Browse by subject... - Office of the Privacy Commissioner

Case Notes released June 2010

Fri, 22 Aug 2008 11:04:04 +1200

View the latest case notes released by the Privacy Commissioner.

Case Note 211183 :  Ministry of Social Development discloses information to the Official Assignee. Read more...

Case Note 212548:   Woman requests copy of responses she gave in a phone survey. Read more...

Case Note 208123 :  Woman wants to know names of Police Officers who accessed her record. Read more...

Case Note 209903:   Man complained that Trade Me required his firearms licence number. Read more...

Case Note 210106 :  Woman seeks access from former employer to content of verbal reference. Read more...

Case Note 209484 : Police disclose recognisable image of crime victim to media. Read more...

Case Note 211472 [2010] NZPrivCmr 2: Woman's health information released by District Health Board to Ministry of Health

Mon, 15 Mar 2010 14:23:09 +1300

A woman complained that a District Health Board had provided her anonymised health information to the Ministry of Health as part of statistical information concerning serious and sentinel events within the DHB.

The information was published by the Ministry of Health and resulted in the woman's anonymised health information being published in a local newspaper. The woman considered that the information released by the DHB enabled her to be identified.

Rule 11

Rule 11 of the Health Information Privacy Code places limits on the disclosure of information. A health agency may disclose health information where it believes on reasonable grounds that one of the exceptions set out in rule 11(1) applies. Disclosure is also allowed under rule 11(2) in a number of other circumstances, but only where it is not desirable or practicable to obtain authorisation from the individual.

The DHB advised us that as part of the annual reporting requirements placed on DHBs it released anonymised information to the Ministry of Health. This information concerned the serious and sentinel events that occurred within the DHB over a 12 month period.

As a result, the DHB sought to rely on rule 11(2)(c)(i) and (ii) of the Health Information Privacy Code.

Rule 11(2) provides:
(2) Compliance with paragraph (1)(b) is not necessary if the health agency believes on reasonable grounds that it is either not desirable or not practicable to obtain authorisation from the individual concerned and that:
(c) the information:

(i) is to be used in a form in which the
individual concerned is not identified; or
(ii) is to be used for statistical purposes and will not be published in a form that could reasonably be expected to identify the individual concerned.

Rule 11(1)(b) generally provides that information must not be disclosed unless the individual concerned authorises the disclosure.

The health information disclosed included a brief diagnosis and the reason why the case was included in the report. On the day the report was released the DHB contacted the woman's husband and advised him that the report was being released. This was the only communication with the woman or her husband with regard to the release of the woman's health information.

There was no evidence that it was not desirable or not practicable to obtain the woman's authorisation to release the information.

However, section 22H of the Health Act, which allows disclosure of health information but does not allow the identification of the person to whom it relates, provided the DHB with a statutory basis to release the information to the Ministry.

As the information did not identify the woman, section 22H of the Health Act overrode the provisions of the Health Information Privacy Code, by the effect of section 7(1) of the Privacy Act.

We conveyed our view to the DHB that it could not rely on rule 11(2)(c)(i) and (ii) as there was no evidence that it was not practicable or not desirable to obtain the woman's authorisation to the release of the information. However, we also acknowledged that section 22H of the Health Act applied.

The DHB acknowledged that more consultation with the woman would have been desirable in the circumstances, and apologised for any distress caused by the disclosure.

On this basis we closed our investigation.

March 2010

Health information - disclosure - District Health Board - Ministry of Health - identifiable individual - authorisation to disclose - consultation with the individual - Health Information Privacy Code, rule 11 - Privacy Act; section 7 - Health Act; section 22H

Data matching encryption

Thu, 04 Dec 2008 12:15:18 +1300

Security gap being closed

9 September 2008

Enhanced security is now being required when New Zealand government agencies transfer data to other agencies for authorised information matching programmes Privacy Commissioner, Marie Shroff said today.

In February this year, the Office of the Privacy Commissioner reviewed how data was being transferred. Many files were not encrypted for transfer by tape, CD or floppy disk. The Commissioner required the adoption of encryption “within a reasonable time frame”. Six months on, she said that most departments have now achieved this.

