Office of the Privacy Commissioner | Annual Report of the Privacy Commissioner 2012
1: KEY POINTS
Information and communications
- We received over 8,000 (8,468) enquiries from members of the public and organisations seeking advice on privacy matters.
- This year we had 295 media enquiries. The ACC privacy breach accounted for a high number of calls - around 70. The other enquiries have most frequently focused on technology-related subjects. CCTV, cyberbullying and other social media topics, Google's new privacy policies, phone hacking, and automatic number plate recognition were among the topics raised.
- We released the results of our latest UMR public opinion survey in May. General concern about privacy has risen sharply in the last decade (up to 67%, from 47% in 2001). More specifically, the public expects businesses and government agencies to be held accountable for privacy breaches.
- This year's Privacy Awareness Week, run with our partners from the Asia Pacific Privacy Authorities (APPA), included a one-day privacy forum in Wellington on the theme of "Think Big? Privacy in the Age of Big Data", which attracted 250 participants including speakers from New Zealand and overseas. APPA produced a one-stop list of key resources with advice for young people, parents and teachers.
- We launched new advice cards for seniors on the five topics that they saw as most important: financial privacy, scams, health information, business use of information, and keeping safe online. The development, production and distribution of the cards were supported by Neighbourhood Support and the Office for Senior Citizens.
- The Office started a Facebook page (http://www.facebook.com/PrivacyNZ) and a Twitter account (https://twitter.com/NZPrivacy) in early May as a new way of providing information to people.
- The Office delivered 46 workshops and seminars to members of the public and stakeholder groups. The Commissioner and staff also gave 47 presentations, such as to health and business groups, both in New Zealand and overseas.
Investigations
- We received 1,142 complaints, an increase on last year's 968.
- 30% of complaints were closed by settlement or mediation, an increase from last year. We try to move parties towards settlement, helping them to avoid the expense and stress of Tribunal proceedings.
- 95% of complaints are under nine months of age, with 83% closed within six months of receipt.
Policy and technology
- We monitored 50 active government information matching programmes this year, 33 of which use online data transfers.
- The Office provided advice on 57 agency files. We also contributed to major legislative projects including the Electronic Identity Verification Bill, Social Security (Youth Support and Work Focus) Amendment Act 2012, Privacy (Information Sharing) Bill, Victims of Crime Reform Bill and Land Transport Management Amendment Bill.
- We continued to provide advice to the National Health IT Board on electronic health records.
- Cloud computing has been one focus of our technology work. We have supported industry efforts to develop a code of practice for cloud computing providers, and have created privacy guidelines for small and medium sized businesses that are considering using cloud computing services.
- The Privacy Commissioner amended the Credit Reporting Privacy Code to enable New Zealand to move to more positive credit reporting. The Code was amended in two stages, involving public submissions for both stages. Amendment No. 4 was issued in December 2010 and Amendment No. 5 was issued in September 2011, with both coming into force in April 2012.
- We publicly notified the proposed Civil Defence National Emergencies (Information Sharing) Code in April, and sought public submissions. After issuing the Christchurch Earthquake (Information Sharing) Code immediately after the 22 February 2011 earthquake, we decided it would be useful to have a similar code in place in case New Zealand was ever again faced with a national emergency. The submission process closed in late May and submissions were still being considered at the end of June 2012.
International
- The Office continued its expert contribution to the OECD review of the 1980 Privacy Guidelines, including a presentation to an OECD conference in November.
- We pursued our efforts to secure a finding from the EU that New Zealand offers an 'adequate standard of data protection', with MFAT assistance.
- We continued to help lead the Global Privacy Enforcement Network (GPEN) through participation on the GPEN Committee. We have taken a lead in encouraging GPEN to coordinate multilateral cross-border investigations.
2: INTRODUCTION
Some headlines from our year
ACC Inquiry
The Accident Compensation Corporation (ACC) data breach in March 2012, involving more than 6,500 clients, may prove to be a sort of watershed for the public sector. The effect has been to identify weaknesses at a systemic and governance level and there are salutary lessons to be learned. Recent comments by the State Services Commissioner, Iain Rennie, call the ACC inquiry report a 'dramatic reminder', and he goes on to suggest a state-sector-wide stocktake.
The inquiry highlighted that data management needs to be thought of as an integral part of serving the public, and as a wider 'risk management' strategy. It is evident that the way personal information is handled can affect an organisation from top to bottom, and that is particularly so if its core business is holding and processing personal information.
The competitive driver in the private sector gives businesses a reality check: breaches of privacy lead to loss of customers. So there are some immediate - financial - incentives to get things right. The same driver does not exist in the public sector. Of course, the damage to public trust from privacy breaches is self-evident, and everyone is aware that public trust is essential for government agencies to be able to work effectively and efficiently. But 'trust' and 'efficiency' are relatively fuzzy concepts that can be overlooked (albeit at the agency's peril) in the wider scheme of everyday government work. To get it right, the public sector needs to focus on privacy much more deliberately than it has yet done. As the ACC review shows, key areas for development include leadership, culture, personal information governance and risk management, and creating comprehensive privacy strategies to handle personal information throughout the agency.
New Zealanders are entitled to expect that our government agencies will handle their personal information safely and with respect.
