Office of the Privacy Commissioner | IAPP (International Association of Privacy Professionals) ANZ Summit speech - Michael Webster
IAPP (International Association of Privacy Professionals) ANZ Summit: Sydney 2022, 24 November
I greet you all in the language of the tangata whenua of Aotearoa New Zealand. And I too acknowledge the status and place of the first nations people of this land.
Thank you for that introduction and the opportunity to share some insights drawn from the recent work of my Office, and what we intend to focus on for the year to come.
Four months into the job, I’m not claiming to be an instant expert in the intricacies of privacy law.
But I have been asking lots of questions, and doing a lot of listening, and I have had the opportunity to speak to many privacy experts, and indeed holders of strong views on privacy - which is not necessarily the same thing! – and that has created for me a picture of where privacy is at in New Zealand today, and where we want to take it.
But before I talk about that, I just want to reflect for a minute on what I did not do, and I suspect many of you did not do, when you arrived at this hotel and conference venue.
I did not check to see if the hotel has its building code of compliance, or that all building regulations were complied with when it was built and renovated, so that it is structurally sound.
I did not check to see if the hotel staff have had recent training in how to evacuate the building in the event of a fire.
I did not check the air conditioning system to ensure no noxious or lethal gases produced by machinery and engines inside or outside this building were somehow entering the building’s air-con system.
I did not go down the fire exits to check that the external fire exit doors were not chained up, or blocked by a rubbish skip.
I am standing here, trusting that all these things are in place, or have happened, or have been checked.
I suspect my trust is well placed, because the owners and managers of this building simply regard it as a core part of their role that their guests will stay healthy and be safe here.
It’s a basic, fundamental role of running and licensing a public venue – you put the health and safety of guests first.
It drives a number of behaviours throughout the organisation.
And that, in a nutshell, is what I want to see happen with privacy in Aotearoa New Zealand.
I want to see privacy treated as a core focus for agencies, as much as health and safety, or good financial reporting, or achievement of key financial and non-financial targets.
And I want to see it as a core focus because I believe that that will contribute to three desirable outcomes.
I want to ensure privacy is a core focus for agencies in order to (1) protect the privacy of individuals, (2) enable agencies to achieve their own objectives, and (3) safeguard a free and democratic society.
I’ll talk more about this strategic focus later.
But before we get going, it’s probably useful to remind ourselves about some key features of the NZ privacy legislative framework.
It is of course about promoting and protecting individual privacy, and in particular the privacy of personal information.
It applies to government agencies, the private sector – from the corner store to the major listed company – the non-profit sector, schools and hospitals, churches and intelligence agencies.
And in carrying out my statutory roles under the Act, I must, among other things, have regard to the desirability of facilitating the free flow of information in society, and government and businesses being able to achieve their objectives efficiently.
One of the first, and perhaps blindingly obvious, insights you pick up immediately upon entering the world of privacy is the importance of trust and confidence – and once lost, how difficult it is to get it back.
This very much relates to that second outcome I described earlier – to enable agencies to achieve their own objectives.
In her 2018 Sir Bruce Slane Memorial Lecture, then Justice Helen Winkelmann, now New Zealand’s Chief Justice, gave a very thoughtful and important speech on privacy, its place in our law, and its value to us all as a right.
In it she noted that:
“An invasion of privacy which undermines or negates [an individual’s] dignity can be profoundly harmful for the individual. It can distress, humiliate and shame. In extreme cases, it can destroy the social and economic foundations of an individual’s life.”
It’s not rocket science; if your staff, your customers, your clients, have trust and confidence in you as an organisation, and in how you go about your business or delivering your functions, then that creates ‘permission space’ for you to be innovative, to take opportunities, to try new ways of doing things.
Losing that trust and confidence through privacy breaches will, I suggest, undermine efforts to be innovative, to improve productivity.
Research certainly backs up the view that privacy breaches cost businesses in all sorts of ways.
