Office of the Privacy Commissioner | Annual Report of the Privacy Commissioner 2010
1: KEY POINTS
Information and communications
- We received 7,151 enquiries from members of the public and organisations seeking advice on privacy matters. This number was more than 500 up on 2008/09. Enquiry topics that stood out during the year included Google's collection of WiFi and other data during its Street View activities and New Zealand Post's competition and survey activity.
- Media enquiries have more than doubled over the last two years. In 2007/08 we had 133 media enquiries; last year we had 217 and this year we had 323.
- This year's Privacy Awareness Week, run with our partners from the Asia Pacific Privacy Authorities (APPA) forum, featured a successful one-day conference in Wellington on 'The Future of Privacy'.
- We formed an advisory group of secondary school students to listen to what they had to say about privacy. Drawing on the students' discussions and work, the group developed material (a brochure, poster and DVD) to be part of an educational kit for secondary schools.
- Our public opinion survey showed high levels of concern about individual privacy and risks to personal information on the internet. The UMR survey also showed a dramatic rise in New Zealanders' use of social networking.
- The Office delivered 35 workshops and seminars to members of the public and stakeholder groups as well as over 30 presentations by the Commissioner and staff to a wide range of audiences, such as health and business groups, both in New Zealand and overseas.
Investigations
- We received 978 complaints, up from 806 last year. This continues an upward trend in complaints.
- 25 percent of complaints were closed by settlement or mediation - an increase from last year. We try to move parties towards settlement, helping them to avoid the expense and stress of court proceedings.
- 97 percent of complaints are under 12 months of age, with 80 percent closed within six months of receipt.
Policy and technology
- We monitor 49 active government information matching programmes, 29 of which use online data transfers.
- Policy work during the year involved a wide range of projects with central and local government, the private sector, industry bodies and voluntary organisations. Significant areas we have worked on include border control, search and surveillance, and new frameworks for information sharing between government agencies.
- There continue to be significant health information privacy issues around the new National Health IT Plan, shared electronic health records, and governance of national collections of health information and biological material.
- Our follow-up survey on the use of portable storage devices by government agencies showed generally improved security around their use but some key agencies still need to improve their practices.
- We released a proposed amendment to the Credit Reporting Privacy Code inviting submissions from the public. The amendments result from a two-year review of the code, which included consulting a reference group of consumer and industry representatives.
- We began an inquiry into Google's collection of information from WiFi networks, to see whether Google's actions breached the Privacy Act and how we might prevent this situation from reoccurring.
International
- The Office played a key part in two new initiatives: the establishment of the APEC Cross-border Privacy Enforcement Arrangement (CPEA) and the Global Privacy Enforcement Network (GPEN).
- The Office contributed to several international forums including the OECD Working Party on Information Security and Privacy.
2: INTRODUCTION
Some headlines from our year
For a small office, we undertake an unusually wide range of work. The work is both fascinating and challenging.
Some examples are:
- we are handling an increasing number of complaints, enquiries and requests for assistance
- there are some additional challenges to privacy at the moment, with moves towards greater information sharing in government. This is taking up a lot of our time - we are trying to help public sector agencies find more efficient and cheaper ways of conducting their business while also maintaining privacy and the trust of people they deal with
- we are developing some simple tools for small and medium-sized businesses to help them manage personal information well
- we are trying to keep track of developing technologies such as geolocation services
- we have an active and important role in international privacy forums.
Throughout this report, we give specific examples of our work. Here are some headlines from our year to illustrate the range of things that we have done.
A step towards greater business opportunities
The Privacy (Cross Border) Amendment Bill (since passed into law) came before the Select Committee at the beginning of July, with strong support from us.
