Our website uses cookies to give you the best experience and for us to analyse our site usage. If you continue to use our site, we will take it you are OK about this. Click on More for information about the cookies on our site and what you can do to opt out.

We respect your Do Not Track preference.

This is the second issue of our new look Private Word. We've gone electronic and if you'd like to get the new version automatically, please subscribe here.

Privacy Commissioner's submission to the Law Commission's review of the Privacy Act
New computer safety resources aimed at kids
Focus on the Privacy Forum
Case Notes
Children, Young People and Privacy conference in Melbourne
New Zealand in the international privacy arena
Better Protection for Vehicle Owners' Personal Information
Tax System Review
News around the world

Privacy Commissioner's submission to the Law Commission's review of the Privacy Act

Privacy Commissioner Marie Shroff has made a submission to the Law Commission's review of the Privacy Act. You can read the submission here.

Ms Shroff supports many of the Law Commission's major proposals, and has added some suggestions of her own.

'Information privacy is under challenge as never before,' says Ms Shroff. 'Privacy is becoming a key human right in the digital environment of 21st century government and business.'

'The results of this review will shape our privacy law for a generation. OPC congratulates the Law Commission on a thorough and comprehensive review. There are many important proposals which, if implemented, will serve New Zealanders well for a decade and beyond.'

The Privacy Commissioner's submission emphasises three themes:

  • empowering individuals;
  • making the Act more effective; and
  • rising to the challenges of the electronic age.

Ms Shroff agrees with the Law Commission that the Act is fundamentally sound but that change is required in some respects. She stresses that whatever changes are made should accord with the rationale of the Act, maintain its many successful features and its international acceptability. For instance, the Commissioner cautions against proposals that could undermine the Act's code-making mechanism, as it is working well (pages 42-44).

The changes that the Privacy Commissioner supports include:

  • greater enforcement powers for the Privacy Commissioner (pages 45-48);
  • mandatory privacy breach notification (pages 92-97); and
  • a statutory 'do-not-call' telemarketing list (pages 89-90).

She also agrees that the rapid changes in digital technology require some changes to the Act. 'Today's digital environment has opened us up to new challenges. When the Act came about 17 years ago, the size, speed, and applications of today's digital technology were never envisaged. The Act needs to catch up with technology and allow the Commissioner to be a multi-facetted and flexible regulator. Agencies need to manage personal data responsibly and be proactive in preventing harm to individuals. Systemic privacy solutions are needed to cope with the systemic challenges to personal control and autonomy in the digital environment.'

The Commissioner has some proposals that the Commission could consider further. These include:

  • creation of the role of Chief Privacy Officer in government to provide leadership, expertise and help create a culture of respect for privacy across government (pages 67-68); and
  • creation of 'anonymity' 'openness' and 'accountability' principles, in line with other international data protection statutes (pages 27-28). These would empower individuals, particularly in the digital environment where information crosses national boundaries all the time.

'The reforms need to be guided in part by the international approach to privacy and ensure New Zealand keeps pace with international privacy standards. Today's world is far more interconnected than ever before. New Zealand needs to be working alongside other privacy jurisdictions ensuring our policies are compatible with theirs. New Zealand needs to maintain a reputation for good governance of privacy issues and responsible information handling - this is a necessity for trade purposes,' said Ms Shroff.

New computer safety resources aimed at kids

A new Hector's World animated interactive online resource and music video about computer security skills was launched recently by the Hon Nathan Guy, Minister of Internal Affairs.

 title=  title=

Aimed at 5-9 year old children, their parents and teachers, the resources offer a foundation of basic computer security skills by introducing young children to topics like viruses and strong passwords.

A public opinion survey released by the Privacy Commissioner in May revealed that the information that children put on the internet about themselves is the privacy issue that most worries New Zealanders.

'People's concerns about children's vulnerability on the internet indicate the need for continued vigilance to protect children and young people,' said Mrs Shroff. 'I am really pleased to see the new resources from Hector's World. These are practical tools which will help to keep children safe online.'

