Unauthorised information matching between

Department for Courts and motor vehicle register

______

Report to the Ministers of Justice, Courts and Transport in relation to an inquiry into events surrounding unauthorised information matching programme operated in mid-1998

______

25 August 2000

1

REPORT TO MINISTER IN RELATION TO AN INQUIRY INTO

AN UNAUTHORISED INFORMATION MATCHING PROGRAMME

Introduction by the Privacy Commissioner

In the New ZealandHerald of 30 July 1998 Aucklanders read of a major mail-out error whereby cards warning people that they had “48 hours” to pay fines or face penalties had been wrongly sent out to up to 4,000 people. The Department candidly admitted that a different form of data matching had been used and while the Department had tried to be “a little clever” it hadn’t worked.[1]

My staff took the matter up with the Department and ascertained that the list of fines defaulters had been matched against personal details on the motor vehicle register. Data problems had been encountered which were not discovered or resolved prior to the mail-out. My office had been unaware that the Department was intending to undertake such data matching and it had not been authorised in the normal way whereby statutory authority would have been obtained with the programme listed as an “authorised information matching programme” subject to the procedures and safeguards in Part X of the Privacy Act 1993.

The actions of the Department for Courts were of concern to me. The Department was well aware of the processes for evaluating and authorising information matching programmes to be brought under Part X as it had been involved in seeking and obtaining authorisation for matches with both the social security and tax departments. It had been involved in inter-departmental and Cabinet committee processes relating to other matching proposals. The unilateral action in undertaking significant information matching without bringing the programme within Part X represents a major risk to privacy. Had the programme been authorised under Part X it would have been established in such a way that the significant data quality problems would have been discovered and avoided. Nor would it have been possible for notices, which could be described as threatening, to have been dispatched in the way that they were. The match illustrated two typical risks of unconstrained data matching:

  • technical problems leading to wrong individuals being identified; and
  • individuals being presumed guilty without having a chance to explain themselves.

Much of this report deals with the roles of agencies other than the Department for Courts. This is not to diminish the Department’s role or responsibility. The Department’s position was established very early in the piece and it indicated that it had no intention of repeating the match.[2] However, the larger picture only became apparent following further and more involved inquiries. In May 1999 I asked Robert Stevens, an Auckland barrister, to inquire into the matter on my behalf.

In particular, I was interested to know of the role of the Land Transport Safety Authority which maintains the motor vehicle register database on behalf of the Ministry of Transport. As the result of Mr Stevens’ preliminary inquiries, he also looked at the role of EDS (New Zealand) Limited which provided computer processing facilities in relation to both the motor vehicle register and the Department for Courts.

The balance of this report consists of Robert Stevens’ findings. A draft copy of his report was sent to the Department for Courts, LTSA, Ministry of Transport and EDS in April 2000 with final comments received in June. The comments received were shown to Mr Stevens and his opinion was sought. Mr Stevens considered that his report could stand and I agree. Indeed, a degree of disparity in the responses reinforces some of the concerns expressed in the report about a contractor holding data for one customer which is also used by another customer. It adds weight to the recommendation that the relevant contracts should contain a specific prohibition against amended or enhanced use of an agency’s data by or for another agency without the prior signed authorisation of the agency which provides the data to the contractor. A copy of Mr Stevens’ more detailed comments on the responses has already been sent to the four agencies.

From the information matching perspective, I am extremely concerned about departments seeking to undertake data matching which has not been authorised through Part X of the Act. It is quite at variance with the Government policy lying behind the establishment of Part X. It makes little sense that Cabinet should authorise some public sector data matching subject to strict controls while officials take it upon themselves to initiate other significant matching totally unregulated by Part X. If public confidence is to be maintained in the fair handling of public sector information and in the responsible use of data matching, it is critical that departments go through the rigorous process of justification and assessment in establishing a programme and that the practice be authorised at the highest level. Officials are sometimes too quick to downplay the technical difficulties of the matching process, overstate the benefits and disregard the effects on individuals. The processes involved in Part X authorised programmes ensure that shortcuts are not taken and that significant public benefits are achieved in an entirely fair manner. It is important that data matching is not seen as proof of anything. It merely establishes information that needs to be followed up before any conclusions are drawn. People should not be presumed guilty on the evidence of computer match.

