Office of the Privacy Commissioner: Statement of Intent 2008/09

Thu, 03 Jul 2008 16:20:29 +1200

The purpose of this Statement of Intent is to set out the medium term intentions and undertakings of the Office of the Privacy Commissioner for the period 2008/09 and our direction to 2010/11, and thereby promote our public accountability. It describes the results that our small office will work towards over the next three years, and how we plan to achieve these.

Download the full Statement of Intent booklet below

Annual Report of the Privacy Commissioner 2007

Fri, 21 Dec 2007 15:28:49 +1300

Annual Report of the Privacy Commissioner for the year ended 30 June 2007. The Report was tabled on 28 November 2007.

Download the full Annual Report below (PDF file 138 pages)

KEY POINTS

• Government information matching continues to expand. There are currently 76
authorised programmes. The 46 programmes that were operating during 2006/07
involved tens of millions of personal records.
• Over $45 million was recovered through information matching programmes in 2006/07.
• While most information matching programmes operated satisfactorily, the Office
has ongoing concerns at the margin about the operation of a small number of
programmes. Those concerns centre on the quality of the matching process and its
impact upon innocent individuals. For more information see Section Five, p35.
• The Office received 640 privacy complaints during 2006/07. About two-thirds of those
complaints were about access to personal information or disclosure of personal
information.
• Of the 701 complaints closed in 2006/07, 75% (524) were successfully settled without
needing to proceed to a final opinion.
• The Office is achieving a faster turnaround on complaints, with the average ‘age’ of
complaints dropping.
• The Office received over 6000 telephone and email enquiries during 2006/07. Topics
of enquiry ranged widely, and included the use of driver’s licence and passport
identification details, fingerprint scanning, website privacy statements and insurance
companies’ rights to access medical records.
• The Office ran New Zealand’s inaugural Privacy Awareness Week in late August 2007.
Simultaneous events ran in Australia and Hong Kong, with the common theme ‘Privacy
Is Your Business’.
• Privacy breach notification guidelines were issued during Privacy Awareness Week.
The voluntary guidelines are to help businesses and government organisations to take
the right steps after a privacy breach, including notifying people if their personal
information has been stolen, lost or mistakenly disclosed.
• Commenting on policy and legislative proposals and assessing possible privacy
impacts is a major work stream for the Office. The Office successfully dealt with
228 legal and policy related projects during the year.
• The Law Commission began an extensive review of privacy in October 2006.
The review is being conducted in four stages over several years. Part of the Law
Commission’s work programme for 2008 includes reviewing the Privacy Act 1993.

INTRODUCTION

Our data revolution
Respect for the handling of people’s personal information is fast becoming a key measure
for responsible business and government.

We are in the midst of a data revolution. We can send information globally with the tap of a key – and we do. There is no longer a time or cost barrier in copying data and distributing information widely. If we want to share, we can. We are data rich. Pressures of business efficiency mean that processing data is a competitive field, where there is an advantage to be gained by being cheaper, faster or more convenient. Outsourcing data processing to companies overseas is not only feasible, but for business reasons it may be preferable.

Individuals are increasingly aware of and want to control how their information is handled. This is against a background of a flood tide of information being collected or provided, procured and used. Current examples of the ‘information world’ include: Facebook; Bebo; Myspace; the Motor Vehicle Register; the register of births, deaths and marriages; professional hacking and information stealing; loss and exposure of information on a grand scale; border control – finger-print and retina scans.

There has been a phenomenal growth in both the number and range of data matching programmes being conducted by government. And yet I suspect few New Zealanders are aware of that escalation. Apart from the simple increase in the number of matches, and the range of agencies involved in matching work, there are matches that involve data being sent offshore. And businesses carry out data matches too. The size and scale of the private sector matching activity is unknown, because there is no monitoring of those programmes or record of their number. So data matching has gone global; and we have all become electronic citizens.

...data matching has gone global; and we have all become electronic citizens.

Transborder data flows raise real challenges to the reach of national laws.

There is a growing awareness that domestic legislation is not enough. Simply put – we don’t have much chance of enforcing the good information handling provisions in our Privacy Act in those instances where data is sent overseas by a New Zealand agency.

We have had some complaints to our office involving cross-border issues and, in practice, there have been agreements reached between the disputing parties. But we would have far greater confidence if cross-border issues arose in a country with broadly similar protections such as Australia – with whom we have recently reached a memorandum of understanding covering the management of cross-border privacy complaints, possible joint investigations and cooperation on privacy issues.¹ However, the current situation does not leave us in a strong position legally, and is probably not sustainable.

