logo-desktop.png

Print | Email this page

Private Word Issue 79, December 2011

title=

BEST WISHES FROM THE PRIVACY COMMISSIONER


Privacy Awareness Week 2012: Identity Conference 2012 and Privacy Forum
APPA Forum 2011, social networking survey results and privacy professionals' summit
ACC's Privacy Champions
Case Notes
Keeping safe online
Credit Reporting Privacy Code
Annual Report
Privacy Officers' Round Table - Auckland
Modernising the law: Law Commission review update
New advice for seniors
International Conference of Data Protection and Privacy Commissioners, Mexico
Michael Moore-Jones - a student with lots to say about online communication
Privacy debacle in social network site rollout leads to better things
News around the world

Privacy Awareness Week 2012: Identity Conference 2012 and Privacy Forum
Privacy Awareness Week (PAW) is 29 April-5 May 2012. There will be two major privacy-related conferences in Wellington during PAW. The Identity Conference 'Managing Digital Identity in a Networked World' is on 30 April and 1 May 2012 at Te Papa Tongarewa and our own Privacy Forum is on 2 May 2012 at the Intercontinental, Wellington.

 

title=

Registrations are now open for both - get in early to get the cheapest possible deals! Read more and register here.

APPA Forum 2011, social networking survey results and privacy professionals' summit
APPA commissioners and other delegates met recently in Melbourne to discuss privacy developments around the region. Read a summary of the meeting.

As part of the meeting, the participants released the results of a region-wide survey on social networking, conducted during May. There were around 10,000 responses, mostly from Mexico, Australia, New Zealand, Hong Kong and Korea. Read our media release and the survey results.

Summit for privacy professionals
The day before the APPA meeting, many of the APPA delegates also attended a summit for privacy professionals hosted by iappANZ (the Australia/NZ chapter of the International Association of Privacy Professionals). The summit featured presentations on topics such as law reform proposals in Australia and New Zealand, e-health records, a possible statutory privacy tort in Australia, civil society perspectives on global developments and social media. Speakers included Mike Flahive and Katrine Evans, Assistant Commissioners with our office.

The keynote speaker was Alessandro Acquisti from Carnegie Mellon University who has recently conducted empirical research on various issues with privacy implications. He demonstrated that we remember negative information about people, but tend to discount positive information - a finding that has real implications for current debates about the right to be forgotten. He showed that we share more information when we feel as if we're in control of who sees the information, a dangerous tendency if that control is illusory. Finally he showed what you can learn about someone simply from a photograph of them - facial recognition technologies are becoming powerful enough to positively identify people with increasing success, so that other information about them can then be sifted from their social networks, other online information and CCTV systems.

The Hon Michael Kirby gave a thought-provoking speech looking back over the 30 years since he chaired the OECD committee that developed the privacy principles that are the foundation for most of our privacy laws. He remains a very strong advocate of privacy, and was positive about the future, including our ability to develop complex systems such as e-health and to use new technologies in a privacy protective way.

iappANZ has recently produced its first survey of the functions and salaries of privacy officers in Australia and New Zealand. The survey produced some useful information about where privacy officers sit in their organisations (eg legal, HR, senior management) and what other work they have to perform, the tasks they spend most time on (eg responding to incidents, developing training, developing policy), their salary levels, the maturity of their privacy programmes, promotion paths and so on. The survey report is available to iappANZ members.

Further details of the summit and information about iappANZ is available at http://www.iappanz.org/.

ACC's Privacy Champions
The honour of Privacy Champion has been bestowed on staff in each of the Accident Compensation Corporation's 25 branches as part of its nationwide privacy training programme, which began in February this year.

"We wanted to recognise each person who had completed the training to acknowledge they are key in their branch in assisting with privacy issues. The Privacy Champion certificate is like having a privacy licence," said ACC's Miriama Henderson, Manager Government Services.

Business Manager, Jason Lardelli said their objective was to build privacy into day-to-day business, rather than it being an add-on or a reaction to an issue. "ACC has a lot of staff dealing with a lot of personal information, so it's vital that staff are aware of the privacy principles," said Jason.

ACC-Privacy-Champions-padlock-2011.JPG

As well as being a privacy champion, staff members can be recognised for their good privacy work with ACC's privacy award. ACC also produced a ready-reference set of privacy principles cards, linked together with a padlock. The final card in the set sums up ACC's privacy training: 'Privacy is everybody's responsibility.'

