News and publications - Office of the Privacy Commissioner

Case Notes released March 2010

Fri, 22 Aug 2008 11:04:04 +1200

View the latest case notes released by the Privacy Commissioner.

Case Note 205558 : Debt collector fails to follow procedure and loads disputed debt with credit reporter. Read more...

Case Note 211472: Woman's health information released by District Health Board to Ministry of Health. Read more...

Case Note 210300 : Private Investigator uses credit reporter to carry out initial witness search. Read more...

Case Note 211472 [2010] NZPrivCmr 22: Woman's health information released by District Health Board to Ministry of Health

Mon, 15 Mar 2010 14:23:09 +1300

A woman complained that a District Health Board had provided her anonymised health information to the Ministry of Health as part of statistical information concerning serious and sentinel events within the DHB.

The information was published by the Ministry of Health and resulted in the woman's anonymised health information being published in a local newspaper. The woman considered that the information released by the DHB enabled her to be identified.

Rule 11

Rule 11 of the Health Information Privacy Code places limits on the disclosure of information. A health agency may disclose health information where it believes on reasonable grounds that one of the exceptions set out in rule 11(1) applies. Disclosure is also allowed under rule 11(2) in a number of other circumstances, but only where it is not desirable or practicable to obtain authorisation from the individual.

The DHB advised us that as part of the annual reporting requirements placed on DHBs it released anonymised information to the Ministry of Health. This information concerned the serious and sentinel events that occurred within the DHB over a 12 month period.

As a result, the DHB sought to rely on rule 11(2)(c)(i) and (ii) of the Health Information Privacy Code.

Rule 11(2) provides:
(2) Compliance with paragraph (1)(b) is not necessary if the health agency believes on reasonable grounds that it is either not desirable or not practicable to obtain authorisation from the individual concerned and that:
(c) the information:

(i) is to be used in a form in which the
individual concerned is not identified; or
(ii) is to be used for statistical purposes and will not be published in a form that could reasonably be expected to identify the individual concerned.

Rule 11(1)(b) generally provides that information must not be disclosed unless the individual concerned authorises the disclosure.

The health information disclosed included a brief diagnosis and the reason why the case was included in the report. On the day the report was released the DHB contacted the woman's husband and advised him that the report was being released. This was the only communication with the woman or her husband with regard to the release of the woman's health information.

There was no evidence that it was not desirable or not practicable to obtain the woman's authorisation to release the information.

However, section 22H of the Health Act, which allows disclosure of health information but does not allow the identification of the person to whom it relates, provided the DHB with a statutory basis to release the information to the Ministry.

As the information did not identify the woman, section 22H of the Health Act overrode the provisions of the Health Information Privacy Code, by the effect of section 7(1) of the Privacy Act.

We conveyed our view to the DHB that it could not rely on rule 11(2)(c)(i) and (ii) as there was no evidence that it was not practicable or not desirable to obtain the woman's authorisation to the release the information. However, we also acknowledged that section 22H of the Health Act applied.

The DHB acknowledged that more consultation with the woman would have been desirable in the circumstances, and apologised for any distress caused by the disclosure.

On this basis we closed our investigation.

March 2010

Health information - disclosure - District Health Board - Ministry of Health - identifiable individual - authorisation to disclose - consultation with the individual - Health Information Privacy Code, rule 11 - Privacy Act; section 7 - Health Act; section 22H

Case Note 205558 [2010] NZPrivCmr 21: Debt collector fails to follow procedure and loads disputed debt with credit reporter

Mon, 15 Mar 2010 14:09:29 +1300

A woman incurred a small debt which was transferred to a debt collector due to her failure to pay it by a certain time. The woman contacted the debt collector and advised it that she disputed the debt. Ten days later, the debt collector transferred the debt to a credit reporter, who then loaded it as a default on the woman's credit report.

The woman ultimately paid the debt but she was not happy that her disputed debt had been transferred to a credit reporter.

Principle 8 of the Privacy Act

Principle 8 of the Privacy Act provides that an agency must not use personal information without taking reasonable steps to ensure that it is accurate, up-to-date, complete and not misleading.

In this case, the debt collector was clearly put on notice that the woman had disputed the debt but transferred it to the credit reporter anyway.

During our investigation we learned that the transfer process between the debt collector and the credit reporter is an automated process. To comply with the accuracy aspect of principle 8, a manual notation has to be added to the record.