One of the effects of a revolution in personal data is the growth in ‘privacy pollution’.

Privacy pollution
One of the effects of a revolution in personal data is the growth in ‘privacy pollution’. Privacy pollution accumulates, is pervasive and hard to avoid. Privacy pollution has some similarity to air pollution: small blots of contamination build to form blankets of smog. In themselves, they are relatively minor – specks of soot or puffs of smoke – but in combination the effect can be overpowering. Like environmental contaminants, privacy breaches run from annoyances like direct marketing calls, across to serious and even criminal actions, like identity fraud.

We leave traces of ourselves everywhere we go…

The second key feature of privacy pollution is its pervasive nature. We are unwittingly captured each day on CCTV in the supermarket, at the petrol station, in the video shop, on the street and at the bank. We leave traces of ourselves everywhere we go, work, shop or live – travel, entertainment, hospital and GP, the internet, telephone and government records – to name but a few. Our transactions are recorded, stored and shared. Our behaviour is silently recorded on camera. We no longer simply buy products – we demonstrate ‘purchasing patterns’. Twenty years ago, my supermarket did not know what brand of toothpaste I bought unless someone stood by the checkout. Now, all my prior purchases are available to them (and me) electronically.

A third characteristic of privacy pollution is that there is unlikely to be an immediate legal remedy. The Privacy Act may not provide much comfort when the activity is generalised, such as street surveillance, or is done in accordance with specific statutory authority, such as the universal ID cards issued to all citizens of some countries. Certainly there may be instances where people can remove themselves from a mailing list or opt not to provide additional personal details, or choose not to spend time in a CCTV area but, often, there will be little realistic alternative.

These tiny but insidious measures combine together to shape our behaviour. We must strive to find some way not only of limiting the impact that this has on each of us, but also to find spaces in which we can be free.

The overall effect is that these tiny but insidious measures combine together to shape our behaviour. Together, they contribute to a climate where private space, thoughts and choices are encroached upon and subtly eroded. We must strive to find some way not only of limiting the impact that this has on each of us, but also to find spaces in which we can be free.

American law professor and academic Walter Gellhorn recognised back in the 1950s,
at the height of the Cold War, the temptation to disregard the freedom we already enjoy and to approach casually the risks of incursions. He said:²

The trouble is that small restrictions accumulate into large restrictions and, in the process, may become as habitual as, before, freedom was.

I note two general developments in relation to this.

One is an international trend toward the use of citizen identity cards. Identity cards are being introduced in many countries throughout Europe. In China, there have been concerns raised about the extremely wide-ranging information stored on ID cards. One report, for instance, noted that data on the chip will include not only the citizen’s name and address, but also work history, educational background, religion, ethnicity, police record, medical insurance status and landlord’s phone number. Even personal reproductive history will be included for enforcement of China’s controversial ‘one child’ policy. Plans are being studied to add credit histories, subway travel payments and small purchases charged to the card. Closer to home, Australia is introducing a health and social services access card.

A second initiative is the development of DNA databanks.

In the United Kingdom, The Times newspaper reported recently that some British police forces are seeking increased powers to take DNA samples. The proposal includes police being able to take DNA samples from people for non-imprisonable offences, such as speeding and dropping litter. It is good to find that the Association of Chief Police Officers warned that allowing police to take DNA samples in those instances might be seen as demonstrating the “increasing criminalisation of the generally law-abiding public”.³
The Times also reported that already:

"There are almost four million samples on the DNA database, including more than
100 of children aged under 10, even though they have not attained the age of
criminal responsibility. A further 883,888 records of children aged between 10 and
17, and 46 records of people aged over 90, are held on the database, which costs
more than £300 million."

The British Home Office consultation paper noted those asking for the change saw it as “a means of increasing officer confidence in knowing who they are dealing with and enabling them to deal more effectively with the incident at the scene”.

British public and watchdog disquiet is growing. The Human Genetics Commission announced it will be conducting the first public inquiry into the DNA database. Speaking as chairperson of the
Commission, Baroness Kennedy, QC, noted that the database has “a preponderance of young men, with a third of black males currently on it. And anyone on it is there for life”.