Passing the Bill is a vital step to enable the European Union to white-list New Zealand as a place to which businesses can confidently send personal information, knowing that we have top-class privacy protection. White-list status will give New Zealand businesses a competitive edge internationally and open up new trading opportunities, for example in data processing, cloud computing, and financial or call centre activity.
http://www.privacy.org.nz/report-by-the-privacy-commissioner-to-the-minister-of-justice-on-the-privacy-cross-border-information-amendment-bill/
Balancing privacy with needs of search and surveillance
The Select Committee hearings on the Search and Surveillance Bill were held in September. The Bill, by its nature, covers activities that are intrinsically privacy-invasive such as the power to search people and property, and using new technologies for surveillance.
We took the view that while the Bill was generally sound, it did not always strike the right balance between privacy and other interests. For example, we considered whether subjects of surveillance could be notified of the surveillance (even if only after the event); the need for warrants to be specific when information is collected from remote facilities (like internet storage sites); and the importance of having some processes to safeguard the privacy interests of innocent third parties (such as family members) caught up in surveillance.
The Law Commission did further work on the Bill during the year, including consulting with us and other submitters. We have recently concluded that the revised Bill provides better safeguards for privacy.
http://www.privacy.org.nz/search-and-surveillance-bill-2009-submission-by-the-privacy-commissioner/
http://www.privacy.org.nz/assets/Files/Reports-to-ParlGovt/Second-submission-to-Select-Committee-23-September-2010.doc
Complaints and our role in settlement put to the test
Our complaint investigation and settlement processes received some publicity during the year, following a high-profile disclosure of personal information about two beneficiaries by Social Development Minister, Hon Paula Bennett. The disclosure resulted in a complaint to us by one of the beneficiaries, and we investigated this complaint.
As usual with complaints, we encouraged the parties to see whether they could resolve the complaint in a mutually satisfactory way. However, they were unable to do so.
Since we found that the complaint had substance, we followed our normal process of referring it to the Director of Human Rights Proceedings for his consideration. The Director will decide whether to take proceedings in the Human Rights Review Tribunal.
http://www.privacy.org.nz/minister-s-disclosure-of-personal-information-media-release/
http://www.privacy.org.nz/privacy-commissioner-closes-investigation-about-hon-paula-bennett-refers-matter-to-director-of-proceedings/
Providing guidance for some key groups
In October, we released guidance material for businesses looking to install CCTV security systems. CCTV is a common technology, but small businesses in particular do not always know how to manage the privacy issues correctly or have the right CCTV system for their needs. The guidance includes an easy checklist to help businesses get it right.
The guidance has already come into its own, with some local authorities using it to adopt or modify their CCTV systems, and taxi companies considering it when installing security cameras in taxis operating in major centres.
We also published a booklet, Privacy in Schools, to help principals, teachers and boards of trustees deal with the privacy issues that schools commonly face.
Our youth advisory group also produced material to help secondary school students to better manage their own privacy.
Finally, we published guidance material for health practitioners dealing with mental health information.
http://www.privacy.org.nz/privacy-and-cctv-a-guide-to-the-privacy-act-for-businesses-agencies-and-organisations/
http://www.privacy.org.nz/media-release-new-privacy-guidance-for-schools/
http://www.privacy.org.nz/youth/
An enormous task for the Law Commission - and for us
During the summer, the Law Commission published two major volumes on privacy. The first was the report on Invasion of Privacy: Penalties and Remedies (on reform of such matters as offences and the development of tort law). The second was the issues paper on the Privacy Act itself (Review of the Privacy Act 1993).
We have kept in close contact with the Law Commission during its privacy project, and have made submissions on each area. Our submission on the Privacy Act discussion paper attempted to answer every question that the Law Commission had posed. We also provided the Law Commission with an options paper on possible enforcement models that a revised Privacy Act could implement.
http://www.privacy.org.nz/privacy-commissioner-welcomes-law-commission-review-media-release/
Privacy by design takes a great step forwards
After suggestions from us, the New Zealand Computer Society has introduced requirements in its new professional standards that IT professionals should build in privacy right at the start of their projects. The standards also mean that IT professionals should have a general understanding of the privacy principles. This should result in a far greater focus on 'privacy by design' - not purely as a matter of legal compliance, but because good privacy results in more effective IT systems.