Debt collectors and credit reporters rely on express contractual obligations to ensure that information exchanges relating to unpaid debts are accurate.

In this case, although the woman disputed the debt this fact was not recorded by the debt collector. As a result, the debt was automatically transferred to the credit reporter, without reference to it being under dispute. In our view this was a breach of principle 8.

However, the woman was unable to show that the presence of the default on her credit report - and, therefore, the breach of principle 8 by the debt collector - caused her any harm in this case.

The debt collector agreed to review and improve its processes in terms of principle 8 and provide training to its staff to ensure that this type of situation did not recur. This was a very positive outcome and we closed the file.

March 2010

Accuracy of personal information - debt collector - transfer of debt to credit reporter - failure to follow standard procedure - Privacy Act 1993, principle 8

Case Note 210300 [2010] NZPrivCmr 23: Private Investigator uses credit reporter to carry out initial witness search

Mon, 15 Mar 2010 14:37:30 +1300

A man applied to a credit reporter for a copy of his credit report. Upon receiving the report, he was shocked to find an enquiry on it from a private investigation firm.

The man was not satisfied with the outcome of a complaint to the credit reporter, and complained to our Office. In particular, the man complained that the private investigator had not provided the credit reporter with any evidence to support its reasons for accessing his credit report.

Principle 1 of the Privacy Act

Principle 1 of the Privacy Act provides that an agency shall only collect personal information that is necessary for a lawful purpose connected with the function of that agency.

The private investigator said that he had accessed the man's credit report for the purpose of court proceedings and that the information he sought - relating to the identity of the man as a potential witness - was necessary for those proceedings.

We agreed that, if the private investigator was able to establish that court proceedings were in progress or reasonably in contemplation at the time, he may have had a valid reason for collecting information of this sort from the man's credit report. However, the private investigator was unable to provide any evidence to support his submission. In fact, he was unsure whether this had been the reason for the search in the first place.

On that basis, we were not satisfied that the private investigator did have a lawful purpose to access the man's credit report and that he had breached principle 1 of the Act.

Principle 2 of the Privacy Act

Principle 2 of the Privacy Act provides that an agency shall collect personal information directly from the individual concerned, unless an exception applies. Principle 2 enables individuals to have some control over the information that is collected about them. Individuals can only do this if they know information is being collected. This is why an agency may only access an individual's credit report with the individual's authorisation unless an exception applies.

Again, the private investigator said that it was necessary to go straight to the credit reporter to collect information about the man as court proceedings were in progress. The private investigator was seeking to rely on principle 2(2)(d)(iv) of the Act to collect information from another source. The private investigator was unable to provide any evidence that court proceedings were in progress or reasonably in contemplation.

The private investigator also said that he went straight to the credit reporter because approaching potential witnesses by telephone could fail to gain their cooperation. The private investigator was seeking to rely on principle 2(2)(e) of the Act, which allows an agency to collect information from another source if collecting it from the individual would prejudice the purpose of the collection.

However, the private investigator already knew the man's address and we were satisfied that he could have approached the man in person to establish his identity and, if necessary, secure his cooperation. Therefore the private investigator could not rely on principle 2(2)(e) of the Act either.

The investigation indicated that the use of credit reports to establish the identity of witnesses was a relatively common practice. This may result in an adverse credit record in the eyes of some people.

In this case, the man was unable to show that he had suffered any harm as a result of the private investigator's enquiry. Further, the credit reporter had removed the enquiry following the man's complaint. However, we recommended to the private investigator that, given the potential for harm in such cases, private investigators should use other methods to carry out such work.

March 2010

Collection of personal information - private investigator - accessed credit report without knowledge or authorisation of individual - information collected not necessary for a lawful purpose - information collected should have been sought directly from individual - principle 2(2)(d)(iv) did not apply - principle 2(2)(e) did not apply - no harm suffered as a result - Privacy Act 1993, principle 1, principle 2

Privacy Commissioner's paper on Enforcement, Compliance and Complaints: Media release

Thu, 04 Mar 2010 15:45:12 +1300

4 March 2010

The Office of the Privacy Commissioner contributed to the Law Commission's Issues Paper on the review of privacy, released yesterday. The Privacy Commissioner Marie Shroff recently released a paper offering suggestions to reform the Privacy Act's enforcement, compliance and complaints machinery.

