Office of the Privacy Commissioner | Private Word Issue 81, June 2012
The people have spoken: UMR survey results
Cyber Security Awareness Week - 11-15 June 2012
OPC goes social!
Privacy Forum 2012: Privacy in the Age of Big Data - the highlights
Trust is the "sweet spot" for government and business
Advice for secondary school students, parents and teachers
Developing a new resource for primary schools
Inquiry into ACC and email leak
Credit reporting system changes
Human Rights Review Tribunal - Lochead-MacMillan v AMI Insurance [2012] NZHRRT 5
News around the World
The people have spoken: UMR survey results
by Privacy Commissioner, Marie Shroff
The New Zealand privacy landscape in the last couple of months has been dominated by data breaches, including the high-profile ACC incident. The findings of the ACC inquiry will, I hope, help other agencies too.
Government agencies need to get their act together - good personal information is part of core business. My impression is that, by comparison, many information-rich private businesses are more switched on to the value that personal information provides, and they protect it pretty vigilantly.
People now expect care to be taken. In a UMR survey in March[1], the New Zealand public gave a clear message that business and government need to be held to account for breaches of the Privacy Act. That doesn't just mean large data breaches, but could include a range of things like personal photos being posted online; wrongful withholding of personal information; and sub-standard security precautions.
Eighty-eight percent (88%) of respondents to the survey said they wanted businesses punished if they misuse people's personal information. The vast majority of respondents (a whopping 97%) also said the Privacy Commissioner should have power to stop a company breaching the Privacy Act.
Government agencies can't take comfort from the survey results. Eighty-two percent of survey respondents were worried about government silently sharing their personal information. Concern about health sector organisations sharing people's personal information without telling them nearly doubled from 32% to 60%.
But it's not all bad news for government and business. Around three-fifths of New Zealanders trust agencies to protect their personal information, with 65% trusting business and 68% trusting government to handle their personal information well.
What are people saying through this poll? They certainly want to hold organisations to account. They are also asking government and business to protect personal information properly, be up front about how it's used, and tell people immediately if their information is lost or stolen.
High level trends
In terms of big picture trends, overall concern about privacy in the last 10 years has risen to 67% (up from 47% in 2001). And not surprisingly, 84% of respondents were worried about information children put on the internet about themselves.
Social networking use has risen from 14% in 2007 to 54% in 2012. A massive 88% of people under 30 are now using Facebook. And the number of older users is also going up, with 20% of people over 60 years old now on Facebook.
The results show that people are increasingly conscious of privacy when they're online, so there are some lessons in here particularly for the internet corporate giants. Three-quarters of people have changed the privacy settings on their Facebook pages. Young people especially are making real efforts to control who sees their information.
Some of us have had our fingers burnt: 11% of people surveyed said that they regretted sharing some information on their Facebook page.
There's no such thing as a free lunch - our information is the tool the internet giants are using, and we don't necessarily like it. Three-fifths of respondents didn't like Facebook and Google tracking emails and internet use to target them with marketing and advertising.
But while people are saying they are concerned, there's still a certain level of naivety out there - a surprising 55% of New Zealanders still thought that Facebook was a "private space" - and that includes some people who had never changed their privacy settings.
See the survey results.
Article also published in Newsline.
[1] The poll was a telephone survey by UMR of 750 New Zealanders 18 years of age and older, conducted from 22 to 27 March 2012.
Cyber Security Awareness Week - 11-15 June 2012
NetSafe will be running the country's first ever Cyber Security Awareness Week (CSAW) in June and will be promoting free advice and information to consumers and small businesses as part of the government's Cyber Security Strategy.
It's estimated that cyber crime cost New Zealand $625 million in 2011 (Norton Cyber Crime 2011 report) as more and more people make use of internet technologies and use computer systems as part of their everyday lives for work and play.
More than 2000 adult New Zealanders are affected by cyber crime every day in the form of computer viruses and malware, credit card fraud, online scams, phishing and identity theft:
- The average loss reported to NetSafe's Orb website in 2011 was almost $4,300.
- The average security incident cost reported by businesses to the 2010 NZ Computer Crime and Security Survey was $15,000.
The NetSafe Cyber Security Initiative (NCSI) - the membership group behind the programme comprised of government and industry leaders - is one part of the published Cyber Security Strategy that aims to equip consumers and small businesses with the skills and resources to reduce the number of cyber incidents and money lost each year.
The national awareness raising programme is taking place 11-15 June 2012. CSAW and a new dedicated online cyber security website will be launched by the Minister of Communications and Information Technology Amy Adams in Wellington.
