<?xml version="1.0"?>
<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom">
	<channel>
		<title>What's new - Office of the Privacy Commissioner</title>
		<link>http://www.privacy.org.nz/new-on-the-website/</link>
		<atom:link href="http://www.privacy.org.nz/new-on-the-website/" rel="self" type="application/rss+xml" />
		<description></description>

		
		<item>
			<title>Launch of new APEC Cross Border Privacy Enforcement Arrangement</title>
			<link>http://www.privacy.org.nz/launch-of-new-apec-cross-border-privacy-enforcement-arrangement/</link>
			<description>&lt;p&gt;MEDIA RELEASE&lt;br /&gt;&lt;br /&gt;16 July 2010
&lt;p&gt;New Zealand Privacy Commissioner Marie Shroff welcomed the public launch today of the APEC Cross Border Privacy Enforcement Arrangement (CPEA). New Zealand is a founding participant and co-administrator of the arrangement, along with the US Federal Trade Commission.&lt;br /&gt;&lt;br /&gt;&quot;Information now moves freely on a global scale&quot;, said Ms Shroff. &quot;Smaller countries like New Zealand are inevitably 'takers' of global technology and services from big players such as Microsoft, Facebook and Google. We need to be a part of international moves to protect our consumers' data in the global digital world.&quot;&lt;br /&gt;&lt;br /&gt;&quot;This new arrangement should be welcomed both by consumers of countries involved and by business which seeks a consistent environment internationally for data protection and enforcement.&quot;&lt;br /&gt;&lt;br /&gt;The CPEA is the outcome of several years' work by an APEC Pathfinder project. The New Zealand Office of the Privacy Commissioner has been actively involved in the development of the arrangement and its implementation.&lt;br /&gt;&lt;br /&gt;ENDS&lt;br /&gt;&lt;br /&gt;Contact: Katrine Evans on 021 509 735.&lt;br /&gt;&lt;br /&gt;Links to APEC documents:&lt;br /&gt;&lt;br /&gt;for the News release from the APEC Secretariat see &lt;a href=&quot;http://www.apec.org/apec/news___media/media_releases/20100716_ecsg_cpea.html&quot;&gt;www.apec.org/apec/news___media/media_releases/20100716_ecsg_cpea.html&lt;/a&gt; &lt;br /&gt;for a Fact sheet on the CPEA see: &lt;a href=&quot;http://www.apec.org/apec/news___media/fact_sheets/201006cpea.html&quot;&gt;www.apec.org/apec/news___media/fact_sheets/201006cpea.html&lt;/a&gt;&lt;/p&gt;
&lt;/p&gt;</description>
			<pubDate>Wed, 28 Jul 2010 14:28:09 +1200</pubDate>
			
			<guid>http://www.privacy.org.nz/launch-of-new-apec-cross-border-privacy-enforcement-arrangement/</guid>
		</item>
		
		<item>
			<title>Erratum:  Proposed Amendment No 4 to Credit Reporting Privacy Code 2004</title>
			<link>http://www.privacy.org.nz/erratum-proposed-amendment-no-4-to-credit-reporting-privacy-code-200/</link>
			<description>&lt;p&gt;&lt;strong&gt;Proposed Amendment No 4 to Credit Reporting Privacy Code 2004: Erratum 26 July 2010&lt;/strong&gt;
&lt;p&gt;&lt;strong&gt;The proposed amendment that was publicly notified on 16 June contained two small errors. This erratum is provided to assist people that may wish to make a submission by the closing date of 13 August.&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Clauses 5 and 8(2) of the proposed amendment contain the same typographical error:&lt;/p&gt;
&lt;p&gt;The reference to &quot;credit provider&quot; in the proposed rule 5(2A)(a) (at page 4 of the proposed amendment) should read &quot;credit reporter&quot;.&lt;/p&gt;
&lt;p&gt;The reference to &quot;credit provider&quot; in the proposed rule 8(3A)(a) (at page 5 of the proposed amendment) should read &quot;credit reporter&quot;.&lt;/p&gt;
&lt;p&gt;The meaning of these two amendments is made clear in part 6 of the clause-by-clause analysis of the information paper. We apologise for this error.&lt;/p&gt;
&lt;/p&gt;</description>
			<pubDate>Mon, 26 Jul 2010 15:30:15 +1200</pubDate>
			
			<guid>http://www.privacy.org.nz/erratum-proposed-amendment-no-4-to-credit-reporting-privacy-code-200/</guid>
		</item>
		
