Privacy News – October 2024

Source: Privacy Commissioner

October’s issue of Privacy News features a joint statement on data scraping from OPC and several global privacy counterparts, new guidance about handling privacy complaints and conciliation, and an article by the Commissioner about employee browsing. You can also read about our popular camera-related Ask Us questions and updated e-learning resources. Read the October issue.

Global privacy authorities issue follow-up joint statement on data scraping after industry engagement

Source: Privacy Commissioner

OPC and several global counterparts are highlighting how social media companies can better protect personal information, as concerns grow about mass scraping of personal information within social media platforms, including to support artificial intelligence systems.

“Mass data scraping poses significant risks to individuals’ fundamental right to privacy,” said Canadian Commissioner Philippe Dufresne. “Personal information, even when it is publicly accessible, is subject to privacy laws and must be adequately protected. This initiative highlights the importance of collaboration between data protection authorities and with industry.”

Commissioner Dufresne, New Zealand Privacy Commissioner Michael Webster and their counterparts engaged with some of the world’s largest social media companies after issuing a joint statement on data scraping last year. As a result of this engagement, they have now issued a follow-up statement laying out additional takeaways for industry.

Camera creep/s causing concern

Source: Privacy Commissioner

The increasing creep of cameras and concerns about the motivations of people using them is the top issue causing people to seek advice from the Office of the Privacy Commissioner.

“Can I record someone without telling them”, is the number one question people searched for in the Office of the Privacy Commissioner’s Ask Us database over the last year.

Given this, Privacy Commissioner Michael Webster says it’s understandable that people are increasingly concerned about the implications of being filmed and the risks this could present.

“It’s good that people are checking the rules about recording people as it indicates increasing awareness of the privacy implications and the importance of people’s privacy rights. But on the flip side, it also reflects the increasing prevalence of people being filmed without their knowledge or consent.

“Personal information must be collected in a way that’s lawful and seen as fair and reasonable and covert filming could be unfair, as people may behave in a totally different way if they know they’re being recorded.

“Recording someone without telling them can intrude on their privacy and can cause real harm. Unfortunately, we see cases where people are being illegally filmed doing embarrassing or intimate acts and the images are then widely shared or used to blackmail and demean people.”

Under the Harmful Digital Communications Act it’s a criminal offence to post a digital communication with the intention that it cause harm to someone, or when a person has not consented to the posting of an intimate visual recording.

The growth in the number of cameras recording people and the locations they’re being used was also likely to be a factor.

“Cameras and recording devices are omnipresent on people’s phones, in shops, businesses, and on the street and it’s important people understand their privacy rights around their use in various locations.”

The growing use of cameras is also reflected in another frequently asked question: “Is my neighbour allowed to film our property with a security camera?”

Our advice is to respect the privacy of others by taking care how you position your CCTV or security cameras. That way you’ll be able to avoid a potential source of conflict and tension with your neighbours.

The top five questions people wanted to know about on our “Ask Us” function between July 2023 and June 2024 were:

  1. Can I record someone without telling them?
  2. If I take a screen shot of a private message and distribute it more widely, is that a privacy breach?
  3. What are the rules around posting photos or anything else about other people on social media?
  4. Is my neighbour allowed to film our property with a security camera?
  5. Can I forward an email to others without informing the original sender?

Police well on the way to compliance; one critical step remains

Source: Privacy Commissioner

Police have completed all but one of the original requirements that were set out in a Compliance Notice issued by OPC in December 2021.

The notice was issued to require Police to stop unlawfully collecting photographs and biometric prints from members of the public, particularly young people, and to delete unlawfully collected material stored on their systems, including mobile phones. Privacy Commissioner Michael Webster says, “I’d like to acknowledge the significant work Police has done in the past two years to complete most of the notice requirements. I know from their regular reporting that they’ve improved training and now have procedures and policies that help officers understand how sensitive these photos are.”

Handling privacy complaints: a step-by-step guide

Source: Privacy Commissioner

When your organisation receives a privacy complaint from someone, you need to act quickly and decisively. Individuals need to try and work with organisations first to resolve their complaint before they can complain to the Privacy Commissioner, so it’s important that you have a process to deal with complaints.

Read more detailed guidance on handling privacy complaints in our Poupou Matatapu guidance.

Step one: acknowledge the complaint

Your organisation should do this as quickly as possible. Outline your understanding of the issue and say who at your organisation will be looking into the complaint (who is your privacy officer). Provide clear, reasonable timeframes and provide regular updates on progress if you can’t meet the timeframes. It’s always better to under-promise and over-deliver.

