The Herald reports:
Newly appointed Health Minister Chris Hipkins said a leak of confidential patient details off all active Covid-19 cases in New Zealand was “totally unacceptable” and potentially criminal.
The information included the patients names and dates of birth.
The massive breach of privacy contains the details of 18 confirmed cases, ranging from a 30-year-old woman in Auckland to a 70-year-old man in Canterbury.
It includes the personal details of the man in his 30s receiving care in Auckland City Hospital.
The leaked spreadsheet, seen by the Weekend Herald, also shows which border facility the Covid-positive people were staying in when they tested positive and where they were moved for quarantine.
This is a major breach of privacy, revealing which people have Covid-19. It should never have happened.
The best practice for sensitive data is to not have it in a spreadsheet at all. You should have it in a database where only authorised people can login to it. That also allows you to audit access.
If for some reason you do need to export it into a spreadsheet or other document, then the least you should do is stick a password on the file.