Our message to NZ organisations will be that developing and maintaining a solid privacy protective culture, that respects the privacy of individuals, is just good business.
One of the realities of looking back on the work of the office is that, in large part, it’s a story of dealing with system failure and human error in organisations, and loss of trust and confidence – but at their heart, these are stories of New Zealanders who’ve been hurt or suffered loss.
The personal side of it all – and not just the organisational impact - looms large for me – people affected by the actions or inactions of agencies … people frustrated, embarrassed, put at risk, hurt or even harmed by a privacy breach.
It reminds me that it could have been me … or you … it reminds me that, at the end of the day, privacy is also all about the dignity of the individual, and the value organisations place on that.
I see the right to privacy as a fundamental right, as much as those rights set out in our New Zealand Bill of Rights – like the right to freedom of expression, or freedom of movement.
So, when I reflect on things at a macro level, and consider broad policy proposals, and system reform, I like to remind myself – privacy is all about the people.
My Office conducted a survey in 2022 on privacy awareness and engagement; the results from that provide food for thought for all of us.
61% of those surveyed – so almost 2 in 3 – were concerned about information being collected from children online without parental consent.
The same percentage were concerned about the security of their personal information on the internet.
55% were concerned at government agencies sharing personal information without their permission.
There has, over the last year, been ongoing media coverage in New Zealand of cyber-security issues, and major stories about social media monitoring and tracking.
We consider that this is having an impact on the way people think about who they give their information to and, once given, how it is being looked after.
And the statistics bear that out - almost half of New Zealanders say they would avoid doing something on the internet due to concerns that their online activity is being tracked.
Of course, individuals have a right to disclose some personal information in a manner that makes it publicly available.
But that does not mean they give up their right to keep some personal information private.
And it also does not mean that they have given consent to have personal information that they thought was disclosed in a private manner, then obtained through the application of technology, whether in a legal or illegal way, and treated as public.
Nor does it mean, for example, that cyber-hacked personal information that is placed on the dark web has all of a sudden become publicly available information.
This is a growing area of concern, with the growth in cyber-crime in NZ.
Looking ahead, as Privacy Commissioner I have a real interest in online privacy and in the collection, aggregation and use of what is termed “open source” data by both the public and private sectors.
The explosion of new data sources and platforms, together with potent new data scraping, mining, linking and analysis tools, creates new risks of privacy intrusion.
There may well be a widespread consensus that, for example, a government agency has a public policy problem that needs to be solved, but is the action being proposed to deal with that problem – action that impacts on individuals’ right to privacy - lawful, necessary and proportionate?
A growing concern is that the reality of open source information usage could appear to run counter to these propositions.
As Professor danah boyd says in Privacy and Publicity in the Context of Big Data, what is in the public domain has been redefined to “accessible and available for any purpose under any circumstance”.
If this is true, then it places even more responsibility on the users of open source information to use the technology with care, to collect only what is lawfully available – not just what is accessible.
As the privacy regulator for Aotearoa NZ, throughout my term of office I will be looking for demonstrations that publicly available information is being collected within the guard rails of lawful, necessary and proportionate.
Even after almost 30 years of modern privacy regulation in New Zealand, the journey to get to a place where more and more private and public sector organisations understand what they need to do, and not do, to manage personal information in a way that is lawful, necessary and proportionate, has a long way to go.
My Office knows that education and guidance is a critical factor in supporting organisations to lift their game.
And for me, one of the greatest insights I have had is the importance of what I call the privacy ecosystem.
At its core is my Office as the privacy regulator, the NZ Ministry of Justice which is responsible for policy advice and legislation on privacy, individuals who have personal information, and private and public sector agencies who use personal information.
In the wider privacy system you find judicial bodies, industry bodies, advocacy groups, ICT providers, Māori organisations, privacy advisors, and the NZ Government Chief Privacy Officer.
It is here you find many of the sorts of people who are here today.
Many of these people have a valuable role to play in assisting agencies to meet their privacy obligations.
