View the full Annual Report.
1: KEY POINTS
Information and communications
We received just over 7,000 enquiries from members of the public and organisations seeking advice on privacy matters.
This year we had 212 media enquiries. About 80 percent of these enquiries were driven by external events, incidents or developments, such as location based technology, Facebook practices or loss of client information by businesses.
This year's Privacy Awareness Week, run with our partners from the Asia Pacific Privacy Authorities (APPA) forum, featured an international online survey about social media, which got over 10,000 responses. We will release the results later in 2011.
We finalised our new education kit for schools, 'Your privacy - but is it really yours?', and distributed it to secondary schools and organisations working with youth.
We released our health information toolkit, containing fact sheets, a narrated PowerPoint presentation, a new edition of 'On the Record' and health case notes.
We formed an advisory group of senior citizens to listen to what they had to say about privacy. They helped us to develop advice on the five topics that they saw as most important: financial privacy, scams, health information, business use of information, and keeping safe online.
The Office delivered 37 workshops and seminars to members of the public and stakeholder groups. The Commissioner and staff also gave 44 presentations, such as to health and business groups, both in New Zealand and overseas.
We received 968 complaints, a similar number to last year.
28 percent of complaints were closed by settlement or mediation, an increase from last year. We try to move parties towards settlement, helping them to avoid the expense and stress of tribunal proceedings.
96 percent of complaints are under 12 months of age, with 80 percent closed within six months of receipt.
Policy and technology
We monitored 47 active government information matching programmes this year, 31 of which use online data transfers.
Policy work during the year involved a wide range of projects with central and local government, the private sector, industry bodies and voluntary organisations. We advised on major legislative projects including the Search and Surveillance Bill, the Customs and Excise (Joint Border Management and Information Sharing) Bill, the Taxation (Tax Administration and Remedial Matters) Bill and the Courts and Criminal Matters Bill.
Amendment No.4 to the Credit Reporting Privacy Code 2004 was issued in December 2010. This took the first steps towards allowing greater collection of personal information, balanced with more stringent safeguards such as providing a credit freezing facility and information to the public about their rights. We put out a consultation draft of Amendment No.5 at the end of May 2011, which moves further towards a more comprehensive credit reporting system.
We continued to work with the Law Commission on its review of the Privacy Act. We supported the Law Commission's development of recommendations that would upgrade our 18 year old Privacy Act and provide some additional tools to protect New Zealanders' personal information in the digital age.
We conducted a survey of major public and private sector organisations about their use of offshore information and communications technologies, including cloud computing services. We are using the survey results to work towards guidance on how to manage privacy as part of cloud computing.
We developed 'Getting Started' (privacy.org.nz/getting-started), a tool to help agencies think about how to get privacy right when they are developing policy projects.
We issued the Christchurch Earthquake (Information Sharing) Code 2011 (Temporary) to enable those dealing with the emergency to share personal information to assist victims of the earthquake and their families, and to help in the coordination and management of the response.
We made substantial progress in securing a finding from the EU that New Zealand offers an adequate standard of data protection'. In February, New Zealand's law received a positive recommendation from the influential Article 29 Working Party.
We hosted the annual Asia Pacific Privacy Authorities Forum in Auckland in December, bringing together delegates from as far afield as Mexico and Macau.
The Office assisted in the establishment of the Global Privacy Enforcement Network (GPEN) and became a founding member when it started in September.
Some headlines from the privacy year
Equipping the Privacy Commissioner for the 21st century
We worked with the Law Commission during the year on its review of the Privacy Act. The Commission's package of recommendations will help to power up privacy law for the 21st century.
In particular, the Law Commission has recognised that we need some additional legal tools to be effective, particularly in the digital age. There are a growing number of issues that cannot be properly addressed through a complaints system alone. People cannot complain if they do not realise what is happening with their information - and, increasingly, government and business practices fly below people's radar. Also, a complaints system can only be driven by problems after they occur. It is becoming more and more important to find out what is happening before things go wrong.