Workshops were first held for managers, as the first stage in training, followed by training for the Privacy Champions. The branch staff members completed an online module focussing on the Privacy Act, the Health Information Privacy Code and the Official Information Act. New staff members will complete the online module as part of their induction, and staff will revisit it annually to refresh their knowledge.

Jason said, "Our aim is to build privacy capacity across the business. We want to spread the knowledge and ability across the branches, so that privacy queries or complaints are able to be dealt with at a local level, rather than relying on head office."

"Some staff deal with difficult clients in frustrating situations. Staff need to be able to stand back, remove some of the emotion and deal with the situation, thinking clearly about the privacy implications," said Jason.

"We've had really good feedback about the workshops - the branches have been really positive," said Miriama. "The challenge was to develop something that worked for everybody. We wanted to get across that 'privacy is commonsense in action'."

Case Notes

  • 228235 Man complains about nurse disclosing personal information about him to a mutual friend
  • 231747 Authority of all executors not necessary to release deceased person's health information
  • 229963 Man refused copies of complaints about his aggressive behaviour
  • 225274 Man complains about telecommunications company publishing his confidential telephone number.

Keeping safe online
We've recently revamped our privacy tips for keeping safe online. We've also added new information about protecting your children online. Our privacy tips aim to raise awareness about some of the risks and offer some practical tips to keep you and your family safe.

Read the tips.

Credit Reporting Privacy Code
In October, the Privacy Commissioner announced changes to credit reporting law, which mark the start of a new more comprehensive credit reporting regime for New Zealand. New rules affecting what can be reported about your credit history and repayments will apply from 1 April 2012.

The amendments will represent a fundamental shift in credit reporting in New Zealand. For the first time, the new system will let credit reporters collect information on the actual amounts of credit extended to individuals. Lenders will also be able to upload information to credit reporters, on a monthly basis, to show whether individuals have met their monthly credit repayments.

This new system will amass much larger collections of detailed and sensitive financial information on New Zealanders. There is therefore a strong need to make sure that individuals' interests are appropriately protected. We have introduced special provisions to try to ensure a high level of compliance, to make sure that individuals are fully informed about the process and that access to the information is strictly controlled. In addition, a new system of 'credit freezes' will be available for individuals who are at special risk of identity fraud.

The pay-off for New Zealand and individuals should be an enhanced ability to assess creditworthiness. International evidence suggests that this can bring economic benefits in terms of risk management for business and improved credit arrangements for individuals.

Read more ...

Annual Report
During the year, the Office issued the Christchurch Earthquake (Information Sharing) Code 2011 (Temporary) and Amendment No 4 to the Credit Reporting Privacy Code 2004. We produced guidance material aimed at seniors and the wider community, released our health information toolkit, and published on our website 'Getting Started' - to help agencies with privacy when developing policy projects. We made substantial progress in securing a finding from the EU that New Zealand offers an 'adequate standard of data protection', and kept in close contact with the Law Commission on its review of privacy. These are just some of the highlights of the 2010/11 year. View the key points and introduction and the full report.

Privacy Officers Round Table - Auckland
PORT is a voluntary, self-managing group of privacy officers (or people working in that field) in both public and private sector organisations.

Auckland PORT members are mostly from the banking and financial sector, insurance, health and education sectors, but people in privacy related roles from all sectors and organisations are encouraged and welcome to join. Auckland PORT meets quarterly. The meeting venue varies according to which member is hosting the meeting.

If you are interested in coming to an Auckland PORT meeting, or for further information, please contact Sarah Boardman at Westpac on 09 352 0922 or sarah.boardman@westpac.co.nz.

"Auckland PORT provides its members the opportunity to share information, learn and network while discussing privacy best practices, and own experiences within an informal and supportive environment", says Sarah Boardman.

Read more about PORT and Wellington PORT.

Modernising the law: Law Commission review update
The Law Commission's four and a half year review of privacy has been a major focus for the Office. The final report, looking at the Privacy Act, was released by the Commission in August.

The report endorses the principle-based and technology-neutral approach of the Privacy Act, while also making numerous recommendations for change to ensure New Zealand law is better equipped to deal with technological challenges.

The Law Commission has been careful to preserve the best features of the Act, such as its ability to resolve large numbers of disputes at low cost, while making it more effective in key areas - particularly by tackling the Act's key weaknesses in dealing with systemic (rather than complaint driven) issues and in relation to enforcement.