Beyond this, there are the bodies that have an influence on the privacy system – Parliament, other regulators, even foreign privacy regulators.
It will be a great day for privacy when all these components and bodies work even more effectively together, understanding and supporting each other’s efforts.
The purpose of the Privacy Act is to promote and protect individual privacy by providing a framework for protecting an individual’s right to privacy, including their right to access their personal information.
To achieve it, we need to help agencies improve their privacy practices, lining up their policies, IT and operational activities in ways that are privacy-protective while being transparent about why, how and when personal information is being gathered, used and shared.
And we need privacy professionals to remind their employers and their clients of their duties and obligations, and to identify areas of risk.
We also have to head off a “race to the bottom” and remove the temptation for organisations to exploit grey areas for a competitive advantage – once one agency builds a shortcut around privacy into their business model, others will want to follow suit.
So, that’s why I want to elevate privacy to one of the key types of issues that your employers and clients consciously and proactively manage, like for example workplace health and safety.
This is about strengthening the ‘fence at the top of the cliff’ to protect the privacy of individuals.
My view is that privacy needs to run through everything an organisation does.
I also want to emphasize that it needs preparation and planning to build a privacy protective approach into an organisation’s culture, operations and decision-making.
But this is what will make organisations resilient.
This is what will help build the trust and confidence of the public.
This is what will enable organisations to efficiently comply with their privacy obligations and liabilities, and enable organisations to grow and evolve without wasteful redesign of systems and processes.
This is what will save the significant costs that can be faced when responding to, and recovering from, a privacy breach.
And, starkly, this is what will help keep organisations out of the media spotlight for questionable privacy practices.
I know that many of you here today carry out a very important role in helping employers and clients with their privacy obligations.
You provide an essential service to help them work through real privacy issues when they come up, ones that they may not have thought about before or planned for.
But you cannot do it alone.
I’m actively thinking about how we encourage organisations not to completely devolve privacy risk to privacy teams or to their privacy officers or advisors – and encouraging them to keep a strong link to privacy risk management at a governance and senior executive leadership level.
Boards and senior leadership teams need visibility of their privacy risk management systems - how well these are operating, and learning from the experiences of others.
Having heard quite a few worrying privacy breach stories over the last four months, my vision … my hope … what I think is well needed, is that one day all executive leadership teams include within them a champion for privacy, and at least once a year the organisation’s governance and leadership asks itself the questions: “What does a mature, privacy protective organisation look like?”, “Are we one?” and “If we’re not, how do we become one?”
Every privacy story is a gift of how we can help organisations do things better, more strategically and enable them to get on with their important services and contributions to our economy, our country and our people.
And my Office is here to help organisations with practical information, case notes and guidance.
Of course, when it comes to my office, it’s not all education and engagement.
I also want to emphasize that as the privacy regulator I have a range of functions to respond to privacy issues, ranging from the adversarial to the collaborative.
My objective is to make sure we meet privacy compliance issues with the appropriate level of response.
This means working with organisations that have privacy issues, on a co-operative basis, whenever an organisation is willing to engage with my Office, is willing to acknowledge the issue they have and to make their best efforts to put things right for the people concerned, and to ensure it doesn’t happen to other people in the future.
Organisations don’t need to be overly defensive or evasive with my Office’s investigations into what has gone wrong.
That doesn’t help me and it doesn’t help them.
With free and frank information sharing, we can make sure that many privacy problems get dealt with effectively and do not need to be escalated to enforcement action.
As many of you will know, it was in 2020 that the Privacy Act was amended to give my office an additional range of compliance and enforcement tools.
We are starting to see the benefits of having additional compliance functions, and a dedicated compliance and enforcement team.
After 2 years of now being able to get into systemic issues, it’s clear that our regulatory model is one based on “high trust” that expects that most agencies are complying.
Concerningly, we are finding that in reality, the degree of privacy maturity is not as developed as we would have expected for legislation that has been in place for nearly 30 years.
