Why isn’t this the biggest privacy scandal of the year?

I’m sure we all remember the “outrage” about the GSCB bill legalising the spying on a dozen or so kiwis during a year.

I’m sure we all remember how this tore at the fabric of society and it was the beginning of the end.

Well, you might be right.

A Whaleoil investigation shows

A man who was told after a knock at the door that he was $22 million richer initially thought his visitors were real estate agents.

He now says he is “really, really chuffed” that he was tracked down – after not bothering to check his ticket because a workmate said the prize had been claimed.

Lotto NZ officials had tracked the Christchurch man down after he had failed to realise he was sitting on the winning Big Wednesday ticket.

Aww, that’s nice.  How did they track him down?  

Lotto’s gaming system records every ticket bought, including the purchase day and time, and method of payment. If a bank card is used, Lotto can work with the bank to get information to the customer.

In this case, cash was used, so Lotto worked with staff at Pak’nSave Riccarton to track down instore video footage which eventually narrowed the search to one person.

Lotto would not reveal further details, citing privacy reasons

I don’t know about you, but I’m gobsmacked at this gross invasion of privacy and data matching.

I understand that Loto hold their own sales data, but under what circumstances does it think it is legal to get together with Pak ‘n Save Riccarton?   And it wasn’t used this time, but since when do banks allow access to data without a search warrant to a third party?

One of the Privacy Act Principles is that when a company captures data, it is never used for purposes other than it was captured for.  Sharing data between distinct non-government organisations has to be major breach of the law.

As I argued at the time of the GCSB hysteria – what the GCSB wants to do – legally – to take down some potential criminals is not even a percent of a percent of the daily invasions of privacy we allow ourselves through our electronic footprints, never mind the tsunami of information we share willingly online.

No matter the “good news story” of a Lotto winner getting to enjoy his prize.  This is a total abuse of the law.

Whaleoil contacted the Office of the Privacy Commissioner for comment, but they were not able to comment until they were in possession of all the details of this situation.


Source: Nicholas Jones @ NZ Herald with additional reporting by Whaleoil


THANK YOU for being a subscriber. Because of you Whaleoil is going from strength to strength. It is a little known fact that Whaleoil subscribers are better in bed, good looking and highly intelligent. Sometimes all at once! Please Click Here Now to subscribe to an ad-free Whaleoil.

  • OhopeBeachBugger

    But data matching is EVIL, I saw it in the Herald, it will lead to all kinds of abuses, like making poor down and out bennies pay their outstandings…

  • Toryboy

    There is another part of the privacy act dealing with financial arrangements – two people or businesses who both have a financial arrangement with a third party can exchange information about them quite legally.

    In this case buying a Lotto ticket and the same place he bought groceries.

    It still sounds a bit creepy though.

  • Con the Neo

    I suspect the using bank to contact would involve someone from the bank calling up the customer, and passing on the information, not handing over the information to Lotto. Just like when customers have left their eftpos card at stores, and the staff call the bank with the details and the bank lets them know.

    • rouppe

      Precisely. But since cash was used, how did they turn video footage into a name and address…?

    • When you leave your eftpos card somewhere, it is very clearly the bank’s business to be involved.

      What if I find a nice jacket? Will the banks help me track the owner based on the fact it was left at a cafe and the owner may have paid electronically?

      • Con the Neo

        It may not be the banks immediate business. But if they do it in a blind way, they shouldn’t be breaking anyones privacy. If they pass on the message and contact details without giving the caller any details, I wouldn’t have a huge issue with it.

        • Really? This reflects on you being a very nice person.

          Because someone evil like me would use it to track down a deadbeat client, or an ex or someone else I would like to know the whereabouts of.

  • SJ00

    I thought this was rather odd at the time as well. Why is it Lotto’s role to track down who won a prize? Do they only do this for first place or should I be expecting a knock on my door soon as I am sure I won $22 last year and didn’t collect it. If you lose your ticket, tough luck. If you don’t check it, tough luck.
    Video footage also doesn’t show a name, do the staff now know who won $22 million after being asked to identify that person? Maybe he didn’t want them to know.
    How about they use the same system to track down dead beat dads that don’t pay child support? ‘But sir, we saw you buying a lotto ticket so we know you have spare money, we have given IRD your details, expect a knock on the door from soon’.

