Unauthorised information matching between Department for Courts and motor vehicle register

Report to the Ministers of Justice, Courts and Transport in relation to an inquiry into events surrounding unauthorised information matching programme operated in mid-1998

25 August 2000

REPORT TO MINISTER IN RELATION TO AN INQUIRY INTO
AN UNAUTHORISED INFORMATION MATCHING PROGRAMME
Introduction by the Privacy Commissioner
In the New Zealand Herald of 30 July 1998 Aucklanders read of a major mail-out error whereby
cards warning people that they had “48 hours” to pay fines or face penalties had been wrongly
sent out to up to 4,000 people. The Department candidly admitted that a different form of data
matching had been used and while the Department had tried to be “a little clever” it hadn’t
worked.1
My staff took the matter up with the Department and ascertained that the list of fines defaulters
had been matched against personal details on the motor vehicle register. Data problems had
been encountered which were not discovered or resolved prior to the mail-out. My office had
been unaware that the Department was intending to undertake such data matching and it had
not been authorised in the normal way whereby statutory authority would have been obtained
with the programme listed as an “authorised information matching programme” subject to the
procedures and safeguards in Part X of the Privacy Act 1993.
The actions of the Department for Courts were of concern to me. The Department was well
aware of the processes for evaluating and authorising information matching programmes to be
brought under Part X as it had been involved in seeking and obtaining authorisation for matches
with both the social security and tax departments. It had been involved in inter-departmental
and Cabinet committee processes relating to other matching proposals. The unilateral action in
undertaking significant information matching without bringing the programme within Part X
represents a major risk to privacy. Had the programme been authorised under Part X it would
have been established in such a way that the significant data quality problems would have been
discovered and avoided. Nor would it have been possible for notices, which could be described
as threatening, to have been dispatched in the way that they were. The match illustrated two
typical risks of unconstrained data matching:
• technical problems leading to wrong individuals being identified; and
• individuals being presumed guilty without having a chance to explain themselves.
Much of this report deals with the roles of agencies other than the Department for Courts. This
is not to diminish the Department’s role or responsibility. The Department’s position was
established very early in the piece and it indicated that it had no intention of repeating the
match.2 However, the larger picture only became apparent following further and more involved
inquiries. In May 1999 I asked Robert Stevens, an Auckland barrister, to inquire into the matter
on my behalf.
In particular, I was interested to know of the role of the Land Transport Safety Authority which
maintains the motor vehicle register database on behalf of the Ministry of Transport. As the
result of Mr Stevens’ preliminary inquiries, he also looked at the role of EDS (New Zealand)
Limited which provided computer processing facilities in relation to both the motor vehicle
register and the Department for Courts.
1 The press clipping and the Department for Courts’ explanations are appended to this report.
2 Letter from Department for Courts to Office of the Privacy Commissioner, 22 January 1999.
The balance of this report consists of Robert Stevens’ findings. A draft copy of his report was
sent to the Department for Courts, LTSA, Ministry of Transport and EDS in April 2000 with
final comments received in June. The comments received were shown to Mr Stevens and his
opinion was sought. Mr Stevens considered that his report could stand and I agree. Indeed, a
degree of disparity in the responses reinforces some of the concerns expressed in the report
about a contractor holding data for one customer which is also used by another customer. It
adds weight to the recommendation that the relevant contracts should contain a specific
prohibition against amended or enhanced use of an agency’s data by or for another agency
without the prior signed authorisation of the agency which provides the data to the contractor.
A copy of Mr Stevens’ more detailed comments on the responses has already been sent to the
four agencies.
From the information matching perspective, I am extremely concerned about departments
seeking to undertake data matching which has not been authorised through Part X of the Act.
It is quite at variance with the Government policy lying behind the establishment of Part X. It
makes little sense that Cabinet should authorise some public sector data matching subject to
strict controls while officials take it upon themselves to initiate other significant matching totally
unregulated by Part X. If public confidence is to be maintained in the fair handling of public
sector information and in the responsible use of data matching, it is critical that departments go
through the rigorous process of justification and assessment in establishing a programme and
that the practice be authorised at the highest level. Officials are sometimes too quick to
downplay the technical difficulties of the matching process, overstate the benefits and disregard
the effects on individuals. The processes involved in Part X authorised programmes ensure that
shortcuts are not taken and that significant public benefits are achieved in an entirely fair
manner. It is important that data matching is not seen as proof of anything. It merely establishes
information that needs to be followed up before any conclusions are drawn. People should not
be presumed guilty on the evidence of a computer match.
There are other important findings in the report. I commend it for careful consideration by you,
all players in this particular episode, and other departments who might wish to undertake
matching in the future. There are lessons also to be learned about the multiple uses of
government databases. Confidence in Government is threatened whenever information is used
otherwise than in accordance with good information practices and respect for information
privacy.
Privacy is not concerned solely with security – although that was a significant issue in this case –
but also with such principles as checking information for accuracy or to see if it is relevant, up to
date and not misleading before using it.
As a final point, I should say that there may be a sensible case for matching the motor vehicle
register against the list of fines defaulters. If there is, the case ought to be assessed in the usual
way. Amongst other things, this will look at the cost benefit of doing so given that the
Department has had, for several years, authority to undertake matching with data of much
higher quality held by DWI and IRD. It would also ensure that all technical aspects are
thoroughly gone into to ensure that the resultant discrepancies are more reliable than appeared
to have been the case on this occasion.
Recommendations
Mr Stevens offered three recommendations with which I concur and comment as follows.
• A contract between a public sector agency and data processing contractor contain a specific prohibition upon
any amended or enhanced use of that agency’s data by or for another agency, without the prior signed
authorisation of the agency which provides the data to the contractor. The Privacy Commissioner might
endorse that recommendation as a prudent step for an agency in complying with information privacy
principle 5(b) and write to privacy officers of public sector agencies accordingly.
Comment: I endorse the recommendations. I will bring the matters uncovered by this
inquiry, and the lessons to be learned, to a wider audience including privacy officers.
Furthermore I have drawn the report to the attention of the State Services Commission,
so that it may influence State agencies entering into outsourcing contracts.
• The Privacy Commissioner encourage the Ministry of Transport to check its arrangements with LTSA for
the handling of personal data by LTSA as agent for the Ministry, and to establish a procedure whereby
LTSA must at least inform the Ministry of its plans prior to any change to the uses of the data.
Comment: The recommendation has already been put to the Ministry of Transport and
LTSA and this report is being presented to the Minister of Transport. The Secretary for
Transport has responded that the Ministry has been working with LTSA since 1998 to put
into place administrative procedures to improve privacy safeguards. I am told that this
has included more stringent controls in user contracts.
• The Privacy Commissioner take steps, either directly or through the appropriate Ministers, to bring to the
attention of middle management in public sector agencies the understanding with Government that new
information matching programmes will not be commenced without specific statutory authority.
Comment: This reflects an aspect of these events that I view with particular concern. If
the Privacy Act’s information matching controls and safeguards are to work effectively for
the benefit of individuals and governments it is essential that officials seek authorisation in
the way anticipated by the legislation. It was clear in 1991 that information matching
programmes in existence were to be brought within the statutory framework of the
Privacy Act and that thereafter new programmes were to be authorised by primary
legislation. Most departments understand this and the processes for authorising new
matches, involving an information matching privacy impact assessment, Cabinet approval
and legislative authority, have been used on a number of occasions to authorise important
new programmes. Indeed the Department for Courts itself has been involved in having
matches authorised in the proper way. I have become concerned in recent years about
initiatives by some officials and others to short circuit information matching safeguards
and to establish matching programmes on some informal basis. It is deceptively attractive
to think that computers can infallibly sort out matters affecting real people. I will
disseminate this report to officials involved in the management of information in the
public sector. I have discussed with the Ministry of Justice plans to enhance my data
matching compliance activities in the coming year.
B H Slane
Privacy Commissioner
25 August 2000
Report by Robert Stevens as to Inquiries into Information Matching by
Department for Courts with the Motor Vehicle Register
in June/July 1998
1 Background
1.1 I was asked to carry out a brief inquiry into the events in June or July 1998 by which the
Department for Courts (“Courts”) used an information matching exercise with the
Motor Vehicle Register in an attempt to locate updated addresses for some of their
debtors. The Office of the Privacy Commissioner had already been in touch with
Courts about this matter from August 1998 to January 1999, and the aspect then being
explained by the Department was the action which it had taken upon receiving what
appeared to be useful data. It emerged that the data was not nearly as dependable as the
Department assumed, so that the confidently overbearing tone of its communications
with the people thus “matched” was inappropriate and resulted in what the press called
“red faces”.
1.2 It seems that with all information matching “the devil is in the details”, and what looks
like a useful and even obvious use of another body of data quite often turns out to be
troublesome. Here the problem appears to have arisen in the “algorithm”, which is the
set of rules embodied in the computer program by which the computer determines
when two entities in the separate bodies of data will be regarded as a “match” and thus
proceed as if the two separate records relate to the same individual. In the past, Courts
had regularly made one-off checks on entries in the Motor Vehicle Register where
Courts had a record of the individual’s motor vehicle registration number. In the
June/July information matching exercise, the Department for Courts automated the
matching process and looked for “matches” on name and date of birth even where
Courts had no record of the individual’s motor vehicle registration number. The
algorithm was set to regard the Courts record as matching that of the Motor Vehicle
Register where the surname, first name and at least the initial of a middle name matched,
and where the date of birth in each record was not clearly different. Not all Motor
Vehicle Register records contained a date of birth. The programme produced 3,967
matches for Courts debtors for whom Courts had no current address. Of these, 2,166
were cases where neither the name nor the date of birth was an exact match, but Courts
considered that the “matches” were useable and wrote out to all 3,967 presumed
debtors. Further details of the process and the subsequent press report are given at
paragraphs 3.5 to 3.8 below.
1.3 The focus of my inquiry was not on the Department for Courts, but on the keeper of
the Motor Vehicle Register. The register is kept by Land Transport Safety Authority
(“LTSA”) as contracted agent of the Ministry of Transport. Because information
matching almost always involves comparing a whole file with a list of individuals of
interest, it seemed likely that the keeper of the Motor Vehicle Register would have had
to make a copy of its entire register available to Courts; if that had occurred, it would
raise questions about the security safeguards operated by LTSA or about the authority
which it had or assumed itself to have in giving others access to the register on a more
or less wholesale basis.
2 Persons contacted
2.1 The inquiry was commenced by a letter from the Privacy Commissioner to Reg Barrett,
the Director of the LTSA.3 This was followed by a letter from me to Mr Barrett, posing
a list of questions and suggesting that the Director might nominate a member of staff to
provide me with further information or clarification as required. The LTSA’s response
came from Tony West, Manager Special Projects. I subsequently had correspondence
and telephone conversations with Mr West. I then went back to Helen Duckworth, who
is the manager of the Call Centre for the Department for Courts, to approach the matter
by asking Courts what processes had been followed by Courts staff in arranging the
matching exercise, and I followed through by talking first with Graham Robb and then
with Nick Dixie, both of the Department for Courts.
2.2 At the Department for Courts, I later had telephone discussions with Murray Short,
General Manager Collections, and met with Mike Neilson, Business Improvement and
Support Manager Collections.
2.3 Towards the end of the inquiry I obtained copies of the service contracts between EDS
and the Department for Courts, and EDS and the LTSA, and then met with Ray Upton,
the Account Executive at EDS (New Zealand) Ltd with special responsibility for the
company's work with Law Enforcement Systems in New Zealand.
3 Conclusions as to what happened
3.1 As far as I have been able to determine, the Department for Courts did not involve
LTSA at all in the preparations for, or operation of, this matching exercise. The
initiative for the match came from Courts, who were looking around for ways of
improving their ability to trace debtors. A suggestion was made to the persons in Courts
who manage their computer systems, and those persons worked with EDS to devise and
implement the match on a “one off” basis, utilising the access which Courts already had
through EDS to a copy of the Motor Vehicle Register.
3.2 The Motor Vehicle Register exists in two or more forms. There is a simple form which
has been going for many years (which is probably the one I have heard referred to as
“the DOS version”) and Courts have routine access to what is apparently a full
electronic copy of this version. A more modern and complex version of the Register
also exists, incorporating additional data such as the vehicle history, but that does not
seem to have been involved here. The copy of the register accessed by Courts is actually
kept by EDS on contract to LTSA. EDS also maintains and operates the computer
systems of Courts, and I understand that the systems of LTSA and of Courts are kept at
the same location and on the same computer hardware.
3.3 The copy of the Motor Vehicle Register made available to Courts is regularly updated
with changes as new or replacement data is fed in. Courts have access to these incoming
changes, but the files of changes given to Courts are destroyed once the copy Register
has been successfully updated. The Register records against each entry the date of last
change to that entry.
3.4 The Motor Vehicle Register is arranged by a vehicle identifier. Apart from the several
vehicle identifiers, it records the name and address and gender of the current owner. At
some point in recent years the owner’s date of birth was added to the information
collected upon registration or re-registration, and this item of information is shown on
the simple version of the Register as well as upon the fuller version. Date of birth for
the registered owner is being added to the register as changes in the ownership of a
vehicle are registered.
3 Letter Privacy Commissioner to LTSA, 16 July 1999.
3.5 Realising that there would be difficulties in effecting a satisfactory match of debtors'
names with the details of owners shown in the Motor Vehicle Register, Courts arranged
for a matching programme to be drawn up incorporating an algorithm which would seek
out matches for three names (i.e. forename, middle name and surname, but not
necessarily in the same sequence) and for date of birth. The match was also to look for
a car registration number where this was known by Courts.
3.6 The next step was for Courts (or its computer contractor, EDS) to prepare a file of
Motor Vehicle Register data against which the list of debtors could be matched, using
the matching algorithm which had been thus developed. This appears to have been
done by combing through the copy of the Motor Vehicle Register to extract all entries
which had been updated since a certain cut-off date, which showed a date of birth
against the registered owner, and which showed at least three names for that owner. At
this point I should note that I may be wrong in some of these details, as certain things I
have been told seem inconsistent with my understanding of the events gleaned from
other sources, but the precise operational steps do not appear to be crucial for the
purpose of this inquiry. However they were compiled, these extracts were collated into
an offspring file against which the match was then operated. This preparation of a file
for matching, and development of an algorithm for the match process, are steps where I
would normally expect to see the two agencies who hold the respective data files cooperating to ensure that the match operates successfully; unusually, that does not seem
to have occurred in this case. I might add that it is also unusual for one agency to have
sufficient access to another agency’s computer records to be able to prepare a file for
matching without the assistance of the “holding” agency, but again that seems to be
what happened in this case.
3.7 The information matching operation produced five “levels” of results, according to the
number and degree of matched attributes as between the details shown in the Courts list
of debtors and the details shown in the Motor Vehicle Registry. The outcome of the
matching operation, in terms of these five levels, was set out in the letter of 7 September
1998 from Helen Duckworth to the office of the Privacy Commissioner. Courts did
carry out a manual and individual check of the match results, and the total matches
across all five levels was reduced from an initial 26,852 “raw hits” down to just 3,967
cases in which cards were sent out to the individuals concerned. Of the 3,967, more
than half (2,166) were in the lowest level of matching, where the surname and forename
matched and there was at least a matching initial letter of the middle name, there was
also “a near or null match” in the date of birth, but there was no match of vehicle
registration number. It is noteworthy that the communication sent out by Courts to the
3,967 individuals does not appear to have contemplated that the match result may have
been incorrect, and was instead a blunt and threatening notice that “48 hours is all the
time you have left to arrange payment of your outstanding fine. Your fine won’t go
away and you could face penalties for not paying. Call us 0800 … .”
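The lowest match level described in paragraph 3.7, sketched as an added example (this is not the programme run by Courts or EDS), shows how namesakes pass a rule of this kind and why such hits belong in a follow-up queue. Assumptions: the record layout, the reading of a “near” date of birth as differing in at most one of day, month or year, the stricter “exact” rule used for contrast, and all sample records, which are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Person:
    surname: str
    forename: str
    middle: str
    dob: Optional[date] = None  # not every register entry holds a date of birth


def _norm(text: str) -> str:
    return text.strip().upper()


def names_exact(a: Person, b: Person) -> bool:
    """All three names identical after normalisation."""
    return all(_norm(x) == _norm(y) for x, y in
               ((a.surname, b.surname), (a.forename, b.forename), (a.middle, b.middle)))


def names_loose(a: Person, b: Person) -> bool:
    """Surname and forename equal; middle names agree on at least the initial."""
    ia, ib = _norm(a.middle)[:1], _norm(b.middle)[:1]
    return (_norm(a.surname) == _norm(b.surname)
            and _norm(a.forename) == _norm(b.forename)
            and ia != "" and ia == ib)


def dob_near_or_null(a: Optional[date], b: Optional[date]) -> bool:
    """'Near or null': a missing date never rules a pair out (assumed reading)."""
    if a is None or b is None:
        return True
    differing = sum(x != y for x, y in
                    ((a.year, b.year), (a.month, b.month), (a.day, b.day)))
    return differing <= 1


def classify(debtor: Person, owner: Person) -> str:
    """Return 'exact', 'weak' (lowest level, no registration number) or 'none'."""
    if (names_exact(debtor, owner) and debtor.dob is not None
            and debtor.dob == owner.dob):
        return "exact"
    if names_loose(debtor, owner) and dob_near_or_null(debtor.dob, owner.dob):
        return "weak"
    return "none"


def run_match(debtors, register):
    """Pair every debtor with every register entry and bucket the hits."""
    hits = {"exact": [], "weak": []}
    for debtor in debtors:
        for owner in register:
            level = classify(debtor, owner)
            if level != "none":
                hits[level].append((debtor, owner))
    return hits


# Constructed sample data, not taken from the report.
DEBTORS = [Person("Smith", "John", "Andrew", date(1970, 3, 12))]
REGISTER = [
    Person("Smith", "John", "Alan"),                       # namesake, no date of birth
    Person("SMITH", "JOHN", "A", date(1970, 3, 21)),       # initial only, day differs
    Person("Smith", "John", "Andrew", date(1970, 3, 12)),  # same name and date
    Person("Smith", "John", "Andrew", date(1955, 7, 1)),   # same name, clearly different date
    Person("Smith", "Jane", "Andrew", date(1970, 3, 12)),  # different forename
]

if __name__ == "__main__":
    for level, pairs in run_match(DEBTORS, REGISTER).items():
        for debtor, owner in pairs:
            print(level, "->", owner)
```

Two of the five constructed register entries reach the “weak” bucket for a single debtor, one of them a different person by middle name; a process that treats that bucket as a list for manual checking rather than as a mailing list avoids addressing a notice to a namesake.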
3.8 An article in the New Zealand Herald on 30 July 1998 reported these events under the
headline “Red faces as namesakes sinbinned” and quoted a Courts spokesperson as
saying “This is a glitch. We were trying to do something a little clever but it hasn’t
worked. I guess there are some red faces as well as red cards. To people who are
wrongly sent a card, we do apologise.”
3.9 I understand that this matching exercise has not been repeated. I am not aware of any
final analysis of the number of mismatches among the 3,967 cases to which notices were
sent.
3.10 Despite the publication of press reports at the time, LTSA maintains that it was unaware
of this event until approached by the Privacy Commissioner and asked for an
explanation. The responses to me from Tony West have suggested that no possible fault
could lie with LTSA in relation to this matter, as “LTSA allows Courts access to the
Motor Vehicle Register as required by the Fifth Schedule of the Privacy Act”.
4 My observations
4.1 “Access to law enforcement information” under s.111 of the Privacy Act and the Fifth
Schedule does not mean that the accessing agency is entitled to have a copy of an entire
file put at its disposal. The Privacy Commissioner might consider it appropriate to seek
to have the terms of the Fifth Schedule made more precise through amendment to the
statute, or merely through direct contact with the limited number of agencies which
appear in the Fifth Schedule.
4.2 The Motor Vehicle Register is the responsibility of the Ministry of Transport. The
Ministry appears to have known nothing at all about this information matching exercise.
The arrangement between the Ministry and LTSA for the custody and operation of the
Register might warrant re-examination by the Ministry in this regard.
4.3 Either LTSA knew in advance and authorised the Courts use of the information in the
Motor Vehicle Register for information matching to identify addresses of Courts’
debtors, or this use was “unauthorised” by LTSA. LTSA maintains through Tony West
that it had no prior knowledge of the information matching and gave no authorisation
for it. The fact that EDS assisted Courts in the information matching suggests that EDS
did not feel that such activity, although not authorised by LTSA, was prohibited. EDS
was able to believe that there was no prohibition upon this new use of information in
the Motor Vehicle Register because LTSA had not made clear in its contract and other
communications with EDS that such new uses were not to be allowed without express
authorisation from LTSA. EDS told me that they considered the enhanced use of the
Motor Vehicle Register information by Courts as falling within the use permitted by the
Fifth Schedule of the Privacy Act. In my view this should not have been a matter for
EDS to decide, and it should have been made clear in LTSA’s contract and operational
instructions that any such change required specific authorisation. This looks to me like a
prima facie breach of information privacy principle 5(b)4 on the part of LTSA.
4 Information privacy principle 5 provides:
“An agency that holds personal information shall ensure
(a) That the information is protected, by such security safeguards as it is reasonable in the circumstances to take, against
(i) Loss; and
(ii) Access, use, modification, or disclosure, except with the authority of the agency that holds the information; and
(iii) Other misuse; and
(b) That if it is necessary for the information to be given to a person in connection with the provision of service to
the agency, everything reasonably within the power of the agency is done to prevent unauthorised use or
authorised disclosure of the information.”
4.4 It might also be argued that, simply in providing the information of the Motor Vehicle
Register in the form of an entire electronic copy (with consequent ease of use for other
purposes and in new ways), the LTSA is similarly failing to take reasonable security
safeguards against misuse of the information, in breach of information privacy principle
5(a)(iii).
4.5 Unless s.111 of the Privacy Act, or any provision of the statute under which the Motor
Vehicle Register is maintained, is understood to require transmission of the Register’s
personal information to Courts by electronic means, the LTSA practice of giving access
by means of an entire computer file made available to Courts would seem to be a breach
of public register privacy principle 3.
4.6 Increased contracting out to the private sector can be expected to produce more
instances of one contractor handling the personal information held by two or more
separate public sector agencies, where there is temptation and opportunity for either the
contractor or one of its customers to make unexpected use of the information. Whilst
there is no suggestion that EDS would jeopardise its business by improper exploitation
of its position, the natural inclination to be helpful to existing and potential customers
means that there is more need for both the contracts and the practical arrangements for
data handling to be tight and precise so as to prohibit any new uses of information
without formal notification to and agreement by the agency which “owns” the
information.
4.7 The dangers and practical difficulties associated with information matching are of course
well known to the Office of the Privacy Commissioner and to a few individuals who
have had reason to look into actual information matching operations. The difficulties
seem not to be obvious to others, and unfortunately the awareness that information
matching is both possible and useful is spreading ahead of the knowledge of problems
associated with it. It is for this reason that embarrassing errors like this incident can and
do occur. As a risk management measure, the government may be amenable to
formalising the existing understanding that public sector agencies will not conduct
information matching without specific statutory authority to do so; by that means
ss.13(1)(f) and 98 of the Privacy Act would allow and require input by the Privacy
Commissioner before any public sector information matching is carried out.
5.0 Recommendations
5.1 I recommend that every contract between a public sector agency and EDS (or any other
data processing contractor) contains a specific prohibition upon any amended or
enhanced use of that agency’s data by or for another agency, without the prior signed
authorisation of the agency which provides the data to the contractor. The Privacy
Commissioner might endorse that recommendation as a prudent step for an agency to
take in complying with information privacy principle 5(b), and write to Privacy Officers
of public sector agencies accordingly.
5.2 I recommend that the Privacy Commissioner encourages the Ministry of Transport to
check its arrangements with LTSA for the handling of personal data by LTSA as agent
for the Ministry, and to establish a procedure whereby LTSA must at least inform the
Ministry of its plans prior to any change in the uses of the data.
5.3 I recommend that the Privacy Commissioner takes steps, either directly or through the
appropriate Ministers, to bring to the attention of middle management in public sector
agencies the understanding with government that new information matching
programmes will not be commenced without specific statutory authority.
Robert Stevens
Auckland
21 March 2000
ATTACHMENTS
1. “Red Faces As Namesakes Sinbinned”, New Zealand Herald, 30 July 1998.
2. Letter from Call Centre Manager, Department for Courts, to Office of the Privacy Commissioner, 7 September 1998.
3. Letters from agencies concerned in response to draft report:
• Ministry of Transport, 8 May 2000;
• EDS (New Zealand) Limited, 8 May 2000;
• Land Transport Safety Authority, 9 May 2000;
• Department for Courts, 5 and 29 May 2000.