Our website uses cookies to give you the best experience and for us to analyse our site usage. If you continue to use our site, we will take it you are OK about this. Click on More for information about the cookies on our site and what you can do to opt out.

We respect your Do Not Track preference.

New guidance on CCTV
Private Word to go electronic!
Case Notes: Department lost personal information
Deceased doctor's estate fails to transfer files
Date of birth on secondhand dealers' licences
Privacy experts convene
Privacy in Schools
IT certification
Credit Reporting and Privacy Code review
News around the world
News around Parliament

New guidance on CCTV

The Privacy Commissioner has recently released new guidance on how businesses, local government and other agencies can use CCTV (camera surveillance systems) while still protecting privacy.

'CCTV is proliferating, in New Zealand as well as overseas,' Privacy Commissioner Marie Shroff said.

'It seems that everywhere you look, someone has a camera trained on you. This raises questions such as what exactly the images are being used for, how secure they are from misuse or unauthorised viewing, whether the cameras are unnecessarily intrusive and so on.

'We saw a real need for the Privacy Commissioner's Office, as the watchdog in the privacy area, to help businesses to deal properly with the privacy issues that CCTV systems create. There was very little guidance available to business and government, and so this will go some way to filling that gap, she said.

'CCTV has an important role to play in detecting and prosecuting crime, and even deterring some types of crime. But this does not need to be at the expense of privacy. People need to trust that the information the cameras collect will not be misused.'

The new guidance material gives businesses and agencies practical and easy-to-read advice about such things as:

• deciding whether CCTV is right for them;
• planning the system properly;
• selecting the appropriate technology and positioning cameras;
• making employees, customers and others aware that CCTV is operating;
• storing and retaining the images; and
• giving people access to images of them.

Download the guidelines (no charge).

Private Word to go electronic!

We've taken a huge decision - as of next year, we will be bringing you Private Word electronically, rather than in print.

The change to electronic distribution means that not only will it be cheaper for us, but we will be able to offer readers so much more in an e-newsletter than we can in print. For instance, you will be able to go straight to the news you particularly want to read and will be able to get stories in more depth, link to the full text of articles, such as case notes or submissions, and follow links to other websites.

If we already have your email address as a Private Word subscriber, we will send you the electronic version and printed versions of this issue so you can see the difference.

If you would like to continue receiving Private Word once we go electronic, we will need to know!

Send or confirm your email address, name, organisation and job title to enquiries@privacy.org.nz. That way, we can check we've got your information right, and you can get Private Word directly into your inbox from next year onwards. If we don't hear from you, we'll assume you no longer want to subscribe - this is a strict opt-in system (in good privacy tradition).

For those who don't want to subscribe to Private Word in its new form, thank you so much for being our readers over the years. We hope that you'll continue to look up Private Word on our website from time to time, and that you'll keep in touch.

Case Notes

Department lost personal information

In 2008, a government department staff member dropped a file in an Auckland street. The file contained a list with personal information about a large number of individuals. The information was then passed to media outlets.

The department followed the Privacy Breach Notification Guidelines and informed the Office of the Privacy Commissioner and all individuals affected about the loss. Some of those individuals then complained to the Privacy Commissioner.

The complaint raised issues under Principle 5 of the Privacy Act.

Principle 5, on security safeguards, provides that:

An agency that holds personal information shall ensure -
(a) that the information is protected, by such security safeguards as it is reasonable in the circumstances to take, against -
(i) loss; and
(ii) access, use, modification, or disclosure, except with the authority of the agency that holds the information; and
(iii) other misuse.

In considering whether the security safeguards are reasonable, the Office takes into account matters including: the steps and/or policies in place to guard against a breach of principle 5; whether those steps and/or policies have been followed; training provided to staff; and the sensitivity of the information.

The Office formed the view that the loss of the file was a breach of principle 5, and the department accepted this.

To find out if an interference with privacy occurred, there must not only be a breach of a privacy principle, but also some harm, loss or detriment. Harm can include significant humiliation, loss of dignity or injury to the feelings of the individual.

Here, the department acted promptly to mitigate the harm to individuals. It followed the Privacy Breach Notification Guidelines to minimise the impact of the incident.

The steps taken included: getting the original file and copies back, with the assistance of the police; seeking and receiving legal undertakings from media outlets that the information would not be published or disclosed; notifying the Privacy Commissioner's Office and seeking advice; notifying all affected individuals; and investigating and taking steps to reduce the likelihood of the situation reoccurring.

Because these steps were taken, the department managed to contain the disclosure. The file was promptly recovered and was not widely circulated before recovery. The incident had the potential to cause harm to the individuals, but the steps taken meant they suffered no harm as a result of the incident.

Although the department breached principle 5, there was no interference with privacy because the individuals did not suffer any harm. The Office informed the individuals of the conclusions and closed the file.