Credit reporting code
Amendments 4 and 5 to the Credit Reporting Privacy Code, permitting more comprehensive credit reporting, came into effect in April 2012. Credit reporting is an area where there are strong interests both in ensuring the supply of sufficient information for the credit industry to operate and make sound decisions, and in ensuring adequate protection of each person's financial information. Accuracy of information is critical. There are multiple interests and commercial drivers to balance.
The decision to allow "positive" (or more comprehensive) credit reporting was not an easy decision for us. Arguments that positive credit reporting would help to provide a framework for a more responsible lending environment were ultimately persuasive.
Strong privacy protections have been built into the new regime, and a code of consumer rights has been issued in 12 languages.
Credit reporting is an area that requires active and ongoing management to ensure that privacy and public interests are being served, because of its complexity, and because of the high stakes involved for individuals.
Businesses moving forward
Globally, regulators are taking a stronger line with companies. This trend is most evident in recent enforcement measures in the United States, for instance with the Federal Trade Commission's settlements with Facebook and Google. There are also European Union proposals to tighten privacy regulation in the EU, including increasing fines for errant companies.
The move to greater cross-border enforcement and co-ordination is also gaining impetus, and our office has continued to play a significant role. The importance of this for economic growth is obvious. For instance, the World Economic Forum refers to the evidence of an emerging asset class of personal data, but also goes on to note the lack of rules, norms and frameworks that, by contrast, exist for other types of assets[1]. We may have the valued goods in the form of personal data - and the means of distribution through online networks - but we have sometimes lacked cross-border enforcement mechanisms and regulatory solutions for when things go wrong.
Many New Zealand companies are able and willing to handle personal information well, and we assist them to do so where we can. However, overall, the customer is still too often placed in the unfavourable position of having to bear the risk of transacting. Customers are becoming more resentful of bearing those risks and are demanding that companies be properly accountable for their actions. It is clear that people believe regulators should have - and use - the ability to call agencies to heel. For instance, in our public opinion survey earlier this year, 97% of respondents said that the Privacy Commissioner should have the power to order an agency to comply with the law, and 88% said they wanted businesses punished if they misuse people's personal information. The survey also illustrated a strong sense of disquiet about what personal information is used for and how it is handled.
There is a growing recognition that personal information can take on a life of its own in the wrong hands. Consumers' confidence in how their information is managed has a direct impact on profits, and on the opportunities for New Zealand Inc. There are real risks that customers will disengage unless they are sure that there are sufficient checks and balances to make sure that their information is properly protected.
Competition has a major part to play - businesses that are found to abuse privacy will lose customers to more responsible players. However, the law also has a role to play and we are actively participating in moves to ensure customers can be better protected both at home and abroad.
Cloud computing guidance
A common theme for us for several years has been the focus on technology developments that provide both opportunities for and challenges to business and government. Handling personal information correctly is a key to unlocking the potential that new technologies have to offer, as well as to getting new and better uses from old technologies.
A major focus of this year for us and many others has been cloud computing. We have provided advice and support to the Institute of IT Professionals (formerly the Computer Society) while it has been working to draft a code of practice for cloud computing. The New Zealand Cloud Computing Code of Practice was released in draft at the Cloud Summit in May 2012[2].
We have also been working on targeted cloud computing guidance for SMEs and expect to be able to make this guide freely available online shortly.
Privacy law reforms
The Privacy (Information Sharing) Bill received its first reading in February 2012, and the select committee reported back in June 2012. The Bill proposes to allow information sharing agreements within the public sector and also between public and private sectors. Expansion of information sharing raises potential privacy concerns and we have voiced our support of the safeguards that have been placed in the bill[3].
The Information Sharing Bill forms only one part of the Law Commission's recommendations for privacy law change detailed in its comprehensive Review of Privacy[4]. The Commission's final report was released in August 2011.
In March 2012, the Government provided a short response to the other privacy law recommendations made by the Law Commission[5]. The principles-based approach of the Privacy Act will be retained, and the recommendation that there be a new Privacy Act has been accepted. A more detailed Government response is still to come that will provide details of which of the Law Commission's recommendations have been accepted.
There is an undoubted need for the law to be updated to enable it to respond to modern problems. For example, because personal details can so easily be misused when data ends up in the wrong hands, people need to be told if there is a major data breach that could cause them harm. They should be provided with the ability to protect themselves, such as cancelling a credit card before they, or the bank, incur financial loss. At the moment, however, there is no law requiring that affected individuals be told about breaches.
In our view, the Law Commission's recommendations form a sensible, balanced and practical package of reforms that will facilitate good business and good government, and give New Zealanders greater confidence that their personal information will be adequately protected. We look forward to the government's more detailed response to those reform proposals.
View the full 2012 Annual Report (pdf).
View the Privacy Commissioner's media release.
[1] World Economic Forum "Rethinking Personal Data: Strengthening Trust", May 2012, p7.
[2] http://www.nzcloudcode.org.nz/2012/05/cloud-computing-code-of-practice-released-at-cloud-summit/
[3] http://privacy.org.nz/privacy-commissioner-supports-safeguards-in-information-sharing-bill-media-release/
[4] http://www.lawcom.govt.nz/project/review-privacy
[5] http://www.justice.govt.nz/publications/global-publications/g/government-response-privacy