This is an HTML version of an attachment to the Official Information request 'Recent Data Breach'.

 
10 November 2022 
 
 
By Email Only: [FYI request #20902 email] 
 
 
To whom it may concern 
OFFICIAL INFORMATION REQUEST IN RELATION TO RECENT DATA BREACH  
I refer to your official information request 18 October 2022 in relation to the recent privacy 
breach, which took place at University of Otago during the period 23 August to 5 October 
2022.  
Deletion of Personal Information 
You have asked how the University has confirmed that the students who accessed personal 
information have deleted it.   
Our IT team has been able to identify all of the documents that were accessed, who 
accessed them and when. Since shut ing down access, IT have completed an audit of the 
files to ensure they were deleted in the few cases they were downloaded, and that access 
has been provided only to those who should have it.  
Non-Disclosure Agreement 
The students who accessed personal information as a result of this breach are aware that 
they have signed a non-disclosure agreement.  
Support for Students 
The University has offered the following support to students affected by the breach: 
•  OUSA Student Support, which can provide confidential information and advice.  
•  The Student Health Mental Health and Well-being team, which can provide wellbeing 
support. 
•  Student Services can also be contacted for information about further support.  
 
We do acknowledge that some of the information that has been accessed is sensitive. 
However, we have concluded as a result of our investigation that this data breach is unlikely 
to cause harm to the affected students:  
•  Only 23 students accessed personal information as a result of this breach.  
•  We have interviewed each of the students concerned and are satisfied that they have 
not accessed this information with malicious intent. Rather, most of the students who 
located this information did so accidentally, often searching for their own name in 
their own files, but having this data served to them as a result of the error. A couple 


of students associated with Critic Magazine did intentionally look at some additional 
files at the beginning of October, but this was solely for the purpose of reporting on 
the breach.  
•  These students have all agreed, both verbally and in writing, to delete the information 
(if applicable) and that they wil  not divulge any of this personal information. 
•  Most of the personal information in question was contained in Excel spreadsheets 
containing thousands of other students’ data. In these instances, there is a very low 
likelihood that any one individual’s personal information has been specifically 
identified by any of the recipients.  
•  The individuals who accessed this information on behalf of Critic did so in order to 
report on the breach; informed us of the error promptly; and have signed non-
disclosure agreements.  
•  Further, we are working with the vendor of the new system to ensure that this does 
not happen again.  
Students are also welcome to contact me in my capacity as the University’s Privacy Officer if 
they have any additional questions or concerns, or need further support 
([email address]).   
Student can also contact the Privacy Commissioner if they have remaining concerns. 
 
Ngā mihi 
 
Mayhaka Mendis 
Acting Registrar 
 
Of ice of the Registrar