Privacy and CCTV

Source: Privacy Commissioner

From our experience, putting up a CCTV or surveillance camera can get a strong reaction from the public. Our Privacy Concerns and Sharing Data 2020 survey found 41 percent of people over 18 years old were concerned about the use of surveillance cameras. Because CCTV captures images of people, which can be used, stored, manipulated, and disseminated, those who operate the systems need to be aware of how to manage privacy issues. Good management of personal information is essential to the effective running of CCTV systems. Businesses can only take advantage of the full benefits available from CCTV technology if they manage their system with privacy in mind. All organisations considering using CCTV need to be mindful of their obligations under the Privacy Act 2020.

Ignoring a privacy breach only makes it worse

Source: Privacy Commissioner

Privacy Commissioner Michael Webster says it’s always better to notify his office about a privacy breach than ignore it. His message comes as he names Ultimate Care Group Limited as consistently ignoring their notification requirements, after it was found that they’d lost part of a patient’s medical records. Mr Webster said, “My recommendation is for agencies to notify us and do it early, even if they’re not 100 percent sure a privacy breach has occurred, or don’t yet have all the details. It’s always better to talk to us than ignore the problem.”

The decision to name Ultimate Care Group was made so they could become an example for others. Ultimate Care had several instances where they should have made an earlier notification.

Privacy Commissioner’s comment on FRT trial

Source: Privacy Commissioner

Privacy Commissioner Michael Webster is now evaluating the results of Foodstuffs North Island’s trial of Facial Recognition Technology (FRT) to better understand its privacy impacts and compliance with the Privacy Act. The Commissioner announced his Inquiry into FRT use in 25 supermarkets in April this year after Foodstuffs North Island sought to use FRT to help reduce retail crime. The inquiry has involved working with Foodstuffs staff in head office, as well as visits to 10 stores by Office of the Privacy Commissioner staff. The visits helped clarify how this technology practically works in stores, and what results are being seen. Like everyone, we want people to be safe as they shop or work. My interest is also ensuring that customers can shop with a clear understanding of how and when their personal information is being collected and used, so they can make choices based on that.

PBN23505 [2024] NZPrivCmr1 – Ultimate Care Group Limited

Source: Privacy Commissioner

Resources available

Privacy Commissioner issues first compliance notice to Reserve Bank of New Zealand

Source: Privacy Commissioner

The Privacy Commissioner has today issued a compliance notice to the Reserve Bank of New Zealand, triggered by a cyber-attack in December 2020. This is the first time the Privacy Commissioner has issued a compliance notice since receiving these new powers in the Privacy Act 2020. Privacy Commissioner John Edwards says, “The cyber-attack was a significant breach of one of the Bank’s security systems and raised the possibility of systemic weakness in the Bank’s systems and processes for protecting personal information.”

As part of the investigation into the breach, the Bank engaged KPMG to undertake an independent review of its systems and processes. The review revealed multiple areas of non-compliance with Privacy Principle 5. Mr Edwards says, “We are heartened by the speed and thoroughness of the Bank’s response.”

Care is needed with data anonymisation

Source: Privacy Commissioner

Privacy Commissioner Michael Webster says agencies using data anonymisation and de-identification techniques are accountable for making sure they protect people’s privacy. The Privacy Act allows anonymised information to be disclosed if it doesn’t risk revealing personal details about identifiable people. The Commissioner’s expectation is that information would be successfully anonymised and there be no reasonable likelihood of re-identification. Care is needed because the inadvertent release of personal information through re-identification may result in serious harm to individuals. Protective steps that can be taken include:

Ensuring a Privacy Impact Assessment (PIA) is done for any significant project that uses people’s personal information to fully understand the scope of how personal information could be re-identified.
Removing any information that could potentially be used to re-identify an individual.
Where information is being provided to a third party, ensure you and they understand and comply with their privacy obligations.

New and updated Ask Us questions

Source: Privacy Commissioner

AskUs is our database of questions and short answers about popular privacy topics. We’ve recently made some updates to keep it a useful resource. We added these new questions because they’re frequently asked of our enquiries team.

Can I complain straight to the Privacy Commissioner first?
Can I complain to you that an agency didn’t do a good job when I asked for access (or correction) to my personal information?
How long does an agency have to respond if I complain to it?

