Key Takeaways
- Two Pak’nSave stores in Auckland have been found to have breached the Privacy Act for failing to provide adequate oversight of their third-party security providers.
- The breach involved security guards sharing images of customers, accompanied by allegations of theft or criminal activity, which put the individuals at risk of harassment and reputational harm.
- The Privacy Commissioner has emphasized the importance of retailers having safeguards in place when allowing third-party providers access to sensitive information.
- Foodstuffs North Island Limited, the co-op lead for the two stores, is working with the Privacy Commissioner to implement remedial actions, including training for store personnel and security contractors on privacy obligations.
Introduction to the Breach
The Privacy Commissioner has slammed two Pak’nSave stores in Auckland, Pak’nSave Clendon and Pak’nSave Royal Oak, for breaching the Privacy Act. The breach occurred when third-party security guards, engaged to work in the stores, shared images of customers, accompanied by allegations of theft or criminal activity. This incident has raised concerns about the lack of oversight and safeguards in place when retailers allow third-party providers access to sensitive information. The Privacy Commissioner, Michael Webster, has emphasized that the decision to name the two individual stores is a significant step, taken due to the seriousness of the issues and their public interest.
Consequences of the Breach
The incident involved security guards sharing images of customers, which put the individuals at risk of harassment and reputational harm. The Privacy Commissioner has stated that the stores lacked important safeguards that retailers should have in place when allowing third-party providers access to sensitive information. This lack of oversight has resulted in a heightened risk of harm to the individuals whose images were shared. The Privacy Commissioner has also found similar issues of concern where both stores did not meet expectations set out in the Privacy Act relating to the storage and security of information.
Response from the Privacy Commissioner
The Privacy Commissioner has emphasized the importance of agencies engaging third-party agents who access or operate surveillance or loss-prevention technologies, such as CCTV, to ensure that privacy obligations are explicit, enforceable, and routinely monitored to prevent harm. Webster has stated that outsourcing functions does not outsource accountability and that contractors handling personal information must have clear, enforceable, and actively managed privacy expectations. The Privacy Commissioner is working with Foodstuffs North Island Limited, the co-op lead for the two stores, to implement remedial actions, including training for store personnel and security contractors on privacy obligations.
Response from Foodstuffs North Island Limited
Foodstuffs North Island Limited has acknowledged the Office of the Privacy Commissioner’s findings and has stated that it takes its responsibilities under the Privacy Act seriously. The company has emphasized that the two incidents involved separate and isolated actions taken by third-party security guards, whose behavior did not meet the standards set for anyone working in their stores. Foodstuffs North Island Limited has also stated that both stores have co-operated fully with the Privacy Commission throughout its inquiries and that additional training has been completed for all security team members and contractors who handle personal information. Updated written agreements are now in place with every security contractor, and the company’s expectations on them are clear.
Conclusion and Recommendations
The breach of the Privacy Act by the two Pak’nSave stores in Auckland highlights the importance of retailers having safeguards in place when allowing third-party providers access to sensitive information. The Privacy Commissioner’s response emphasizes the need for agencies to ensure that privacy obligations are explicit, enforceable, and routinely monitored to prevent harm. Foodstuffs North Island Limited’s response acknowledges the shortcomings and emphasizes the company’s commitment to protecting customer privacy. The incident serves as a reminder to businesses that outsourcing functions does not outsource accountability and that contractors handling personal information must have clear, enforceable, and actively managed privacy expectations.