Both citizen ID cards and DNA databanks have provoked genuine and vigorous debate. How do we neutralise the invasive and concerning aspects of these projects without losing the claimed benefits? Individuals must be aware, make choices and retain control wherever they can. Where they cannot, privacy commissioners and governments have to watch, monitor and control.

Individuals must be aware, make choices and retain control wherever they can. Where they cannot, privacy commissioners and governments have to watch, monitor and control.

I do not profess to hold the answers to these complex issues. Both citizen awareness and watchdog activity will assist. But I am convinced that efforts must be made and that international cooperation is part of the solution. We must consider supra-national and cross-border initiatives.

Privacy Awareness Week
The Awareness Week successfully met one of our key goals – to communicate and raise awareness about privacy and personal information issues and risks, and how these can be countered.

Early in 2007, the Privacy Commissioners of New Zealand, Australia and
Hong Kong agreed to run a Privacy Awareness Week (PAW) simultaneously across the region in the last week of August 2007, with the multi-layered theme ‘Privacy Is Your Business’. PAW was a success for the Office, and I look forward to a repeat in 2008. PAW activities are outlined later in this report.

A key initiative during Privacy Awareness Week was the announcement of voluntary
guidelines to assist business and government to take the right steps in the event
of a privacy breach.

The guidelines include notifying people if their personal information has been stolen, lost or mistakenly disclosed. ‘Breach notification’ is a new and mandatory requirement in many overseas jurisdictions and guidance will help organisations take measures to minimise the impact on customers and clients. The draft guidelines were well-received by business and media.

Where to from here?
Complaints to the Office are trending downward in number. I regard this as a positive
development. Consequently, more resource may be able to be devoted to ‘growth’
areas such as technology monitoring and advice, government data matching and communications.

The Office is also currently involved in the Law Commission’s review of privacy. This major project has wide-ranging terms of reference and will continue through the next reporting period and beyond. Among other things, the Law Commission will be reviewing the Privacy Act. I look forward to assisting the Commission’s work as far as possible and will continue to follow the project with great interest.

Privacy is a notion that we associate with the individual but, evermore, I am becoming conscious that society too, has an interest in privacy. Legal academic Daniel Solove says:⁴

“ Privacy, then, is not the trumpeting of the individual against society’s interests but the protection of the individual based on society’s own norms and practices.”

When the quality of our personal – and public – space is diminished, we are all the poorer.

Marie Shroff
Privacy Commissioner

¹ Memorandum of Understanding between the Office of the Australian Privacy Commissioner and the Office of the New Zealand Privacy Commissioner,
http://www.privacy.org.nz/library/memorandum-of-understanding.
² Walter Gellhorn Individual Freedom and Governmental Restraints (Baton Rouge, Louisiana State University Press, 1956) 39-40.
³ Richard Ford, “Police want DNA from speeding drivers and litterbugs on database” The Times, 2 August, 2007 (www.timesonline.co.uk/tol/news/uk/crime/
article2183105.ece?print=yes&randnum...).
⁴ Daniel J Solove “ ‘I’ve got nothing to hide’ and other misunderstandings of privacy” (2007) 44 San Diego Law Review, 15. Available at SSRN: http://ssrn.com/
abstract=998565.

Office of the Privacy Commissioner: Statement of Intent 2007/08

Mon, 12 Nov 2007 09:45:22 +1300

The purpose of this Statement of Intent is to set out the medium term intentions and undertakings of the Office of the Privacy Commissioner for the period 2007/08 and our direction to 2010/11, and thereby promote our public accountability. It describes the results that our small office will work towards over the next three years, and how we plan to achieve these.

Download the full Statement of Intent booklet below

Annual Report of the Privacy Commissioner 2006

Thu, 23 Nov 2006 14:06:12 +1300

Download the full annual report below (PDF file 124 pages)

