Our website uses cookies to give you the best experience and for us to analyse our site usage. If you continue to use our site, we will take it you are OK about this. Click on More for information about the cookies on our site and what you can do to opt out.

We respect your Do Not Track preference.

Guest post: Taking personal information seriously Russell Burnard - Government Chief Privacy Officer
20 April 2015

I trust organisations that share safely small

Every day New Zealanders hand over their personal information to government departments in exchange for a range of services, from benefits to drivers’ licences. From the citizen’s perspective, these transactions are based on trust that their information will be handled safely and securely.

When that doesn’t happen, often because a public servant is genuinely trying to be helpful and makes a mistake, the responsible department comes under intense media and public scrutiny. 

And every time a government department makes this sort of mistake, public trust is eroded in all departments’ ability to manage personal information well.

On 1 August last year, I issued expectations of good privacy practice and governance for the state sector and a self-assessment framework (you’ll find these online here).

Over the past nine months, I’ve been talking to government privacy officers and their executive teams to understand what support they need to meet these expectations. I’ve seen a wide range of privacy investment, capability and expertise across departments, depending on the size and complexity of the organisation and how much personal information it holds, as well as the mistakes they’ve made and the lessons learned.

In this time I’ve observed that executive oversight of privacy is the most powerful lever an agency can use to improve its overall privacy performance. Leaders’ understanding of an agency’s privacy programme, performance and risks enables solutions to be discussed at the top table. Leadership messages - that privacy matters and is the responsibility of all staff - raises privacy awareness in an organisation.

My message for chief executives is privacy is everyone’s responsibility. My message for frontline staff and anyone dealing with personal information is: treat it with the same care and respect as if it were your own.

Being privacy safe goes hand-in-hand with good customer service and is a foundation of transforming the way we do business in government. For the state sector, privacy doesn’t prevent us from delivering services; it is a fundamental pillar of great service delivery. That might mean we need to change the way we do things. Citizens have every right to expect their personal information will be kept secure and need to know that government takes all aspects of privacy and security seriously.

Regardless of the sector, shape or size of your organisation, Privacy Week is an opportunity to reflect on the personal information you hold and what you could do differently to ensure it stays secure. We all have a role to play and we can all make a difference.

Getting from good to great privacy management is a marathon, not a sprint. The GCPO team is here to help government agencies meet their privacy goals, with guidance, resources and support. You can contact the team at gcpo@dia.govt.nz.

Russell Burnard is the Government Chief Privacy Officer.

2 comments

,

Back

Comments

  • There was an interesting article in the Otago Daily Times this past Saturday: http://www.odt.co.nz/lifestyle/magazine/339452/data-detectives

    Here is a "boxed summary" from the article to give an idea of what the article concerned:

    "New Zealand Police's new intelligence-led crime prevention strategy uses big data to help it monitor events and persons of interest so resources and personnel can be deployed to nip potential problems in the bud.

    Here is where Police information comes from:

    • Online: Publicly available websites, news feeds, chat rooms, blogs, and social media.

    • Police files: Includes evidence, statements and convictions.

    • Government departments: Information is shared by Police, ACC, Inland Revenue, Housing New Zealand Corporation and the Ministry of Social Development. Police say it has ''countless agreements at both district and national level''.

    • Business: It has recently emerged Police are requesting people's personal information from companies without a warrant, citing unenforceable ''maintenance of the law'' provisions in the Privacy Act.

    • Intelligence agencies: Police do not keep records of how often they request assistance from the NZSIS and GCSB."

    I can't help but think that what is happening on here is not in accordance with principle 1(b), and certainly not its spirit as a collection limitation provision. What is going on is information trawling "just in case" personal information may prove useful rather than as "necessary" for a specific purpose (unless fighting crime generally is one's purpose, in which case we may well already be living in a Police state):

    "Personal information shall not be collected by any agency unless—
    (a) the information is collected for a lawful purpose connected with a function or activity of the agency; and
    (b) the collection of the information is necessary for that purpose."

    Is this a case of "Trust is good but control is better?" (Lenin)

    Posted by Paul Roth, 20/04/2015 6:55pm (3 years ago)

    Post Reply

    The aim of the Office of Privacy Commissioner’s blog is to provide a space for people to interact with the content posted. We reserve the right to moderate all comments. We will not publish any content that is abusive, defamatory or is obviously commercial. We ask for your email address so that we can contact you if necessary to clarify your comment. Please be respectful of authors and others leaving comments.

  • Interesting that the driver licence was mentioned as an example. I am obligated to give the NZTA my personal data. But they are quick to pass on the information they hold on me.

    They have turned my driver licence into an ID card with systems like DLVS, and in spite of allowing me to "opt out" of having my personal details disclosed from the motor vehicle register, they have allowed hundreds and hundreds of companies and individuals full access to the register.

    I now hesitate to supply government agencies, especially the NZTA with accurate up to date information, as it will undoubtedly be disclosed without my authority, or with authority dubiously obtained by a generic contract, that I have no option but to accept.

    Posted by Dave Reid, 27/04/2015 8:22pm (3 years ago)

    Post Reply

    The aim of the Office of Privacy Commissioner’s blog is to provide a space for people to interact with the content posted. We reserve the right to moderate all comments. We will not publish any content that is abusive, defamatory or is obviously commercial. We ask for your email address so that we can contact you if necessary to clarify your comment. Please be respectful of authors and others leaving comments.

Post your comment

The aim of the Office of Privacy Commissioner’s blog is to provide a space for people to interact with the content posted. We reserve the right to moderate all comments. We will not publish any content that is abusive, defamatory or is obviously commercial. We ask for your email address so that we can contact you if necessary to clarify your comment. Please be respectful of authors and others leaving comments.

Latest Blog Entries