View the Privacy Breach Notification Guidelines.

Case Note 211257 [2009] NZ PrivCmr 16

Deceased doctor's estate fails to transfer files

Following the death of a general practitioner, his patients' medical files went into storage.

Some of the deceased doctor's patients went to a new practice nearby, which contacted the spokesperson for the deceased doctor's estate and requested, under section 22F of the Health Act, that he send through the patients' files.

The estate spokesperson advised that as no executor had been appointed to the estate he was not in a position to transfer any of the files. The spokesperson was concerned that he would face liability for making a decision about the deceased doctor's estate without the legal authority to do so.

Section 22F of the Health Act places strict legal obligations on health agencies to transfer health information when requested by a health provider in order to treat a patient. It is crucial that health providers have access to medical notes about a patient in order to ensure that they receive the correct treatment.

Circumstances in which a health agency may refuse to transfer health information include where the patient vetoes it.

The Office contacted the spokesperson for the estate and acknowledged that he was in a difficult position. After discussions, he agreed to immediately transfer the files. The spokesperson acted quickly and, as a result, the complaint was resolved.

The Office also explained to the spokesperson that it was essential that he continued to quickly transfer any future files requested by new doctors and he ensured that, once appointed, the executor of the estate was made aware of the legal obligations created by section 22F of the Health Act.

Case note 209438 [2009] NZ PrivCmr 20

Date of birth displayed on secondhand dealers' licences

A man complained that secondhand dealers' licences, which must be displayed to the public, include the holder's date of birth. He was concerned that publicly displaying the date of birth could create a risk of identity theft and that a date of birth is a personal matter.

Section 8 of the Secondhand Dealers and Pawnbrokers Act 2004 ('the Act') provides that an application for a Secondhand Dealer's Licence must include an applicant's full name, residential address and date of birth.

Section 36 of the Act sets out that every licence holder must ensure that a certified copy of their licence is displayed in their place of business. Section 9 of the Act only requires that the licence must include a photograph of a licence holder, and does not require that a date of birth has to be included.

The Office asked the Ministry of Justice whether there was any authority under which the licence had to show the date of birth.

The Ministry of Justice consulted the Licensing Authority. The Authority accepted that there was no express statutory requirement for an individual's date of birth to appear on either the original licence or the certified copy that must be displayed in the licence holder's place of business. The date of birth was simply included as an additional means of identification for the purposes of section 36(1) of the Act, which requires a licence holder, on request, to show their licence to a member of the Police.

The Licensing Authority proposed to review the practice and in the meantime, it has taken steps to delete the date of birth from the certified copy of the licence that must be displayed in a place of business.

Both the Office and the man who made the complaint considered this was an appropriate resolution.

Case Note 210634 [2009] NZ PrivCmr 19

Privacy annual report

The past year has seen a marked increase in enquiries and complaints to the Office. There has also been a large growth in media interest in privacy issues, Privacy Commissioner Marie Shroff says in her 2008/09 annual report.

'This year's Annual Report reflects today's reality - privacy issues permeate many areas of business, government and society,' Ms Shroff says.

'People are concerned about the use and security of their personal information. It could be their personal health information, data being transferred across national borders, information being shared in government, or information used in credit reporting. These are just some topics on an ever-growing list,' Ms Shroff says.

A change in format to this year's report is inclusion only of the past year's information matching programmes activities. View the full programme information, which includes previous years' activities.

View the full report.

Privacy experts convene

International privacy experts gathered in Madrid in November for a special workshop, ‘Privacy by Design', developed by Ontario's Information and Privacy Commissioner Dr Ann Cavoukian.

The concept aims to embed privacy into the design of technology, business practices and infrastructure by treating privacy as the default rather than adding protection ‘at the end'.

Privacy Commissioner Marie Shroff spoke at the workshop about New Zealand's principles-based approach. She highlighted New Zealand's legally binding codes of practice, guidance notes and use of media and strategic partners to raise public awareness.

Following the workshop, about 1,000 privacy experts from 83 countries convened for the 31st International Conference of Data Protection and Privacy Commissioners. The conference looked at privacy challenges, and included discussion on a joint proposal for global privacy standards that would become a universal and binding tool.

Privacy in Schools

L to R: Hon Dr Lockwood Smith, Ms Alexandra Lang, Marie Shroff and Kathryn Dalziel

Privacy in Schools - a book for practical advice for schools about how the Privacy Act works - was launched by the Speaker of the House, Hon Dr Lockwood Smith, in Christchurch in September.

The book, written by lawyer Kathryn Dalizel, includes discussions and examples of each of the privacy principles and looks at other relevant legislation that may need to be applied first.

'It was wonderful to share the evening with so many people from schools and other education associated agencies like ERO, and to be with colleagues, family and friends. Privacy in schools is a subject that I value highly and I was really pleased that it received this level of attention,' Kathryn Dalziel said.