There are other important findings in the report. I commend it for careful consideration by you, all players in this particular episode, and other departments who might wish to undertake matching in the future. There are lessons also to be learned about the multiple uses of government databases. Confidence in Government is threatened whenever information is used otherwise than in accordance with good information practices and respect for information privacy.

Privacy is not concerned solely with security – although that was a significant issue in this case – but also in such principles as checking information for accuracy or to see if it is relevant, up to date and not misleading before using it.

As a final point, I should say that there may be a sensible case for matching the motor vehicle register against the list of fines defaulters. If there is, the case ought to be assessed in the usual way. Amongst other things, this will look at the cost benefit of doing so given that the Department has had, for several years, authority to undertake matching with data of much higher quality held by DWI and IRD. It would also ensure that all technical aspects are thoroughly gone into to ensure that the resultant discrepancies are more reliable than appeared to have been the case on this occasion.

Recommendations

Mr Stevens offered three recommendations with which I concur and comment as follows.

  • A contract between a public sector agency and data processing contractor contain a specific prohibition upon any amended or enhanced use of that agency’s data by or for another agency, without the prior signed authorisation of the agency which provides the data to the contractor. The Privacy Commissioner might endorse that recommendation as a prudent step for an agency in complying with information privacy principle 5(b) and write to privacy officers of public sector agencies accordingly.

Comment: I endorse the recommendations. I will bring the matters uncovered by this inquiry, and the lessons to be learned, to a wider audience including privacy officers. Furthermore I have drawn the report to the attention of the State Services Commission, so that it may influence State agencies entering into outsourcing contracts.

  • The Privacy Commissioner encourage the Ministry of Transport to check its arrangements with LTSA for the handling of personal data by LTSA as agent for the Ministry, and to establish a procedure whereby LTSA must at least inform the Ministry of its plans prior to any change to the uses of the data.

Comment: The recommendation has already been put to the Ministry of Transport and LTSA and this report is being presented to the Minister of Transport. The Secretary for Transport has responded that the Ministry has been working with LTSA since 1998 to put into place administrative procedures to improve privacy safeguards. I am told that this has included more stringent controls in user contracts.

  • The Privacy Commissioner take steps, either directly or through the appropriate Ministers, to bring to the attention of middle management in public sector agencies the understanding with Government that new information matchingprogrammes will not be commenced without specific statutory authority.

Comment: This reflects an aspect of these events that I view with particular concern. If the Privacy Act’s information matching controls and safeguards are to work effectively for the benefit of individuals and governments it is essential that officials seek authorisation in the way anticipated by the legislation. It was clear in 1991 that information matching programmes in existence were to be brought within the statutory framework of the Privacy Act and that thereafter new programmes were to be authorised by primary legislation. Most departments understand this and the processes for authorising new matches, involving an information matching privacy impact assessment, Cabinet approval and legislative authority, have been used on a number of occasions to authorise important new programmes. Indeed the Department for Courts itself has been involved in having matches authorised in the proper way. I have become concerned in recent years about initiatives by some officials and others to short circuit information matching safeguards and to establish matching programmes on some informal basis. It is deceptively attractive to think that computers can infallibly sort out matters affecting real people. I will disseminate this report to officials involved in the management of information in the public sector. I have discussed with the Ministry of Justice plans to enhance my data matching compliance activities in the coming year.

B H Slane

Privacy Commissioner

25 August 2000

Report by Robert Stevens as to Inquiries into Information Matching by Department for Courts with the Motor Vehicle Register

in June/July 1998

1Background

1.1I was asked to carry out a brief inquiry into the events in June or July 1998 by which the Department for Courts (“Courts”) used an information matching exercise with the Motor Vehicle Register in an attempt to locate updated addresses for some of their debtors. The Office of the Privacy Commissioner had already been in touch with Courts about this matter from August 1998 to January 1999, and the aspect then being explained by the Department was the action which it had taken upon receiving what appeared to be useful data. It emerged that the data was not nearly as dependable as the Department assumed, so that the confidently overbearing tone of its communications with the people thus “matched” was inappropriate and resulted in what the press called “red faces”.

