Sensitive info published online in Teaching Council privacy breach

Source: 1News

A 1News investigation can reveal a massive privacy breach at the Teaching Council of Aotearoa New Zealand, with details relating to dozens of complaints against teachers and principals accidentally published online.

The highly sensitive data appears to have been publicly available on Google for around two months, leaving some in the sector “horrified”.

An investigation is now underway at the Teaching Council with its chief executive, Lesley Hoskin, apologising “unreservedly” to those caught up in the incident.

The breach was inadvertently discovered by 1News late last week and popped up in a Google search result while this reporter was researching an unrelated story.

The publicly available spreadsheet contained hundreds of private communications received by the Teaching Council in 2020 and 2021. It appears the document had been accidentally uploaded to the internet and then indexed by Google, meaning it could be found thousands of different ways by any member of the public.

Data in the breach included the names of dozens of teachers, principals and complainants at schools around the country, in connection with formal complaints, investigations, mandatory reports and other issues.

It listed highly sensitive information including the full names of students involved in what are described as inappropriate relationships with teachers, some of them sexual.

Teacher in a classroom.

Some of those cases name children who appear to be aged under 16 – meaning if you googled them, their sensitive information would appear online.

It also included police inquiries about teachers and discussion about everything from historical abuse at schools to the mental health of students. 1News alerted the Teaching Council and the Privacy Commissioner last week and waited until the link was removed, before running this story.

Teaching Council chief executive Lesley Hoskin says it was “human error” and has written to 43 people to apologise.

“We're still investigating exactly how far it went and what happened, we've removed the data and the spreadsheet,” she said.

“I unreservedly offer an apology for the mistake that occurred, of course every member of the public and every teacher should be able to trust us and in this instance we have let ourselves down and we've let the profession down.”

PPTA president Melanie Webber described the breach as “very, very serious”.

“We were horrified, we understand that mistakes do happen but the level of confidential information that had been put out publicly was just dreadful,” she said.

“I’ve had principals get in touch with me who are hugely concerned about this breach, because they know both the student and the teacher, and the impact on them and on the school is huge.”

Associate Professor Gehan Gunasekara of the Privacy Foundation said it was at the “higher end” in the terms of a privacy breach.

“Now this is something that serious harm is very easy to see, both to those people who have been accused as well as the alleged victims, because all of those people's identities need to be protected,” he said.

Hoskin says it appears the incident happened when the spreadsheet was uploaded to a technical help forum in October.

But what’s less clear is how many people have read it.

“The post that was made where the technical question was asked was viewed 79 times, the spreadsheet that held the private data we understand thus far is was downloaded once,” she said.

But she couldn’t say how many how many times it was downloaded on Google, saying “we are working with Google to understand more”.

Leaving those exposed by the breach wondering just how far their information has gone.