Liz Butterfield, Hector's World Managing Director says, 'We believe that young children can be active in their own defence online if we give them the skills and knowledge they need.'

Read more... See the new resources.

 title=  title=  title=
 title=  title=  title=

Hon Nathan Guy and Room 6, Northland School, Wellington at the launch of Hector's World new computer security resources

Webcam covers for kids

Hector's World has also launched a webcam cover for children to use. The cover, which children can download and print, helps them be aware of the webcam and think about using it before activating the device.


The webcam covers can be found here.

Read the full UMR survey.

Focus on the Privacy Forum

The one-day Privacy Forum on 5 May in Wellington brought together a wealth of knowledge and views about privacy from speakers involved in areas of health, IT, law, business and education. Here are some of the highlights.

Sir Geoffrey Palmer
Opening the Forum, Law Commission President Sir Geoffrey Palmer offered the audience a chocolate fish for anyone who could define privacy.

Deciphering the concept of privacy and deciding what legal results should flow from that was the task set before the Law Commission two years ago. The review of the Privacy Act was the fourth part of the Law Commission's privacy project.

While the review addresses numerous and difficult issues, Sir Geoffrey Palmer highlighted the key ones:

  • Suggested reforms to the privacy complaints process with the addition of some enforcement tools.
  • The challenge to information sharing - to facilitate the sharing of personal information for individually or socially beneficial purposes while ensuring that privacy is appropriately protected.
  • Looking at the merits of mandatory data breach notification (see the debate below).
  • Asking if the current direct marketing controls are adequate.
  • Addressing the Privacy Commissioner's functions in relation to technology - should they be revised?

Read Sir Geoffrey Palmer's speech.

Youth and privacy

Do young people care about privacy? 'They sure do' as the Forum was certainly told by a savvy group of young people. And who needs to give the privacy messages to young people? Other young people do - of course.

The privacy youth advisory group, made up of secondary school students from the greater Wellington and Wairarapa area, came together for the first time in September 2009. The group discussed the issues about their personal information such as did they have control of it, did they care about it and were young people aware of the issues?

Under the guidance of two university students, the group came up with three areas for action:

  • to raise awareness about consent and appropriate use of personal information;
  • to create a privacy presentation pack for schools; and
  • to work towards privacy discussions being included on the school curriculum.

The group then developed new privacy materials. Under the umbrella of 'safety', the three key ideas behind the materials were awareness, consent and appropriate use of information.

The group has produced a poster with the concept of personal information disappearing into a black hole. There is also a wallet-sized brochure, filled with lots of ways to think about your personal information - your rights, how to safeguard it, and what to do if you think something has gone amiss.

A short film, the poster and the brochure will form part of a resource pack that will be available to schools and youth outlets later in the year. The resource is being created by young people who care about privacy, for young people who need to be aware of the issues.

The Dalziel debate: Owning up to mistakes - should breach notification be mandatory?

You might be excused in thinking that the debate between privacy lawyer Kathryn Dalziel and her sister, Hon Lianne Dalziel, MP for Christchurch East was going to lead to two defamation cases. There were few sibling secrets left after the sisters argued whether breach notification should be mandatory or not.

Kathryn, taking the negative, took one look at a 472 page report of US data breach notifications and decided 'who cared' if the West Virginia Board of Barbers and Cosmetologists licence information had been stolen from a safe, thus rendering thousands of hairdressers potential victims of identity theft. Lianne remained true to her principles - she was on the select committee that looked to establishing the Privacy Act - and argued that it's time our laws state that in the case of certain data breaches we should be told.

Some arguments against:

  • mandatory data breach notification 'will elevate what is a non-existent problem to something the equivalent of nuclear fall out';
  • it's too hard to define when a data breach notification should be mandatory: does there have to be serious harm? When do you let people know - as soon as possible, 20 working days? Who do you notify - the individuals and/or the Privacy Commissioner?; and
  • too many reports of breaches could result in 'breach fatigue'.

Some arguments for:

  • early notification can provide individuals the opportunity to minimise the negative consequences that can flow from a data breach; and
  • the deterrent effect (of mandatory reporting of a data breach) can impose an even stricter discipline on agencies to protect personal information from unwarranted disclosure.