So, for example, the Law Commission has suggested we should be able to order agencies to comply with the law and to release information to requesters, and that we should be able to audit or to order agencies to self-audit their systems. We think these are tools that would streamline how we can deal with the issues that are of most importance for New Zealanders' privacy. Mandatory notification of privacy breaches would help people to protect themselves when things go wrong, as well as bringing careless companies to heel. And a statutory 'do not call' scheme would give people greater choices over whether their information is used for marketing.
We look forward to seeing the Government's response in early 2012 to the Law Commission's recommendations.
Another year, another set of technology challenges
As usual, we have kept a close eye on developments in the field of information and communications technology ('ICT') during the year.
We released a survey in May on how agencies make international disclosures and use offshore ICT: http://privacy.org.nz/assets/Files/Media-Releases/Overseas-ICT-Survey.pdf. Fifty major public and private sector organisations answered the survey, most of whom hold large amounts of personal information. We are using the survey results to work towards guidance on how to manage privacy as part of cloud computing.
We also conducted a survey on social networking, together with our partners in the Asia Pacific Privacy Authorities forum. The results will be released in December.
Security challenges and new privacy questions continue to raise their heads, even for big ICT firms. For example, this year saw Sony repeatedly become the target of hackers. Apple and Google were called before Senate committees in the United States to explain how their products use geolocation features. Facebook and LinkedIn fielded questions from their users (as well as regulators) about unilateral changes to their privacy settings. And web services that require users to use their real name are sparking debate over when it is acceptable for people to transact anonymously or pseudonymously, both online and offline.
The News of the World phone accessing scandal led to serious questions being asked in several jurisdictions about media behaviour - and about people's own awareness of how to secure their private communications. It also raised issues about how to deal with 'blagging' (impersonation of others to get information).
Managing identity continues to be a field of significant interest, particularly for government and major businesses. For instance, we have close contact with the New Zealand i-government initiative. The new regulations to combat money laundering also involve the need for businesses to be certain that people are who they say they are. And biometric technologies continue to get more reliable, more ubiquitous, and smarter.
Data collection, data mining and data regulation - getting the balance right
It is a common saying that information is power' but, these days, it is probably even more correct to say that information is money'. Many of the current challenges to privacy arise because of the cash value that personal information has.
This is not to say that making a profit from personal information is necessarily bad. On the contrary, many legitimate businesses (including credit reporters, online service providers and targeted marketing enterprises) play a major part in our economy and in the way our society operates. However, it is increasingly important for all those businesses to get privacy right in everything they do. As the regulator in the area, we have to play a major part in making sure that the benefits of information collection and use are balanced with proper respect for the people behind the information.
We have nearly completed work on possible reforms to the Credit Reporting Privacy Code. We issued a consultation draft in May and held public hearings about the possibility of permitting more comprehensive information to be stored and used on credit reports.
The changes to the Code would include more stringent safeguards such as providing a credit freezing facility and better information to the public. By the time this Annual Report is published, we will have issued the Code amendments.
Parliament has also passed a law (the Courts and Criminal Matters Bill) permitting outstanding court fines to be added to credit reports. This will also add to the variety of information available on credit reports.
Collection of information into large databases was also highlighted this year when New Zealand Post conducted its second Lifestyle Survey, inviting people to complete a detailed questionnaire in exchange for a chance to win a prize. The information that people submitted was added to a database, and mined to produce lists that businesses with particular marketing niches could rent. This is only one of an increasing number of examples of collection and use of 'big data' by business and government - this is an area that we will be paying close attention to in the years to come.
Changing how government agencies share information
A major aspect of the Law Commission's review of the Privacy Act was to recommend a new method by which government agencies could share personal information.
Instead of having to pass primary legislation if agencies wish to share information in a way that might breach the privacy principles, the recommendation is that an Order in Council can approve information sharing agreements between government agencies.
The recommendation is finely balanced to try to make sure that conditions for public trust in government and privacy are maintained, as well as making sure that justified information sharing can be done efficiently. It includes major safeguards including full consultation with my Office before an agreement can go to Cabinet, the ability for me to publish reports with my view about an agreement, the ability for agreements to be disallowed, and also for them to be regularly reviewed.