Office of the Privacy Commissioner | Annual Report of the Privacy Commissioner 2009
View the full Annual Report.
KEY POINTS
Information and communications
- Our nationwide public opinion survey showed that concern about personal information and privacy issues has grown or remained high, especially in relation to the internet and business.
- We received 6,632 enquiries from members of the public and organisations seeking our advice on personal information and privacy matters. This was more than 1,200 up on 2007/08.
- There has been a large growth in media interest with 216 media enquiries received. Our average number of media enquiries in recent years was around 150 per year.
- We published 'Privacy at Work' to provide straightforward guidance on privacy issues for employers and employees.
- Our survey on use of portable storage devices by government agencies identified a need for many agencies to improve their practices.
- We held two Privacy Awareness Weeks during this reporting year, working with our partners from the Asia Pacific Privacy Authorities (APPA) forum, and with strong support from business and government agencies in New Zealand.
- The Office delivered 60 privacy education workshops and seminars to members of the public and stakeholder groups as well as over 40 presentations by the Commissioner and staff to wide range of audiences (such as Chambers of Commerce, health or business groups).
Investigations
- 806 privacy complaints were received, up from 662 in the previous year.
- 24 percent of complaints were closed by settlement or mediation, which is a large increase.
- 95 percent of complaints are under 12 months of age, with 83 percent closed within six months of receipt.
Policy and Technology
- There are now 50 active government information matching programmes that we monitor, 27 of which use online data transfers.
- Policy work during the 2008/09 year involved a wide range of projects with central and local government, the private sector, industry bodies and voluntary organisations. Significant areas include border control issues, employee browsing, and research and consultation on information sharing in government.
- Health information privacy continues to raise significant issues, for instance electronic health records, newborn metabolic screening and expansion of the DNA database used for criminal investigations.
- The Law Commission's major review of privacy continued. By the end of the reporting period the Commission was beginning the review of the Privacy Act itself. Final reports are expected during 2010.
- The major review of the Credit Reporting Privacy Code involving industry and other stakeholders has commenced and will continue through 2009/10. Current Australian reforms in the area will be taken into account.
- We released the findings of an 'own initiative' inquiry into the practices of medical insurance companies in seeking full medical records.
International
- The OECD adopted its Recommendation on Cross-border Cooperation in the Enforcement of Laws Protecting Privacy, which the Office helped to develop.
- The Privacy (Cross-border Information) Amendment Bill will eliminate barriers to cross-border enforcement cooperation. It should enable New Zealand to obtain a finding from the European Union that our law is adequate', providing legal authority for European agencies to freely send data to New Zealand for processing.
- At our initiative, the International Conference of Data Protection and Privacy Commissioners established a process to seek observer status before APEC, the OECD, Council of Europe and the International Organization for Standardization (ISO) ensuring privacy input into international policy and standards development.
INTRODUCTION
Recessionary economic pressures have been pre-occupying most sectors of the economy in the past year. Demand for many products and services has taken a dive. Businesses are re-grouping to cope with the huge challenges they are facing. They are re-evaluating essential priorities and shaping future directions. This may involve re-thinking the way businesses collect, store and use personal data. Practices that were adequate to carry a business through the boom times may not stack up when competition for the next customer is fierce. A recent KPMG survey showed that eight out of 10 organisations were looking to IT-based solutions as a way to cut costs and manage through the difficult economy.[1] Good customer data handling can be designed in, and become a competitive advantage for businesses.
The public sector is affected differently by the recession - there may be no shortage of customers, but there are redundancies, budget cuts and the expectation to do more with less. Like business, the public sector needs to equip itself for surviving not only the gloom of today, but for brighter days in coming months. I question whether public sector leaders are grasping that opportunity to lift their ICT practices - certainly when it comes to the way citizens' data is handled. Recent events and reactions have given cause for real doubt - such as the data breaches reported to us. The power of information technology is one of the big stories of the 21st century. It poses an enormous risk - and any responsible public sector manager should be doing a risk analysis on how information is handled in their agency and making sure there are protections in place.