Order a printed copy or download a copy free.

IT certification

The New Zealand Computer Society recently launched 'Information Technology Certified Professional' (ITCP), a formal professional certification for people working in IT. The certification assesses all aspects of the skills, competence, knowledge, responsibility and ethics required of senior IT professionals. Included in the curriculum is a section that looks at privacy principles and policies, managing personal information and ‘privacy by design'.

Credit Reporting and Privacy Code review

The Credit Reporting and Privacy Code was likely to be amended next year following extensive public consultation round, Privacy Commissioner Marie Shroff told New Zealand Credit and Finance Institute Conference in October.

The Office of the Privacy Commissioner was waiting for further details on proposed Australian changes before finalising views on how the New Zealand Code should be changed, given the benefits of enhancing Trans-Tasman alignment as far as possible.

Mrs Shroff said positive credit reporting was a key area the review would address, but should she had not yet developed a favoured direction on the issue. Some of the Code reference group supported an extension to the amount of information held on credit reports. There was less agreement about which additional categories should be permitted.

Possible credit report information fields could include: the type of credit account (mortgage, credit card, personal loan etc); amount approved, including limit updates; lending institution; repayment status over the previous two years; or number of repayment cycles missed over the previous two years.

On the question of collection and retention of driver licence numbers, Mrs Shroff said she was aware that credit reporters had emphasised they would value the inclusion of this in the Code to improve the accuracy of credit details, and she was looking into it further. Consumer advocates had said the move could prevent identity fraud, for example, where people taking out multiple loans under different names.

The Office was also planning to look at issues around how credit reporters might be able to limit the harm of identity fraud through facilities such as credit monitoring and credit freezing services, though the logistics and feasibility of credit freezing needed to be explored. US laws, in particular, would be considered.

In regard to credit scoring, Mrs Shroff said the reference group did not discuss the issue, but it would be part of the review process.

Read the Reference Group report and the Privacy Commissioner's speech.

News around the world

• In a landmark decision, UK Judge Justice Eady refused to grant an order to protect the anonymity of blogger Richard Horton, a police office, who had sought an injunction to stop The Times newspaper from revealing his name. Justice Eady ruled that 'blogging is essential a public rather than a private activity.' Read more ...

• Sydney's new fleet of Warratah suburban trains will feature 7000 CCTV (or internet protocol) cameras, about 98 cameras per train. The cameras will allow on-board guards to monitor each carriage, mainly for commuter safety. Read more ...

• The Internet Eyes website is offering to stream live security footage into EU homes - and pay viewers in points worth up to 1,000 if they alert store detectives to shoplifting or other crimes. Read more ...

• A recent Unisys Security Index showed 81 percent of New Zealanders are happy to use fingerprint scans to prove their identity and 68 percent are willing to have their eyes scanned. More than half were extremely or very concerned about identity related issues. Read more ...

News around Parliament

• The Justice and Electoral Select Committee has recommended that the Privacy (Cross-border Information) Amendment Bill be passed. The Bill will have two main impacts: it will help ensure New Zealand law meets the expectations of our trading partners, and it will remove an anomaly so that people living overseas can access their personal information held in New Zealand. The Bill will also give the Privacy Commissioner the ability to cooperate with overseas privacy authorities when dealing with, or transferring, privacy complaints.

View the Privacy Commissioner's Report to the Minister of Justice on the Privacy (Cross-border Information) Amendment Bill.

• The Justice and Electoral Select Committee was due to report back to Parliament on the Search and Surveillance Bill in February, but has extended the deadline until May. The Privacy Commissioner's recommendations for change relate to things that appear to be oversights in the drafting. The main points are:

• All warrants and orders should have judicial oversight.
• All warrants should be specific about what is being sought, and where it is sought from. Though this is the intention of the Bill, the Office believes the drafting could make this clearer, particularly in relation to warrants that authorise searches of material that is stored remotely (such as on offshore servers, or in hotmail accounts).
• If a person has been the subject of a surveillance warrant, they should be told as soon as possible. Sometimes it will not be appropriate to notify people (for example because of national security risks), but notification should be the default position.

View the Privacy Commissioner's Search and Surveillance Bill 2009 Submission to the Justice and Electoral Select Committee.

• The purpose of the Criminal Investigations (Bodily Samples) Amendment Bill, passed by Parliament in October, is to allow Police wide powers to collect DNA from people before being charged or convicted, for uses such as matching DNA profiles against samples from unsolved scenes of crime. The Office had some concerns about the Bill but, contrary to our recommendations, the legislation does not establish an independent oversight body or limit the sampling to serious crimes.

View the Privacy Commissioner's submissions on the Criminal Investigations (Bodily Samples) Amendment Bill.

The staff at the Office of the Privacy Commissioner wish you a happy and safe time over the festive season.