Credit Reporting Privacy Code Amendment No 5
Taxis recording passengers - new guidance
Getting it right when you've got it wrong
35th APPA Forum
Why do lawyers need to know about privacy law?
Privacy points for lawyers
New Chair of the Human Rights Review Tribunal
News around the world
The Privacy Commissioner is proposing substantial changes to credit reporting law that would introduce more comprehensive reporting of individual New Zealanders' credit history. The changes would also introduce suppression of credit reports for victims of identity fraud and include other privacy protections.
The amendment proposes to:
- permit the reporting of repayment history information
- enable victims of fraud to have credit reporters suppress their credit report
- permit credit reporters to pre-screen direct marketing lists in limited circumstances
- prohibit the listing of defaults under $100
- allow people to shop around for credit without being penalised on their credit score
- provide explicit procedural safeguards to be followed before listing guarantor defaults, and
- require credit providers to take certain steps before telling a credit reporter about an action that appears to indicate a person's intention not to comply with a credit obligation.
In May 2011 the Privacy Commissioner notified her intention to amend the Code and invited written submissions from businesses, agencies and the public. Over 60 submissions were received, and public hearings for submitters were held in July. The Commissioner is currently considering the submissions. A final amendment is expected later in 2011.
Some taxi organisations recently suggested that they might use their new cameras to make audio recordings of conversations, as well as video recordings.
We were concerned about the privacy implications of the audio recording - audio recording is likely to breach the Privacy Act - and issued some guidance. The guidance aims to help taxi organisations to identify and manage the privacy risks of audio recording.
If you want to use audio recording in a taxi, you need to think about these questions:
- Why do you want to use audio recording in your taxis?
- Why do you think that audio recording is really necessary to achieve this purpose?
- How will you let passengers know that you are audio recording conversations?
- What will your passengers think? And what will your drivers think? Aren't they likely to find audio recording very intrusive (e.g. capturing personal or business conversations)?
- How will you make sure that the audio recordings are securely protected, given that audio recordings are more sensitive than video recordings?
- How long will you keep the audio recordings?
- Who might be able to get access to the audio recordings and when?
We are advising taxis not to use audio recording unless they are sure that they have successfully managed the privacy issues.
Privacy breaches make brilliant headlines - unless your organisation is the one in the gun.
Getting hacked once is bad enough, but getting hacked multiple times is truly dire as Sony's ongoing (and very expensive) woes show. The vulnerabilities on the Labour Party's website are embarrassing for those who created and run the site as well as for the Party itself. And failures to think about privacy before launching a product end up with customer as well as regulator backlash - just ask Facebook, Google and Apple.
There's certainly a place for naming and shaming organisations that are careless or cavalier with personal information. However, careful organisations aren't immune. After all, there's no such thing as a fail-safe system. In particular, a system isn't just about the technology - it's also about people. The most secure technology in the world won't stop someone from leaving their dictation device or smart phone on the bus. Nor will it stop employees from browsing through information for personal reasons. Organisations need to develop practical ways of identifying and managing those risks as well as focusing on IT security. And precisely because there's no such thing as a fail-safe system, they need to plan for what they'll do if they have a privacy breach.
For the people whose information is lost or stolen, it doesn't matter whether the organisation has been super-careless or super-careful. The harm to those people may well be the same either way. This is why privacy breach notification focuses on preventing or minimising harm to the people involved.
Many developed economies have mandatory privacy breach notification laws. You lose personal information and there's a risk of harm to someone - you have to 'fess up.
At the moment, New Zealand is an exception. We've had voluntary guidelines to help organisations manage privacy breaches for several years. But until now we've managed without mandatory notification laws.
Given the complexities of our digital environment, and the increasing chances of harm to people when their information is compromised, I don't think that's good enough any longer. If people don't know about information losses, they can't protect themselves from harms like identity crime. And, as the head of InternetNZ Vikram Kumar recently said (16 May 2011 at nbr.co.nz), organisations need some real incentives to protect personal information:
'The fact is that the perceived benefit to an agency from protecting people's personal information is very low. This is the core reason why agencies put in so little money and effort to protect it. The answer is to increase the perceived benefits by imposing an external cost, i.e. mandatory notification when the personal information of people they hold is lost, stolen or inappropriately accessed. That's why I favour mandatory notifications over voluntary.'
Many agree with him. Obviously, nobody wants a law that requires reporting of every tiny breach, or that imposes unjustified compliance costs on businesses. But there are many responsible organisations that already notify the people concerned (and my Office) when they have a privacy breach that could harm people. Those organisations take steps to fix their systems and processes so the same breach won't happen again. And they know their brand is best protected if they spend time getting privacy right in the first place, as well as by being honest when things go wrong. However, they also know that their competitors may be less scrupulous. So those organisations often see mandatory breach notification as creating a level playing field - they want their competitors to have to take as much care as they do.
The Law Commission is due to report soon on its review of our privacy laws. It'll be interesting to see what it says about breach notification and how we might make this work in New Zealand.
This article was written for New Zealand Computer Society Newsline, 8 July 2011.
- Case note 218236: Man objects to pre-employment screening
- Case note 215508: Debt collection agency discloses information about a woman to a workmate
- Case note 225347: Credit agency mistakes another man for debtor
Privacy delegates from Australia, Canada, Hong Kong, Japan, Korea, Macau, Mexico, New Zealand and the United States attended the recent Asia Pacific Privacy Authorities (APPA) Forum, hosted by the Korea Internet and Security Agency (KISA) in Jeju, South Korea.
New Zealand's Assistant Privacy Commissioner Mike Flahive attended the Forum. Mike said, 'There is a lot to learn from our neighbours. The meetings are a very useful way of looking at privacy issues that face us all. They give us very positive insights into how privacy is being tackled by the different jurisdictions.'
'The collaborations between the APPA offices have led to the successful Privacy Awareness Weeks and international initiatives, such as the recent survey on social media. Because of the positive relationships that have been fostered, APPA has continued to grow and attract new members.'
As part of the Forum, KISA took the delegates on two tours. The first was the Smart Grid project, managed out of Jeju Island. Smart Grid is a system linking power usage and real-time communication technology to assist power suppliers to route power to the areas of greatest need. The technology allows both the power provider and the power user to observe, through smart meters, where power is being consumed and what patterns emerge.
Mike said, 'At your home, for example, you could potentially organise your electric appliances to operate only during the times when power is not in high demand and therefore cheaper. The system is predicated on the power supply setting up a communications network alongside the power grid. This is happening in Korea now.'
'To make the best use of the system, a user might need appliances that can be programmed to operate only during certain power-price range times. The whole project is designed to make more efficient use of available power.'
'The privacy issues focus on the information collected and how it is stored, used or disclosed. For example, if you were able to gain access to the information, you might at the very least be able to tell when the home was empty. And knowing what particular products are being used might be of benefit for marketing purposes.'
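The inference Mike describes can be demonstrated with very little data. The following is an added example written for this newsletter; it is not code from KISA's Jeju Smart Grid project or from the Office of the Privacy Commissioner. The half-hourly readings are constructed to look like one household's day, and the thresholds (25th-percentile standby load, 0.05 kWh tolerance, two-hour minimum quiet period) are assumptions chosen for illustration, not industry values. The functions return the times the house appears to wake, empty, refill and go to sleep, plus the largest half-hour draw, purely from consumption totals.

```python
"""Occupancy and daily-routine inference from smart-meter interval readings.

Added example (not from the newsletter, KISA or the Smart Grid project).
SAMPLE_DAY is constructed, not real meter data. Thresholds are assumptions.
"""

# Constructed sample: 48 half-hourly kWh readings for one household, one day.
# Slot i covers [i*30 min, (i+1)*30 min). Night and working hours sit on a
# ~0.15 kWh/half-hour standby load (fridge, router, devices on standby).
SAMPLE_DAY = (
    [0.15, 0.14, 0.16, 0.15, 0.15, 0.14, 0.15, 0.16, 0.15, 0.15, 0.14, 0.15, 0.16]  # 00:00-06:30
    + [0.90, 1.40, 0.70, 0.30]                                                      # 06:30-08:30 morning
    + [0.15, 0.16, 0.15, 0.14, 0.15, 0.15, 0.16, 0.15, 0.15, 0.14,
       0.15, 0.16, 0.15, 0.15, 0.14, 0.15, 0.15, 0.16, 0.15]                        # 08:30-18:00 nobody home
    + [0.60, 1.20, 1.50, 0.90, 0.70, 0.60, 0.50, 0.30]                              # 18:00-22:00 evening
    + [0.16, 0.15, 0.15, 0.16]                                                      # 22:00-24:00
)
SLOT_MINUTES = 30


def slot_time(i, slot_minutes=SLOT_MINUTES):
    """Clock time at the start of slot i, e.g. slot 13 of 30 min -> '06:30'."""
    minutes = i * slot_minutes
    return f"{minutes // 60:02d}:{minutes % 60:02d}"


def baseline_load(readings):
    """Standby load estimate: the 25th-percentile reading (ignores peaks). Assumed heuristic."""
    return sorted(readings)[len(readings) // 4]


def quiet_periods(readings, slot_minutes=SLOT_MINUTES, tolerance=0.05, min_hours=2.0):
    """Runs of consecutive slots at or below baseline + tolerance lasting at least
    min_hours. Returns (start, end, hours) tuples with an exclusive end time."""
    limit = baseline_load(readings) + tolerance
    min_slots = max(1, round(min_hours * 60 / slot_minutes))
    periods, start = [], None
    for i, kwh in enumerate(list(readings) + [float("inf")]):  # sentinel closes a trailing run
        if kwh <= limit:
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_slots:
                periods.append((slot_time(start, slot_minutes), slot_time(i, slot_minutes),
                                (i - start) * slot_minutes / 60))
            start = None
    return periods


def daily_routine(readings, slot_minutes=SLOT_MINUTES):
    """Infer the household's day from quiet periods alone: the first one ending is
    wake-up, the longest one in between is the house standing empty, the last is
    bedtime. Returns None when the data is too coarse to show that structure."""
    periods = quiet_periods(readings, slot_minutes)
    if len(periods) < 3:
        return None
    night, evening = periods[0], periods[-1]
    away = max(periods[1:-1], key=lambda p: p[2])
    peak_slot = max(range(len(readings)), key=readings.__getitem__)
    return {
        "wake": night[1],
        "leave": away[0],
        "return": away[1],
        "empty_hours": away[2],
        "sleep": evening[0],
        "peak_kwh": readings[peak_slot],  # a 1.5 kWh half-hour suggests an oven, heater or similar high-draw appliance
        "peak_at": slot_time(peak_slot, slot_minutes),
    }


def coarsen(readings, factor):
    """Sum consecutive slots, e.g. factor=4 gives 2-hour totals, factor=48 one daily total."""
    return [sum(readings[i:i + factor]) for i in range(0, len(readings), factor)]


if __name__ == "__main__":
    print("half-hourly:", daily_routine(SAMPLE_DAY))
    print("2-hourly:   ", daily_routine(coarsen(SAMPLE_DAY, 4), slot_minutes=120))
    print("daily total:", daily_routine(coarsen(SAMPLE_DAY, 48), slot_minutes=1440))
```

The `coarsen` runs are the practitioner's check on the privacy levers: 2-hour totals still expose the same routine (the house is flagged empty from 10:00 to 18:00), and only a single daily total removes it. Reading interval and retention period therefore matter at least as much as who is granted access.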
The second visit was to Daum, the biggest internet provider in Korea with a modern work environment and about 1000 employees.
Mike said, 'The company has done a great deal to build in privacy by design. It was refreshing to hear about a company placing privacy at the front of its operations.'
APPA discussed the following topics:
- international privacy developments
- privacy issues arising from smart technologies
- Privacy Awareness Week 2011
- implications of web 2.0 technologies for privacy regulation and
- credit reporting.
At a recent Public Law Remedies seminar, Assistant Commissioner Katrine Evans said that when she has spoken to lawyers about why they don't deal with privacy, she usually gets responses like 'it's too complicated', 'it's too arcane' and 'it's irrelevant to my area of practice'.
Katrine's experience has shown that good privacy management nearly always comes down to asking yourself the right questions. Once you ask those questions, applying privacy law will usually be easy - a matter of common sense.
Like any area of law, privacy is complicated and challenging at the margins, but usually that's not because the law is hard to understand. Instead, in practice, the difficulties arise because you need to figure out exactly how information is or will be used in a transaction before you can see how to apply the principles. You can't skip that thought process. Also, a lot of good privacy practice relies on applying good judgment rather than being told exactly what to do. Good judgment is something you can't legislate for. So there are some natural uncertainties.
As for being irrelevant or arcane, privacy law is applied every day in most areas of New Zealand legal practice. The Office of the Privacy Commissioner provides policy advice and handles complaints about a huge area of human activity. Commercial, government advice, trusts, family, technology, employment... anywhere there is information about people, there are privacy considerations. Usually people get them right by default. But a lawyer who understands the area for what it is, and who focuses on solutions, can make a huge difference.
Katrine presented a set of tools for lawyers to use. These tools take them through some of the basics of the Privacy Act and the practicalities of dealing with privacy complaints. They aim to let lawyers provide solutions for their clients by helping them:
- spot when privacy may be an issue for a client
- give appropriate advice to prevent problems from occurring and
- deal quickly and clearly with complaints if they arise (whether you're acting for a complainant or a respondent).
For more information, you can purchase a copy of the seminar booklet from the New Zealand Law Society.
- Lawyers cannot refuse to provide personal information because the individual has not paid for legal services. Lawyers may assert a lien over files until fees due for work are paid in full, but this does not override the right to access personal information under principle 6 of the Privacy Act. The only reasons that a lawyer may refuse access to personal information are contained in sections 27-29 of the Privacy Act (and not paying a bill is not one of them). See Case Notes 7837 and 16579.
- As private sector agencies, lawyers are able to charge individuals for access to, and correction of, personal information under section 35 of the Privacy Act. They can charge for making information available but they cannot charge for deciding whether to grant a request or providing assistance. Any charge fixed by an agency must be reasonable and we recommend following the Charging Guidelines for the Official Information Act. See Case Note 204595.
Simon Rae has recently joined the Office of the Privacy Commissioner as the new Team Leader (Policy and Technology). Simon comes to us from the Ministry of Foreign Affairs and Trade, where he had a range of policy roles, most recently in planning and performance.
We'd like to welcome the new Chair of the Human Rights Review Tribunal, Rodger Haines QC. Mr Haines is the former Deputy Chair of the Refugee Status Appeal Authority and has been an academic with Auckland University's Law Faculty teaching immigration and refugee law.
The role of Tribunal Chair is particularly challenging as the Tribunal has three separate human rights jurisdictions: cases under the Privacy Act, the Health and Disability Commissioner Act, and the Human Rights Act.
Mr Haines has taken over the role from Royden Hindle, who has been a very successful Chair of the Tribunal for the past 10 years. Mr Hindle has overseen some of New Zealand's most significant human rights cases during that time, including the recent discrimination claim brought by parents acting as unpaid caregivers to their disabled children. Our own field has benefited a great deal from the Tribunal's carefully considered privacy judgments.
We wish Mr Hindle all the very best for his new mediation and arbitration practice in Auckland.
A recent UK study shows that British citizens resist ID cards but are largely unconcerned about CCTV, while German citizens worry about CCTV but have carried machine-readable ID cards for decades without problems. The study looked at policies in the UK, US, Germany and Sweden and showed that the regulation of personal data varies hugely across countries and sectors.
The US Supreme Court has agreed to hear a case about when the government can put GPS devices on people's cars. This could produce one of the court's biggest privacy rulings in years.
A US District Court issued a significant ruling that Google can be held liable for damages under the Wiretap Act because of its 'Wi-Spy' program, which collected usernames, passwords, whole emails and other private data from unsecured wireless networks.
The European Commission is examining whether additional rules are needed on personal data breach notification in the European Union. The current ePrivacy Directive requires organisations to keep personal data secure and to notify individuals if their data is lost or stolen. Data breaches must also be reported to the relevant national authority.
Police in the US may soon be getting an iPhone add-on that will equip them with a facial recognition technology called MORIS (Mobile Offender Recognition and Information System). The device attaches to an iPhone and allows the police to take a photo of a person to determine if they are a suspect or have a criminal history.
Google Plus has launched, raising new questions about how the service handles personal information.
Mobile phone security expert David Rogers shares excellent, easy-to-understand tips and advice as he explains how 'phone hacking' takes place and what can be done to make sure your mobile phone communications stay private.