Of the 46 authorised government data matching programmes operating in February, 19 transferred data in electronic form on digital media without encryption. Now, only three remain unencrypted.

“I have been advised that all files transferred on CD for authorised information matching programmes are now encrypted. One file transfer has been shifted to an on-line, encrypted transfer. However, Inland Revenue is involved in three transfers on tape which are not encrypted. The department advises that these three tapes require specialist computer equipment to read them and other security measures are also used to protect the data. Agencies involved in these tape transfers are still discussing options for enhancing security.”

Privacy Commissioner Marie Shroff initiated the review of data matching programme security after the major data breaches in the UK late last year involving tens of millions of records lost in transit between government departments. The data comprised the personal details of some 7 million British families.

"I am pleased that departments have made efforts to adopt more secure methods of data transfer. I look forward to further progress on all remaining programmes. Of course, transfers for the purposes of authorised information matching are merely one stream of intra-governmental data transfers. All agencies using and storing data about people – whether public or private sector – should carefully reflect upon the security of that data in each instance, for example by accepting the need for encryption for all portable data storage media,” said Ms Shroff.

The Privacy Commissioner‘s office has a special oversight role for government data matching programmes.

ENDS

For more information see www.privacy.org.nz or contact: Annabel Fordham tel 04 474 7590 or 021 509 735 or enquiries@privacy.org.nz

Background

For the previous media release see: http://www.privacy.org.nz/privacy-commissioner-requires-data-encryption/

For more information about the UK data breaches, see statements from the UK Information Commissioner: www.ico.gov.uk/upload/documents/pressreleases/2007/personal_details_lost_by_hmrc_201107003.pdf

Young children can be active in their own defence online

Wed, 02 Jun 2010 15:56:34 +1200

Media release from Hector's World Ltd.

The media is invited to attend the launch

A new animated interactive online resource and music video about computer security skills, produced by Hector's World, is being launched today by the Hon Nathan Guy, Minister of Internal Affairs.

Aimed at 5-9 year aged children, their parents and teachers, the resources offer a foundation of basic computer security skills by introducing young children to concepts like viruses and strong passwords.

Privacy Commissioner Marie Shroff is also enthusiastic about the new resources. "We know from a recent UMR survey that New Zealanders are worried about children's internet privacy. These are practical tools which will help to keep children safe online."

"The new resources enable children to play a positive role in keeping their and their family's information safe when using a computer online. Children can assist with the security of devices where important family information is stored, such as the family computer," says Ms Shroff.

Liz Butterfield, Hector's World Managing Director says, "We believe that young children can be active in their own defence online if we give them the skills and knowledge they need. We know that children even at early primary level are using terms like ‘password' and ‘downloading'. Yet, without a basic understanding of those concepts children cannot employ simple, proactive strategies to help keep their information secure and protect their computer. We've made this learning process fun - how many songs about computer security can you name with a dance beat like ours?"

Ms Butterfield says, "Some children will enjoy the fun of these new resources and be curious about this subject matter; others will get all of the concepts right away and want to know much more."

"In this era of online drop-down lists of hacking exploits and ready advice on building botnets, it's important to channel the capability and talent our children have in a positive direction that benefits themselves, their family and their community. There is an important link between computer security, privacy and digital citizenship and the best place to start laying this foundation is when children are young."

These new resources were created with a generous grant from the New Zealand Government's Digital Strategy Community Partnership Fund.

Ends

Go to
http://www.hectorsworld.com/island/main/episode_theatre_interior_01/index.html#EPISODETHEATREa to see the new resources.

The media is invited to attend the launch.

