A man who had his criminal information passed on to his former partner by a Corrections Department employee has had his complaint upheld by the Privacy Commissioner.
The information was illegally accessed on two separate occasions by two employees, one of whom knew the man's ex-partner.
Corrections said it was unaware what had happened until the man laid a complaint.
An investigation by the Chief Privacy Officer found the man's information had been accessed once in 2013 and again in 2017.
The staff member did not have a valid reason to access the information.
An employment investigation commenced and the person was stood down but resigned before the investigation concluded.
The investigation also identified a second staff member as having accessed the offender's file on the same day in 2017. An employment investigation commenced into this person's conduct, which resulted in a disciplinary sanction
Corrections told the Privacy Commissioner it usually did audits to see what information its staff were accessing, but no audits were done during the time the breach occurred.
The Commissioner's Office said it was not enough just to have policies regarding the safeguarding of information - there must also be processes to ensure the policies were followed.
It found the man had consequently suffered stress and anxiety.
In a statement, Corrections said it had apologised to the man and it had reached an undisclosed settlement with him.
"Whether it's through policy, training and processes or IT systems management, we work hard to ensure the privacy, security and confidentiality of all information we hold.
"It's an area of constant improvement, and we work closely with the Privacy Commissioner, Government Chief Digital Officer and Government Chief Privacy Officer to ensure we follow best practice."