"Our proposals would keep what is best in the current arrangements. The Privacy Act processes are very successful at resolving disputes quickly and at an informal level; they get privacy problems solved for individual New Zealanders. Also, where mistakes happen, most businesses and government agencies voluntarily make changes to ensure they protect their customers' privacy in future. By keeping things out of the courts, the processes deliver low cost solutions for business and individuals and they look primarily to education rather than regulation. We need to maintain those benefits.

"However, these processes need to be supplemented by new enforcement mechanisms that will work in effective, cheap, quick and simple ways. This is particularly necessary where systemic changes are needed in order to protect consumers but where change is not likely to be driven by a complaints process. Sometimes, people simply don't know what is going on with their information and so they don't complain. Sometimes, it's not worth complaining because the effect on each individual consumer is relatively minor - but the cumulative effect of what the agency is doing may create serious privacy concerns.

"Our proposals address these concerns. For instance, a key element is that if an agency has clearly misused personal information and it does not voluntarily take steps to protect that type of personal information properly in future, I should be able to require it to do so."

Ms Shroff says, "I encourage everyone interested in the subject to contribute to the Law Commission's public consultation on its review of the Privacy Act."

View the Privacy Commission paper.

ENDS

For more information contact Cathy Henry on 021 509 735.

The Law Commission's Issues Paper on the review of the Privacy Act is on www.lawcom.govt.nz and www.talklaw.co.nz

Privacy Commissioner welcomes Law Commission review : Media release

Thu, 04 Mar 2010 14:38:32 +1300

4 March 2010

Privacy Commissioner Marie Shroff welcomes the Law Commission's Issues Paper on the review of the Privacy Act, released yesterday.

"This has been a huge amount of work for the Law Commission and we thank them for the high quality paper they have produced. The Commission has looked extensively at privacy and we are looking forward to the discussions that will take place as a result," says Ms Shroff.

"Since the Privacy Act was passed 17 years ago, the digital revolution has transformed our business and social environment", says Ms Shroff. "New Zealand needs to keep pace with technological impacts on privacy. There are real challenges to data protection, and in our fast-paced digital world we need to be equipped with the right tools to do our job. The Law Commission's review will help to ensure we are able to deal with those new challenges.

"Our data protection law also needs to be recognised as stacking up internationally. Good privacy practices are directly linked to good business both locally and globally. The Privacy (Cross-border Information) Amendment Bill, introduced to Parliament last year, is part of the picture in helping to open up more trading opportunities with Europe. The review of the Act will help promote further developments for New Zealand in the international trading environment," says Ms Shroff.

The Privacy Commissioner encourages the public as well as experts to comment on some of the interesting questions raised by the Law Commission. These include:

 should there be more privacy protection for young people; for genetic information and bodily samples; for information sent out of New Zealand; for information disclosed by the media?
 should government agencies have more power to share information about individuals; should government have to report publicly on any data mining activities?
 should business be subject to more controls such as mandatory audits of their holding and use of people's information?
 should businesses be required to correct unsatisfactory information handling practices?
 should direct marketing be more controlled; should there be a compulsory "do not call register"?

The Law Commission's Issues Paper on the review of the Privacy Act is on www.lawcom.govt.nz and www.talklaw.co.nz

ENDS

For more information contact Cathy Henry on 021 509 735.

NZ Doctor Series - Privacy Matters (# 18)

Wed, 03 Mar 2010 09:25:41 +1300

November 2009

Freedom of the press is one of the planks our democracy stands on. In the abstract this is an undeniable positive. As the saying goes, "sunlight is the best disinfectant". Dealing with press freedom directly, though, can be a little harrowing. What should you say to a reporter on the other end of the phone at 5.00 pm on a Friday?

One answer, of course, is ‘nothing' - but things are rarely that simple. What if you want to get your side of the story across, or to defend a colleague? What if you're being asked for information about a patient you genuinely feel poses a threat to others or who has been mistreated? How about Official Information Act requests - do you have to respond?

In fact, the law will only rarely require you to speak or remain silent when faced with enquiries from the media. Instead, you will generally have a space in which to exercise your discretion, in line with your own ethical obligation of confidentiality. Protecting the confidence of your patients must weigh heavily.

But, as always, there are exceptions. For instance the Health Information Privacy Code allows you to talk about a hospital patient's presence, location, condition and progress unless the patient or their representative has vetoed disclosure.