NetSafe's key themes for this year's programme are:
- Use strong passwords
- Update everything
- Back up your files
- Use a secure wireless network.
"These are basic computer security procedures," says Chris Hails, NetSafe's cyber security specialist who is overseeing the programme. "Unfortunately, we know from the hundreds of calls, emails and Orb reports we get from the public every month that many people haven't yet implemented them and as a result are having their email and social networking accounts hacked, their computers infected with malware or losing important business records with no way to recover the data."
"Our research undertaken last year showed that many Kiwis just don't know where to begin when it comes to computers or how to find reliable information. We hope that the events we have planned for the week will get people talking about the issues and taking steps to improve their home and business security".
The programme is a joint partnership between government and industry with 10 agencies and eight corporate partners involved including Google, HP, McAfee, Microsoft, MSN, Sophos, Symantec and Trade Me.
"We have also signed up almost a fifth of the top 100 largest employers in the country to help get the message out to staff and customers. It's important that everyone in the country who uses a computer is doing the Net Basics," says Chris.
Read more computer security advice and follow the week's activities at www.securitycentral.org.nz and www.facebook.com/netsafe.
OPC goes social!
Yes, we've joined the social media age, and now have a Facebook page and a Twitter feed. We're going to be doing things like posting regular tips for businesses, giving people quick advice about their rights and relaying interesting news stories.
You don't have to join Facebook or Twitter to follow what we're up to - simply click on the icons on our website and you can see what we've posted.
Of course, if you do already use Facebook or Twitter, you can get automatic updates by "liking" or "following" us.
We're still learning how to make these channels useful for you - which is the whole point of doing it. So let us know what you need and we'll do our best to deliver!
Privacy Forum 2012: Privacy in the Age of Big Data - the highlights
Over the coming months, we will be adding footage of the Forum to our Facebook page. You can read about and see the first of these highlights below.
Privacy Commissioner Marie Shroff
Big Data is a vital element of our future, said Privacy Commissioner Marie Shroff introducing the theme of the day: it's not necessarily going to mean the end of individual control over identity, but in the wrong hands, could damage an individual's control over their identity. Hear the Privacy Commissioner's introduction to the Forum.
Managing Privacy in the Cloud - the misconceptions and risks
Three things stood out over the past year in cloud computing: a voluntary code on cloud computing led by the NZ Computer Society; the Christchurch earthquake, which got people thinking about big data - if your office is battered, what's happened to your data?; and the Megaupload case - what happens if your data is being stored with a third party?
Vikram Kumar, Chief Executive, Internet NZ, asked the panel about the greatest risks and biggest misconceptions regarding cloud computing, and what practical things can be done to mitigate the risks. Here's what the panel had to say about the cloud.
Ben Kepes, Diversity Limited
Ben believes that regulation is decades behind the technology and this has created some real risks, especially when the public isn't really aware of the issues. He thinks the misconceptions borne through the commercial market can be ameliorated through education.
Ben went on to ask what happens when a big corporation gets taken out by the KGB, for example, and data is taken. He said the risks aren't really about the technology; it's about education. He sees that a code of practice will give prospective customers the right questions to ask.
Waldo Kuipers, Microsoft
Waldo doesn't see cloud issues as new. Some of the privacy issues are not specific to the cloud but have been around for some time, for example outsourcing, off-shoring and infrastructure.
Waldo believes the first port of call on the internet is to read the privacy statements. Think about a company's incentives (will a company boost its profits by profiling me?), its leadership, discipline and track record.
Dave Lane, President, NZ Open Source Society
A lot of people will be using the cloud whether they know it or not, said Dave. Dave asked what the privacy implications will be if a government service, such as a tax, or medical agency, elects to use the cloud to store data. The individual hasn't made an explicit decision to use the cloud in these situations and therefore the misconception is that we choose to sacrifice our privacy; in some cases the choice is made for us.
Dave believes that unless you stay off 'the grid', there's no way to mitigate the privacy risks that the cloud presents, and suggested that we become much more active users of these technologies and exercise our right to choose. He reports there are already "private clouds" for organisations worried about privacy. Hear Dave's other suggestions for mitigating cloud risks.
Online tracking technologies - what's going on out there?
Bruce Schneier
Bruce began by saying that data is the by-product of the information silo and that everything that we do with a computer creates a transaction record. For example, your cell phone creates a record, your ISP knows where you're going, and Google knows more about Bruce than his wife does.
