An Immigration New Zealand staff member who resigned after being caught looking at client files and passing on information without authority joined the Ministry of Justice, where she was investigated for the same thing.
After a lengthy inquiry that ended in May, the ministry said a staff member had accessed confidential client information in a way that it "cannot relate to a valid business reason", but was not able to establish who did it.
In a letter to the complainant, the ministry said the information was accessed from its Auckland call centre.
"The information could be accessed if a person requests their own information under the Privacy Act 1993 or if an authorised third party requests the information," the ministry said in the letter.
"However, we cannot relate the access to a valid business reason."
The ministry said the access occurred on October 18 last year, but investigations found it had been a problem with compliance rather than with the ministry's processes.
"We have not been able to establish who accessed the information ... because staff at the site concerned did not comply with the ministry's policy that they keep passwords completely confidential," the ministry said.
"This has made the investigation take longer than it otherwise would have. As a result, the failure to follow the ministry's policies has been taken up formally with all staff concerned."
The Herald understands several staff in the ministry shared passwords and had them written on post-it note sheets stuck by their work computers.
On Wednesday, the Herald reported that one immigration staff member resigned after the agency found nine staff had accessed client records without authorisation.
The woman who has been investigated by the Justice Ministry is not the same as the one in that report, whose case came up at a later date.
The complainant, who did not want to be named, said he believed the practice of "looking into confidential stuff" has been "going on for years" at government agencies.
He did not think the agencies were doing enough to prevent unauthorised access, and did not feel confident his personal information was being kept confidential.
The ministry's acting general manager of collections, Jacquelyn Shannon, said she could not comment, as the incident related to an individual.
"We are clear with all staff that access to personal information without a legitimate business purpose is unacceptable and grounds for disciplinary action, and we can track access to our systems," Ms Shannon said.
"At the point of hiring, we conduct criminal record and reference checks and all staff sign a code of conduct with clear expectations around privacy."
Ms Shannon said she was not aware of any other unauthorised personal file access by staff in the past 12 months.
The Privacy Act requires agencies to protect personal information from unauthorised access or disclosure.