Chairing the debate, Assistant Commissioner Blair Stewart summarised the extremes of the arguments: 'Is California dreaming or should it be the death penalty for these breaches?' (The US State of California implemented security breach notification law in 2003.)

The Final Panel - The Future of Privacy: where will we be in five years time?

Five speakers from five different backgrounds talked about the future of privacy. You can hear their full presentations on YouTube (see the links below).

Iain Rennie, State Services Commissioner
Hear from Iain Rennie about how the government may look in a decade from the point of view of an individual citizen, and the tensions and challenges the state sector may face in how it uses and takes care of information.

Professor John Burrows QC, Law Commissioner
Listen to Professor Burrow's private nightmare: 'Privacy is at risk and will become more so, yet in five years time the law may not have moved one iota.' Professor Burrows says that technology and processes will improve in ways that we can't predict now and the law will have done absolutely nothing.

Jon Macdonald, CEO, Trade Me
The reinvention of social media, advances in video and image technology on mobile phones, and the continued concern about our children sharing information are some of Jon Macdonald's thoughts of what we can expect in the future. Jon predicts, however, that five years from now privacy will be far more the same than different and 'frankly not that scary'. Hear more ...

Alma Whitten, Google
Alma Whitten thinks it's a safe assumption that we'll see infrastructure continue to improve with more people having faster internet access. This will lead to more and more companies using increasingly richer applications, with further creative work being put into software development. Alma hopes that we can walk forward with our eyes open - where software will work really fast but also have the transparency and control and understanding of where the data is going.

Listen to more of Alma Whitten's predictions of a world where the division between the digital world and the real world will get smaller and smaller.

Martin Cocker, Netsafe
Martin Cocker sees a future of digital citizenry in a 'super networked public'. Martin explains that to be an effective digital citizen is to be able to look after yourself in an online world and make the most of the opportunities that it provides. It's about having the skills to shape your digital environment. Hear more from Martin Cocker about creating a capable digital citizenry to ensure there is trust and balance in a digital society.

Case Notes

Case Note 211183: Ministry of Social Development discloses information to the Official Assignee
Case Note 212548: Woman requests copy of responses she gave in a phone survey
Case Note 208123: Woman wants to know names of Police Officers who accessed her record
Case Note 209903: Man complained that Trade Me required his firearms licence number
Case Note 210106: Woman seeks access from former employer to content of verbal reference
Case Note 209484: Police disclose recognisable image of crime victim to media

Children, Young People and Privacy conference in Melbourne

The Victorian Privacy Commissioner's conference on Children, Young People and Privacy (Melbourne, 21 May) started with a rap and ended with a buzz!

At the start of the conference, around 250 participants were treated to two raps performed by Tjimba and the Young Warriors - the second one, 'Privacy' specially written for the occasion. This got the conference off to a lively start, and the energy just kept going all day, fuelled by the excellent MC abilities of renowned actress and children's TV presenter Noni Hazlehurst, some wonderful presentations, and also the presence of around 50 secondary school students.

Of course, much of the discussion at the conference focused on online privacy issues such as use of social media. This included particularly startling discussions on 'sexting': the practice of sending nude or semi-nude photographs on mobile phones or on the internet, usually to current partners who then may misuse the photograph. This is a huge problem in Australia and presumably (though it seems, at the moment, more silently) in New Zealand as well. There were also presentations on 'offline' topics such as health, social research, the particular difficulties faced by gay youth and at risk youth, and the development of resources for young people.

On the latter point, Katrine Evans, Assistant Privacy Commissioner (NZ), and Andrew Goddard, one of New Zealand's privacy youth advisory group leaders, did a joint presentation on the work of the advisory group including showing off the poster and brochure, and 'premiering' the short film that the group produced. In addition, Liz Butterfield talked about Hector's World and showed the music video that goes with Hector's new computer safety episode.

The conference generated a real buzz, and will hopefully result not only in better informed discussion overall about what young people think and do, but also in the voice of young people themselves being increasingly heard in that discussion.