Technological functionality carries some inherent business risks. If the organisational culture is silent when it comes to information security and protection of personal information, some employees will fill in the gaps - not necessarily correctly - and with consequent reputational and business damage. We have responded proactively by trying to assess the level of risk that public sector agencies, in particular, may face. Our survey on the use of portable storage devices (PSDs) was one example; another was the study of data encryption in government data matching programmes.
PSD survey results - personal information at risk
The PSD survey was the first of its kind undertaken in New Zealand to find out what precautions government agencies are taking to secure New Zealanders' data.
PSDs include USB sticks, cell phones, BlackBerries, iPhones, iPods, MP3 players, PDAs (personal digital assistants) and netbooks. They are used for a variety of purposes, including: to take work home or information to meetings; as temporary file storage or backup; or to transfer sometimes sensitive bulk data between organisations. They are small, lightweight and can store vast amounts of information. PSDs are easy to use and easy to lose. Surveying PSD use provides an indicative snapshot of how agencies are protecting data.
We were particularly concerned about the use of personal PSDs in the workplace. It is so easy to mislay one, or to accidentally disclose sensitive information by, for example, lending a USB stick to a friend. People using personal PSDs for work are also more likely to accidentally take that corporate information with them when they change jobs.
Our survey of the 42 main government agencies showed PSDs were widely used but that there were real gaps in security procedures and practices.
Thirty-five out of the 37 agencies that responded to the survey (95 percent) made PSDs available to staff - most commonly USB sticks. Nearly two-thirds of agencies also allowed staff to use personal PSDs for work purposes.
Just nine of the agencies made PSD encryption mandatory, while 43 percent did not provide encryption solutions of any sort. Sixty-two percent kept a PSD register but only 22 percent said they would be able to track transfers of data to PSDs.
Although the survey found 75 percent of the government agencies had policies to restrict or control the use of PSDs, we are not yet confident that those policies are of a good standard, followed in practice or are well known by staff.
- Only half of the policies included details about how to delete content.
- Only 25 percent of agencies performed an audit to ensure PSD procedures were followed.
- Seventy percent had procedures to report the loss or theft of a corporate PSD, but only 27 percent for personal PSDs used for work.
- Availability and use of security tools - such as encryption, tracking of data transfers, or hardware and software controls - was patchy or lacking.
Agencies that held the most sensitive classified information had significantly tighter controls over the use of PSDs than those that held the largest amounts of personal information.
It was particularly concerning that some of the agencies with poorer practices were flagship departments that hold the personal details of millions of New Zealanders. I am forced to the conclusion that personal information about New Zealanders is not being treated with the same care and respect as other sorts of 'classified' or 'sensitive' information.
There have been many overseas incidents that demonstrate how easily PSDs containing large amounts of sensitive information are lost or mislaid, including:
- November 2008, loss of the unencrypted details about almost 900 customers - including accounts, phone numbers and addresses - by a Bank of Ireland employee.
- December 2008, loss of a USB stick containing details about more than 6,000 United Kingdom prisoners.
- A UK survey, carried out by a data security firm, found an estimated 9,000 USB sticks were left in people's pockets when they took their clothes to the dry cleaners.
To prevent similar events affecting New Zealanders, we need to 'get it right before we get it wrong'.
After our PSD survey, we provided tips to organisations on the safe use of PSDs including:
- having a formal policy on PSD use;
- making staff aware of the need and procedures to report the loss or theft of a PSD;
- using encryption for all PSDs that are likely to store personal information; and
- monitoring and auditing the use of PSDs; enforcing strict limits on the use of personal PSDs.
Data encryption in the public sector
In early 2008, we carried out a review of the way files used in government information matching programmes were being transferred.
At the time, my staff found that while all tapes, CDs and floppy disks were transferred within New Zealand by means that we considered to be reasonably secure - typically delivered by staff by hand or, where a courier was used, involving a 'track and trace' facility - there was a failure to encrypt that data.
