Talent2 privacy breach: Schools sent wrong emails

Photo / Thinkstock

The company behind the flawed Novopay system has sent a number of schools the wrong emails about yet-to-be-processed actions regarding their payrolls.

The Acting Secretary for Education, Peter Hughes, blamed human error for the privacy breach, which the Ministry of Education has reported to the Privacy Commissioner.

Mr Hughes says a Talent2 employee made the mistake when doing a mail merge and about 1600 schools are involved. The emails were supposed to be a proactive way of advising schools of payroll changes that are being worked on.

"In simple terms, the pay administrators at these schools have received the names and Ministry of Education numbers for staff at another school, instead of their own, along with the transaction number for the outstanding issue," said Mr Hughes.

He said 5600 transactions were covered in the emails. Of these, 3400 identified an individual and about 40 of those had other limited personal information such as the dollar amount of an advance or underpayment, information about a relationship with another agency or circumstances such as parental leave.

"I treat this very seriously and sincerely apologise to those schools and staff."

Mr Hughes says although it was a case of human error, he is very disappointed it happened and has spoken to Talent2 who have also apologised.

"Privacy requirements are set out in our contract with Talent2, and in this case they have clearly failed to meet the terms of the contract and I have taken that up with their CEO.

"I have asked for a full review and report from him to make sure everything is done to help prevent any repeat of this sort of thing."

Mr Hughes said the pay administrators who received the incorrect emails are authorised users of the Novopay payroll system and have been asked to delete the incorrect email.

"They're a respected and professional group of people who deal with personal information daily and I expect they will do the right thing."

Labour education spokesman Chris Hipkins said breach was "outrageous".

"It's mind-boggling actually. What is it going to take before the Government finally start to take these privacy issues seriously and put in place preventative measures so that we are not continually confronted with more and more examples of people's private information being splashed all over the place because of inappropriate use of emails?

"I think people have had an absolute gutsful of the whole Novopay situation - this is yet another slap in the face."

Mr Hipkins said the dynamic between the Australian company Talent2 who supply Novopay and the Education Ministry is a "shambles".

It is the second privacy breach involving the Ministry of Education in a week.

On Friday the wrong letter was attached to an email about a child being accepted into a residential school.

Green Party co-leader Metiria Turei called on Education Minister Hekia Parata to front up over the latest error with Minister Responsible for Novopay Steven Joyce in China.

"It's always been clear Talent2 are not competent to handle this kind of information because they've had such difficulty managing it up to this point.

"It's no surprise that given the Government's IT systems are so slack anyway that the protection of personal information is clearly not a priority for the ministry when they were negotiating a contract.''