Annual Report for the Privacy Commissioner for the year ended June 2008.

View the full Annual Report (with navigation links) (PDF, 1.1 MB, 164 pages).

KEY POINTS

• Nearly 50% of incoming complaints were about people wanting access to their own personal information. A further 25% of incoming complaints alleged that personal information was used or disclosed inappropriately.
• Currently, 61% of the 662 complaints received are closed within six months, and 84% are closed within a year. This is a further improvement by the Investigations Team on last year’s performance.
• During the year, 135 complaints were settled or mediated; sometimes by an apology, or an assurance that an action will not be repeated, a change in policy, or monetary compensation.
• Six agencies together accounted for about one third of the complaints received.
• Enquiries staff handled 5,417 enquiries during the year, through the 0800 line and, increasingly, through email.
• Policy projects numbered 260 and covered a vast range of topics including biometrics, information sharing across government, anti-money laundering, and smartcards.
• The Health Information Privacy Code was amended during the year, and a review of the Credit Reporting Privacy Code was initiated.
• Currently 78 authorised government information matching programmes, of which 46 are active, allow departments to share information about New Zealanders. Numbers are expected to increase significantly in the coming year.
• Information matching showed a clear growth in on-line transfers, with 16 approvals granted during the year. Over half of active information matching programmes can now be done by on-line transfers.
• Asia-Pacific Economic Cooperation (APEC) continued its work to implement the APEC Privacy Framework, adopted in 2005. The Framework establishes regional standards for privacy protection, and is of increasing importance in today’s business climate, where personal data is transferred easily from country to country.
• The Office continues to work with the Ministry of Justice in amending the Privacy Act to enable New Zealand to provide an “adequate standard of data protection” for processing European data. Trade benefits are expected to flow from gaining this recognition.
• The Office received 128 media enquiries through the year on topics such as data breaches, employee monitoring, and use of CCTV cameras.
• The Commissioner and senior staff gave numerous speeches and presentations on data protection issues to business, civil society and government organisations.
• A successful first Privacy Awareness Week (PAW) for New Zealand was held in August 2007 and PAW is now a recognised international event, run in partnership with other Privacy Commissioners’ offices in Hong Kong, Victoria, New South Wales, Northern Territory, Australia (federal office) and Korea. The Canadian and British Columbian Commissioners joined the APPA network during the year and will be participating in forthcoming PAW events.
• Following several high profile, vast, data breaches overseas in 2007/08 the Office reviewed the handling of files being physically transferred on floppy discs, CDs or tapes for use in New Zealand government information matching programmes. Of 46 matches, 19 were being transferred physically on unencrypted digital media. In February 2008, the Privacy Commissioner required that those files be encrypted to improve their security in case of loss. By the end of the reporting period, three data transfers remain unencrypted. In an associated move, data breach notification guidelines for business and government were launched in August 2007 during Privacy Awareness Week.
• The Office of the Privacy Commissioner has ongoing participation in the Law Commission’s major review of privacy. Work in the coming year will focus on civil and criminal remedies (Part 3) and a review of the Privacy Act (Part 4). Discussion papers relating to the project are available at www.lawcom.govt.nz.

INTRODUCTION

Chasing shadows of ourselves

Our ‘digital shadows’ are now larger than the digital information we actively create about ourselves. In financial records, on mailing lists, through web surfing histories or images taken of us by security cameras in airports or by CCTV cameras, a digital shadow is being created around us. Estimates are that only about half of a person’s digital footprint is made by deliberate actions, such as taking pictures, sending emails, or making digital voice calls – the rest accumulates passively as we go about our daily activities.

With the billowing quantity of personal information created, comes an increasing chance of it ending up in the wrong hands – whether by design or accident.

Data leaks, breaches and theft

In January 2007, for instance, over 45 million credit and debit card numbers were stolen by hackers who infiltrated the systems of the US retail company TJX. It was cited at the time as the largest theft of personal data ever. But a matter of months later in the UK, two CDs were lost, containing all child benefit personal information about 25 million people and 7.25 million families. Details included name, address, date of birth, National Insurance and bank account numbers. The data was unencrypted. And despite the requesting department asking for sensitive details to be stripped from the files before sending, this had not been done – apparently for reasons of cost.