These Ask Us questions were updated to better reference Poupou Matatapu and the information we shared there.

Free privacy brochures and posters

Source: Privacy Commissioner

Do you know you have privacy rights?
Download our bilingual privacy brochure (images below). Our brochure covers New Zealanders’ privacy rights, what to do if your personal information is taken, and how to make a complaint to us. It also includes our contact details. Email us at CommsTeam@privacy.org.nz if you’d like to request free professionally printed brochures be sent to you. We find these are popular with GP clinics, Citizens Advice Bureau outlets, and libraries.

Other resources: printable posters
You’ll need to print these three posters out yourself; they cover three different privacy responsibility scenarios. You can also watch our accompanying video below, or link to it on our YouTube channel.

Case 324573 [2024] NZPrivCmr 2 – Organisation uses teenager’s image without consent, uses it in advertising campaign

Source: Privacy Commissioner

This is a David vs Goliath case, where the onus and due diligence was on the organisation with a team of professional communication experts. Ignorance of the situation is not an argument to decision making which ultimately causes harm.

Just because information is publicly available, does not make it automatically ok to reuse or republish for your own purposes. There can be significant impacts on all individuals, and particularly those who are more vulnerable such as minors. Online tools make it easy to share information without thinking, but agencies still have obligations to take care with personal information collected.

A good way to avoid negative outcomes is to stop and think before sharing the information. Would the individual be surprised to find you are using or sharing their information in this way? Are there any factors which make them vulnerable, or do you suspect they would not want the information shared? If the answer is ‘maybe’ or ‘yes’, that might be a good time to reassess what you’re using the information for.

The agency apologised for the harm caused, and a financial settlement agreement was reached between the parties.

The privacy risks of insurers misusing your genetic testing

Source: New Zealand Privacy Commissioner – Blog

By Michael Webster, Privacy Commissioner. This article was first published in The Post.

OPINION: Should you have to disclose to your insurance company if you’ve taken a genetic test and learnt you have the gene for a medical condition? Should they be able to require you to test?

Without adequate safeguards, a person’s genetic test could be used by an insurer to assume things about them and their whānau, including future children. This could affect insurance cover for people before they’re even born.

If insurance companies require predictive testing to be done before they insure an individual, the results could show a greater risk of a condition developing later in life, but that condition may never actually develop.

But the risk factor means people could be refused cover, or subject to exclusions or higher premiums. This risk could also result in fewer people getting tested or participating in genetic trials, leading to poorer health outcomes.

You might say, for some types of insurance, I already need to disclose a pre-existing medical condition anyway, so what’s the issue? Genetic information is not just highly sensitive personal information about you. It is you. But it also reveals information about people who are related to you – past, present and future.

There is a big difference between disclosing your own personal medical history and disclosing the information of family and relatives for insurance purposes.

What’s more, a person’s medical history shows specific current and past diagnoses and treatments based on assessments by health professionals. Compare this to predictive testing which can tell an insurer what conditions a person may have, but also what their likelihood of developing a condition in the future may be.

Clearly, protections need to be put in place to empower consumer choice and to prevent discrimination in insurance cover based on a person’s predictive genetic information.

The key point relating to privacy and human rights is, it’s the choice of the individual to have this testing done and to share any information it reveals as they choose. They will, hopefully, have made an informed decision to be tested in consultation with a health professional.

The collection, use, disclosure and storage of genetic information are all subject to the Privacy Act. But the act cannot stop insurers from requiring genetic tests are taken or disclosed as a condition of their insurance cover.

Most OECD countries have protections against genetic discrimination; in New Zealand, there have been submissions made to Parliament and recommended changes to the Contracts of Insurance Bill.

I support adding specific targeted protections to manage the privacy risks of using genetic tests in the insurance context. This includes prohibiting insurance companies from requiring an individual to take a genetic test or disclose genetic test results.

There is also merit in exploring amendments to the Privacy Act or stand-alone legislation to better protect against genetic discrimination while providing the safe privacy enhancing use of genetic testing, which could help benefit New Zealanders.

Emerging technologies like genetic testing have great potential and my office supports their use when it’s done safely and in a way that ensures adequate protection of personal privacy.

Predictive genetic testing clearly has a place in New Zealand’s future, but this should be balanced with the right safeguards protecting individual choice about whether to be genetically tested or not.