KEY POINTS

The Privacy Commissioner’s 2006 public opinion survey found a strikingly high level of public concern about how businesses handle personal information. More than 80 percent of people surveyed pinpointed the internet and business as key privacy concerns.
The Credit Reporting Privacy Code came into full effect on 1 April 2006, and has been well received by consumers, credit reporters and the financial sector.
A new-look, simple-to-navigate website was launched – www.privacy.org.nz. It includes plain English information on privacy rights and responsibilities, information about internet safety and a full text search engine.
A total of 636 formal complaints were received during the 2005/06 year. The continuing downward trend of recent years seems to be the result of proactive handling of complaints by the Office’s staff and more targeted privacy training. Telephone enquiries remained steady at around 6,000.
The Office closed around 60 percent of new complaints during 2005/06, usually within six months of receipt. The backlog of old files continued to drop. Where parties were willing, the Office continued its policy of attempting to settle complaints,
Problems with access to personal and health information continued to dominate, making up about 50 percent of complaints. Disclosure of personal or health information was the second most common complaint.
The Office’s three-person technology team completed its first full year of work. The team participated in e government work, established public and private sector information forums, and surveyed private and public sector website privacy notices.
Legal and policy capacity within the Office was enhanced in the second half of the year, and a new position of Policy Adviser (Health) was established.
The Office advised on the privacy implications of proposed legislation, policies and practices. Topics included counter terrorism, trans-border data sharing, use of biometric information, and proposals on access to court records.
Media enquiries focussed on technology issues. Many speeches, presentations and education sessions on privacy issues were given in response to requests.
Government information matching continued to expand. There were 40 programmes in operation during the 2005/06 financial year, compared with 36 in 2004/05. A further four new programmes were authorised by Parliament.
There was a 45% increase in the number of government information matching programmes using online information transfer. These online programmes require special permission from the Privacy Commissioner.

INTRODUCTION

A striking result of our 2006 public opinion survey on privacy was the high level of public concern about how businesses handle personal information. More than 80 percent of people pinpointed the internet and business as key privacy concerns. Ninety-three percent of those surveyed rated good personal information practices by businesses as more important than convenience, and as important as efficiency, product quality and service.

General concern about invasion of privacy rose (to) 56 percent in 2005/06, from 49 percent in the 2001 survey. Privacy now ranks sixth out of nine major issues tested. Public concern about privacy invasion now ranks ahead of unemployment, behind education, crime and violence, health, the environment and the economy.

Rapidly developing technology fuels public awareness and concern about privacy invasion. The way in which we lead our lives, and the ways in which government and business serve us, are increasingly influenced by or dependent on technology. For instance:

an estimated one million New Zealand households have internet access
industry sources estimate that there are about 3.8 million mobile phone connections in New Zealand
the DNA profiles of more than 50,000 people are stored on the Police DNA databank
requests for details of motor vehicle owners have grown from 2 million in 1998/99 to 10.8 million in 2005/06.

All kinds of organisations and businesses use advanced technology to collect, sort, store and trade our personal information, both to make our lives easier in dealing with them and also for their own use. It is no coincidence that the language of the computerised information world is increasingly strewn with metaphors – such as data mining, data banks and data warehousing – that are drawn from commerce. Mainly through the power of technology, our personal information is increasingly a tradeable commodity, with a real market value.

The day-to-day work of the Privacy Office in acting as a watchdog to protect personal information and to promote good practice has become increasingly focused on technology and science-driven issues.

On 1 April 2006 the Credit Reporting Privacy Code, developed by the Office, came into full effect. Credit reporting is a prime example of an industry that uses personal information for commercial purposes. The industry collects, holds and sells personal and credit related information about an estimated two million New Zealanders. The Credit Code now requires the industry to give individuals free access to their credit records and to limit information collected to that relating to credit. Credit reporters are obliged to ensure greater accuracy of information held and disclosed, and to increase controls on release and reduce misuse (eg. unauthorised release). The industry cooperated fully in our development of the code. The benefits are becoming clear – thousands of New Zealanders have used the new right to access credit information about themselves.

Our legal/policy staff have also continued to contribute to the development of government policy and legislation, especially involving the uses of technology. Examples this year included submissions on the SPAM (Unsolicited Electronic Messages) Bill, proposals on anti-money laundering and the financing of terrorism, and the Financial Transactions Reporting Act. The globalisation of information flows – for example for customs, immigration, passports and banking – has also generated work for the Office.

In its first full year, our three-person technology team actively participated in e-government development work, including the government logon service and all-of-government online identity authentication. The team established information forums for the public, business and government on data matching, and technology and privacy, and carried out a survey of private and public sector websites. The survey showed that only just over half of the websites had privacy notices. Two consumer-oriented guides, one on websites and personal information and the other on the safety of personal information on the internet, were produced. Among the issues the team dealt with were privacy aspects of digital rights management, CCTV use and guidelines for biometric technologies. Government information matching continues to expand, with 40 programmes operating during the 2005/06 financial year.