The answers to the other questions posed above are more equivocal.

Disclosing information about a patient to back up a colleague, or to defend yourself against allegations you think are unfair, will always present problems Unless you have the patient's permission, a polite ‘no comment' may be the best option. Naturally if the information is solely about you rather than your patient you can do as you like with it, and information that cannot identify a person can always be disclosed.

Also, while you can disclose information about a patient to prevent a serious and imminent threat to someone's safety, you need to be talking to someone who can do something about that threat. It's unlikely the media would fit that bill.

The situation is slightly different if you work for a public sector agency like a hospital or District Health Board, though you're also more likely to have a communications officer to help deal with difficult dilemmas. The Official Information Act means that anyone, including a reporter, can ask for access to publicly held information, including patient records. Requests can be refused where disclosure would breach someone's privacy and there is no significant public interest in disclosure. Nearly all the time, this will lead to a refusal of an OIA request for health information, but not always.

The bottom line is ‘don't be hasty', even when faced with a tight news deadline. When talking to the media, first find out who they are, what exactly they're looking for and who else they've spoken to. Then you'll be better placed to respond in a way that respects both the public's right to know and your patients' right to confidentiality.

Criminal use of social networking information on the rise: Media release

Mon, 01 Mar 2010 12:15:31 +1300

1 March 2010

Recent reports show that there has been a huge increase in social networking sites being used for identity theft, says Privacy Commissioner Marie Shroff at the beginning of Fraud Awareness Week 2010.

"With the wealth of personal information on sites such as Facebook and Twitter, criminals can have a field day. If someone gets enough personal information about you - like your name, address, date of birth, bank account number or employment details - they could apply for a credit card or loan in your name and ultimately steal from you. Also, your details could be sold to someone else," says Ms Shroff.

"People need to think about what personal information they are putting onto social networking sites and check their privacy settings," advises Ms Shroff.

The Privacy Commissioner also reminds people not to email information like bank account or password details to anyone. An email can appear to be from a friend when in fact it is from someone with criminal intentions. Check carefully who you are replying to and always check links in emails. If they look suspicious they may be taking you taken to an unsafe website, and it's best to delete the email.

"Your personal information has value - don't let someone else profit from it," says Ms Shroff.

Fraud Awareness Week is part of an international campaign to raise awareness about scams.

ENDS

For more information contact Cathy Henry on 021 509 735 or enquiries@privacy.org.nz

For more information about Fraud Awareness Week go to: www.scamwatch.govt.nz
See also Netsafe's Scam Machine at www.scammachine.org.nz

Media release: European Data Protection Day - "Think Privacy!"

Wed, 27 Jan 2010 09:31:16 +1300

27 January 2010

On 28 January, countries throughout Europe are celebrating "Data Protection Day", an initiative of the Council of Europe and the European Commission to raise awareness of risks to individual privacy and of citizens' rights under privacy law.

Data Protection Day is Europe's equivalent of the Asia Pacific Privacy Awareness Week, which the Privacy Commissioner announced is to be held on 2-8 May this year.

The Privacy Commissioner, Marie Shroff, said:

"Europe's Data Protection Day is a good opportunity to reflect on the global risks to privacy and the need for global responses. In today's connected economy, what happens today in Nijmegen or Bratislava can impact a New Zealander in Ngaruawahia or Balcutha in a blink of an eye.

"The need for global cooperation has never been more obvious. In addition to the European institutions, both APEC and the OECD are taking major initiatives to enable cross-border enforcement of privacy law, and ISO is developing standards to promote privacy enhancing technologies. After all, privacy protection is vital to ensure that modern business can function efficiently: the clients and employees of those businesses need to know that their information will be appropriately treated, no matter where in the world it might be.

"But everyone has a part to play in protecting privacy.

"Individuals can do a lot to protect their personal information especially on-line. For instance, before starting the new work or school year it's a good time to check that your anti-virus and anti-spyware software is up to date.

"Businesses and government agencies have their part to play too. Poor data management practices put everyone at risk. How secure are those files that staff carry around on a memory stick? Take time to look closely at your company practices and ensure that data is properly protected - including encrypting personal information on memory sticks and laptops.

"2010 will be a particularly significant year in New Zealand as our Law Commission completes its 4 year review of privacy and offers its recommendations to ensure privacy protections for New Zealanders continue to be effective well into the 21st century.