The Law Commission has not suggested change for change's sake. Some of the recommendations are for the development of guidance, rather than changing the law, where legal rules would impose unnecessary costs on business, or be too inflexible.

The Government response to the review is expected in early 2012. Any proposed law change would then go through the usual Parliamentary process.

See the Law Commission privacy reports and media releases at www.lawcom.govt.nz.

New advice for seniors
With support from Neighbourhood Support and the Office for Senior Citizens, the Office produced advice cards aimed at seniors and the wider community. The cards were launched by Dame Catherine Tizard and Wellington Mayor Celia Wade-Brown hosted the event.

The cards offer advice on financial privacy, scams, health information business use of information and keeping safe online.

Earlier in 2011, we met with a focus group of people who work with and for senior citizens. The group told us that these five topics were the things that most concerned older people, and what tips might best help those people. They also told us what forms of guidance material would be most useful. The result is this set of cards, which we hope will be helpful for people of all ages in our communities.

The cards have been distributed nationwide through community and key organisations for older people and can also be ordered or downloaded from our website.

Launch-of-advice-cards-2011.jpg

Dame Catherine Tizard, Neighbourhood Support Roger Eynon, Privacy Commissioner Marie Shroff, and Positive Ageing Ambassador Marlene Mulholland QSM

International Conference of Data Protection and Privacy Commissioners, Mexico
Mexico's Federal Institute for Access to Information and Data Protection (IFAI) hosted the 33rd International Conference of Data Protection and Privacy Commissioners 'Privacy: The Global Age' on 2 and 3 November 2011.

Privacy Commissioner Marie Shroff said, "There were three big issues that came out of the conference. The first was Facebook. We're still concerned about the ways Facebook is continuing to gather and use people's information. Second, ‘Big Data' - there is literally more and more data being held everywhere, by businesses and governments, and with this goes the greater ability for ‘big analytics'. Where there's data, there are people who want to do something with it. And third, there has been tremendous growth in data collection and with that needs to come international regulation. The multinationals are watching us - and we, the international regulators, need to get our global act together."

Read more about the conference and the 2011 resolutions.

Michael Moore-Jones - a student with lots to say about online communication
Year 12 student Michael Moore-Jones isn't worried about privacy. He thinks that's the wrong word. "Privacy is the same as it's always been. What the current problem is is openness. People aren't sure how to react to new tools like Facebook and Twitter and so are being more open than is perhaps sensible," says Michael.

Passionate about the tech industry, Michael was handpicked to be part of a global think tank of young people called 'The Digital Life Academy', which is interested in areas such as online privacy, data and content ownership, and content monetization. The group met for six weeks in Singapore in July this year.

MyCube is the company associated with the Academy. "It's a new social 'exchange' that aims to let people charge from and have full ownership of their content. They [MyCube] believe that the Facebook monopoly is disastrous and want to tear it down through offering an alternative," explains Michael.

While in Singapore, Michael co-founded the social networking site Duo with Swedish developer, Michael Bergman. "Ten years or more ago, people used to send letters to each other. They wrote about the details of their lives. They kept these letters because they were inherently valuable, and later they can look back through their communication history," says Michael. "We built Duo on the premise that unless people have a place on the Internet to communicate privately with the people who are most important to them, they risk losing the details of these relationships forever. We want to keep relationships personal and memorable. A lot of users on Duo are young couples in long distance relationships."

The Duo founders see their job as monitoring usage and changing the product to reflect what people want and how they're using it. They can't see anything written by users; they can only access the generic information provided on a user's account page. And they promise never to sell or provide users' personally identifiable data or information to third-parties without users' consent. Duo has a short, sweet and easy-to-understand privacy policy.

Michael doesn't think the fundamental types of communication - which he sees as private and broadcast - will change; only the medium will. "The problem with Facebook is that we are encouraged to broadcast, even when wanting to communicate privately with friends. We post personal messages on a friend's wall because Facebook says we should - even when a private message would be more suitable."

"I think people will realise that there is more value in private communication, and we may see a decrease in the number of public broadcast messages in a few years," says Michael.

To read more of what Michael has to say, see his blog.

For more on youth and privacy, see our youth privacy kit - Your information - but is it really yours?

Privacy debacle in social network site rollout leads to better things
The global rollout of Google Buzz in February 2010 led to an outcry from Google Gmail users and privacy regulators. You'll know the story but, in essence, Google mail, a private, one-to-one web based email service, was converted into a social networking service raising concerns amongst users that their personal information was being disclosed.