		<item>
			<title>Media Release: New Australian Privacy Commissioner</title>
			<link>http://www.privacy.org.nz/media-release-new-australian-privacy-commissioner/</link>
			<description>&lt;p&gt;New Zealand Privacy Commissioner Marie Shroff welcomes the appointment of the new Australian Privacy Commissioner, Timothy Pilgrim.
&lt;p&gt;&quot;Timothy is well known and highly respected in the privacy arena of Australia and New Zealand. I look forward to continuing to work with him in his new role through international partnerships such as the Asia Pacific Privacy Authorities (APPA),&quot; said Ms Shroff.&lt;/p&gt;
&lt;p&gt;ENDS&lt;/p&gt;
&lt;p&gt;Contact: Cathy Henry on 021 509 735.&lt;/p&gt;
&lt;/p&gt;
&lt;p&gt;For further information see:&lt;br /&gt;&lt;a href=&quot;http://www.privacy.gov.au/materials/types/media/view/7105&quot;&gt;Your Link&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a href=&quot;http://www.privacy.gov.au/materials/types/media/view/7106&quot;&gt;Your Link&lt;/a&gt;&lt;/p&gt;</description>
			<pubDate>Fri, 23 Jul 2010 14:45:28 +1200</pubDate>
			
			<guid>http://www.privacy.org.nz/media-release-new-australian-privacy-commissioner/</guid>
		</item>
		
		<item>
			<title>"Privacy and Society" The Experience in New Zealand, June 2010</title>
			<link>http://www.privacy.org.nz/privacy-and-society-the-experience-in-new-zealand-june-201/</link>
			<description>&lt;p&gt;&lt;a href=&quot;http://www.privacy.org.nz/assets/Files/Speeches-presentations/Speech-Notes-for-33rd-APPA-Forum-Open-Forum-on-Privacy-and-Society-Darwin-3-4-June-2010.doc&quot; target=&quot;_blank&quot;&gt;View&lt;/a&gt; the Privacy Commissioner's speech to the 33rd APPA forum held in Darwin, Australia on 3-4 June 2010 entitled &quot;Privacy and Society&quot; The Experience in New Zealand.&lt;/p&gt;</description>
			<pubDate>Thu, 22 Jul 2010 11:14:16 +1200</pubDate>
			
			<guid>http://www.privacy.org.nz/privacy-and-society-the-experience-in-new-zealand-june-201/</guid>
		</item>
		
		<item>
			<title>Office of the Privacy Commissioner: Statement of Intent 2010-2013</title>
			<link>http://www.privacy.org.nz/office-of-the-privacy-commissioner-statement-of-intent-2010-201/</link>
			<description>&lt;p&gt;The purpose of this Statement of Intent is to set out the medium term intentions and undertakings of the Office of the Privacy Commissioner for the period 2010/11 and our direction to 2013, and thereby promote our public accountability. It describes the results that our small office will work towards over the next three years, and how we plan to achieve these.&lt;/p&gt;
&lt;p&gt;&lt;em&gt;Download&lt;/em&gt; the full Statement of Intent booklet below.&lt;/p&gt;</description>
			<pubDate>Mon, 05 Jul 2010 10:43:23 +1200</pubDate>
			
			<guid>http://www.privacy.org.nz/office-of-the-privacy-commissioner-statement-of-intent-2010-201/</guid>
		</item>
		
		<item>
			<title>The Future of Privacy: Panel discussion</title>
			<link>http://www.privacy.org.nz/the-future-of-privacy-panel-discussion/</link>
			<description>&lt;p&gt;&lt;a href=&quot;http://www.youtube.com/watch?v=fMkCsdvulqk&quot;&gt;Listen&lt;/a&gt; to the debate.&lt;/p&gt;</description>
			<pubDate>Wed, 30 Jun 2010 14:46:55 +1200</pubDate>
			
			<guid>http://www.privacy.org.nz/the-future-of-privacy-panel-discussion/</guid>
		</item>
		