"I encourage individuals and organisations to seek out more information about effectively protecting privacy from my website and other reliable sources."

ENDS

For further information contact Cathy Henry 021 509735 or 04 474 7610.

Further resources:

Online information available about:
• Europe Data Protection Day www.coe.int/t/e/legal_affairs/legal_co-operation/data_protection/Default_DP_Day_en.asp
• Asia Pacific Privacy Awareness Week 2010 www.privacyawarenessweek.org/
• Protecting individuals on-line www.netbasics.org.nz/
• Security of portable storage devices like memory sticks www.privacy.org.nz/guidance-note-on-the-use-of-portable-storage-devices/
• Law Commission Privacy Review www.lawcom.govt.nz/ProjectGeneral.aspx

General resources available from the Office of the Privacy Commissioner at www.privacy.org.nz

Festive folly could risk your privacy : media release

Mon, 14 Dec 2009 15:38:35 +1300

14 December 2009
_________________________________________________________________________________

"The holiday season means we can relax a bit, but don't drop your guard on your personal information. Protect your wallet, cell phone or lap top. It's easy to get caught up in the festive whirl and lose these items. In the wrong hands, your details can easily be misused," says Privacy Commissioner Marie Shroff.

"Whether face-to-face, on the phone, or online - don't pass on your personal details unless you know who will be using them and why," says Ms Shroff.

Here are some tips to keep your personal details safe during the holidays:

• Keep an eye on your wallet, cell phone, smart phone or laptop, for example, especially in busy shops, bars and holiday spots. Don't leave them unattended - thieves could have a field day with your information.

• Remove unnecessary credit cards or documents from your wallet or bag that could compromise your identity if you lose them. Don't keep nonessential details on your cell phone - do you need everyone's addresses and extra details on your phone? The more personal information an identity thief can get hold of, the easier their job becomes.

• If you are going on holiday, you can ask the Post Office to hold your mail (see www.nzpost.co.nz/Cultures/en-NZ/ProductsAndServices/H/HoldMyMail/HoldMyMail) or ask a neighbour to do so. Mail left in an unlocked letter box is a goldmine for identity thieves.

• Don't advertise on social networking sites that you will be away. This would be like putting a sign on your front door that says "I'm on holiday - burgle me!"

• When shopping online, only send personal or financial information using a secure transaction system, usually shown as a website address that begins with https://

• Check out a website's privacy policy before providing any personal information.

• After the holidays, check your credit and bank statements as soon as they arrive so that anything that doesn't look like your spending can be reported straight away.

• Be aware that some links in emails can take you to websites with malicious content, which could result in your information being used fraudulently. Before you click on a link, look at exactly where it will take you by running your mouse over the link to show the URL. If you are not certain that the website is legitimate and safe, do not click on the link. It's safer to type the URL into your internet browser.

• Don't give your details online to anyone you are not sure about. Even an email seemingly from a friend asking for your information or help could be malicious. Be certain you know who you are replying to - check that the return address is correct. If it's not and you reply, you could be replying to a scammer.

• Be wary about downloading holiday ringtones, Christmas carol lyrics or festive screensavers. They could infect your computer with spy or malware. Check that your own computer is secure with up-to-date firewall, anti-virus and anti-spyware protections.

• If using the internet in a cyber cafe or other public place, don't access or send sensitive information such as your banking details. Public computers are prime targets for hackers. Also, public internet services won't necessarily be encrypted, so your information on them may not be secure. Make sure you log off all your accounts before you leave.

• SMS-Spoofing, or sending fake texts, is increasing. Via the internet, someone can alter their identity so that a text appears to be from someone else such as a relative, your boss, or a company. Be cautious about replying to texts that ask for any personal details - make sure you are confident you know who is asking for your information, though it's much safer not to reply at all. A text might appear to be from your bank or a friend when in fact it's from a cyber-criminal.

• When using Wi-Fi, make sure you use at least https - the secure version of http. Https provides encryption and creates a reasonably secure channel over the internet, safeguarding your communications from cyber-spies or attacks. Also, use secure Wi-Fi hotspots for more confidence that your information will not be compromised.

ENDS

For further information contact Cathy Henry on 021 509735 or 04 4747610.

Note for Editors:

These tips have been gathered together from various sources.