Of those files that were not encrypted, some were password protected, but others did not even have that level of protection. Of 46 information matching programmes, we found data for 19 was being transferred physically on unencrypted digital media.
I made my expectation clear then that files being transferred for use in these government programmes - often involving thousands of individual records - should be encrypted.
Some departments indicated they were already in negotiations to move to more secure methods and I was encouraged by the serious attention to security displayed by all departments participating in data matching.
However, we pointed out then that transfers for the purposes of authorised information matching were merely one stream of intra-governmental data transfers. I called on those involved in security practices in other areas as well to carefully reflect on the need for encryption for all portable data storage media. Those comments still do not appear to have been heeded by some of the core departments.
I strongly urge middle and senior public sector managers to become more focused on data protection. This is a huge area - and it does not appear that government agencies have grasped that. This is the information century; data and its protection are part of our critical infrastructure. Generally New Zealanders trust the public sector to handle their information well. That trust can easily be lost. Our survey showed public unease about government personal data sharing has grown sharply. People should start seeing information handling as part of a business risk analysis - in just the same way they have policies and practices about health and safety, they need policies and practices about information handling. These are not new messages for the public sector.
Government agencies need to recognise that the information they hold about people is also one of their major assets, and one they must protect as carefully as they would a physical asset. While some government leaders are making a significant effort to do this, overall the public sector is slow in becoming aware that their information databases are assets that have to be protected.
I might be inspired to have more confidence if I were not also hearing repeatedly of instances where things have gone wrong. Government agencies are losing data - sometimes in hardcopy and sometimes in digital form. It concerns me when I am not advised of these incidents at the time, but instead discover them through alternative channels. It also concerns me when the departments involved fail to see the signals that their practices need sharpening up. In today's climate, departments can and must do better.
Growth in demand
The Office is facing increasing external demand across its areas of work. Complaint numbers have risen significantly in the past year - more than 800 complaints were received during the 2008/09 year, which is an increase on the average of around 650 for each of the past four years. Similarly, the number of enquiries received from members of the public and businesses seeking our advice on privacy matters has grown to over 6,600. This is about 1,200 more public enquiries than in 2007/08 and is the highest number of enquiries received since 2002.
Media and privacy
The number of enquiries from media has almost doubled in the past year to 216. Numbers alone are just part of the picture; the range and nature of the enquiries has also shifted.
Many media enquiries were related to developments in information or communication technology. Subjects that generated multiple enquiries included: Google products and platforms, such as Street View; the increase and sophistication of closed-circuit television (CCTV); social networking, particularly Facebook; developments in the use of DNA-based science; genetic privacy, including the Guthrie blood-spot cards; and data security issues, including various data breaches.
The evidently multi-national character to personal data collection forms the background landscape. The person in Whangarei or Waimate is engaging with international giants when they upload their Facebook page or store their health records online. New Zealand children travelling through the United States relinquish their biometric information for permanent retention and exchange under the US Patriot Act. New Zealanders applying online for a job may find their CV and application is stored in a US-based server. Companies are increasingly storing and processing personal records remotely, 'in the cloud'. New Zealand laws and regulation will be of limited help in such instances, and whatever protections can be arrived at need to have an international dimension.
One consequence of the shifting nature of media calls towards the wider, technology based, threats to privacy is that we deal with fewer enquiries where some restrictive notion of 'privacy' is put forward as a block to common sense. Journalists, like the rest of us, are increasingly technologically savvy. Moreover, there is wider recognition that personal information has been commodified and can be treated in the same way as any other asset; it may be traded, sold or even stolen. Protection of personal information is a modern necessity. This development is particularly apparent online, where new industries are springing up to cater for the burgeoning market in personal data.
