The ACC breach - an interview with the Privacy Commissioner
Credit reporting changes proposed: Public submissions invited
Credit code workshops
News media, new media and privacy - more highlights from the Privacy Forum
Recent Human Rights Review Tribunal decisions
News around the world
What can we learn from the ACC breach?
Data breaches can happen easily - especially in today's digital environment. But, while the investigation showed that the ACC privacy breach was a genuine human error, it occurred due to systemic weaknesses within ACC's culture, systems and processes.
ACC and many other agencies that hold highly sensitive information on a large number of people need to have high standards of privacy protection and security.
For any organisation where personal information is essential to its core business, having the trust of its clients is vital. But an agency's attitude towards looking after personal information comes from the top. There needs to be strong leadership that emphasises respect for clients and their information.
Agencies need to have clear performance measures that include privacy. They also need to have a centralised reporting system for recording privacy complaints. There needs to be clear accountability for addressing privacy issues. For example, at ACC no records were being kept of complaints and nobody was reporting them to the Board or management.
Staff need to be aware of the value of data protection and of respecting the safeguarding of people's personal and private information.
Is the private sector better at safeguarding personal information than the public sector?
There are different drivers in both sectors - the private sector is motivated by competitive interest to ensure tight privacy protection. But, there is no room for complacency regarding privacy in either sector. There is a lot the private sector can learn from the ACC review too.
Are agencies and business getting the message?
The digital environment has crept up on all of us unawares - this sort of incident will happen when huge volumes of data are involved. Sometimes it takes a disaster to open people's eyes. Hopefully we won't see any more breaches on this scale but this incident shows that the risks are very real.
What advice can you give to agencies and business?
Any organisation that holds large amounts of personal information should be taking note of what has happened at ACC and learn from its mistakes.
To begin with, agencies should self-audit their information handling processes, and assess any weaknesses. Where necessary, make changes and put new processes in place. This could include staff training in privacy handling practices, implementing privacy audits, and knowing what to do if there is a data breach. We have guidance available on privacy breaches, which takes you through what to do when there's been a data breach.
Data breach notification isn't required by New Zealand law right now, but the Law Commission recently recommended that it should be made compulsory. That would bring New Zealand law into line with practice overseas.
What can the public learn from the breach?
There hasn't been a lot of attention given to what a person should do if they receive someone else's information - or many other people's information! If you or your organisation receives information sent by mistake, you have a legal responsibility to protect the privacy of the people involved.
My advice is pretty clear - don't hold onto information that isn't yours, and don't use that information as a sword. Treat the people to whom it belongs with respect and return the information to the rightful holder. If you can't figure out who or where that should be, hand it in to Police or contact my office.
Where to from here - will you be checking in with ACC in the near future?
The review recommends that an independent audit of how ACC has implemented changes is undertaken every two years and provided to my office, which I welcome. I will closely monitor ACC's progress.
Credit reporting changes proposed: Public submissions invited
The Privacy Commissioner proposes to make changes to the Credit Reporting Privacy Code to permit lenders to use the credit reporting system to meet their identity verification requirements under the Anti-Money Laundering and Countering Financing of Terrorism Act 2009.
From 30 June 2013, financial institutions such as banks, finance and credit card companies will be required to verify their customers' identities, to make sure they are trading with real people who have a known history.
Under the proposed changes, financial institutions will be able to run new customers through the credit reporting system to verify their identity.
Credit reporters will not be permitted to add these enquiries by lenders into the customer's credit score.
Submissions on the proposed amendment to the Credit Reporting Privacy Code are invited by 31 October 2012. View the proposed amendment and an information paper outlining all the changes.
Credit code workshops
During June to August, the Office ran workshops around the country aimed at CAB and budgeting advisers and community lawyers to publicise the changes made to the Credit Reporting Privacy Code this year.
"As positive reporting gains traction it's important that advisers and advocates understand what it means and the implications for their clients," said Assistant Commissioner Blair Stewart. "Talking directly to the people who give advice is an effective way to help make sure the messages about the code changes reach the people who need to know."
Other key areas highlighted in the workshops were access and correction rights and credit freezing.
During the process for making changes to the credit code, the Office met with credit reporters, lenders, consumer groups, and other organisations, and it was agreed that everyone was responsible for ensuring the public is made aware of the changes. The reference group developed key messages and from this the Office produced a set of materials for consumers.
The Code contains a summary of rights, translated into 11 different languages, which are on the website, along with other material about the code. Credit reporters are required to make the summary and translations available to consumers.
