Privacy Commissioner notified following ‘technical issue’ with police incident management tool

By Sam Sherwood of RNZ

A “technical issue” with police’s incident management tool may have led to sensitive information that was supposed to be redacted during disclosure being made visible.

An investigation is underway into the extent of the issue and the Police Minister and Office of the Privacy Commissioner have been notified.

RNZ understands police have recently contacted lawyers of defendants advising them of the issue.

An email seen by RNZ says a technical issue with police’s Incident Management Tool (IMT) had been discovered that resulted in some redacted documents produced since December 4 not being correctly processed by the system.

This meant that information that was supposed to be redacted could become visible.

The lawyers were advised to retrieve the disclosure packages from their clients or request deletion of the email.

They were also told to advise them that they must comply with the Lawyers and Conveyancers Act which included not disclosing information that would be likely to place a person’s health or safety at risk.

In response to questions from RNZ, Acting Assistant Commissioner Investigations, Serious and Organised Crime Keith Borrell said that on December 15 the disclosure functionality of Police’s IMT was placed on hold after a “technical issue” was identified.

“Information that had been redacted could potentially be made visible to justice sector partners.

“Police’s ICT department tested and applied a fix, enabling functionality to resume yesterday.

“Emails are being sent directly to officers and file managers in charge of cases affected by the issue, with clear instructions on action that needs to be taken.”

Police had notified the Office of the Privacy Commissioner and continued to investigate the extent of the issue, Borrell said.

Police Minister Mark Mitchell said it was “disappointing and concerning this error has occurred”.

“I expect Police to take all necessary steps to understand what happened, and to ensure it cannot happen again.”

Chief Victims Advisor Ruth Money told RNZ she had contacted police asking for information on what had happened and what actions police were taking regarding both at-risk victims and victims and witnesses in general who have been affected.

A spokesperson for the Office of the Privacy Commissioner confirmed to RNZ police notified them of a privacy breach on December 16, 2025.

“The Privacy Act sets out that agencies are required to notify the Office of the Privacy Commissioner as soon as they are aware of breaches that they have assessed as ‘serious harm’.

“As with any breach, Police will need to investigate so they can fully understand the size and scope of the breach and its impact on New Zealanders. It’s possible that further investigation of a breach could result in an initial assessment of serious harm being downgraded.”

The commissioner’s initial focus was to “support agencies who have experienced a breach with advice on how to minimise the harm to any people affected”.

-RNZ