An external review has found multiple failings at the Teaching Council of Aotearoa New Zealand following a shocking privacy breach, where details of inappropriate relationships between named students and teachers were accidentally published online.
It found the Teaching Council breached its own policies, and laid blame at the feet of a single employee, who had not been given the proper “privacy induction” required for the role.
The report comes after a 1News investigation found the professional body had accidentally uploaded information from dozens of private emails to the internet, detailing complaints against teachers, principals and schools all over the country.
The data had been indexed by Google, meaning it could be easily found by any member of the public with the right search terms. In one example, it could be found by simply searching the name of a student.
The mistake was only uncovered when it was found accidentally by 1News late last year, while researching an unrelated story. TVNZ notified the Teaching Council and the Privacy Commissioner and waited for the data to be removed before running any story.
In a report released today, external reviewer Jenn Bestwick found the breach was caused by a Teaching Council employee who was looking for technical help.
The worker had tried to redact sensitive details from a document, before sharing it with a former colleague, but accidentally missed screeds of highly identifiable information. The former colleague then went on to upload the data to a help forum on the internet, while trying to solve the technical issue.
Bestwick found the Teaching Council employee had failed to complete their privacy induction, ICT induction and “online privacy module” at the time, and it was not clear whether they fully understood the Council’s policies.
“It is also apparent that the Council had not complied with its own policy in relation to the induction of the employee both in relation to the responsibilities of the manager to arrange the induction and those of Human Resources to keep track of the completion of the induction process,” she wrote.
Their CEO claims the breach only affects 43 people, but 1News can reveal that number is a long way from the truth. (Source: 1News)
The training was only completed in late December – several days after TVNZ notified the Teaching Council of the breach – and the Council had also failed to offer proper “guidance” or “guardrails” to the employee.
“The Council failed to consider how the employee whose actions precipitated the breach was intended to obtain technical support and did not communicate its expectations to the employee in this regard,” the report reads.
“The failure of the Council to ensure the employee completed their induction may have contributed to the employee’s lack of knowledge or understanding of the Council’s policies and procedures relevant to the incident.”
Highly sensitive information discussing complaints and investigations against dozens of teachers and principals has been accidentally published online. (Source: 1News)
The Teaching Council has since apologised to 55 individuals it deemed to be “affected by the breach” and another 141 “named parties”.
They also accepted the report’s six recommendations, including strengthening induction processes and building on their security and privacy cultures, and say they are already working towards these improvements.
SHARE ME