Key Takeaways:
- The Royal Oak Pak’nSave store in Auckland has been named and shamed by the Privacy Commissioner for breaching customer privacy.
- The store, along with another Pak’nSave store in Clendon, failed to have adequate oversight of third-party security providers, leading to the sharing of customer images and allegations of theft or criminal activity.
- The incidents resulted in reputational and emotional harm to two individuals, including former Green MP Golriz Ghahraman.
- The Privacy Commissioner has called for businesses to ensure that privacy obligations are explicit, enforceable, and routinely monitored when engaging third-party agents.
- Foodstuffs North Island, the owner of the Pak’nSave stores, has apologized and taken remedial action, including training for store workers and security contractors.
Introduction to the Incident
The Royal Oak Pak’nSave store in Auckland has been formally named and shamed by the Privacy Commissioner for breaching customer privacy. The store, along with another Pak’nSave store in Clendon, failed to have adequate oversight of third-party security providers, leading to the sharing of customer images and allegations of theft or criminal activity. This incident has raised concerns about the handling of personal information and the importance of ensuring that businesses have adequate safeguards in place to protect customer privacy.
The Incidents at Pak’nSave Stores
At the Pak’nSave Royal Oak store, a security guard took a photo of someone in October 2024 for surveillance, which was then published online accusing the individual of shoplifting. This led to the individual facing harassment and threats. Similarly, at the Pak’nSave Clendon store, a store employee instructed a security contractor to record CCTV footage of an alleged theft on their personal phone, which was then shared on social media alongside allegations of theft. These incidents resulted in reputational and emotional harm to two individuals, including former Green MP Golriz Ghahraman.
Privacy Commissioner’s Findings
The Privacy Commissioner, Michael Webster, found that both stores lacked important safeguards that retailers should have in place when allowing third-party providers access to sensitive information such as surveillance information. The commissioner noted that Pak’nSave Royal Oak had no written contract with its security provider, which meant that the store had no way to make the provider comply with privacy obligations. At the Clendon supermarket, the commissioner found that there was a written contract, but it had only a generic confidentiality clause and no enforceable privacy obligations.
Response from Foodstuffs North Island
Foodstuffs North Island, the owner of the Pak’nSave stores, has apologized and taken remedial action, including training for store workers and security contractors. The company acknowledged that the incidents involved separate and isolated actions taken by third-party security guards, and that their behavior did not meet the standards set for anyone working in their stores. Foodstuffs North Island has also clarified and enforced responsibilities for workers handling security footage and has committed to ensuring that its systems and oversight remain strong to prevent similar incidents from occurring in the future.
Importance of Privacy Safeguards
The incident highlights the importance of ensuring that businesses have adequate safeguards in place to protect customer privacy. The Privacy Commissioner has called for businesses to ensure that privacy obligations are explicit, enforceable, and routinely monitored when engaging third-party agents. This includes having written contracts with clear privacy obligations, providing training to security workers, and having procedures in place for escalating and investigating privacy breaches. By taking these steps, businesses can help to prevent similar incidents from occurring and maintain public confidence in how personal information is handled.
Conclusion
The naming and shaming of the Royal Oak Pak’nSave store by the Privacy Commissioner serves as a reminder to businesses that outsourcing does not outsource accountability. Businesses must ensure that they have adequate safeguards in place to protect customer privacy, including having written contracts with clear privacy obligations, providing training to security workers, and having procedures in place for escalating and investigating privacy breaches. By taking these steps, businesses can help to prevent similar incidents from occurring and maintain public confidence in how personal information is handled.