Overall, the Office has not so far issued many formal compliance actions.
This quarter saw the completion of all requirements included in the first compliance notice issued under the Privacy Act 2020.
This notice had been issued to the Reserve Bank of New Zealand, following a cyber-attack, and covered remediation steps.
The Police were issued with our second compliance notice on matters of retention in connection with a joint investigation of photography and fingerprints, and are reporting quarterly on remediation steps.
The potential to issue formal compliance action is having a clearly observable effect.
We are noting positive compliance responses to lower level actions such as draft compliance notices, compliance advice, requests for assurance, requests for information, and letters of concern.
This means the need to move to more formal measures is reduced.
It is also noticeable that agencies are engaging external experts to carry out important privacy breach investigations, and adopting the recommendations from those reviews.
At this level we are therefore seeing evidence of a willingness to comply when issues are raised.
Agencies can continue to expect to hear from us not just about complaints from individuals, but also where my Office proactively identifies an issue that may require remediation or assurance.
Just to balance things up a little, so far I’ve been speaking a lot about my expectations of organisations out there.
I thought it might be instructive to share some of what I’m hearing about others’ expectations of me and my Office.
So, what do others expect of me … what do you expect of me?
In the short time I have been Privacy Commissioner, I have tried to meet with as many stakeholders as possible – to hear their expectations, and get a sense of what they see as important in the world of privacy regulation.
Some want me to take a ‘pragmatic’ approach, fulfilling my statutory responsibilities, but not getting too evangelistic or extreme about it.
Some back an approach where a focus on education and engagement moves more forcefully into compliance and enforcement action.
They want an even stronger assertion of privacy rights, and a ‘less carrot, more stick’ approach to regulation.
Some fear a dystopian future, where all ‘those’ books and films come to life, and want me to do my damnedest to put big tech and social media – and the growing surveillance society - back in its box.
I have no problem with such diverse and strong views – it speaks of healthy debate around the right to privacy, which is better than no debate at all.
But it does provide a cautionary lesson for those who have the ability to shape and respond to the privacy rights environment – including all of you here.
If I were to assemble a set of people on this stage, ranging from those who give less prominence to privacy in relation to other values or factors, to those who give more, it might look like this – apologies for the somewhat crude stereotyping!
Over there we have the chief executive of Omnicorp, whose driver is financial performance.
There we have a senior manager of a government agency responsible for community safety service delivery initiatives.
I’m here as well.
But, and this is one of the interesting things that my series of stakeholder and media engagements has revealed to me, there are representatives of many other perspectives up here as well.
We are joined by a range of people, from interest groups, to citizens’ rights groups, to the person in the street, many of whom are suspicious of any claims of being privacy aware that are made by organisations like Omnicorp or our government agency - or who know from bitter experience that their privacy is not respected and protected.
And the question is, not just for me but for all of you, what are we going to do about it?
In a world that is increasingly fractured and fractious, there is, I would argue, an increasing pressure on those of us in this room to do two things:
First, to work to open the eyes of those in the public and private sector organisations as to the degree of concern that there is about protecting the right to privacy.
And second, to also work with them to strengthen their approach to carrying out their functions within a framework that demonstrates a strong awareness of that right.
I promised earlier that I would return to the New Zealand regulator strategic journey.
Just a reminder about that journey: the legislative changes in 2020 gave us new functions and powers, and the potential to do more to protect New Zealanders’ privacy rights.
The heart of our current strategic direction is to set our aim on making privacy a core focus for agencies.
As I said earlier, agencies need to regard privacy as they do other important obligations, such as health and safety.
By focusing on agencies, we are strengthening the ‘fence at the top of the cliff’.
We have also challenged ourselves to improve our engagement with te ao Māori, or the Māori world, and its perspectives on data and privacy.
With the actions we take under this new strategic direction, over time our work should see more individuals exercising their privacy rights, and seeking our assistance when they feel their privacy rights have not been protected or respected.