In another UK-based incident, unencrypted records of more than 600,000 people interested in joining the armed forces were on a UK Ministry of Defence laptop recently stolen from a Royal Navy recruiter. The computer held the personal details of more than 14,223 Northern Ireland residents, 60,000 Scots, 37,546 Welsh, 459,778 English and 34,667 other people.

New Zealanders are not immune. As a nation we are enthusiastic technology users – our banking and health systems are reflections of that. Recent data breaches in New Zealand include changes to computer systems in a major agency resulting in accidental release of personal information; unauthorised employee browsing of Police databases; employee browsing of Inland Revenue (IR) databases; employee browsing of patient records in a District Health Board (DHB); major bank systems “invaded” by so-called “research software”; sensitive lab results repeatedly sent to an incorrect fax number; and numerous others.

Data breach notification law

A fundamental and necessary step is to have adequate security safeguards to protect the information. Those systems need to be robust and responsive – and to protect against both malicious attacks and human error.

And agencies need to be ready to act if something goes wrong. In February 2008, I released privacy breach notification guidelines for New Zealand. The guidelines are designed to assist organisations faced with managing the privacy aspects of a data security breach. Privacy and data protection authorities in countries such as Australia, UK and the United States have already introduced similar measures. The guidelines reflect international best practice and are voluntary rather than being a compulsory code.

But above all, the individuals whose data has been inadvertently released need to be ‘front and centre’. It is their best interests – and not just those of the organisation – that need to be properly addressed. We will watch local practice and international developments before deciding whether anything further is needed.

Corporate ethics and individual responsibility

Employee browsing


In late 2007, I commended the actions of Auckland DHB in identifying and following up instances where staff had browsed celebrity medical records. In that case, footprinting technology helped to trace the individuals involved. Technology in such instances can be both the cause and the solution to the problem. But what must come first is ensuring that the information is treated with care and respect.

In a similar vein, I have been disappointed to note several incidents in recent months involving bank employees browsing customer records. Typically, it has arisen when a personal relationship has soured; perhaps between former partners, or other family members. There is a real cost to the organisation – both in dollar terms and in loss of customer trust. The banks involved have responded swiftly to put things right and to take steps to restore the customer trust that is so central to that sector.

Finding information – I’ve got it, what do I do with it?

Large corporates and government departments are becoming attuned to the message that personal information is a resource that brings associated responsibilities. But what about individuals – do we have obligations too? The short answer is ‘yes’. Individuals can be just as responsible – and just as liable – as the largest government department or business.

So what should you do if you find information about someone else on the street, at the dump, or sent in the mail to you? Most of us would quite reasonably hope, even expect, that anyone coming across such information will treat it with respect. This includes doing what they can to secure it; if possible, returning the information to the source, or otherwise giving it to the Police. In some instances, it might make sense to notify my Office. Taking a cavalier attitude to someone else’s personal information may make the finder legally liable for the harm that follows.

Sometimes people do get it right. A good example is the 25 year old student who was mistakenly sent tax details showing the salary of another woman, a health professional. As The Press reported at the time, the student contacted the medical professional and told her she had received the woman’s IR statement, along with those of two other people. They had been put in the same envelope as the student’s own summary of earnings document. The health professional’s reaction was telling: “I had a feeling of shock, then relief that someone with integrity had received it and had made the effort to pursue it rather than dump the document in the bin, or didn’t seek to abuse the information in any way”.

Knowledge, control and power

More and more, having access to personal information means having not just knowledge, but power. We are in the information-rich, data-loaded world. Information about you is a saleable commodity. And in the health system, for instance, health information is a critical tool, but it carries many responsibilities. Comprehensive collection and sharing of individual patients’ information can help deliver better health services, but personal information is both an asset and a risk. The hot button is trust.

For instance, the very core of the health system – the doctor-patient relationship – is built upon openness, confidentiality and trust. But it goes even further than that. The doctor must trust the system and how the system will manage that health information. They must relay that understanding to the patient, who in turn needs clear guidance about what’s going on and what they can expect. I’ve heard too many doctors raise genuine concerns about current and proposed information developments to feel sanguine. And I don’t think we have an adequate answer to those concerns at present.