    If Lotto made everyone register and link a bank account to your Lotto ID, this problem is solved. They will know who has won, no money is ever not claimed. Basically a real life version of MyLotto, which I use. Make it for everyone buying a ticket.

    • Bunswalla

      Good idea but wouldn’t work. What about when I buy a ticket for someone else, as a gift for example? i don’t know their lotto ID or bank account so I buy it using mine. Then they find out they’ve won but the money’s in my account.

      And that’s when the trouble started…

    • AnonWgtn

      Probably a normal supermarket security video with it timed to the sale of the ticket.
      Mountain out of a molehill.
      Call in the Privacy Commissioner, SIS and GSCB, and Len Drowned.

  • john

    len wchled on coming to the school . booh len .booh len , quit while you are a head boo len ,boo boo

    • Sidey

      You might be on the wrong post?

      • GazzW

        ….or the wrong planet.

      • GazzW

        ….or the wrong planet.

  • Gaynor

    This doesn’t explain how they got his name or address. Unless he used a credit card to buy groceries at Pak n save.

  • Sidey

    With $22 mil tucked away, I’d be prepared to overlook any privacy issues just this once!

  • jaundiced

    Don’t be a killjoy

  • Gobe1

    A lot might think this is just no big deal especially because it has a happy outcome (no this isnt about Len..) and i also wouldnt care a less if it was me who go the 22mill. BUT WO is right… this is exactly why these things shouldnt be possible unless you are the GCSB. This is a huge deal and should be the biggest story of the year. Heads will be a rolling.

    • Bunswalla

      Couldn’t disagree more. The date and time I bought a Lotto ticket is not private data held about me, and nor is CCTV footage of when I entered a shop or walked down the street. There’s a big difference between personal or private data captured and used about a person, and general surveillance data such as CCTV images. By entering the store you consent to recordings being made of you – that data is not private data belonging to you.

      This kind of thing happens all the time in 100 different ways, and is in no way a breach of privacy. Let’s ask the guy that won the $22 mil what he thinks.

      • Dr Stoat

        Agree entirely. I would also argue that even if the combination of data collected here amounts to personal data, then consent to use for the purposes of contacting to deliver a prize of this magnitude may be inferred.

  • Kizzy MCD

    Well personally I would be rapt with this “breach of privacy” especially if I threw the ticket away thinking it wasn’t a winner. I suppose in some cases it works for the good and some it works for bad…in this case it just worked…so happy for the guy and would LOVED to have been a fly on the wall for that visit

    • Callum

      How about if they invaded your privacy to tell you had won on a ticket you had subsequently thrown out? Personally I would be very pissed off and looking for compensation for breaching my privacy around the $22m mark…

  • peterwn

    It is possible that a staff member knew who the person was from video footage. It is possible too that retailer credit card systems capture the name on the card so the retailer can pass this to Lotto.

    There was a similar case in UK but with a nasty twist. A woman purchased a lottery ticket from Tesco (a major supermarket chain) and swiped her loyalty card. She took it into a newsagent to check and the young assistant realising the ticket had won big told the woman that it was not a winning ticket and offered to dispose of it. His claim attempt fell over because he said he had purchased it at his employer’s shop. The lotteries people did a similar investigation and the woman was traced via her loyalty card and confirmed by security video. She too had a visit from lottery agents and was paid out despite not actually having the ticket.

    The newsagent had its lottery agency suspended and presumably the young assistant was down the road.

  • Jman

    Source: Nicholas Jones @ NZ Herald with additional reporting by Whaleoil

    Does this mean Whaleoil and the Herald are starting to co-operate more?

    Update: I get it now. Good stuff. Will be interesting to see if they reciprocate.

  • Jonathan Pull

    This is where things get tricky, some people will say “leave me alone, I want my privacy” but when someone tracks them down to give them a prize everything is hunky dory. Bank details in my opinion( right or wrong) are to be held between the bank, the account holder and any government agency that attain the appropriate warrant to attain such details

    • Gobe1

      Exactly. The line is there for a reason. you can go over it just because it is a rosy story