Step two: listen to complainant

Understand the complainant’s main concerns so that you can address the right issue.

Section 77 and Conciliations

Source: Privacy Commissioner

What is section 77?

Section 77 of the Privacy Act says that at any time after receiving a complaint, and before investigating, the Commissioner may decide to use best endeavours to try to resolve a complaint and seek a reassurance from the agency concerned that the issue that led to the complaint has now been rectified. Usually, we do this by way of a conciliation meeting between the parties, facilitated by an OPC staff member.

What’s a conciliation?

Conciliation is a form of alternative dispute resolution. It’s similar to mediation, except the third party neutral has expertise in the issue in dispute. We use conciliation to explore settlement of complaints where it appears an investigation may not be necessary, but there is a privacy issue to be resolved.

Privacy and employee snooping: The greatest threat in the workplace could be sitting next to you

Source: New Zealand Privacy Commissioner – Blog

Originally published on the New Zealand Herald 3 October 2024.

Beware the risk within

By Michael Webster, Privacy Commissioner

One of the greatest risks to privacy in the workplace could be sitting next to you – or it could even be you.

Employee browsing or the unauthorised access and misuse of personal information is one of the most common privacy breaches. I also believe it’s one of the least understood or reported on, as required by the Privacy Act.

New Zealand is a small place and there’s a good chance a familiar name will crop up in a database or on a file at work and it can prove very tempting to have a look.

However, a sneaky peek isn’t a harmless case of nosiness; it’s inappropriate and can be a breach of the principles underpinning the Privacy Act. In the cases I see it can have potentially serious consequences such as harassment and blackmail.

In one example, a person in a position of power looked up the details of a colleague’s partner then used their position to repeatedly sexually harass them via text message. The victim felt intimidated, scared, and fearful in their own home so contacted our Office.

In some circumstances employees look up information and then pass it on for the explicit purpose of causing harm – for example, finding the address of someone who owns expensive assets to be targeted for a burglary.

In other examples they do it because they think they’re helping a friend when they’re acting illegally. Like the employee working for a counsellor who had a friend in a custody dispute with their ex-partner. The employee looked up information about the wellbeing of their friend’s ex-partner and shared it with their friend who then used it in their custody dispute hearing.

Sometimes the temptation to ‘just have a quick look’ is a powerful force but employees need to be stronger. One story I’ve seen was from a clinic doing STI and HIV testing. A new employee was being trained and decided to look up their own records while their trainer was in the room with them. That’s fine, it’s their information. However, when the trainer left the room, the new employee took the opportunity to look up the names of their ex-partner, current partner, and best friend – all in breach of the Privacy Act.

The Privacy Act protects the personal information of all New Zealanders, which means that as well as employees not snooping, we need managers and owners to be informing their staff that it’s wrong to snoop, and to act when it’s found out.

There’s a lot of information about us held in various databases, including contact details, bank accounts and financial records, and copies of identity documents. This material needs to be protected from internal threats from staff as well as external threats from third parties.

Employers have a responsibility to secure databases and to limit access only to the staff that need that information to do their job. Employers also have a responsibility to recognise the potential for serious harm if staff are misusing their access privileges.

The bottom line is organisations have an obligation to prevent their employees from inappropriately accessing and/or disclosing customer information. 

Building privacy safeguards into your databases enables you to have access controls in place to protect personal information, ideally supported by audit logs so you can monitor who’s doing what and follow up on any unusual activity.

Significant personal information is held in various databases across New Zealand. A good example is around driver licences and car registration details. Businesses and organisations like insurance providers, vehicle importers, or sellers can be granted access to the motor vehicle register for lawful purposes. However, when staff at those types of agencies access the database for their own reasons or interests then it’s a problem, which often leads to employee dismissal as well as the agency needing to report a privacy breach.

Businesses have an obligation to ensure their staff have privacy training and a general awareness about the risks of employee browsing. They also need to take steps to make sure staff know they can only access information for work purposes.

This can be reinforced by having clear policies about employee browsing in your agency’s code of conduct, including consequences for being caught inappropriately accessing personal information about customers and clients.

Staff access to personal information comes with serious accountabilities about appropriate and lawful behaviour. We all need to treat it with respect. Organisations need to ensure there are consequences for employee browsing and treat any breaches of trust as serious compliance incidents.

Board of Trustees and privacy

Source: Privacy Commissioner

Boards of Trustees and schools often deal with highly sensitive information about staff, students, and families, so it’s important to know what you can do to help safeguard people’s privacy.