News media, new media and privacy - more highlights from the Privacy Forum
At the May 2012 Privacy Forum, Trade Me's Mike O'Donnell introduced Professor John Burrows from the Law Commission and "Kiwiblog" David Farrar, who both spoke about the news media, new media and privacy. You can listen to their presentations on our YouTube page. Following is a summary of the session.
How is news media defined?
In December 2011 the Law Commission released an issues paper (27), The News Media Meets New Media. Referring to the paper, Professor John Burrows looked at how the news media is currently held to account - through the Press Council and the Broadcasting Standards Authority (BSA). The BSA, though, can only deal with broadcasters as defined in the Broadcasting Act, which doesn't include many websites. And the Press Council doesn't extend its jurisdiction to news websites such as 'Scoop'. This means there are big gaps where certain types of news media are not regulated at all.
Professor Burrows then looked at how the news media should be defined, given that it is exempt from the Privacy Act. Does it include new media, for example websites and blogs?
The Law Commission is proposing that communicators of news should only be exempt from the Privacy Act if they are regulated in some way, and that the regulation has privacy principles in its codes and laws of practice. The Commission is leaning towards having a single media regulator that can regulate all types of media speech, websites, newspapers, broadcasters, and even blogs, provided they come within the broad definition of news media.
Online 'speech harms'
The second part of the Law Commission's issues paper is about speech harms made online. Professor Burrows explained that there's no doubt that online communications can be used to harm people in a serious way - such as websites set up for exactly that purpose, and sometimes comment threads on blogs, and Facebook and Twitter comments. Other examples included cyberbullying involving kids, impersonations such as false Facebook pages, offensive publications, and online threats to kill, injure or damage property.
The Law Commission suggests that the law needs updating, and that in the digital age there are gaps that need to be plugged, such as the domestic affairs exemption in the Privacy Act. Professor Burrows explained that currently, if you put photos of family on the internet, you are exempt from the Privacy Act, so if you take a naked picture of your partner and put it on a website it's arguable that the Act doesn't cover it. If information is already publicly available, you don't break the Privacy Act by publishing it further - once something is up there, you can spread it. The Law Commission would like to see limits placed on these situations, so that if you use information offensively, it's a breach of the Privacy Act.
Professor Burrows then asked: while it's all very well to bring the law up to date, how do you enforce it? At the moment, you can make a complaint to the Privacy Commissioner, and Netsafe can mediate and direct people to the Police - but Netsafe has no power. The Police can help if there's an offence, but they can be busy, their processes are sometimes drawn out and they say they can't help with all enquiries. Many websites have excellent moderation policies and deal with complaints well. Sometimes Court action is possible, but it's expensive, public and there can be delays.
So the Law Commission has suggested that some body might be set up to give fast, expedient and efficient justice without the necessity of going to a court of law. One possibility is a type of Commissioner with the official authority to request that material be taken down, or to approach Facebook or Google directly; another is a Tribunal with court-like powers that could act quickly and informally. Hear more from Professor Burrows.
David Farrar, Kiwiblog
When David Farrar started Kiwiblog in 2003, he didn't imagine he'd be thinking about privacy or talking about it at conferences - he was motivated by being able to talk about issues. But, since Kiwiblog's inception, David has had to consider how he protects the email addresses of 8,000 registered commenters and the anonymous speech on his blog.
One of David's biggest challenges is respecting his commenters' privacy. Comments leave behind IP addresses, which can often effectively reveal who those people are. And of the 22,000 posts, many mention people and sometimes raise privacy issues. David receives a lot of email offering interesting leads and he goes to great lengths to protect his sources. If he didn't, people would stop contacting him.
David believes that under current law Kiwiblog is news media and therefore exempt from the Privacy Act. What is less clear is whether the whole site is exempt or just parts of it; for instance, is the comments section news? David thinks that a common, harmonised definition of news media would be a good thing. He hopes there will be a combined media code on the appropriate use of personal information, including information sourced from social media.
- 235915 A hospital employee disclosed health information about a woman to a mutual friend
- 228129 Sensitive health information disclosed
- 232613 Man seeks access to loan documents completed by former wife
Holmes v Ministry of Social Development  NZHRRT 19 (Note: This case has been appealed to the High Court)
The Tribunal found that MSD had failed to adequately deal with two separate requests Mr Holmes made for his personal information. It made two awards of $10,000 and $7,000 respectively to reflect the humiliation, loss of dignity and injury to feelings he had suffered.