The conference programme and the presentations are available here.

New Zealand in the international privacy arena
- an interview with Assistant Commissioner (Auckland) Blair Stewart

Protecting New Zealanders at risk from cross-border privacy breaches is becoming an increasing focus of Assistant Commissioner (Auckland) Blair Stewart's international work.

To protect New Zealanders, the Office of the Privacy Commissioner is working to build international enforcement cooperation between countries that already have privacy laws.

'New Zealanders are dealing more often with companies based overseas and there is growing concern about what can be done to ensure that the personal information they send offshore is not misused. There is also a focus on what can be done to help New Zealanders if something does go wrong with the personal information that overseas organisations hold,' says Blair.

Part of Blair's work involves contributing to the development of international norms for privacy protection such as the Asia Pacific Economic Cooperation (APEC) privacy framework that in part aims to help ensure companies meet certain standards when dealing with personal information. Blair says companies are starting to recognise that privacy protections help them build trust and attract international business from both individuals and other businesses.

As part of this kind of initiative, Blair is working towards getting the European Union to recognise that New Zealand's privacy law meets their minimum standards. He says that without this recognition, EU countries are constrained in sending personal information to New Zealand for processing and there is concern that local companies will be missing out on business.

'In addition to putting privacy protections in place to stop misuse from occurring, it is also important to set up international enforcement mechanisms to investigate when things have gone wrong,' says Blair.

A large part of his international work just now involves setting up ways for privacy enforcement agencies in different countries to refer complaints to each other so that issues can be investigated in the jurisdiction in which they happened.

For example, Blair says Canadian privacy authorities had received complaints about the way a United States company was dealing with personal information from Canadians. The Privacy Commissioner in Canada was having difficulties investigating a US company and so referred the matter to the US Federal Trade Commission. The Federal Trade Commission was able to add the Canadian element to the investigation it was already undertaking with local investigative powers behind it.

Blair says that as a small agency in an isolated country, the Office of The Privacy Commissioner is working strategically with bigger multi-lateral partners and blocs to try and protect New Zealanders' privacy in an increasingly global age.

Credit Reporting Privacy Code 2004 Proposed Amendment

The Privacy Commissioner recently released a proposed amendment to the Credit Reporting Privacy Code 2004 and anyone interested is invited to make submissions by 13 August 2010.

The amendment will make significant changes to credit reporting in New Zealand. Most notably, it will allow for the collection and reporting of more comprehensive information by credit reporters - positive credit reporting.

The amendment will also:

  • provide credit reporters with the ability to retain and use the driver licence number;
  • impose more explicit restrictions on direct marketing purposes; and
  • require external accountability in relation to credit reporter's compliance checking.

Positive credit reporting
The proposed amendment will allow more comprehensive reporting including several new fields of information relating to the current credit accounts held by an individual. The key information will include:

  • type of credit account;
  • credit limit (which may change from time to time); and
  • the status of the account as open or closed.

Positive reporting will:

  • give credit providers a more accurate and complete picture of an individual's creditworthiness, allowing them to make better risk assessments, leading to more responsible lending decisions;
  • allow credit products to be tailored to individuals, reducing the costs of credit for some
  • increase competition in the credit industry; and
  • open mainstream credit to a wider pool of individuals who may otherwise be excluded due to a lack of verifiable information about them.

Driver licence number
The amendment will enable the use of the driver licence number in credit reporting for the first time. Currently, the Code generally prohibits the collection and retention of driver licence numbers by credit reporters.

The use of the driver licence number by credit reporters to match credit information about individuals may better ensure that the right information is reported about the right individuals. The driver licence number is particularly useful as it does not change with new versions of the licence, it can be verified through the New Zealand Transport Agency and the driver licence is widely carried by adults in New Zealand.

However, the driver licence number is a unique identifier that was not assigned for this particular purpose. A number of significant safeguards have been proposed to ensure that the driver licence number is not misused or made available to others. The Code will prohibit the setting up of a duplicate national database of driver licence numbers.

Read more... and view the proposed amendment and information paper and also some FAQs. More...