Google had automatically assigned users a network of 'followers' from the people with whom they had corresponded on Gmail. And this happened without adequately informing users about how the new service would work, or providing them with enough information to enable an informed decision.

Users instantly recognised the threat to the privacy and security of their personal information and were understandably outraged. To its credit, Google apologised and moved quickly to stem the damage.

The serious privacy problems associated with the initial launch of Google's Buzz stand both as a cautionary tale and a pointer to better practice from Google in the future.

Google's actions had global ripples. Privacy commissioners from 10 countries, including New Zealand, representing over 375 million people, spoke with a common voice to remind Google that it must comply with the privacy laws of each country when it rolls out products and services.

The commissioners' letter to Google was signed by the heads of data protection authorities in Canada, France, Germany, Ireland, Israel, Italy, the Netherlands, New Zealand, Spain and the UK.

And in the US the Federal Trade Commission began an investigation into a complaint of alleged deceptive privacy practices. As an outcome of that investigation, a consent order was agreed to by Google that obliges it to implement a comprehensive privacy programme to protect consumer data.

The FTC consent order seeks to prevent Google from engaging in similar practices to those alleged in the complaint with respect to all other Google products and services, not just Gmail and Buzz. Apart from the far reaching obligations to put a comprehensive privacy programme in place, the order requires clear notice, affirmative consents and imposes reporting and compliance obligations.

I wrote to the Chair of the FTC and filed public comments with the Commission. I said that NZ consumers were affected by the Google Buzz rollout and they will be affected by the proposed consent order. I also gave my support to the consent order - it represents a very promising move on behalf of consumers, whether based in the USA or elsewhere.

The consent order with Google has now been finalised and made enforceable. The Secretary of the FTC wrote to me agreeing that the consent order as a whole, and the provision requiring a comprehensive privacy programme in particular, will benefit consumers in New Zealand who use Google's products and services. The FTC acknowledges the usefulness of cross-border collaboration in privacy enforcement.

Coincidentally, Google's Global Privacy Counsel wrote to update the 10 privacy commissioners who expressed concern about the Google Buzz rollout, acknowledging the privacy mistakes made by Google and to indicate that lessons have been learned.

Google has launched replacement services that have avoided the problems associated with ill-fated Google Buzz.

Google Buzz has been a catalyst that has enhanced cross-border cooperation among the world's privacy commissioners. It also has forced Google to look carefully at its privacy practices and, as a result of FTC enforcement action, there is now a comprehensive privacy programme in place across the diverse operations of that company.

This article was written for New Zealand Computer Society Newsline, 9 December 2011.

See the following world news about Facebook and its privacy compliance problems.

News around the world
Facebook has agreed to settle the US Federal Trade Commission charges that it deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public. The proposed settlement requires Facebook to take several steps to make sure it lives up to its promises in the future, including giving consumers clear and prominent notice and obtaining consumers' express consent before their information is shared beyond the privacy settings they have established. Read more ...

In the UK, an ambitious multibillion pound programme to create a computerised patient record system across the entire National Health System is being scrapped, ministers have decided. The £12.7bn National Programme for IT is being ended after years of delays, technical difficulties, contractual disputes and rising costs. Read more ...

The Australian Privacy Commissioner found that Sony Australia did not breach the Privacy Act 1998 after investigating an incident where third parties accessed users' private information without their consent. Read more ...

In September, the US Federal Trade Commission proposed changes to regulations covering online privacy for children. The Commission said revisions to the law (COPPA - the Children's Online Privacy Protection Act) were required in the light of "an explosion in children's use of mobile devices, the proliferation of online social networking and interactive gaming." Read more ...

World Wide Web Consortium (W3C) released the first draft of two standards intended to protect the privacy of Web users and allow them to opt out of Web tracking systems. The standards aim to encourage websites to tell users whether their activity on that site is being tracked. They also include a proposal to let individuals stipulate that they do not want their activity across the various sites they visit tracked. Read more ...

The Biometrics Institute launched its Biometrics Privacy Charter on 30 November 2011. The charter is intended to be a guide across many different countries and jurisdictions. It is based on the principle that citizens, when providing their biometric, have a right to expect that those who design, implement and manage that biometric understand its unique value and are committed to a Charter that ensures best privacy practice in biometric design, policy and management. Read more ...

News & Publications

Back to top