In a report for the Broadcasting Standards Authority, journalist Colin Peacock points out that the media and the public tend to hold different views of privacy.[2]
Journalists aren't necessarily unsympathetic about 'maintaining standards consistent with the privacy of the individual' as the standard says, but their instinct is obviously to reveal as much as possible about any given story. There is also a gulf between the media's attitudes to privacy and those of the public ...
A survey in 2005[3] found that many people think broadcasters should always explain to people participating in broadcasts precisely how their contributions will be used on air, and when. More than half those surveyed said people should be given an advance screening of the part in which they feature. These expectations are clearly unrealistic - even unfeasible - as far as the media are concerned.
The news media of course has dual functions - acting both as a channel for information to the wider community and as a voice for public concerns. A shift in approach by the media is significant on at least those two fronts. Not only does it mean that the public is being offered, and is digesting, a more balanced diet - it perhaps also reflects changing public preoccupations and attitudes.
Public attitudes - UMR survey results
Public opinion surveys act as useful gauges for the Office, both to tell us what the public is concerned about and to measure changing attitudes. They also help us determine our strategic direction and priorities for future work.
The results of the most recent survey were released in August 2008.[4] The survey showed that many New Zealanders have a strong and growing awareness of privacy and information technology issues. For example, almost a third (32 percent) of people surveyed in 2008 reported that they had become more concerned about issues of individual privacy and personal information in the past few years.
The results from the survey for business were clear: there were very high levels of concern about potential breaches of individual privacy by business. Ninety percent of people said they would be concerned (including 74 percent 'very concerned') if a business they did not know got hold of their personal information. Eighty-six percent were concerned if information supplied to a business for one purpose was used for another purpose.
Trust is a signal element - for business and for government. We asked people about the level of trust they had in the way different organisations protected or used personal information. Results varied widely. Health service providers, including doctors, hospitals and pharmacies rated highly, with 92 percent of respondents saying they were trustworthy. Trust in Police handling of personal information was also high (84 percent). Approximately two-thirds of respondents said they trusted the way government departments (65 percent) and ACC (69 percent) handled personal information. Businesses selling over the internet recorded the lowest levels of trust (25 percent) for their personal information handling.
These trust indicators are particularly important for government because so much of what government does depends on public acceptance and cooperation. Government cannot afford to spoil public trust in its processes through avoidable events. Overseas, data losses across the UK public service led the British Prime Minister to announce a review of data handling in government in November 2007.[5] The report noted the challenges:
... [T]he public have a right to expect the information that they provide to Government will be held securely and used appropriately. The Government's ability to deliver and improve public services relies on high levels of public trust. Government has always regarded personal data of citizens as a critical asset akin to the most sensitive financial and other information handled within Departments. This should continue to be Government's underlying principle. The challenge is to ensure that information is collected, used, and, where appropriate, shared, effectively and securely.
New Zealand government agencies face equivalent challenges. We asked people how they felt about government departments sharing personal information. Concern rose from 37 percent to 62 percent between the 2006 and 2008 surveys. Perhaps this was partly due to making the question clearer - but it certainly shows underlying unease.
The results also underline the need for caution by government in assuming public knowledge of key technology infrastructure or systems. For instance, we asked respondents if they were aware that everyone in New Zealand has their own national health index number, which identifies them in the health system. Half of respondents (50 percent) were unaware.
We are in the middle of an information revolution. Technology enables details about individuals to be collected, used and disclosed on an unprecedented scale, both in New Zealand and overseas. These survey results give clear messages to both business and government about the need to protect information in order to retain customer trust.
Law Commission's review of privacy
I noted last year that the Law Commission's review of New Zealand privacy laws had begun. It is a very extensive and thorough project with four main parts. Part 1, a policy overview, has been completed and a study paper issued. Part 2 was devoted to public registers and a report with recommendations has been released, but will not be implemented until a comprehensive review of the Privacy Act 1993 has been completed. Part 3 looked at the adequacy of New Zealand's civil and criminal law to deal with invasions of privacy, and an issues paper was published in March 2009 and submissions were received. The final report for Part 3 is expected near the end of 2009.
