Imagine walking into your local grocery store, only to have your image shared by security guards alongside false accusations of theft. This is exactly what happened to unsuspecting customers at two Pak'nSave stores in Auckland, sparking a major privacy scandal. But here's where it gets controversial: the stores themselves were held accountable, even though the actions were carried out by third-party security personnel. The Privacy Commissioner didn't hold back, ruling that both Pak'nSave Clendon (operated by C Park Traders Limited) and Pak'nSave Royal Oak (run by Hutchinson Bros Limited) had breached the Privacy Act. Their crime? Failing to properly oversee the third-party security providers they hired, which led to customers' images being shared alongside baseless allegations of criminal activity—one incident even involved a store employee.
The fallout was severe. Privacy Commissioner Michael Webster highlighted the real-world consequences: 'As a result, both individuals whose images were shared faced a heightened risk of harassment and reputational harm.' And this is the part most people miss: the issue wasn't just about the security guards' actions but the stores' lack of safeguards to protect customer privacy. Webster emphasized, 'Both stores lacked important safeguards that retailers should have in place when allowing third-party providers access to sensitive information like surveillance footage.'
The decision to publicly name the stores was unprecedented, reflecting the gravity of the situation. Webster noted, 'It’s rare for me to name agencies, but this serves as a stark reminder to businesses: outsourcing functions does not outsource accountability.' This raises a thought-provoking question: Should companies be held equally responsible for the actions of their third-party contractors, even if they weren’t directly involved?
To prevent such incidents, Webster stressed the need for clear, enforceable privacy obligations and routine monitoring of third-party providers. 'Agencies must ensure that privacy expectations are explicit and actively managed,' he said. Meanwhile, Foodstuffs North Island Limited, the co-op lead for the stores, has taken steps to address the issue. These include comprehensive privacy training for all staff and contractors, updated written agreements with security providers, and stronger oversight mechanisms.
In their response, Foodstuffs acknowledged the shortcomings: 'We regret there were shortcomings in how our contractors handled the situations. Protecting customer privacy is essential, and we are committed to ensuring this doesn’t happen again.' Both stores have fully cooperated with the Privacy Commission, with Pak'nSave Clendon now under new ownership.
But here’s the lingering question: Is it enough to simply react after a breach, or should companies proactively audit their third-party providers to prevent such incidents? Share your thoughts in the comments—this is a debate worth having.
