The Teaching Council violated its own privacy policy

An external review has found several shortcomings at the Teaching Council of Aotearoa New Zealand, following a shocking breach of privacy that saw details of inappropriate relationships between named students and teachers inadvertently published online.

It found that the Teaching Council had violated its own policies, blaming a single employee for not receiving the “privacy briefing” required for the role.

The report comes after an investigation by 1News found the professional body accidentally uploaded information from dozens of private emails to the internet detailing complaints against teachers, principals and schools across the country.

The data was indexed by Google so that any citizen could easily find it with the right search terms. In one example, it could be found by simply searching for a student’s name.

The flaw was only discovered when it was accidentally spotted by 1News late last year while researching an unrelated story. TVNZ notified the Teaching Council and Data Protection Officer and waited for the data to be removed before publishing a story.

In a report released today, external reviewer Jenn Bestwick found that the breach was caused by a Teaching Council staff member seeking technical assistance.

The employee had attempted to redact sensitive details from a document before sharing it with a former colleague, but accidentally missed screeds containing highly identifiable information. The former colleague then uploaded the data to an online help forum while trying to solve the technical problem.

Bestwick noted that the Teaching Council staff had not completed their privacy briefing, ICT briefing and the ‘Online Privacy Module’ at that time and it was not clear if they fully understood the Council’s policies.

“It is also evident that the Council has failed to uphold its own policy in relation to employee onboarding, both in terms of the manager’s responsibilities in arranging onboarding and those of Human Resources in completing onboarding to track process,” she wrote.

The training was only completed at the end of December, several days after TVNZ informed the Teaching Council of the breach, and the council had also failed to offer the staff member adequate “guidance” or “guard rails”.

“The council did not consider how the employee whose actions triggered the violation should receive technical assistance and did not communicate to the employee its expectations in this regard,” the report said.

“The council’s failure to ensure that the employee completed their onboarding may have contributed to the employee’s ignorance or understanding of the council’s policies and procedures relevant to the incident.”

The Teaching Council has since apologized to 55 people it considered “affected by the violation” and a further 141 “named parties”.

They also accepted the report’s six recommendations, including strengthening adoption processes and building on their security and privacy culture, and say they are already working toward those improvements.