As of June 2009, the Law Commission had begun its review of the Privacy Act, which represents Part 4 of the review. This will be a particularly compelling stage of the review process because the Commission is now in the midst of exploring new options, both for this Office and for the Act. The Commission has been working hard to get to grips with privacy and all its permutations. It has consulted widely and considered the very modern challenges to data protection, especially arising from technology and science.
There is still quite a lot of ground to cover before the Law Commission puts forward its final report and recommendations to the Government. While we expect many of the Privacy Act's fundamental features, based on international norms, will remain, there is much wiggle-room and opportunity for improvement.
The review is an opportunity to equip the Office with tools for the future. There may be a role for new approaches, whether by auditing government and business processes, or through the ability to enforce decisions. There have been many changes to the legal landscape since the Office was established in the early 1990s - not the least of which is the growth in complaint agencies - and we are very willing to look at new ways to resolve privacy disputes. It has become apparent over time that the nature of the complaints the Office receives reflects only a certain portion of privacy-related incidents. Of course some people will choose not to complain but, more importantly, many of the very concerning and systemic issues do not come to light by way of a complaint. The media highlights some of those concerns, while others come to our attention through the policy work we are engaged in. Different types of problems require a different tool set and the Law Commission's review will help to ensure we have kitted ourselves out to deal with those new challenges.
Tools for the future
New Zealand business is operating in a global data processing economy and our data protection law needs to be recognised as stacking up internationally. Our privacy law must keep pace so that New Zealand businesses can take advantage of opportunities in the digital age. Beyond that broad aim, there are a variety of mechanisms that would help ensure that the sort of data protection New Zealanders can expect is up to speed with the demands of a modern information-driven society.
One of those tools would be a finding from the European Union that New Zealand's Privacy Act provides an 'adequate' level of protection for any European personal data that might be transferred to, or through, New Zealand. This might on the face of it sound pretty obscure - and in some ways that is correct - but it should have a practical effect and help to open up trading opportunities with Europe. The largely technical changes that are necessary to our law to help achieve this were introduced to Parliament in April 2009, through the Privacy (Cross-border Information) Amendment Bill. This sort of development is especially important in the current global economic climate.
The Bill will have two main impacts: first, it will help ensure New Zealand law meets the expectations of our trading partners, and second, it will remove an anomaly so that people living overseas can access their personal information held in New Zealand. The Bill will also give the Privacy Commissioner the ability to cooperate with overseas privacy authorities when dealing with, or transferring, privacy complaints. This reflects a priority area in the privacy work of both the Asia-Pacific Economic Cooperation (APEC) forum and the Organisation for Economic Co-operation and Development (OECD).
These measures are important and necessary steps to update the Privacy Act, protect our international trading position and improve access to personal information. We have been waiting for this change for a long time. I expect this Bill to be the first part of a more extensive modernisation of the Privacy Act. It is complementary to the thorough privacy review currently being carried out by the Law Commission.
Marie Shroff
Privacy Commissioner
[1] KPMG, Technology Industry Executive Survey Points to Economic Recovery: A Survey of Industry Executives, August 2009.
[2] Colin Peacock, Principles and Pragmatism: An Assessment of Broadcasting Standards Authority Decisions from a Journalist's Perspective / Nga Matapono Me Te Mahi Whai Kiko: He Arotakenga I Nga Whakatau a Te Mana Whanonga Kaipaho, Ki Ta Te Kaikawe Korero Titiro (Broadcasting Standards Authority, 2009).
[3] Real Media Real People - Privacy and information consent in broadcasting, Broadcasting Standards Authority, 2004.
[4] UMR Research surveys - see www.privacy.org.nz. The previous survey was commissioned in 2006.
[5] UK Cabinet Office, Data Handling Procedures in Government: Interim Progress Report, December 2007. The final report was released in June 2008. Both are available at www.cabinetoffice.gov.uk