Oranga Tamariki Privacy Breaches Put Children and Families at Risk
Oranga Tamariki (OT) is facing criticism for serious privacy failures that have harmed children and families. A recent review revealed that OT staff wrongly shared sensitive personal information, leading to dangerous situations.
In one case, a staff member took a screenshot of a mother’s file and sent it to the child’s father. The father, who had a history of violence, used the information to find the mother and hurt her again. In another case, a family meeting was secretly recorded, and a video of a child speaking was posted online.
The review found more troubling incidents. In one, a social worker gave the address of a child and their mother to the child’s father, even though he was out on bail for allegedly raping someone. In another case, someone mistakenly sent interview notes with abuse claims against a child’s mother to the child’s grandmother. Staff members accessed children’s personal information and shared it with their own families. A psychologist improperly disposed of client files, which a road worker later found dumped. In another case, a charity received a locked cabinet full of client and staff files, but it was later thrown into a skip.
The review described OT’s privacy practices as careless. Staff often ignored privacy rules, seeing them as a hassle. Some admitted they disliked the rules and failed to understand that protecting privacy also protects children. The review found that employees often used personal phones to record private information without any security. Trainees and other unauthorized people could easily access sensitive files. In some cases, staff carelessly added children’s private information to unrelated requests and shared it with a wide group.
The report also revealed that OT’s main database, CYRAS, had weak security. Although the agency could have added extra protections, it chose not to. The agency gave staff access to the database before they completed their training, making the system vulnerable.
Between 2022 and 2023, OT reported 35 serious privacy breaches to the Privacy Commissioner. However, the review warned that many more breaches likely went unreported. Staff admitted that privacy failures often slipped through the cracks due to poor monitoring.
Despite these serious issues, OT failed to act quickly. The review stated that the agency reacted too slowly, stepping in only after people were already harmed.
After the review, OT promoted Philip Grady to Chief Privacy Officer to fix these problems. OT claims it has not had any major privacy breaches in the past year.
To improve, OT has created a privacy plan and formed a group to monitor it. The agency has promised to review its privacy practices again next year.
However, the report warned that unless OT makes big changes, children and families will continue to be at risk.ach to privacy, children and families will remain at risk.
