Human error led to Teaching Council privacy breach – review

Human error was found to be the cause of a privacy breach by The Teaching Council of Aotearoa New Zealand, with the organisation strengthening its internal policies and procedures after accepting recommendations from an external review.

The privacy breach that occurred in December 2021 occurred when a staff member’s mistake led to a spreadsheet of information containing details of general enquiries and correspondence appearing on an online technology forum. An external cyber incident was ruled out as cause when the findings of the review were released on Tuesday 8 March.

Two reviews have been conducted into the breach: an internal incident review and an external review by independent professional director Jenn Bestwick. The findings of the internal incident report and management discussions were shared with the external reviewer and factored into the external reviewer’s report, said the Teach Council in a media statement.

“The external review found the circumstances that resulted in the privacy breach contravened existing Teaching Council privacy, technology, information, and employee induction policies.”

Recommendations include strengthening employee induction processes, establishing protocols for employees in specialist roles seeking external technical support, and ensuring all policies and procedures remain current and are reviewed regularly

Nicola Ngarewa, Teaching Council Chair said, “The Teaching Council accept the findings and it is committed to implementing all recommendations. We are accountable for ensuring similar mistakes do not happen again and commissioned the independent external review to understand where we need to improve our systems.

“While the external review found that in general the Teaching Council responded well to the breach, quickly moving to have the spreadsheet removed from the public site, advising the Office of the Privacy Commissioner, and communicating appropriately to those individuals deemed to be affected parties, we are disappointed that it happened in the first place.

“We are focussed on implementing the recommendations to provide confidence to our members and to ensure ongoing accountability. We will confirm when all the recommendations have been implemented”, she said.

The external review provided six key recommendations:

1. Strengthening staff on-boarding and induction processes to ensure they are more closely managed and consistently applied so all new employees understand the organisational policies and procedures and their own individual responsibilities.
2. Establishing operating protocols for “one-deep” specialist roles, recognising the need for employees in those roles to seek external peer support and advice when there is no other specialist expertise within the organisation, and ensuring they are supported to fulfill their role safely
3. Continue to build the organisation’s information security and privacy cultures, raising awareness of individual responsibilities in relation to both information security and privacy
4. Ensure all policies and procedures remain current and are reviewed within the documented review windows.
5. Continue to implement the recommendations from the recent Protective Security Requirements Information Security Assessment
6. Review the Council’s Incident Response Plan and protocols to include the establishment of a Governing Council incident response team and protocols for communicating to the Governing Council.

Chief Executive Lesley Hoskin said “We will take the learnings from this incident and do all we can to ensure this type of mistake does not happen again. It is clear that privacy protection must be a priority to ensure teachers can have confidence in our systems and processes.

“We have contacted the 55 individuals deemed to have been affected by the breach and an additional 141 named parties, and we apologise again for the mistake.

“The external review shows there are some things we must do better, and we are committed to making those changes as quickly as possible,” said Hoskin.