facility and First Security has launched an investigation, she said.
Director-General of Health confirmed the August 18 numbers at the 1pm press conference.
“We have expressed our concerns about this incident to the employer.
“There is no information to suggest the guard is responsible for any other inappropriate disclosures of information.”
The Office of the Privacy Commissioner confirmed it had been notified of the breach.
University of Auckland associate professor of law Gehan Gunasekara researches information privacy and is chair of the Privacy Foundation NZ.
He took a dim view of the leak: “That’s a very serious breach.”
Gunasekara said the leak was not necessarily a criminal act.
However, the people affected could take a civil action under the Privacy Act against the agency which contracted the security guard, he said.
Similar actions had resulted in large awards, but success would depend on them being able to prove harm, for example if they could show they were vilified, humiliated or suffered emotional distress as a result of the leak.
“Each one could sue for $100,000,” Gunasekara said.
“They’d have to show harm, that’s the difficult thing.”
The current Privacy Act, due to be updated in December once the Privacy Act 2020 comes into force, does not allow for class actions so each person affected would have to take an individual action.
But Gunasekara said Principal Five of the current act, which would apply in the case of this breach, says agencies holding personal data must ensure the information is protected by such security safeguards that are reasonable in the circumstances.
“You could argue it hasn’t been kept reasonably secure.”