I hope that security standards and protocols, footprinting technologies and break-glass systems are now becoming accepted as basic, modern essentials. But we must question and better examine the information flows that are being structured into the health system. Those systems, whether at the level of the Ministry, DHB or individual GP practice, must be strong, secure and transparent. And patients must be given the opportunity to be informed.

The borderless, digital ‘cloud’

We live in a fluid information environment. We no longer sit and type contentedly at our stand-alone computer. Most of us use the internet daily in our professional lives, and regularly in our personal lives to find out information, to email others and to participate in social networking. Beyond that, an increasing number of us will bank on-line, may choose to store our medical records with Google (although I think I won’t!) and may use a website, rather than a hard drive, to store our digital photos. Perhaps we keep our CV on another website and store our personal contacts and address details using another on-line application. More and more, businesses are also choosing to process and store their data in massive data centres in the ‘cloud’. Cloud computing might loosely be defined as software, storage or processing centres networked via the internet across multiple locations. And clients may, increasingly, specify a particular geographical location for stored data, or choose a data centre that is optimised for their particular industry.

The wider community – international developments

So how are we tackling the borderless, digital cloud? In this climate, international links are becoming vital. We often think of privacy as being about individual action and repercussion – and of course that is true. But more and more, data protection and privacy are forged across organisations, regions, nations – even continents. There is a very good reason for that – we are charging our way into the digital century and international cooperation has become essential to address the emerging challenges we face.

Some of the recent co-operative developments that affect New Zealand include global initiatives involving both APEC and the OECD. In Korea in June 2008, the OECD held a Ministerial Meeting on the Future of the Internet Economy, where participants agreed on the need for government to work closely with business, civil society and technical experts.1

And in the Asia-Pacific region, APEC is running a number of practical pathfinder projects on privacy.

We are likely to see much change in the coming few years that might include: modernising of existing national laws and the likelihood of many new privacy laws throughout the region. We might also expect to see greater cooperation amongst regulators, and a re-examination of the privacy principles to see if they deal adequately with the information revolution and the digital cloud.

Technology, connectedness and social impacts

Technology enables details about individuals to be collected, used and disclosed on an unprecedented scale, both in New Zealand and overseas. The New Zealand World Internet Project found that 78% of New Zealanders use the internet, and about a third of us participate in social networking sites each week. Clearly it’s an area of huge opportunity for growth and development – both to facilitate existing, and to generate new business opportunities; but it’s also an area where there are huge risks:2

Our digital footprints and shadows are being gathered together, bit by bit, megabyte by megabyte, terabyte by terabyte, into personas and profiles and avatars – virtual representations of us, in a hundred thousand simultaneous locations. These are used to provide us with extraordinary new services, new conveniences, new efficiencies, and benefits undreamt of by our parents and grandparents. At the same time, novel risks and threats are emerging from this digital cornucopia. Identity fraud and theft are the diseases of the Information Age, along with new forms of discrimination and social engineering made possible by the surfeit of data.

And in this context, data protection and privacy have become a business issue – as a facilitator, an enhancer, and enabler – and as a way to mitigate loss of trust, branding damage and loss of profits.

Our understanding of privacy is fast developing in response to these wider societal changes. And our expectations of privacy are evolving as well. We are no longer tolerant of a business unexpectedly sharing our contact details, or of poor handling of medical records. In today’s world, what you do with a person’s information does matter and we expect government and business to treat our information with care. We want to have the choice to ‘opt out’ of telemarketing calls, or to have a say in the information that is released about us.

And yet, we are surveilled, tracked and monitored. We are watched and recorded like never before. How many of our grandparents would have believed that an employer could require a urine test or a finger-scan; or that a baby born today would have its DNA held for decades – maybe centuries – in a database?

Genes, medicine and technology

We are grappling with some of those very issues in New Zealand now. The Ministry of Health has been reviewing the retention and storage of the newborn bloodspot, or “Guthrie cards”. These cards contain genetic samples of almost the entire population aged under 40 years. They are currently stored indefinitely, and that storage has been without incident or mishap. They have been retained through the last forty years or so less as a deliberate act than simply because they were never discarded. Their future use is, at present, undefined. I, and many others, see that is no longer a sustainable position. If we decide to store this potent information about all of us, we must first address the reasons for doing so, the proper limits upon its use and the protections it deserves. Recommendations on the future storage and use of the cards will be put to the Minister of Health in the coming months.

