Print | Email this page Office of the Privacy Commissioner | Case note 294302 [2018] NZPriv Cmr 6: Sensible Sentencing Trust falsely labels man as paedophile

19 Dec 2018, 15:00

A man received a call from one of his customers, who had found the man’s picture listed on the Sensible Sentencing Trust's (SST) 'Offender Database' beside a description of a convicted paedophile. The convicted paedophile had the same first and last names as the man, but their middle names were different.

The man's image had been on the website for almost two years and the page received 574 unique views in that time. After notifying the SST about the error, the man complained to our Office.

Accuracy of personal information

The complaint raised issues under principle 8 of the Privacy Act, which says agencies must take reasonable steps to check that personal information is accurate, complete, relevant, up to date and not misleading before using or disclosing that information.

The SST confirmed that a member of the public had submitted the photo via its online offender submission page. The SST did not verify that the photo was accurate before uploading it to the website.

The SST said that unpaid volunteers operated its database and they had the discretion to approve and upload information. The SST did not know who submitted the photo, or who had approved its addition to the database. SST had not provided its volunteers with any privacy training. The SST had no processes in place to verify the accuracy of information it received from the public. It also hadn't assessed the privacy risks of the 'Offender Database'.

The man's photo was up for almost two years, and the SST did not identify the error until the man complained.

This error occurred less than two years after the SST signed a settlement with the Director of Human Rights Proceedings where it accepted it had breached principles 6, 8 and 11 of the Privacy Act, and agreed to provide privacy training to its staff.

The SST breached principle 8 because it did not have reasonable safeguards in place to prevent an error like this occurring. Relying the assistance of unpaid volunteers does not discharge an agency from its legal obligations.

Harm

For the Privacy Commissioner to find that there has been an interference with an individual's privacy, there needs to have been a breach of one or more of the privacy principles and evidence that the breach caused the individual harm. This harm must reach the threshold set out in section 66 of the Privacy Act.

The SST's actions caused the man pecuniary loss. He had to take a lot of time out of running his business to try to fix this issue. The customer who alerted the man to the fact that his picture was in the database, also told the man that they would no longer work with his business. The man was concerned that the picture may have driven other customers away.

Someone who saw the man's picture in the database posted on the Facebook pages of schools and community groups calling the man a threat to children. It took a lot of effort for him to get these social media posts removed. He contacted schools and community groups, as well as NetSafe and the Police. The man found it frustrating that he had to go to all this trouble to fix someone else's mistake.

The man described how this incident humiliated him and his family, affecting their dignity and injuring their feelings. He recounted his feelings of fear and anger and described this situation as an 'emotional nightmare'.

The man was uncertain how far the information had spread and was worried that the photo may be in similar databases across the internet. When he was in public, he found himself looking away from people for fear that someone would recognise him from the database. The man also described the difficulty he had in explaining the SST's mistake to his friends, who thought that they had been associating with a convicted paedophile.

We were satisfied the man suffered significant harm to meet the threshold required under section 66 of the Privacy Act. The SST has interfered with his privacy.

SST's response to the breach

The SST accepted a mistake was made and took some steps to respond to the man's concerns. Once the man drew the SST's attention to the error, it removed his picture from the database and provided verbal and written apologies. The SST called some of the man's clients, published a notice in a local school's newsletter, and offered to hold a public meeting to correct the mistake. It also continued to cooperate with us.

While acknowledging these actions, neither our office or the man were satisfied that the SST did enough to help mitigate the significant harm the man suffered. The SST could have been more proactive in assessing and fixing the harm it had caused.

Further actions

After we formed a final view that SST interfered with man's privacy, the SST took the 'Offender Database' down. The SST says it is now checking all the records on the database.

We arranged a conciliation conference between the SST representatives and the man and his family. The parties agreed that the SST would:

post a notice on its website explaining why the database was not operating

write to the principals of all primary schools and the manager of the shopping centre in the man's local area

contact the operators of a similar database in Australia to see if it held the man's details, and request their removal if necessary

contact Facebook and Google to see whether there were still defamatory posts about the man, and request removal if necessary

attempt to contact the person who had been defaming the man and explain the circumstances of the complaint

complete a privacy impact assessment of the personal information it collects, holds, and uses

provide its trustees and officers with privacy training, and require them to complete the relevant online training modules on our website

provide an assurance that its 'Offender Database' will not go online until it addresses relevant concerns about the accuracy of its information is addressed.

produce a document for processes and procedures for volunteers and trustees to follow when adding an entry into the database.

The man made a reasonable request for financial compensation to settle this complaint. The SST said it was unable to meet the proposed figure and offered a significantly lower amount. The parties were unable to reach a final settlement.

Conclusion

The SST's failure to check the accuracy of its information implicated an innocent person for a terrible crime, tarnished his reputation, caused him emotional harm, and potentially put him at risk of violence. The magnitude of the error raises concerns of other errors in the database, and whether the SST has the capability to operate it.

Our investigations are almost always confidential, but we have applied our naming policy in this instance to publicly identify the SST to inform the public of its bad practice and remind other agencies of the importance of their privacy obligations.

Due to the significance of this case, and the fact that it was not settled, the Privacy Commissioner will now refer it to the Director of Human Rights Proceedings.