The Commissioner also stressed the need for privacy by design in her keynote speech to the Biometrics Institute conference. Having privacy as a forethought rather than an afterthought avoids the need for costly add-ons, last-minute design changes or consumer backlash from launching a product that does not meet privacy expectations.
http://www.itcp.co.nz/files/PKCv1.pdf
http://www.privacy.org.nz/protecting-biometric-data-privacy-by-design/
Owning up to mistakes
One of the privacy breaches notified to us this year was ACC's mistaken mail-out of claimant information to the wrong employers.
Every month, around 15,000 businesses get a report from ACC about injuries that have occurred in their workplaces. In February, ACC's external mail-house did not collate all the information correctly. This resulted in approximately 2000 employers receiving information about claimants who were not their employees.
ACC followed our breach notification guidelines, including taking steps to retrieve the reports and get them to the correct businesses, letting the claimants know, checking procedures to prevent recurrence of the incident, and contacting us to let us know about the breach.
http://www.privacy.org.nz/privacy-breach-guidelines-2/
International commissioners band together
In 2010, international privacy commissioners started to join forces on breaches of privacy by corporations whose activities affect people in different jurisdictions. Collective action is particularly important for small countries such as New Zealand, whose citizens can only be properly protected if global solutions are found.
In the first example of its type, in April we joined nine other privacy commissioners to write an open letter to Google in response to its faulty launch of the Google Buzz product. Google Buzz was a new social networking service that Google set up for Gmail users. It identified people's frequent correspondents and automatically assigned users a public network of 'followers' from among those correspondents. Google did not properly tell people how the new service would work or that their followers would be visible for anyone to see. There was a significant backlash from the public, and, as a result, Google changed how Buzz worked.
The commissioners urged Google to make sure that fundamental privacy safeguards are incorporated into the design of new services rather than having to address problems after launch. The commissioners used the example of Buzz to remind Google and other international organisations of the need to comply with the local laws of the countries in which they operate.
International collaboration of this type is likely to increase as new cross-border enforcement initiatives under APEC and the global privacy enforcement network get under way.
http://www.privacy.org.nz/media-release-privacy-guardians-warn-multinationals-to-respect-laws/
http://www.privacy.org.nz/launch-of-new-apec-cross-border-privacy-enforcement-arrangement/
http://www.privacy.org.nz/global-privacy-enforcement-network-launches-website/
Getting electronic health records right
The draft National Health IT Plan, released this year, is an important step in New Zealand's movement towards devising an effective electronic health records system. As in other countries, New Zealand's health agencies are considering ways in which technology can enhance how health information is managed.
An electronic health records system can give both consumers and health providers better access to and control over health information. But such a system needs to be carefully constructed with privacy at the forefront of both the policy and technology decisions. We will continue to be involved as the proposals for the system take greater shape.
http://www.privacy.org.nz/comments-on-national-health-it-draft-plan/
Moving to more comprehensive credit reporting?
In June, we released a proposed amendment to the Credit Reporting Privacy Code for public consultation. If the amendment proceeds, among other things it would allow more comprehensive credit reporting in New Zealand, including reporting 'positive' information about people.
For some time, we have been considering whether the Credit Reporting Privacy Code still adequately deals with the realities of the credit reporting environment. In particular, it makes sense both for the public and for business for Australia and New Zealand to align the way our laws operate, since our major credit reporters operate both in Australia and New Zealand. Australia is considering making changes to its own credit reporting regulation, including permitting more comprehensive credit reporting.
http://www.privacy.org.nz/major-changes-to-nz-credit-reporting-regulation-credit-reporting-privacy-code-2004-proposed-amendment-open-for-public-submission/