Mr Holmes, a WINZ beneficiary, made two separate requests for his personal information from WINZ. Although WINZ responded within 20 working days to the first request, they failed to do so with the second request. Neither of WINZ's responses adequately addressed Mr Holmes' requests and accordingly, there was a deemed refusal by WINZ to make the information available. The Tribunal held there was no proper basis for the refusal, despite WINZ's claims that Mr Holmes' requests were unclear.
The Tribunal found the withholding of information was not only unjustified but left Mr Holmes without the means of knowing whether, had the information been provided, it would have been possible to have used the information to obtain a benefit such as a review of his rate deductions.
In making the award of damages, the Tribunal pointed to a substantial imbalance of power between an agency such as WINZ and its clients and held the two failures to provide information to Mr Holmes to be sustained and systemic. It held that while each breach took a separate toll on Mr Holmes, their impact was also cumulative and enhanced Mr Holmes' feelings of insignificance. It referred to the case of Lochead-MacMillan  NZHRRT 18 which it said was a similar case to this in terms of the harm suffered.
Fehling v South Westland Area School  NZHRRT 15
The Tribunal found that South Westland Area School (SWAS) had withheld information from Mr Fehling, pursuant to his request for personal information, without a proper basis to do so. It awarded $10,000 in damages to Mr Fehling to reflect the humiliation, loss of dignity and injury to feelings he had suffered.
While he was lawfully staying on a part of school grounds which had been leased by SWAS to one of its senior teachers, Mr Fehling was served with a trespass notice by Police requiring him to stay off the entire school grounds. When Mr Fehling asked SWAS for the reasons for the issue of the trespass notice, SWAS declined to provide them. After intervention by the Ombudsman, Mr Fehling was told that complaints had been made to the school caretaker that Mr Fehling had been using the pool, showers and toilets at the school. Mr Fehling denied these allegations and under the Privacy Act, sought the names of the individuals who had made the complaints. SWAS declined to provide the names under section 27(1)(d) (disclosure would likely endanger the safety of an individual) and section 29(1)(a) (disclosure would involve unwarranted disclosure of the affairs of another). The issue for the Tribunal was whether the information had been properly withheld.
The Tribunal heard evidence from the school principal, the school caretaker and Mr Fehling. The Tribunal heard how the school caretaker had reported to Police the concerns of the relief caretaker (her daughter) and members of the community which resulted in the trespass notice being served. The school principal also gave an account of complaints received against Mr Fehling from members of the community.
The Tribunal found Mr Fehling to be a credible and compelling witness who "cares passionately about his deeply held convictions". It found "it would appear that some mistake his passion and intensity for anger or intimidation". Whilst finding the school principal and caretaker also to be credible witnesses, the Tribunal noted that the principal "largely reported the untested but nevertheless prejudicial views of others" and the caretaker's views of Mr Fehling were "not based on rational grounds".
The Tribunal held there was no evidence that Mr Fehling acted unlawfully or improperly at any time whilst on SWAS grounds and that he had been made the victim of a substantial injustice. It found there was a complete absence of evidence to establish that the disclosure of the names of complainants would be likely to endanger the safety of any individual. It therefore followed that SWAS was not entitled to refuse disclosure under section 27(1)(d). In respect of section 29(1)(a), the Tribunal found that disclosure of the identity of complainants was necessary for Mr Fehling to defend himself against the allegations made against him and that there was a complete absence of credible evidence that the informants would suffer in any way should their identity be disclosed. It therefore followed that SWAS was not entitled to refuse disclosure under this section either.
In making the award of damages, the Tribunal referred to the case of Lochead-MacMillan  NZHRRT 18 in which the same sum was awarded and noted that although the award was substantially higher than that sought by Mr Fehling, "it is important that awards by the Tribunal have consistency".
The US Senate Foreign Relations Committee unanimously approved a resolution opposing international efforts to give a United Nations agency more control over the Internet.
In Victoria, Australia, the public transport authority is increasingly handing over information about 'myki' users' movements to police, raising concerns that the smartcard is being used as a tracking device.
US undercover law enforcement officers used smartphones and tablets as surveillance tools to watch and identify individuals at a recent political protest.
A US federal initiative called the "National Strategy for Trusted Identities in Cyberspace" has been encouraging the high-tech industry to work with government to find alternatives to simple passwords in order to foster more secure online transactions.
Social media expert Ananda Mitra coined the word "narbs" to describe the small pieces of information floating in the digital sphere. His research shows that using social media to spread hate messages is a trend, not a fad, and that narb patterns may have predicted the recent violence in Libya.