Internationally, good personal information handling is becoming a key part of globalised commerce. Cooperation amongst government and privacy authorities worldwide has produced a number of significant developments. The Asia Pacific Economic Cooperation (APEC) grouping approved an APEC privacy framework in November 2005 and our Office played a strong role in its development. Regional cooperation has been enhanced by the adoption by the expanded Asia Pacific Privacy Authorities forum (APPA) of a formal statement of objectives. These set out to improve standards, share knowledge and promote best practice. The International Privacy Commissioner Conference in late 2005 unanimously adopted a declaration about global coordination to enhance privacy objectives. Although these are first steps, they mark a new impetus for cooperation to advance privacy protection internationally, against a background of electronic cross-border information flows.

During the year the news media raised many technology related privacy issues. These included biometrics (such as finger scanning in the workplace), widespread use of CCTV, the potential for the sharing of health and DNA databases, internet blogs, skimming of EFTPOS terminals, the safety of home computers, covert filming and bugging, the use of public registers by direct marketers, proposals for a variety of new databases (eg. all children and all state housing tenants), the use of radio frequency identification devices (RFIDs), the transfer of New Zealanders’ information overseas, checking of employee emails, the sale of CCTV footage, internet banking, a prostitutes’ register, infant heel prick cards, tracking people via their mobile phones and credit reporting. This extensive list of topics reflects a broadening and welcome media awareness of privacy issues. I am pleased that the media are now playing a valuable part in telling the many developing privacy stories and alerting the public to risks. In March this year we were encouraged that our Privacy Issues Forum attracted overseas speakers, a more than full attendance, and significant media interest in the wide-ranging issues covered.

Our new website is now online. New material includes guidance for employers, a ‘your privacy’ section and a special area where we offer help with common fears about internet safety, including email, web browsing and e-commerce.

Demand for our 0800 line has remained constant, with around 6,000 calls received this year and an increasing number of email enquiries.

Incoming written privacy complaints continued their steady (although slowing) decline to a total of 636 during the 2005/06 year. A combination of proactive handling by the enquiries and complaints teams – encouraging early action and self-resolution – and training of the staff of organisations complained about seems to be responsible for reducing numbers of formal complaints. The assessment and conciliation team in the Office now closes around 60 percent of new complaints, usually within six months of receipt. Problems with access to personal and health information continue to dominate, at 50 percent of complaints. The Office is targeting areas generating clusters of complaints and held 88 education seminars on these during the reporting period. Our backlog of old files also continues to drop, with complaints over 12 months falling from 248 at the end of June 2005, to 88 at the end of June 2006.

Through the power of science and technology, what we formerly regarded as free or private space is increasingly being invaded. Who would have envisaged 20 years ago that our choices of food, clothing and books could be logged, monitored and used; our health information exchanged freely; or that our children would interact with the world via the internet? Our homes are no longer sacrosanct if we commit personal information to technology and the internet. It is within our power to benefit from and to control this, but we do need to be aware of the opportunities and risks.

A senior IT figure said some years ago “you have zero privacy anyway – get over it”. Fortunately the news is not all bad. Business and government agencies, initially dazzled by the profit and efficiency potential of technology, are now increasingly alive to the privacy message. They are aware that responsible information management is needed to protect client and consumer loyalty and trust, and thus the ability to run a viable and profitable operation. That same senior IT figure is reported to have remarked this year, following his own personal information being disclosed, that privacy and security were now his top priority and that he now understood the consumer perspective.

A silent revolution has occurred in the way our personal information is handled. This revolution has the potential to be as far-reaching and pervasive in its effects as the invention of the printing press more than 500 years ago. We need to grasp this change, direct and use it. But we also need to protect our identities in the process, and value our information as much as do those who profit from it.

Marie Shroff
Privacy Commissioner

Office of the Privacy Commissioner: Statement of Intent 2006/07

Wed, 02 Aug 2006 09:33:43 +1200

The purpose of this Statement of Intent is to set out the medium term intentions and undertakings of the Office of the Privacy Commissioner for the period 2006/07 and our direction to 2009/10, and thereby promote our public accountability. It describes the results that our small office will work towards over the next three years, and how we plan to achieve these.

This is our first Statement of Intent. It has been developed through consulting
within the Office and draws on work with stakeholders.

Download the full Statement of Intent booklet below

Annual Report of the Privacy Commissioner 2005

Wed, 26 Jul 2006 09:10:45 +1200

Annual Report of PRIVACY COMMISSIONER for the year ended 30 June 2005.