Digital Service Delivery Channel
Miss W. Forest made this Official Information request to Privacy Commissioner
The request was partially successful.
From: Miss W. Forest
Dear Privacy Commissioner,
Related to general handling of privacy complaints or enquiries,
Please note I am referring to FY2017 as the Income Tax Financial Year 2017, which can alternatively be any other such reasonable period for which the data can be processed, with the aim that the numbers provided are comparable across the separate questions.
1) How many privacy complaints did you receive in total FY2017?
2) When does a complaint become an enquiry and other way around given complaints are labeled as enquiries if there is a difference between the two?
3) What is the difference between a complaint and an enquiry, if any, in respect of 2)?
4) How many complaints did you receive originally submitted via the secure web form within your website within FY2017?
5) How many complaints did you receive originally submitted via insecure e-mail within FY2017?
6) How long has the secure web form channel submission been live?
7) How long has the insecure e-mail channel submission been live?
8) Were any of the technical service delivery elements regarding handling complaints subjected to a review, audit or such, and if any, please provide a copy. Technical elements are your website secure form, complaint data handling and e-mail service delivery.
9) If a member of the public has alerted you to a potential complaint data breach, what actions do you take and who provides oversight to this?
10) If a member of the public has alerted you to a technical problem that can result in a breach of complaint data where there is a history of proven data breaches, what actions do you take and who provides oversight to this?
11) How many alerts from members of the public related to 9) and 10) did you receive during FY2017?
12) How do you evaluate potential or materialised data breaches on your complaint data that you hold, have sent or received? e.g. do you have a policy
13) When you have to forward or transfer the data from or to another commissioner how do you handle this? e.g. do you have a policy
14) What technical delivery is used for the transfer in respect of 13) e.g. insecure e-mail or "iron key" process using USB keys (MSD uses this) or physical paper form?
15) Has the transfer process from or to another body been formally designed and reviewed or is this up to the individual officer involved?
16) If you notice an ad-hoc process created by individual officers relating to technical aspects of handling data and there is concern from a member of the public, is there any policy that addresses this?
17) During handling a complaint you need information from the complainant, complained party or a 3rd party, what data transfer method do you use or is this up to individual officer case-by-case basis?
18) Did the officers handling the complaints receive information security related training during FY2017?
19) Is there any information security policy related to handling complaints data? Please provide a copy.
I would like also to request the below information regarding the data as part of the complaints;
a) How long has the current practice of copying the whole complaint data, originally submitted and trusted via a secure https form, into insecure e-mail taken place?
b) Do you classify the data within complaints? e.g. as containing sensitive or medical data etc.
c) Are there any retention rules applied and what are these?
d) Is the complaint data stored in any searchable database?
e) Where else is the complaint data stored, e.g. in e-mail inboxes/outboxes?
f) If you receive a letter of complaint in paper form via post, do you digitize this?
g) If the complaint in f) is digitized is it a subject of same treatment as originally digitally received complaint?
h) Can I have a copy of your policy regarding the use of e-mail and complaint data protection?
i) Does the secure web complaint form from the front-end web server transmit the complaint data to an internal e-mail address or to a secure database or such and is it a secure channel and what internet protocols are used?
j) Are there any e-mail forwarders in use where the complaint data gets copied incidentally to an officer's personal e-mail, for example?
k) Do you have rules with your e-mail provider in place so that no e-mail forwarding in respect of j) can happen?
l) Can you audit who and when has inspected data from individual data, e.g. if you are in possession of health information or other sensitive data as part of the complaint?
m) Do you have any restrictions on what data individual officers can access and when, e.g. only the cases they are handling?
n) Do you encrypt any of the complaint data you handle by practice or is this up to the individual officers on case by case basis?
Yours faithfully,
Miss W. Forest
From: Privacy No Reply
Privacy Commissioner
Thank you for your email. We are assessing your enquiry, and will contact
you within three working days.
Please do not reply to this email as it is not monitored – direct replies
to [1][Privacy Commissioner request email]
If you would like to visit our [2]website in the meantime, please feel
free to do so. We also have a privacy knowledge base “[3]Ask Us” which may
assist you.
Kind regards,
Enquiries Team
Office of the Privacy Commissioner Te Mana Matapono Matatapu
PO Box 10094, The Terrace, Wellington 6143
T 0800 803 909
E [4][Privacy Commissioner request email]
privacy.org.nz
Privacy is about protecting personal information, yours and others’. To
find out how, and to stay informed, [5]subscribe to our newsletter
or follow us online. [6]Facebook [7]Twitter
Caution: If you have received this message in error please notify the
sender immediately and delete this message along with any attachments.
Please treat the contents of this message as private and confidential.
Thank you.
References
Visible links
1. mailto:[Privacy Commissioner request email]
2. https://www.privacy.org.nz/
3. https://www.privacy.org.nz/further-resou...
4. mailto:[Privacy Commissioner request email]
5. http://privacy.org.nz/subscribe/
6. http://www.facebook.com/PrivacyNZ
7. https://twitter.com/NZPrivacy
8. https://privacy.org.nz/further-resources...
From: Miss W. Forest
Dear Privacy Commissioner,
You are past the 20 days allowed, a breach under the OIA s. 15(1).
Please provide a response.
p.s. You may want to remove the misleading automatic e-mail responder indicating 2-3 days expected response or provide separate e-mail address for OIA so your incoming data does not get mixed up in the same mailbox.
Yours sincerely,
Miss W. Forest
From: Sharyn Leonard
Privacy Commissioner
Good afternoon Miss Forest
Please find attached the Office of the Privacy Commissioner’s response to
your Official Information request.
Regards
Sharyn
Sharyn Leonard
Secretary, Communications and Litigation
Office of the Privacy Commissioner Te Mana Matapono Matatapu
PO Box 10094, The Terrace, Wellington 6143
Level 8, 109 Featherston Street, Wellington, New Zealand
E [1][email address]
privacy.org.nz
Privacy is about protecting personal information, yours and others. To
find out how, and to stay informed, [3]subscribe to our newsletter
or follow us online. [4]Facebook [5]Twitter
Have a privacy question? [6]AskUs
Caution: If you have received this message in error please notify the
sender immediately and delete this message along with any attachments.
Please treat the contents of this message as private and confidential.
Thank you.
References
Visible links
1. mailto:[email address]
3. http://privacy.org.nz/subscribe/
4. http://www.facebook.com/PrivacyNZ
5. https://twitter.com/NZPrivacy
6. http://www.privacy.org.nz/ask