Our compliance actions and complaint investigations will keep agencies accountable.
We will set clear expectations with privacy codes and guidance.
You will see a strong emphasis on education and engagement in the years to come.
And that emphasis on education and engagement extends beyond informing organisations about the rules of the game, to engaging with them on ideas and initiatives for good privacy practice.
That may all sound very obvious and ordinary, but what I and my Office want to see - to steadily bring about over time - is behavioural change in relation to privacy.
Behavioural change is a matter of changing people's attitudes, beliefs and perceptions of social norms – in this case, the value of privacy.
This can be both changing people's factual understanding by providing the right information about the behaviour itself, or by shaping how people value the outcomes.
My Office will, as other priorities allow, do the research, analysis, consultation and publication of advice and guidance that we hope will support organisations to run their own campaigns to build a privacy protective operating model in everything they do.
We need you all to be involved; we want you to have your say; we value your professional insights - hearing your experiences and ‘war stories’; and we will, therefore, make sure we build adequate time for consultation and engagement into what we do in this space.
We have already started doing this in the increasingly important area of biometrics.
Biometric technologies can have major benefits, including convenience, efficiency and security, but they can also create significant risks, including risks relating to surveillance and profiling, lack of transparency and control, and accuracy, bias and discrimination.
We have been consulting to hear from New Zealanders amid growing concern over this issue, such as examples of stores using Facial Recognition Technology as part of CCTV systems.
Technology and privacy don’t need to be mutually exclusive, but organisations using biometrics do need to have appropriate safeguards and protocols.
The consultation will help inform the potential drafting of further guidance or rules, enabling organisations to innovate and benefit from emerging technologies while protecting people from harm.
Other current areas of focus are children and privacy, and privacy and the small business sector.
I also want to highlight one project in particular that my office will be focusing on over the coming year – and that is what we call the Privacy Risk Management System – or the PRMS.
This programme will evaluate options and design regulatory interventions which provide clarity to the regulated sector about what is required to transition to a state of privacy maturity, and which place accountability on agencies for their compliance with the Privacy Act.
Lifting privacy maturity means the PRMS will set in place the foundations that agencies should have so that they can be confident that they are compliant with the Privacy Act, and have robust systems in place for when things go wrong.
At this stage, we can see that the draft elements of a PRMS might be:
- Developing and implementing a Privacy Management Plan
- Establishing an effective breach response plan
- Safeguarding the security of personal information
- Ensuring appropriate governance oversight of privacy risks
- Staff undertaking appropriate privacy training
- Maintaining effective controls on access to personal information
- Undertaking Privacy Impact Assessments
- Providing appropriate transparency of how personal information is being used
- Undertaking continuous improvement
- Creating an effective privacy complaint mechanism
- Resourcing the privacy function sufficiently.
A key phase in the development of this programme will be engagement with those in the privacy ecosystem.
This will help us further refine our problem definition, and inform the design of the PRMS.
So, as I look ahead, and reflect on the medium-term priorities for the Office of the Privacy Commissioner, to sum up, we will continue to meet our statutory responsibilities by championing the interests of people who want their right to privacy protected and respected.
And, by helping organisations to grow their levels of privacy maturity, and to strengthen their privacy compliance, you are contributing to that as well.
People might be clients of government agencies, or customers of private sector businesses, but most importantly they are citizens of Aotearoa New Zealand, with important rights that need to be protected.
As the great New Zealand modern day philosopher and former All Blacks captain Tana Umaga once said during a Hurricanes/Crusaders rugby game, “we’re not playing tiddlywinks” out there.
Privacy underpins a free and democratic society, and nothing, nothing, is more important than that.
Yes, efficient service delivery, business success, customer satisfaction, return to shareholders – they are all very important and need to be taken into account … but I’m going to do my very best to ensure important rights and freedoms are not overlooked, or traded away, in pursuit of these objectives.
Privacy is precious; we can all work together to protect it and respect it.