Five steps to help boost privacy

  • Be aware so you can model the kind of leadership required to ensure privacy is treated as taonga
  • Make sure your staff are using school email addresses and not their own accounts
  • Implement two-factor authentication
  • Ask “why am I collecting this?” Does your school really need to collect this piece of information about your students?
  • Make sure students are asked before they get photos taken and respect their right to say no

Five good questions to ask to help promote good privacy practices

  • Is the information of the children and young people under your care treated as precious?
  • Are your IT systems fit for purpose?
  • Does your privacy officer (and every school needs one) have adequate training?
  • Is there good understanding about breach management, in order to prevent privacy breaches?
  • Do you have document retention and destruction policies in place?

Adding new technology?

If you’re thinking about changing how you’re collecting personal information, or implementing new technology at school, or even adding new software, then we recommend you take a few simple steps to understand possible privacy risks.

Need some help?

Our free online toolkit Poupou Matatapu sets out our expectations about what good privacy practice looks like and then helps you work towards that.

Our Ask Us function has a database of answers to questions like ‘can a school monitor a student’s Wi-Fi usage?’, ‘can a school put parent details in a school directory?’, and ‘can I post photos or videos of my students to Instagram?’

There’s also privacy support and advice available from Ministry of Education to help you, including items in Education Gazette.

Case Note 324485 [2024] NZPrivCmr 3 – Council publishes personal information online in connection with resource consent application

Source: Privacy Commissioner

Background

A woman applied to her local council for a necessary resource consent for her property. As part of this process, there were several emails between the woman and the Council containing her personal information, including the fact she was on a disability benefit. The council uploaded all the email correspondence alongside her resource consent application to its website.

The woman discovered her information was online and had been accessed by another person, who used that information to complain about her in court proceedings. The woman complained to our Office about the collection and disclosure of her personal information.

The principles applying to this case

This complaint raised issues under principles 3 and 11 of the Privacy Act. Principle 3 requires agencies to be open about the collection of personal information, telling people at the time of collection why it is being collected and how it will be used. Principle 11 prevents agencies from disclosing personal information unless one of the exceptions is operating.

Also relevant is section 24 of the Act. This section says that where another law allows or prevents personal information from being used or disclosed in a particular way, this will override any obligations under the Privacy Act to the extent they conflict.

OPC’s investigation

OPC’s investigation found the Council had breached principles 3 and 11 of the Privacy Act.

The Council said section 35(5)(g) of the Resource Management Act (RMA) required it to publish information relating to resource consent applications. It also said the application form advised that the information “on the form” would be stored on a public register, and that details about consents that have been applied for and issued by Council would be made available to the public.

We did not consider the notice on the resource consent application was sufficient to inform the public that all email correspondence above and beyond the application itself would be published, and therefore found the Council had breached principle 3. In any case, the application was submitted by the woman’s agent three months after the Council had published the email correspondence online, meaning the notice reasonably could not apply to information collected outside of the application.

We also found while there was an override in the RMA for the Council to publish the application itself, along with the associated evidence documents, we did not consider the override extended to the email correspondence with sensitive details. The Council was not able to rely on any of the exceptions in principle 11 for the publication of the email correspondence.

We issued our preliminary view to the Council and asked it what steps it would be willing to take to resolve this matter.

The Council apologised to the woman. It agreed to remove all the irrelevant email correspondence from its website, and to redact any unnecessary personal information in the information which needed to remain online, including the woman’s contact details. The woman advised she was seeking financial compensation for the harm she had experienced. OPC used shuttle negotiation to reach a financial settlement between the parties.

The Council also agreed to review its processes and update its privacy statement around the publication of resource consent applications, so future applicants would be aware of the public nature of these documents.

Commentary

Where agencies are relying on statutory overrides to publish information online, we caution them to carefully understand the scope of what is required by that Act. In this case, the Council had published sensitive personal information online without considering whether the RMA actually required this. If the use or disclosure of personal information is not covered by the other legislation, an agency must then comply with its obligations under the Privacy Act.

Agencies must also meet their obligations under principle 3, even where an override may be operating. Being transparent about what information is going to be made publicly available means that individuals can choose what information they want to provide, and can choose, for example, to use an agent to submit the application so their personal contact details would not be public. This autonomy is crucial to allowing individuals to retain control of their personal information.

Privacy News – September 2024

Source: Privacy Commissioner

An update on Foodstuffs North Island’s trial of facial recognition technology (FRT), a warning about data anonymisation techniques, and a privacy breach that was reported two years after the fact. We also cover off some new and updated Ask Us questions as well as tell you how to opt out of LinkedIn’s AI by default. Read the September issue.