		<item>
			<title>NZ Doctor Series - Privacy Matters (# 21)</title>
			<link>http://www.privacy.org.nz/nz-doctor-series-privacy-matters-20/</link>
			<description>&lt;p&gt;May 2010&lt;br /&gt;&lt;br /&gt;Vox populi, vox dei (&quot;the voice of the people is the voice of God&quot;) is a phrase with an impressive pedigree. Its first known mention is in a letter to Charlemagne in 798 AD. While many medieval concepts have not stood the test of time (witch burning, the sale of indulgences) this is one that still has a lot of value.
&lt;p&gt;As Privacy Commissioner, my responsibility is to help protect New Zealanders' information. Naturally I can't do that properly without listening to the &quot;vox populi&quot; from time to time.&lt;/p&gt;
&lt;p&gt;My most &lt;a href=&quot;http://www.privacy.org.nz/assets/Files/Surveys/Privacy-survey-2010.pdf&quot; target=&quot;_blank&quot;&gt;recent UMR survey&lt;/a&gt; , which I announced in Privacy Awareness Week (3-9 May), gives some interesting insights into what people think about the use of their health information.&lt;/p&gt;
&lt;p&gt;A little over 60% of respondents were concerned about insurance companies getting full medical records from GPs. This was a new question and I will be interested in seeing how public opinion develops over time.&lt;/p&gt;
&lt;p&gt;Moving to the unabashedly positive news, at least for my readers in this magazine, 94% of New Zealanders think the health sector - defined in the survey as doctors, hospitals and pharmacists - are trustworthy custodians of health information. This is a testament to the high ethical standards in the medical profession, particularly as that figure constitutes a slight rise since the last survey.&lt;/p&gt;
&lt;p&gt;Possibly as a result of this high level of trust, only 32% of people are concerned about doctors sharing their health information with other health providers.&lt;/p&gt;
&lt;p&gt;However these results shouldn't lead to complacency. There is widespread (80-90%) concern about personal information on the internet, particularly when it relates to children. And there is a high level of worry (79%) about information being held by overseas businesses.&lt;/p&gt;
&lt;p&gt;There is also a steady increase in overall concern about privacy - 59% of people have a high concern about the privacy of their information, up from only 47% back in 2001. I suspect this is at least partly because of the rise of the Internet as a vital part of daily life, a suspicion that is borne out by other parts of the survey.&lt;/p&gt;
&lt;p&gt;With the inevitable rise of Internet health portals, cloud computing and shared electronic health records this has some interesting implications for health practitioners. Already vast quantities of personal information are held in web-based systems like Google's Gmail. Practically this means data is being stored overseas, in vast data warehouses.&lt;/p&gt;
&lt;p&gt;If, as seems likely, this approach extends to health information then doctors may find themselves in the position of relying on an overseas company to protect their own patients' information - not necessarily a comfortable place to be!&lt;/p&gt;
&lt;p&gt;The voice of the people, as expressed in the 2010 UMR survey, is pretty clear about how much trust is vested in doctors' handling of patient information. In my view, though, we must continue to be careful. These sky-high levels of trust are a treasure to be preserved rather than a resource to be spent.&lt;/p&gt;
&lt;/p&gt;</description>
			<pubDate>Wed, 30 Jun 2010 09:22:52 +1200</pubDate>
			
			<guid>http://www.privacy.org.nz/nz-doctor-series-privacy-matters-20/</guid>
		</item>
		
