Digital Service Delivery Channel

Miss W. Forest made this Official Information request to Privacy Commissioner

The request was partially successful.

From: Miss W. Forest

Dear Privacy Commissioner,

Related to general handling of privacy complaints or enquiries,

Please note I am referring to FY2017 as the Income Tax Financial Year 2017, which can alternatively be any other such reasonable period for which the data can be processed, with the aim that the numbers provided are comparable across the separate questions.

1) How many privacy complaints did you receive in total FY2017?

2) When does a complaint become an enquiry, and the other way around, given complaints are labeled as enquiries, if there is a difference between the two?

3) What is the difference between a complaint and an enquiry, if any, in respect of 2)?

4) How many complaints did you receive originally submitted via the secure web form within your website within FY2017?

5) How many complaints did you receive originally submitted via insecure e-mail within FY2017?

6) How long has the secure web form channel submission been live?

7) How long has the insecure e-mail channel submission been live?

8) Were any of the technical service delivery elements regarding handling complaints subjected to a review, audit or such, and if any, please provide a copy. Technical elements are your website secure form, complaint data handling and e-mail service delivery.

9) If a member of the public has alerted you to a potential complaint data breach, what actions do you take and who provides oversight of this?

10) If a member of the public has alerted you to a technical problem that can result in a breach of complaint data where there is a history of proven data breaches, what actions do you take and who provides oversight of this?

11) How many alerts from members of the public related to 9) and 10) did you receive during FY2017?

12) How do you evaluate potential or materialised data breaches on your complaint data that you hold, have sent or received? e.g. do you have a policy?

13) When you have to forward or transfer the data from or to another commissioner, how do you handle this? e.g. do you have a policy?

14) What technical delivery is used for the transfer in respect of 13) e.g. insecure e-mail or "iron key" process using USB keys (MSD uses this) or physical paper form?

15) Has the transfer process from or to another body been formally designed and reviewed or is this up to the individual officer involved?

16) If you notice an ad-hoc process created by individual officers relating to technical aspects of handling data and there is concern from a member of the public, is there any policy that addresses this?

17) When, during handling of a complaint, you need information from the complainant, complained party or a 3rd party, what data transfer method do you use, or is this up to the individual officer on a case-by-case basis?

18) Did the officers handling the complaints receive information security related training during FY2017?

19) Is there any information security policy related to handling complaints data? Please provide a copy.

I would also like to request the below information regarding the data as part of the complaints:

a) How long has the current practice of copying the whole complaint data originally submitted and trusted via a secure https form into insecure e-mail taken place?

b) Do you classify the data within complaints? e.g. as containing sensitive or medical data etc.

c) Are there any retention rules applied and what are these?

d) Is the complaint data stored in any searchable database?

e) Where else is the complaint data stored, e.g. in e-mail inboxes/outboxes?

f) If you receive a letter of complaint in paper form via post, do you digitize this?

g) If the complaint in f) is digitized, is it subject to the same treatment as an originally digitally received complaint?

h) Can I have a copy of your policy regarding using e-mail and complaint data protection?

i) Does the secure web complaint form from the front-end web server transmit the complaint data to an internal e-mail address or to a secure database or such, and is it a secure channel, and what internet protocols are used?

j) Are there any e-mail forwarders in use where the complaint data gets copied incidentally to an officer's personal e-mail, for example?

k) Do you have rules with your e-mail provider in place that no e-mail forwarding in respect of j) can happen?

l) Can you audit who and when has inspected data from individual data, e.g. if you are in possession of health information or other sensitive data as part of the complaint?

m) Do you have any restrictions on what data individual officers can access and when, e.g. only the cases they are handling?

n) Do you encrypt any of the complaint data you handle by practice or is this up to the individual officers on case by case basis?

Yours faithfully,

Miss W. Forest

From: Privacy No Reply
Privacy Commissioner


Thank you for your email. We are assessing your enquiry, and will contact
you within three working days.

Please do not reply to this email as it is not monitored – direct replies
to [Privacy Commissioner request email]

If you would like to visit our website in the meantime, please feel
free to do so. We also have a privacy knowledge base “Ask Us” which may
assist you.

Kind regards,

Enquiries Team

Office of the Privacy Commissioner  Te Mana Matapono Matatapu
PO Box 10094, The Terrace, Wellington 6143

T 0800 803 909
E [Privacy Commissioner request email]
privacy.org.nz

Privacy is about protecting personal information, yours and others’. To
find out how, and to stay informed, subscribe to our newsletter
or follow us online.

Caution: If you have received this message in error please notify the
sender immediately and delete this message along with any attachments.
Please treat the contents of this message as private and confidential.
Thank you.

From: Miss W. Forest

Dear Privacy Commissioner,

You are past the 20 days allowed, a breach under the OIA s. 15(1).

Please provide a response.

P.S. You may want to remove the misleading automatic e-mail responder indicating a 2-3 day expected response, or provide a separate e-mail address for OIA so your incoming data does not get mixed up in the same mailbox.

Yours sincerely,

Miss W. Forest

From: Sharyn Leonard
Privacy Commissioner


Attachment: 2018 05 02 response to OIA.pdf (187K)


Good afternoon Miss Forest

Please find attached the Office of the Privacy Commissioner’s response to
your Official Information request.

Regards

Sharyn

Sharyn Leonard
Secretary, Communications and Litigation

Office of the Privacy Commissioner  Te Mana Matapono Matatapu
PO Box 10094, The Terrace, Wellington 6143
Level 8, 109 Featherston Street, Wellington, New Zealand

E [email address]
privacy.org.nz