Bruce said we're seeing a sea change in the world of personal data - all of 'this stuff' is increasingly stored and increasingly searchable. Data storage and data processing become free and stuff that you would have thrown away five years ago, you save, resulting in everyone leaving digital footprints throughout their lives. 'Big Data' knows exactly where we are, what we're doing and exactly who we're doing it with. Bruce doesn't think this is an issue of malice, but a by-product of pure technology.
Hear more from Bruce about:
- Legal systems - are they keeping pace with technology?
- Business trends - what's the value of the data?
- Law enforcement trends - living in a world where nobody forgets anything.
- People's attitudes to privacy online, the death of privacy and the pollution of the information age.
Rick Shera, Lowndes Jordan
Rick's two Big Data issues were anonymity and "the filter bubble". He said anonymity does away with 'isms' such as ageism, racism, or sexism and allows people to converse with fellow citizens or government. It enhances people's ability to protest, and is particularly important for public officials' ability to comment anonymously. It also gives us the "right to be forgotten".
The "filter bubble", by virtue of the technologies and profiling, means our profile is being created for us and delivered to us in a way over which we have no influence. This effectively means we start to live in an 'echo chamber', where our views are simply reinforced over and over again. Hear more on how Rick sees this happening and the consequences on privacy.
Trust is the "sweet spot" for government and business
Privacy Commissioner Marie Shroff's keynote address to the Managing Digital Identity conference 2012, "Locating the 'Sweet Spot': Controlling personal identity and privacy online", outlined the commodification of personal identity information and the way the information about us has value associated with it over and above its inherent, functional value. Commercial value accrued in a variety of settings from extracting that data, and from automating the processes that combine and refine it. Administrative value now accrued from storing and sharing that data.
Alongside that, there were governmental and corporate efforts to control identity information online. Marie Shroff noted the commercial pressure being exerted upon people to develop and maintain a singular and enduring "authentic" online presence. The effect of this pressure was to push the onus of awareness onto individuals and to underline the need for individual control. The behaviour of nation-state sized corporates has a bench-marking effect that underscores the need for ethical and perhaps even democratic practices. Trust is the "sweet spot" for government and corporate business models. It is an ongoing process, a relationship, which requires thinking and talking through.
See Marie Shroff's and other speakers' presentations at Managing Digital Identity in a Networked World Identity Conference 2012.
Advice for secondary school students, parents and teachers
There's lots of advice available for young people, parents and teachers, but sometimes it's hard to find what you need, when you need it. So to help, APPA (Asia Pacific Privacy Authorities) pulled together a list of useful links and tips from around our region.
Developing a new resource for primary schools
A group of primary and intermediate teachers, from Wellington and the Wairarapa, met with NetSafe and the Office of the Privacy Commissioner during Privacy Awareness Week to begin developing a new privacy resource aimed at primary schools. We are pleased that UNESCO is supporting this project.
"With teachers from a range of schools, including those from Porirua, Tawa and Greytown, we were able to hear a huge variety of views and ideas about where schools are at with privacy in today's digital world. We wanted to find out what type of resource would be most helpful to pupils and teachers," said Assistant Commissioner, Katrine Evans.
"By the end of the day, it was clear that the teachers want a resource geared towards being a responsible digital citizen; an online resource that can be used by both students and teachers working towards targets to becoming accomplished digital citizens," said Katrine.
The next steps in developing the resource will see further collaboration with NetSafe and the teachers, and will bring in some students to make sure the new ideas are going to be the right ones for them.
Inquiry into ACC and email leak
The ACC Board and the Privacy Commissioner have jointly commissioned independent investigators to review the circumstances surrounding the privacy breach at ACC involving a spreadsheet of information about 6,700 claimants that was emailed to another claimant, Bronwyn Pullar, last year.
The investigators will also look more widely at whether systemic or organisational weaknesses exist in the way that ACC handles personal information.
See the terms of reference for the review.
The Commissioner is also investigating how information about Ms Pullar in an email may have been leaked to the media.
As well, the Office is dealing with about 80 individual complaints related to alleged ACC breaches. These are being treated within the office's complaints system, which involves strict terms of confidentiality for all parties.
The Commissioner is unable to comment further while the investigations are continuing.
See also our media statement: ACC inquiry - Privacy Act complaints.
Credit reporting system changes
We've seen some major changes to the Credit Reporting Privacy Code this year. Here's a summary of those changes:
- The major changes to the credit reporting system in New Zealand came into force on 1 April 2012 as a result of two amendments to the code (Amendments No 4 and No 5).
