Also, there's no way now even to suggest name suppression. He outed himself on video. It's public.
PolicyGuy:
quickymart:
Looks like it was him! Hope they throw the book at this clown.
The Stuff article says "He faces one charge of dishonestly accessing Te Whatu Ora databases".
IANAL, but think this might be a precedent setting case as I'm not aware that an employee who has legitimate access to the system has been charged with this offence before. I'd love to hear to the contrary.
In my former existence, I had discussions with actual lawyers who said that the chances of successful prosecution might depend on exactly how well the organisation's Acceptable Use Policy (AUP) was worded, and what if any legally admissible evidence there was that the employee had actually been properly made aware of the AUP and its contents, and had signed up to / formally assented to the AUP.
They were at the time advising me on drafting such an AUP, so they did have an axe to grind.
Might be popcorn time
Ge0rge:
I can't remember names or even the victim or why they were in hospital, but I feel like a couple of nurses / health care workers got in trouble for accessing the file of a famous sports person who was in hospital, without any reason that they should have - not involved or treating patient etc - a few years ago? Not sure if it was a court case, or just a public outcry and workplace disciplinary action.
Sorry, not much use, but maybe it will trigger someone else's memory?
My wife is a practice manager, ALL of their staff are required to sign a confidentiality agreement, get police background checks, etc etc etc.
Even the doctors who are the owners of the practice had to sign one.
freitasm:
Also, there's no way now even to suggest name suppression. He outed himself on video. It's public.
Oh, that would have all been done in the name of "freedom" 🙄 I'd love to see what his defence in court is going to be.
quickymart:
freitasm:
Also, there's no way now even to suggest name suppression. He outed himself on video. It's public.
Oh, that would have all been done in the name of "freedom" 🙄 I'd love to see what his defence in court is going to be.
Enter..."Sovereign citizen"...
Wasn't he a DBA on the system? If so it seems he was authorised on the system and therefore had legal access to the system. Presumably he had a contract that stipulated how he was allowed to access it and non disclosure/privacy - but that sounds like a civil matter not criminal.
I could understand there being a case against him for privacy issues if there was one - but the data released was anonymous and didn't contain private details.
johno1234:
the data released was anonymous and didn't contain private details.
That doesn't excuse what he did. If you go down that road then you can't trust anyone with any data, anytime, anywhere. He needs to be held accountable, I imagine he knew what he was doing was wrong.
This needs to be tested in court.
I think there is a great difference between having work access and releasing data in any way/form.
He needs to be smacked down hard with severe punishment. If needed the legislation needs to be changed for future cases. Otherwise ppl will stop supplying information.
Background: I could probably access a significant percentage of ppl's medical records for most of the South Island.
afe66:
This needs to be tested in court.
I think there is a great difference between having work access and releasing data in any way/form.
(my bold above)
It does indeed.
As I posted above, it may depend on: exactly what words are used in policy that's written down; the legal verbiage in his employment contract / agreement; and what if anything it can be proved he signed up to.
Depending on how good a job Te Whatu Ora's policy & procedure and HR folks did, it may be very difficult to get a conviction, if he says that he honestly believed that he was acting within his legal rights and there's nothing to prove beyond reasonable doubt that he's lying.
IANAL, but it seems to me that unless the wording is tight and the evidence trail unquestionable, it may be that the best they can hope for is a penalty under the Health Act 1956 Section 136 (a fine not exceeding $500) for an offence contrary to the Health Act 1956 Section 22C (4)
Health Act 1956 Section 22C (4) https://legislation.govt.nz/act/public/1956/0065/latest/whole.html?search=sw_096be8ed81dc2048_disclos_25_se&p=1#DLM306636
Health Act 1956 Section 136 https://legislation.govt.nz/act/public/1956/0065/latest/whole.html?search=sw_096be8ed81dc2048_disclos_25_se&p=1#DLM308720
quickymart:
johno1234:
the data released was anonymous and didn't contain private details.
That doesn't excuse what he did. If you go down that road then you can't trust anyone with any data, anytime, anywhere. He needs to be held accountable, I imagine he knew what he was doing was wrong.
I agree. I was just pointing out that I was mystified as to how the criminal case could succeed.
Wow, that seems like an incredibly-small penalty for an employee to face for them to take a huge amount of customer data and steal it and provide it to people who they knew did not have permission to access it. Health data is incredibly sensitive, and despite them taking efforts to anonymise things, this should be seen as a massive issue.
I work in IT and I understand administrators need access to systems in order to support them, but this seems like a slap on the wrist (and likely a big impact to their future potential career) for what could have been the greatest health privacy breach in NZ history...and it was done intentionally because they were an anti-vax nutter and were hoping it could validate their views.
PolicyGuy:
IANAL, but it seems to me that unless the wording is tight and the evidence trail unquestionable, it may be that the best they can hope for is a penalty under the Health Act 1956 Section 136 (a fine not exceeding $500) for an offence contrary to the Health Act 1956 Section 22C (4)
Wait a minute, you get fined $500 for spraying people's private health information all over the Internet but you get fined $2000 for not filling in the census form? What next? Are they going to start paying bonuses to ram-raiders?
(I am aware that all census prosecutions were cancelled due to bureaucratic incompetence, but the $2000 threat was still used to strong-arm people.)
Plesse igmore amd axxept applogies in adbance fir anu typos
Considering his career involves a position of 'trust'.
Future employment outside the Sov Cit and axe grinders might be difficult.
Sov Cits don't have a good history of not paying their bills, and conspiracy nuts may be nutty in other ways as employers.
johno1234:
Wasn't he a DBA on the system? If so it seems he was authorised on the system and therefore had legal access to the system. Presumably he had a contract that stipulated how he was allowed to access it and non disclosure/privacy - but that sounds like a civil matter not criminal.
I could understand there being a case against him for privacy issues if there was one - but the data released was anonymous and didn't contain private details.
I'm guessing they will argue that the data was used to damage the reputation of the Ministry of Health/Health NZ,
if they then claim this reputational damage was a "loss" to them, they are attempting to satisfy the second leg of S249 of the Crimes Act,
"249 Accessing computer system for dishonest purpose
(1) Every one is liable to imprisonment for a term not exceeding 7 years who, directly or indirectly, accesses any computer system and thereby, dishonestly or by deception, and without claim of right,—
(a) obtains any property, privilege, service, pecuniary advantage, benefit, or valuable consideration; or
(b) causes loss to any other person.
(2) Every one is liable to imprisonment for a term not exceeding 5 years who, directly or indirectly, accesses any computer system with intent, dishonestly or by deception, and without claim of right,—
(a) to obtain any property, privilege, service, pecuniary advantage, benefit, or valuable consideration; or
(b) to cause loss to any other person