Launch details:
Date: Thursday, 3 June,
Time: 9:15am for 9:30am start. Finish 10.30am
Venue: Northland School, 14 Harbour View Road, Northland, Wellington
http://maps.google.co.nz/maps?f=q&source=s_q&hl=en&geocode=&q=Northland+School,+Northland,+Wellington&sll=-41.278839,174.7598&sspn=0.007498,0.013754&ie=UTF8&hq=Northland+School,&hnear=Northland&ll=-41.28058,174.7598&spn=0.007901,0.013754&z=16

To RSVP and for further details about the new resources, please contact:
Liz Butterfield
Managing Director, Hector's World Ltd.
021 72 5864 or LizB@hectorsworld.co.nz

What is Hector's World®?

Hector's World® is an effective and engaging digital citizenship education programme for children aged 2-9 years, and their parents and teachers. Hector's World Ltd. (HWL) is a New Zealand charity and a social entrepreneurship venture. www.hectorsworld.com is divided into two sections: the magical underwater world of Silicon Deep and the comprehensive section for parents and teachers, Info Island.

Computer Security Resources

The new Hector's World online resources on basic computer security go live today on www.hectorsworld.com and the music video can also be enjoyed on the HW YouTube brand channel.

The new resources include:
• computer security episode
• music video
• MP3 file of the song & songsheet
• lesson plans for teachers to use with 3 different primary school age groups.

These engaging resources are being launched in New Zealand today and will soon launch with Hector's World government partners in the United Kingdom, Australia, and Bermuda.

The resources were created with a generous grant from the New Zealand Government's Digital Strategy Community Partnership Fund.

Enjoy Hector's World content:

Website (www.hectorsworld.com)
YouTube Channel (http://www.youtube.com/user/HectorsWorldNZ)

Blog (http://hectorsworldltd.blogspot.com/?zx=e7b391cb15c17d8c)

Twitter (http://twitter.com/hectorsworld)

Case Note 205558 [2010] NZPrivCmr 1: Debt collector fails to follow procedure and loads disputed debt with credit reporter

Mon, 15 Mar 2010 14:09:29 +1300

A woman incurred a small debt which was transferred to a debt collector due to her failure to pay it by a certain time. The woman contacted the debt collector and advised it that she disputed the debt. Ten days later, the debt collector transferred the debt to a credit reporter, who then loaded it as a default on the woman's credit report.

The woman ultimately paid the debt but she was not happy that her disputed debt had been transferred to a credit reporter.

Principle 8 of the Privacy Act

Principle 8 of the Privacy Act provides that an agency must not use personal information without taking reasonable steps to ensure that it is accurate, up-to-date, complete and not misleading.

In this case, the debt collector was clearly put on notice that the woman had disputed the debt but transferred it to the credit reporter anyway.

During our investigation we learned that the transfer process between the debt collector and the credit reporter is an automated process. To comply with the accuracy aspect of principle 8, a manual notation has to be added to the record.

Debt collectors and credit reporters rely on express contractual obligations to ensure that information exchanges relating to unpaid debts are accurate.

In this case, although the woman disputed the debt this fact was not recorded by the debt collector. As a result, the debt was automatically transferred to the credit reporter, without reference to it being under dispute. In our view this was a breach of principle 8.

However, the woman was unable to show that the presence of the default on her credit report - and, therefore, the breach of principle 8 by the debt collector - caused her any harm in this case.

The debt collector agreed to review and improve its processes in terms of principle 8 and provide training to its staff to ensure that this type of situation did not recur. This was a very positive outcome and we closed the file.

March 2010

Accuracy of personal information - debt collector - transfer of debt to credit reporter - failure to follow standard procedure - Privacy Act 1993, principle 8

Criminal use of social networking information on the rise: Media release

Mon, 01 Mar 2010 12:15:31 +1300

1 March 2010

Recent reports show that there has been a huge increase in social networking sites being used for identity theft, says Privacy Commissioner Marie Shroff at the beginning of Fraud Awareness Week 2010.

"With the wealth of personal information on sites such as Facebook and Twitter, criminals can have a field day. If someone gets enough personal information about you - like your name, address, date of birth, bank account number or employment details - they could apply for a credit card or loan in your name and ultimately steal from you. Also, your details could be sold to someone else," says Ms Shroff.