1.2It seems that with all information matching “the devil is in the details”, and what looks like a useful and even obvious use of another body of data quite often turns out to be troublesome. Here the problem appears to have arisen in the “algorithm”, which is the set of rules embodied in the computer program by which the computer determines when two entities in the separate bodies of data will be regarded as a “match” and thus proceed as if the two separate records relate to the same individual. In the past, Courts had regularly made one-off checks on entries in the Motor Vehicle Register where Courts had a record of the individual’s motor vehicle registration number. In the June/July information matching exercise, the Department for Courts automated the matching process and looked for “matches” on name and date of birth even where Courts had no record of the individual’s motor vehicle registration number. The algorithm was set to regard the Courts record as matching that of the Motor Vehicle Register where the surname, first name and at least the initial of a middle name matched, and where the date of birth in each record was not clearly different. Not all Motor Vehicle Register records contained a date of birth. The programme produced 3,967 matches for Courts debtors for whom Courts had no current address. Of these, 2,166 were cases where neither the name nor the date of birth was an exact match, but Courts considered that the “matches” were useable and wrote out to all 3,967 presumed debtors. Further details of the process and the subsequent press report are given at paragraphs 3.5 to 3.8 below.

1.3The focus of my inquiry was not on the Department for Courts, but on the keeper of the Motor Vehicle Register. The register is kept by Land Transport Safety Authority (“LTSA”) as contracted agent of the Ministry of Transport. Because information matching almost always involves comparing a whole file with a list of individuals of interest, it seemed likely that the keeper of the Motor Vehicle Register would have had to make a copy of its entire register available to Courts; if that had occurred, it would raise questions about the security safeguards operated by LTSA or about the authority which it had or assumed itself to have in giving others access to the register on a more or less wholesale basis.

2Persons contacted

2.1The inquiry was commenced by a letter from the Privacy Commissioner to Reg Barrett, the Director of the LTSA.[3] This was followed by a letter from me to Mr Barrett, posing a list of questions and suggesting that the Director might nominate a member of staff to provide me with further information or clarification as required. The LTSA’s response came from Tony West, Manager Special Projects. I subsequently had correspondence and telephone conversations with Mr West. I then went back to Helen Duckworth, who is the manager of the Call Centre for the Department for Courts, to approach the matter by asking Courts what processes had been followed by Courts staff in arranging the matching exercise, and I followed through by talking first with Graham Robb and then with Nick Dixie, both of the Department for Courts.

2.2At the Department for Courts, I later had telephone discussions with Murray Short, General Manager Collections, and met with Mike Neilson, Business Improvement and Support Manager Collections.

2.3Towards the end of the inquiry I obtained copies of the service contracts between EDS and the Department for Courts, and EDS and the LTSA, and then met with Ray Upton, the Account Executive at EDS (New Zealand) Ltd with special responsibility for the company's work with Law Enforcement Systems in New Zealand.

3Conclusions as to what happened

3.1As far as I have been able to determine, the Department for Courts did not involve LTSA at all in the preparations for, or operation of, this matching exercise. The initiative for the match came from Courts, who were looking around for ways of improving their ability to trace debtors. A suggestion was made to the persons in Courts who manage their computer systems, and those persons worked with EDS to devise and implement the match on a “one off” basis, utilising the access which Courts already had through EDS to a copy of the Motor Vehicle Register.

3.2The Motor Vehicle Register exists in two or more forms. There is a simple form which has been going for many years (which is probably the one I have heard referred to as “the DOS version”) and Courts have routine access to what is apparently a full electronic copy of this version. A more modern and complex version of the Register also exists, incorporating additional data such as the vehicle history, but that does not seem to have been involved here. The copy of the register accessed by Courts is actually kept by EDS on contract to LTSA. EDS also maintains and operates the computer systems of Courts, and I understand that the systems of LTSA and of Courts are kept at the same location and on the same computer hardware.

3.3The copy of the Motor Vehicle Register made available to Courts is regularly updated with changes as new or replacement data is fed in. Courts have access to these incoming changes, but the files of changes given to Courts are destroyed once the copy Register has been successfully updated. The Register records against each entry the date of last change to that entry.

3.4The Motor Vehicle Register is arranged by a vehicle identifier. Apart from the several vehicle identifiers, it records the name and address and gender of the current owner. At some point in recent years the owner’s date of birth was added to the information collected upon registration or re-registration, and this item of information is shown on the simple version of the Register as well as upon the fuller version. Date of birth for the registered owner is being added to the register as changes in the ownership of a vehicle are registered.