It is fitting that New Zealand is reconsidering its approach to this most precious treasure because scientific advances in this area develop daily. As genetic information becomes more and more accessible, we will be faced with tough ethical, social and legal questions. How much do you want to know about your genetic makeup? How much do you want your family, employer or health insurer to know?

Your DNA may well prove to be the ultimate definition of your human physicality, but how far do you want it to define you as a person? Is your identity any different from your sequence of DNA? Our identity – how we define it, and manage it – is already of pressing concern, but will only become more so in coming years as genetic information proliferates and is read more easily and cheaply.

Identity management: a code of ethics for the 21st century

People need to feel they can control their identity; to change it for legitimate reasons; and have the ability to know what other people may be doing with that identity. Through complaints to my office, I am all too familiar with the sense of loss, grievance and even despair people feel when their personal information or their identity is lost, stolen or misused. We ignore these feelings at our peril.

‘Context is everything’ is a truism, but in the realm of identity and identity management it is fundamental. Context affects both the range of information you might reasonably be asked to provide and the selection you make about what you willingly reveal. We do not tell the same story to each person. We do not tell the same story on every occasion. And we do not tell today the same story that we told 10 years ago. As Mel Brooks said: “Every human being has hundreds of separate people living under his skin.”

Identity is about defining ourselves and being defined by others. When it comes to identity, getting things almost right just doesn’t work. We care too much about it for that. Identity is linked to our place in the world. It is both personal and public.

It can be both a means of control and a means of self-definition. We shape, reinvent and colour our own identity; and it is shaped by social, cultural and political influences. Control of identity brings with it power – and control over the person. But every day in every way government and business are becoming more adept at “managing” our identity.

The challenge is to give more attention to the integrity of the systems we are designing and the people at the centre of them; to reconsider the ethical (and perhaps even moral) framework for our key information handling systems, and to give individuals options, flexibility and control.

Law Commission review

The New Zealand Law Commission has embarked on a significant and extensive review of privacy. This major project has wide-ranging terms of reference and will continue through until at least mid 2009. Among other things, the Law Commission will be reviewing the Privacy Act and the developing tort of privacy.

In the modern and highly technological environment in which New Zealanders operate, watchdog offices like the Privacy Commissioner need to be equipped with the right tools to do the job. For instance, because of the diffuse and varied nature of privacy concerns, we rely upon having the power to inquire widely and freely. One area I have noted to the Law Commission as a gap currently is an ability to audit government and business processes.

Our Office is actively contributing to the Law Commission’s review, which will directly or indirectly impact upon how we manage personal information and identity – New Zealand-style. It is a timely undertaking that I hope helps New Zealanders keep pace with their digital shadows, and have some say in how their identity is managed in the ‘information century’.


Marie Shroff
Privacy Commissioner


1 The Seoul Declaration is available at www.oecd.org
2 A. Cavoukian, Information and Privacy Commissioner of Ontario, Privacy in the Clouds: A White Paper on Privacy and Digital Identity: Implications for the Internet (Office of the Information and Privacy Commissioner, Ontario, May 2008) 3. See: www.ipc.on.ca/index.asp?navid=46&fid1=748


Please note:

Matters Relating to the Electronic Presentation of the Audited Financial Statements and Statement of Service Performance

This audit report relates to the financial statements and statement of service performance of the Office of the Privacy Commissioner for the year ended 30 June 2008 included on the Office of the Privacy Commissioner’s website. The Privacy Commissioner is responsible for the maintenance and integrity of the Office of the Privacy Commissioner’s website. We have not been engaged to report on the integrity of the Office of the Privacy Commissioner’s website. We accept no responsibility for any changes that may have occurred to the financial statements and statement of service performance since they were initially presented on the website.

The audit report refers only to the financial statements and statement of service performance named above. It does not provide an opinion on any other information which may have been hyperlinked to or from the financial statements and statement of service performance. If readers of this report are concerned with the inherent risks arising from electronic data communication they should refer to the published hard copy of the audited financial statements and statement of service performance and related audit report dated 31 October 2008 to confirm the information included in the audited financial statements and statement of service performance presented on this website.

Legislation in New Zealand governing the preparation and dissemination of financial information may differ from legislation in other jurisdictions.