Submissions may be emailed to Code@privacy.org.nz or sent to:

Credit Reporting Privacy Code Amendment
Office of the Privacy Commissioner
PO Box 466
Auckland 1140

Better Protection for Vehicle Owners' Personal Information

Ever since the Motor Vehicle Register was set up over 80 years ago, it has been possible to find out the name and address of the registered owner of a motor vehicle simply by going into a Post Shop and filling out a form. More recently this information was available on line, and in bulk. Anyone was entitled to this information and there were no limits on how it might be used.

As a result, vehicle owners' information has been used for mass marketing campaigns, opinion polling and market research. Data marketers are currently significant users. They process the vehicle owner data, sorting it and sometimes combining it with other information, before on-selling it to their clients. Many vehicle owners believe the information that they are compelled by law to provide should not be made available to businesses for pure commercial gain. More concerning, the information has been used by organised crime to target high value vehicles. It has also enabled stalkers to trace their victims.

A new law
A new law will come into effect on 1 April 2011 that will help to deal with these concerns. Information will still be available in many cases but there will be strong safeguards protecting vehicle owners' privacy.

The new law creates three access 'channels':

  • automatic access for law enforcement, taxation and other government purposes;
  • access via the Official Information Act; and
  • access via a special authorisation granted by the Secretary for Transport.

Official information requests
Anyone may apply under the Official Information Act for personal information concerning one or more vehicle owners. Requests should go to the NZTA.

The NZTA, when considering an Official Information request for names and addresses held on the Motor Vehicle Register, must weigh up the public interest in releasing the information sought against the privacy rights of the person concerned. To assist the NZTA to understand the public interest benefits of releasing the information, applicants may wish (but are not obliged) to advise the NZTA of the purpose for which they are seeking the information. Each application will be looked at on its merits.

Access by businesses and how to 'opt out'
Alternatively, any person may seek a special 'authorisation' for ongoing access for a specific purpose from the Secretary for Transport. We expect that most applicants will be businesses. In considering an application, the Secretary must consult the Privacy Commissioner, the Chief Ombudsman and the Commissioner of Police.

If you do not wish your name and address to be released to a person who has been granted an authorisation from the Secretary for Transport, you may ask for your details to be withheld. You can opt-out online at http://www.nzta.govt.nz/transact/ or phone 0800 108 809. (Please note that although your desire to opt-out will be recorded now it will not take effect until the law comes into force on 1 April 2011).

Information that is not personal
Names of companies or other corporate bodies will continue to be publicly available. Vehicle details will also continue to be available.

You can get more information from the NZ Transport Agency website: http://www.nzta.govt.nz/vehicle/registration-licensing/information-qa.html

Tax System Review

Inland Revenue is currently reviewing some aspects of how they operate the tax system. It has recently released a discussion document so the public can have their say on the proposed changes (available at www.taxpolicy.ird.govt.nz).

The discussion document raises some interesting issues, particularly:

  • the proposal to lower the thresholds for tax secrecy to allow Inland Revenue to release more personal information in certain circumstances; and
  • a proposal for a new information sharing framework for PAYE information.

The consultation process closes on 23 July 2010. Inland Revenue is also running a consultation forum at www.makingtaxeasier.ird.govt.nz, which provides a quick way to make comments on specific questions.

News around the world

The UK's new coalition government plans to cancel the national ID card programme. It will also scrap the National Identity Register, a computer system storing information from biometric passports and ID cards, and the next generation of biometric passports. Read more ...

The Council of the European Union is considering establishing a new agency that would tie together law enforcement agencies and other entities dedicated to fighting cybercrime. One of the Council's goals is to gain more ratifications of the Council of Europe's Cybercrime Convention, the only international treaty covering computer crime. Read more...

Recently Google revealed a new tool designed to reveal for all to see when government agencies around the world ask Google to provide them with user data or remove certain content. Read more...

The Privacy Commissioner of Canada has launched an investigation into Google's collection of data from unsecured Wi-fi networks as its cars were photographing streetscapes for Street View. The investigation will determine whether Google contravened Canada's private-sector privacy law. Read more...