- More comprehensive credit reporting is now permitted. Credit reports are now allowed to include a list of current credit accounts and information about whether consumers have made their repayments on those accounts on time (though, in practice, this may not happen immediately).
- Consumers can now ask credit reporters to "freeze" their reports if they think they're at risk of identity fraud.
- Credit reporters are now prohibited from listing small defaults of less than $100.
- Credit providers such as banks may use credit reporters to "pre-screen" direct marketing lists, to help ensure that marketing for new credit is responsible and not sent to those who cannot afford more debt.
- Credit reporters must now provide the Privacy Commissioner with annual compliance reports.
Read more about the changes and see the new consolidated code. See also our media release.
Human Rights Review Tribunal - Lochead-MacMillan v AMI Insurance [2012] NZHRRT 5
The Tribunal found that AMI had failed to respond properly to Mr and Mrs Lochead-MacMillan's requests for access to their personal information. It also found that the couple had suffered significant emotional distress, and awarded them $10,000 in compensation.
The Lochead-MacMillans had home and contents insurance with AMI. On 9 January 2010 there was a fire in their sleepout, and they made a claim the following day. AMI engaged a firm to investigate the circumstances of the fire. The investigation included inspecting the scene of the fire and interviewing the couple twice. The interviews were audio-recorded with the intention that the couple should see and sign transcripts.
From early February, the Lochead-MacMillans made requests for information, which they repeated at various stages. They became increasingly worried, as AMI had told them that there were "serious areas of concern" about the claim.
On 5 March, AMI told the couple that the investigation was complete and the claim had been accepted. It took some further time to finalise the amount of the payment. In the meantime the information requests were not addressed as AMI believed that the requests had been overtaken by the acceptance of the claim. This was not the case - the couple still wanted the information that they had asked for. This culminated in a request for the full investigation file on 8 July. AMI provided the requested information on 29 July, except for the investigation report which was withheld under litigation privilege. The report was eventually provided on 3 November after the Privacy Commissioner had investigated the couple's complaint and found that litigation privilege did not apply.
The Tribunal decided that the couple's request for a copy of the audio files was never acknowledged or complied with. At some point the audio files were destroyed. Their request for a copy of the interview transcripts was not properly answered - they received an incomplete transcript of the second interview within the appropriate time, but they did not get a copy of the first transcript until five months later. AMI had therefore failed to comply with the statutory time limits for making decisions on the requests. It had also failed to let the couple know of their right to complain to the Privacy Commissioner - they had only discovered from the internet that they had a right to make a complaint.
There was no basis for refusing to provide the investigation report, as it was not covered by litigation privilege - no proceedings were in contemplation when the investigators were engaged, or when the report was provided. Although the report was provided once the Privacy Commissioner had told AMI that it could not claim litigation privilege, it should not have been withheld in the first place.
The Tribunal commented:
"The information privacy principles are not abstract concepts of little relevance to daily commercial life. They are in fact fundamentals of good administration and designed to reconcile the interests of the agency collecting the personal information (an often valuable commercial asset) with those of the individual about whom the information is collected or held. ... [R]equests for access to personal information cannot be ignored by an agency or dismissed as being part of an unimportant, if not bothersome process ... [S]elf-interest alone, if not principles of good administration, demand full "good faith" compliance with the Act. The benefit of such compliance ... include ... the individual will be in a better position to understand the case he or she must meet and to more effectively present his or her case. ... The benefit to the agency is that it, in turn, is better informed as to the facts and therefore more likely to arrive at a sound decision. ... The bottom line is that the Privacy Act is a two way street."
News around the World
Changes to the Australian Privacy Act that better protect people's personal information, simplify credit reporting arrangements and give new enforcement powers to the Privacy Commissioner have been introduced into the Australian Parliament.
A recent Office of the Privacy Commissioner of Canada survey of over 1000 companies shows that many businesses are not using recommended technological tools or practices to protect the digitally-stored personal information of their customers.
The US Illinois Senate has passed a bill that would make it illegal for employers to ask employees or potential employees for their Facebook or Twitter passwords.
The CIA wants to spy on you through your TV: The Director of the Central Intelligence Agency says new apps and connected devices means people will be bugging their own homes with others being able to "read" these gadgets via the internet.
How can 1.2 billion people be identified quickly? With millions of people in India living in poverty, the government hopes that new technology behind the Aadhaar scheme will make it easier to help identify all those without official ID cards and struggling to receive assistance.
Who sees what you share on Facebook. 10 ways to protect your personal information from social networks.