		<item>
			<title>NZ Doctor Series - Privacy Matters (# 20)</title>
			<link>http://www.privacy.org.nz/nz-doctor-series-privacy-matters-19/</link>
			<description>&lt;p&gt;April 2010&lt;br /&gt;&lt;br /&gt;Information kept where no-one can get it is a bit like a miser's gold buried at the end of his garden. Just as with money, information's value isn't intrinsic - what really matters is how you use it, disclose it or dispose of it.&lt;br /&gt;&lt;br /&gt;In general you can treat information in line with the purpose you obtained it for, so day to day uses and disclosures will present no problem. &lt;br /&gt;&lt;br /&gt;But what about when you shut up shop, or your practice or PHO joins with another agency? PHOs and DHBs are merging and closing down all over the place these days so the latter, in particular, is much in the news. So what do you need to know?&lt;br /&gt;&lt;br /&gt;First, remember that under the law you must keep hold of health records for at least ten years from the last appointment. In fact the Medical Council recommends holding onto certain records for even longer[1]. &lt;br /&gt;&lt;br /&gt;This can sometimes be problematic for mundane reasons (such as space) but the law is the law - and you can always convert old records into electronic form if physical space is an issue. &lt;br /&gt;&lt;br /&gt;Other dilemmas can arise when a fellow doctor unexpectedly dies, leaves the country or ceases practice. Most of the time matters can be arranged ahead of time, but if there is not the time or opportunity to do so, then you or your practice may be left with a pile of unwanted medical records.&lt;br /&gt;&lt;br /&gt;Unfortunately your legal obligation remains. Unless you transfer the records to another practitioner, or to the patient themselves, you will have to hold onto them in some form for the full ten years.&lt;br /&gt;&lt;br /&gt;And what about mergers? As part of a merger of two health agencies, you'll probably need to share patient information in bulk. 
You may not know that much ahead of time that a merger is afoot, so getting patients' permission for the disclosure is likely to be impractical if not impossible. &lt;br /&gt;&lt;br /&gt;However the law allows disclosure of information to another agency where necessary for the &quot;sale or disposition of a business as a going concern&quot;. This should cover the transfer of records from one organisation to another, where the same business is being carried on. &lt;br /&gt;&lt;br /&gt;That's not the end of the story, though - notifying patients as soon as possible of what is to happen with their information is absolutely crucial. Privacy is often about making information flows transparent. For instance when my GP retired a few years back he contacted all his patients to tell us to whom he'd be transferring our records.&lt;br /&gt;&lt;br /&gt;For this kind of anticipated transaction, and assuming you've been open to your patients about why you hold their information and what you plan to do with it, privacy law shouldn't be much of a constraint. &lt;br /&gt;&lt;br /&gt;But when you step outside the normal course of business, things can get tricky. Remember that there are constraints around how you hold onto and dispose of patient information, and think ahead to what might go wrong. Because the one thing that a doctor cannot be is a miser when it comes to his or her patient's information.&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;[1] The Medical Council guidelines on retention are available at &lt;a href=&quot;http://tinyurl.com/y8g5f5h&quot;&gt;http://tinyurl.com/y8g5f5h&lt;/a&gt;&lt;/p&gt;</description>
			<pubDate>Wed, 30 Jun 2010 09:16:46 +1200</pubDate>
			
			<guid>http://www.privacy.org.nz/nz-doctor-series-privacy-matters-19/</guid>
		</item>
		
		<item>
			<title>NZ Doctor Series - Privacy Matters (# 19)</title>
			<link>http://www.privacy.org.nz/nz-doctor-series-privacy-matters-18/</link>
			<description>&lt;p&gt;March 2010&lt;br /&gt;&lt;br /&gt;American lawyers do pretty well for themselves, by all accounts. Scalded by a coffee at McDonalds? Sue. Drop some olive oil in a supermarket, then bruise yourself falling over? Sue! Drink yourself to cirrhosis on Jack Daniels? SUE!&lt;br /&gt;&lt;br /&gt;Whether true or not, these well-worn tales typify the States' litigation-happy culture. In 2004, costs associated with this kind of claim amounted to a quarter of a trillion dollars. &lt;br /&gt;&lt;br /&gt;In New Zealand, by contrast, fall off a ladder and hit your head and ACC should pick up the tab. Since the scheme's inception in the 1970s there is no longer a right to sue for personal injury, in exchange for not needing to take a spin on the legal roulette wheel. In effect we all have compulsory accident insurance, but with levies instead of premiums. Naturally there are a few wrinkles.&lt;br /&gt;&lt;br /&gt;For instance, claimants must allow the treating clinician (generally either a GP like you or a physiotherapist) to give ACC any information relevant to the claim.&lt;br /&gt;&lt;br /&gt;On one level this requirement is a little unusual because it requires a claimant to give permission. You might wonder - if you have to give &quot;permission&quot;, is it really permission? It makes more sense when you think of it as a compulsory insurance policy - if you sign up for a private insurance policy, it's accepted that the insurance company will need some information.&lt;br /&gt;&lt;br /&gt;However, with ACC just as with a private insurance company, the information provided needs to be relevant to the claim. Also, claimants need to know that they're allowing you to pass on information about them. &lt;br /&gt;&lt;br /&gt;In the past, this has been done by way of the ubiquitous ACC45 form. Fill out the front, read the privacy statement on the back. But these days, electronic communication is the norm. 
Paper forms are used much less frequently than before - and information typed into a GP's PMS doesn't have a 'back' on which to put the privacy statement. So how are patients to know what they're agreeing to when they fill out the form? Do they understand that they are authorising you to disclose relevant information about them to ACC?&lt;br /&gt;&lt;br /&gt;There is a wider issue here, and it comes back to openness. GPs collecting patient information need to be open about how it's going to be used. The number of possible uses for information is constantly on the rise - how to make sure people know about it? In the past that openness has been conveyed by statements on forms, but there's a limit - call it 'information bandwidth' - to the amount of text people can meaningfully take in. &lt;br /&gt;&lt;br /&gt;I'm talking with ACC about how to make sure people know what they're agreeing to. I'd be interested in GP experiences in this area - contact my staff on &lt;a href=&quot;mailto:submissions@privacy.org.nz&quot;&gt;submissions@privacy.org.nz&lt;/a&gt; if you'd like to make a comment.&lt;/p&gt;</description>
			<pubDate>Wed, 30 Jun 2010 09:11:45 +1200</pubDate>
			