"People need to think about what personal information they are putting onto social networking sites and check their privacy settings," advises Ms Shroff.

The Privacy Commissioner also reminds people not to email information like bank account or password details to anyone. An email can appear to be from a friend when in fact it is from someone with criminal intentions. Check carefully who you are replying to and always check links in emails. If they look suspicious they may be taking you taken to an unsafe website, and it's best to delete the email.

"Your personal information has value - don't let someone else profit from it," says Ms Shroff.

Fraud Awareness Week is part of an international campaign to raise awareness about scams.

ENDS

For more information contact Cathy Henry on 021 509 735 or enquiries@privacy.org.nz

For more information about Fraud Awareness Week go to: www.scamwatch.govt.nz
See also Netsafe's Scam Machine at www.scammachine.org.nz

NZ Doctor Series - Privacy Matters (# 18)

Wed, 03 Mar 2010 09:25:41 +1300

November 2009

Freedom of the press is one of the planks our democracy stands on. In the abstract this is an undeniable positive. As the saying goes, "sunlight is the best disinfectant". Dealing with press freedom directly, though, can be a little harrowing. What should you say to a reporter on the other end of the phone at 5.00 pm on a Friday?

One answer, of course, is ‘nothing' - but things are rarely that simple. What if you want to get your side of the story across, or to defend a colleague? What if you're being asked for information about a patient you genuinely feel poses a threat to others or who has been mistreated? How about Official Information Act requests - do you have to respond?

In fact, the law will only rarely require you to speak or remain silent when faced with enquiries from the media. Instead, you will generally have a space in which to exercise your discretion, in line with your own ethical obligation of confidentiality. Protecting the confidence of your patients must weigh heavily.

But, as always, there are exceptions. For instance the Health Information Privacy Code allows you to talk about a hospital patient's presence, location, condition and progress unless the patient or their representative has vetoed disclosure.

The answers to the other questions posed above are more equivocal.

Disclosing information about a patient to back up a colleague, or to defend yourself against allegations you think are unfair, will always present problems Unless you have the patient's permission, a polite ‘no comment' may be the best option. Naturally if the information is solely about you rather than your patient you can do as you like with it, and information that cannot identify a person can always be disclosed.

Also, while you can disclose information about a patient to prevent a serious and imminent threat to someone's safety, you need to be talking to someone who can do something about that threat. It's unlikely the media would fit that bill.

The situation is slightly different if you work for a public sector agency like a hospital or District Health Board, though you're also more likely to have a communications officer to help deal with difficult dilemmas. The Official Information Act means that anyone, including a reporter, can ask for access to publicly held information, including patient records. Requests can be refused where disclosure would breach someone's privacy and there is no significant public interest in disclosure. Nearly all the time, this will lead to a refusal of an OIA request for health information, but not always.

The bottom line is ‘don't be hasty', even when faced with a tight news deadline. When talking to the media, first find out who they are, what exactly they're looking for and who else they've spoken to. Then you'll be better placed to respond in a way that respects both the public's right to know and your patients' right to confidentiality.

Comparison Paper on Health Privacy Laws

Wed, 30 Apr 2008 10:43:12 +1200

"Overseas Privacy Regimes : Internal research paper comparing New Zealand's Health Information Privacy Code 1994 with the health privacy laws of Victoria, Ontario and the United States".

This is an internal research paper prepared to assist in the 2007 amendment of the Health Information Privacy Code 1994. It considers the health privacy laws of three foreign national (US) and regional (Ontario, Victoria) jurisdictions and compares them to the New Zealand regime.

Download the file below to read the full text.

Private Word 52 - October 2004

Mon, 15 May 2006 11:37:09 +1200

In this issue:
Covert filming
Health implant
Leak consequences
New appointment
Thief’s complaint

Private Word 51 - June 2004

Mon, 15 May 2006 11:38:32 +1200

Drug test ruling
Technology challenge
Big brother awards
Complaints list
Act interpretation
Secret filming
APEC planning
Privacy tort
Mail opening
RFID tags
Educational role
Dog registers