An unknown member of the public accessed hospital records on two occasions in August.

Michael Webster (Privacy Commissioner) Credit: Supplied

The Privacy Commissioner has acknowledged an apology from Archives NZ following a privacy breach involving personal mental health information.

Archives NZ today explained what happened and how it had responded and outlined support available to anyone concerned their information had been affected.

"We sincerely apologise for this incident, which was a result of human error," Archives NZ said. "We want to reassure you that immediate corrective steps have been taken."

On 19 September it was discovered some digitised historical health records held by Archives NZ had been made "open access" in error.

These records were marked as "restricted access" in the collections database but were unintentionally viewable by public users of "Rosetta", the Archives NZ digital image system.

"We have identified two instances of access to these records" Archives said. "The first instance was by a former Archives NZ staff member who discovered the records on 19 September, 2022, and immediately alerted us to the situation."

However, an unknown member of the public also accessed the records on two occasions in August.

"While we have not been able to identify the second user who accessed the records, the access was for less than five minutes on each occasion," Archives said.

Information affected related to some records of Sunnyside Hospital, a Christchurch mental hospital and former lunatic asylum, spanning the 1950s through to the early 1970s.



Archives NZ said the files were immediately restricted once the coding error was discovered. The agency had also worked with the Office of the Privacy Commissioner and Te Whatu Ora - Health NZ to investigate and resolve the incident.

It had not, however, been possible to determine whether images were downloaded.



"We have a high degree of confidence that the scope is limited, and that this is a one-off case due to human error rather than systemic issues," Archives NZ wrote.

A plan to communicate with affected individuals was being developed.

There were lessons to be learned from the breach, Privacy Commissioner Michael Webster said.

“We acknowledge today’s public apology from Archives New Zealand to the affected individuals," Webster said. "People need to be put first and this office expects notification of breaches to be carefully handled and with pace.

“We understand the mere knowledge that someone may have looked at your sensitive health information could be triggering and cause distress. We encourage you to reach out to people you trust for support.”

Every government agency and business that held people’s personal information must take their obligations to protect it seriously, Webster said. That included letting people know when their data has been accessed by someone who should not be accessing it.

The Privacy Act did allow for individuals to not be informed where knowing that their data had been breached would cause them greater harm, but this was "the exception not the rule".

Anyone harmed by the privacy breach could make a complaint to the Office of the Privacy Commissioner.