			<guid>http://www.privacy.org.nz/nz-doctor-series-privacy-matters-18/</guid>
		</item>
		
		<item>
			<title>Case Note 209484 [2010] NZ PrivCmr 15: Police disclose recognisable image of crime victim to media</title>
			<link>http://www.privacy.org.nz/case-note-209484-2010-nz-privcmr-15-police-disclose-recognisable-image-of-crime-victim-to-media/</link>
			<description>&lt;p&gt;
&lt;p&gt;A&amp;nbsp;man (&quot;the victim&quot;) worked at the front counter of a finance company which was robbed at gun point. The finance company provided CCTV footage of the robbery to the Police. The Police took a series of still photographs from the footage and disclosed these to the media to assist in apprehending the offender. However, the victim was clearly visible in one of the photographs. This photograph was published by a number of news agencies, both in print and on the internet.&lt;br /&gt;&lt;br /&gt;&lt;strong&gt;Principle 11 of the Privacy Act&lt;br /&gt;&lt;/strong&gt;&lt;br /&gt;Principle 11 provides that an agency shall not disclose personal information unless it has reasonable grounds to believe that an exception applies to allow that disclosure. &lt;br /&gt;&lt;br /&gt;The Police disclose images of robberies and other crimes to the media in order to identify and apprehend offenders. This is a commonly used method and appears to deliver good results. Principle 11(e)(i) allows the Police to disclose information if they believe on reasonable grounds that it is necessary to avoid prejudice to the investigation, prosecution and punishment of offences. &lt;br /&gt;&lt;br /&gt;In this case, the Police disclosed three photographs of the robbery. Two showed the offender from the front and back and the third showed the offender's vehicle. However, one of the photographs also clearly showed the victim's face as the offender interacted with him. &lt;br /&gt;&lt;br /&gt;While we were satisfied that the Police had good reason to disclose images of the offender to the media, we were not satisfied that it was necessary for the Police to disclose an image of the victim for the same purpose. The Police should have obscured the image of the victim before disclosing the photograph to the media. &lt;br /&gt;&lt;br /&gt;We formed the view that the Police had breached principle 11 by disclosing the image of the man. 
We also formed the view that this disclosure caused the man harm. Following the publication of the image, the man believed that his safety was compromised and was significantly distressed as a result. This can be a common consequence of disclosing images of victims of violent crime.&lt;br /&gt;&lt;br /&gt;The Police's internal guidance on the release of visual material to the media did not specifically address the issue of images of witnesses or victims but did require staff to seek consent from witnesses or victims before disclosing personal information about them. This guidance had not been followed in this case. &lt;br /&gt;&lt;br /&gt;In light of this we suggested that the Police could make their internal guidelines clearer. The Police accepted our suggestion and agreed to amend the guidelines to ensure that photographs containing images of individuals other than an offender would not be published in a way that would identify those other individuals. &lt;br /&gt;&lt;br /&gt;The victim and the Police settled the complaint on mutually agreeable terms. We then closed our file.&lt;br /&gt;&lt;br /&gt;June 2010&lt;br /&gt;&lt;br /&gt;&lt;em&gt;Disclosure of personal information - Police - disclosure of victim's image to media - principle 11(e)(i) did not apply - image should have been removed prior to disclosure - harm suffered - Privacy Act 1993, principle 11, section 66(1)(b)&lt;/em&gt;&lt;/p&gt;
&lt;/p&gt;</description>
			<pubDate>Wed, 23 Jun 2010 21:04:58 +1200</pubDate>
			
			<guid>http://www.privacy.org.nz/case-note-209484-2010-nz-privcmr-15-police-disclose-recognisable-image-of-crime-victim-to-media/</guid>
		</item>
		

	</channel>
</rss>