Two Pak'N'Save stores in Auckland have been slammed by the Privacy Commissioner after security guards from a third-party company shared images of customers, accompanied by allegations of criminal activity.
Both Pak'nSave Clendon (C Park Traders Limited) and Pak'nSave Royal Oak (Hutchinson Bros Limited) were found to have breached the Privacy Act for failing to provide adequate oversight of their third-party providers who were providing security services to the stores.
The incident involved third-party security guards, engaged to work in the stores, who shared images of customers, accompanied by allegations of theft or criminal activity. One incident also involved a store employee.
"As a result, both individuals whose images were shared faced a heightened risk of harassment and reputational harm," Privacy Commissioner Michael Webster said.
"We found similar issues of concern where both stores did not meet expectations set out in the Privacy Act relating to the storage and security of information.
"The decision to name the two individual stores is a significant step and was made because of the seriousness of the issues and their public interest," he said.
"Both stores lacked important safeguards that retailers should have in place when allowing third party providers access to sensitive information such as surveillance information," said Webster.
"Agencies engaging third-party agents who access or operate surveillance or loss-prevention technologies (such as CCTV) should ensure that privacy obligations are explicit, enforceable, and routinely monitored to prevent harm. That keeps information safe and maintains public confidence in how personal information is handled."
Webster said it was "rare for me to name agencies, but this served as a reminder to businesses that outsourcing functions does not outsource accountability".
"When contractors handle personal information, the agency who has hired them must ensure that their privacy expectations are clear, enforceable, and actively managed."
While the stores remained individually accountable for complying with the Privacy Act, the Privacy Commissioner was also working with Foodstuffs North Island Limited – as the co-op lead for the two stores – on remedial actions.
These included training for store personnel – including security contractors – on privacy obligations and requiring stores to have written agreements in place with all contractors who process personal information on behalf of stores, including security.
'We regret there were shortcomings' – Foodstuffs responds
In a statement, the company acknowledged the Office of the Privacy Commissioner's findings and said it took "responsibilities under the Privacy Act seriously".
"The two incidents involved separate and isolated actions taken by third-party security guards. Their behaviour did not meet the standards we set for anyone working in our stores, including contractors. The individuals concerned did not follow appropriate processes, and their conduct fell well short of what we expect," a Foodstuffs North Island spokesperson said.
The spokesperson said both stores had co-operated fully with the Privacy Commission throughout its inquiries.
"Pak'nSave Clendon is now under new ownership. Each store has completed additional training for all security team members and contractors who handle personal information. Updated written agreements are now in place with every security contractor, and our expectations on them are clear.
"We regret there were shortcomings in how our contractors handled the situations. Protecting customer privacy is essential, and we are committed to ensuring our systems and oversight remain strong, so this does not occur again."
SHARE ME