Handling privacy complaints: a step-by-step guide

Source: Privacy Commissioner

When your organisation receives a privacy complaint from someone, you need to act quickly and decisively. Individuals need to try and work with organisations first to resolve their complaint before they can complain to the Privacy Commissioner, so it's important that you have a process to deal with complaints.

Read more detailed guidance on handling privacy complaints in our Poupou Matatapu guidance.

Step one: acknowledge the complaint

Your organisation should do this as quickly as possible. Outline your understanding of the issue and say who at your organisation will be looking into the complaint (who is your privacy officer). Provide clear, reasonable timeframes, and provide regular updates on progress if you can't meet the timeframes. It's always better to under-promise and over-deliver.

Step two: listen to the complainant

Understand the complainant's main concerns so that you can address the right issue.

Section 77 and Conciliations

Source: Privacy Commissioner

What is section 77?
Section 77 of the Privacy Act says that at any time after receiving a complaint, and before investigating, the Commissioner may decide to use best endeavours to try to resolve a complaint and seek a reassurance from the agency concerned that the issue that led to the complaint has now been rectified. Usually, we do this by way of a conciliation meeting between the parties, facilitated by an OPC staff member.

What's a conciliation?

Conciliation is a form of alternative dispute resolution. It’s similar to mediation, except the third party neutral has expertise in the issue in dispute. We use conciliation to explore settlement of complaints where it appears an investigation may not be necessary, but there is a privacy issue to be resolved.

Privacy and employee snooping: The greatest threat in the workplace could be sitting next to you

Source: New Zealand Privacy Commissioner – Blog

Originally published on the New Zealand Herald 3 October 2024.

Beware the risk within

By Michael Webster, Privacy Commissioner

One of the greatest risks to privacy in the workplace could be sitting next to you – or it could even be you.

Employee browsing, or the unauthorised access and misuse of personal information, is one of the most common privacy breaches. I also believe it's one of the least understood, and one of the least reported on, as required by the Privacy Act.

New Zealand is a small place and there’s a good chance a familiar name will crop up in a database or on a file at work and it can prove very tempting to have a look.

However, a sneaky peek isn’t a harmless case of nosiness; it’s inappropriate and can be a breach of the principles underpinning the Privacy Act. In the cases I see it can have potentially serious consequences such as harassment and blackmail.

In one example, a person in a position of power looked up the details of a colleague’s partner then used their position to repeatedly sexually harass them via text message. The victim felt intimidated, scared, and fearful in their own home so contacted our Office.

In some circumstances employees look up information and then pass it on for the explicit purpose of causing harm – for example, finding the address of someone who owns expensive assets to be targeted for a burglary.

In other examples they do it because they think they’re helping a friend when they’re acting illegally. Like the employee working for a counsellor who had a friend in a custody dispute with their ex-partner. The employee looked up information about the wellbeing of their friend’s ex-partner and shared it with their friend who then used it in their custody dispute hearing.

Sometimes the temptation to ‘just have a quick look’ is a powerful force, but employees need to be stronger. One story I’ve seen was from a clinic doing STI and HIV testing. A new employee was being trained and decided to look up their own records while their trainer was in the room with them. That’s fine, it’s their information. However, when the trainer left the room, the new employee took the opportunity to look up the names of their ex-partner, current partner, and best friend – all in breach of the Privacy Act.

The Privacy Act protects the personal information of all New Zealanders, which means that as well as employees not snooping, we need managers and owners to be informing their staff that it’s wrong to snoop, and to act when it’s found out.

There’s a lot of information about us held in various databases, including contact details, bank accounts and financial records, and copies of identity documents. This material needs to be protected from internal threats from staff as well as external threats from third parties.

Employers have a responsibility to secure databases and to limit access only to the staff that need that information to do their job. Employers also have a responsibility to recognise the potential for serious harm if staff are misusing their access privileges.

The bottom line is organisations have an obligation to prevent their employees from inappropriately accessing and/or disclosing customer information.

Building privacy safeguards into your databases enables you to have access controls in place to protect personal information, ideally supported by audit logs so you can monitor who’s doing what and follow up on any unusual activity.
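As an added illustration, not code from the Commissioner's blog, the kind of audit-log check that paragraph describes: a constructed access log and a constructed case-assignment table (both invented here, with an assumed column layout), and a function that flags record lookups with no work justification so a privacy officer can follow them up.

```python
import csv
from collections import Counter
from io import StringIO

# Constructed sample audit log, not real data: which staff member viewed which
# record, and the case number they cited as the reason (blank when none given).
SAMPLE_LOG = """\
ts,staff_id,record_id,case_id
2024-10-03T09:02:11,s-102,rec-5001,case-77
2024-10-03T09:05:40,s-102,rec-5002,case-77
2024-10-03T12:31:05,s-417,rec-8120,
2024-10-03T12:31:49,s-417,rec-8121,
2024-10-03T12:32:20,s-417,rec-8122,case-99
2024-10-03T14:10:00,s-102,rec-5003,case-78
2024-10-03T14:12:30,s-102,rec-5004,case-77
"""

# Constructed case assignments: the staff member each open case is assigned to
# and the records that case legitimately covers.
CASES = {
    "case-77": {"owner": "s-102", "records": {"rec-5001", "rec-5002"}},
    "case-78": {"owner": "s-330", "records": {"rec-5003"}},
    "case-99": {"owner": "s-417", "records": {"rec-8122"}},
}


def justification_gap(row, cases):
    """Return why an access lacks a work reason, or None if it is justified.
    A lookup is justified only when it cites a case assigned to that staff
    member and the record belongs to that case."""
    case = cases.get(row["case_id"])
    if case is None:
        return "no case cited"
    if case["owner"] != row["staff_id"]:
        return "case not assigned to staff"
    if row["record_id"] not in case["records"]:
        return "record outside cited case"
    return None


def flag_browsing(log_text, cases):
    """Return (findings, per_staff): one (staff_id, record_id, reason) per
    unjustified lookup, plus a count per staff member so repeat browsing stands out."""
    findings = []
    for row in csv.DictReader(StringIO(log_text)):
        reason = justification_gap(row, cases)
        if reason is not None:
            findings.append((row["staff_id"], row["record_id"], reason))
    return findings, dict(Counter(staff for staff, _, _ in findings))
```

Every flagged lookup is a prompt for the privacy officer to ask the staff member why the record was opened, not a finding of wrongdoing on its own.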

Significant personal information is held in various databases across New Zealand. A good example is around driver licences and car registration details. Businesses and organisations like insurance providers, vehicle importers, or sellers can be granted access to the motor vehicle register for lawful purposes. However, when staff at those types of agencies access the database for their own reasons or interests then it’s a problem, which often leads to employee dismissal as well as the agency needing to report a privacy breach.

Businesses have an obligation to ensure their staff have privacy training and a general awareness about the risks of employee browsing. They also need to take steps to make sure staff know they can only access information for work purposes.

This can be reinforced by having clear policies about employee browsing in your agency’s code of conduct, including consequences for being caught inappropriately accessing personal information about customers and clients.

Staff access to personal information comes with serious accountabilities about appropriate and lawful behaviour. We all need to treat it with respect. Organisations need to ensure there are consequences for employee browsing and treat any breaches of trust as serious compliance incidents.


Board of Trustees and privacy

Source: Privacy Commissioner

Board of Trustees and schools often deal with highly sensitive information about staff, students, and families, so it’s important to know what you can do to help safeguard people’s privacy.

Five steps to help boost privacy

  • Be aware so you can model the kind of leadership required to ensure privacy is treated as taonga
  • Make sure your staff are using school email addresses and not their own accounts
  • Implement two-factor authentication
  • Ask “why am I collecting this?” Does your school really need to collect this piece of information about your students?
  • Make sure students are asked before they get photos taken and respect their right to say no

Five good questions to ask to help promote good privacy practices

  • Is the information of the children and young people under your care treated as precious?
  • Are your IT systems fit for purpose?
  • Does your privacy officer (and every school needs one) have adequate training?
  • Is there good understanding about breach management, in order to prevent privacy breaches?
  • Do you have document retention and destruction policies in place?

Adding new technology?

If you’re thinking about changing how you’re collecting personal information, or implementing new technology at school, or even adding new software, then we recommend you take a few simple steps to understand possible privacy risks.

Need some help?

Our free online toolkit Poupou Matatapu sets out our expectations about what good privacy practice looks like and then helps you work towards that.

Our Ask Us function has a database of answers to questions like, ‘can a school monitor a student’s Wi-Fi usage?’, ‘can a school put parent details in a school directory?’, and ‘can I post photos or videos of my students to Instagram?’.

There’s also privacy support and advice available from Ministry of Education to help you, including items in Education Gazette.

Case Note 324485 [2024] NZPrivCmr 3 – Council publishes personal information online in connection with resource consent application

Source: Privacy Commissioner

Background

A woman applied to her local council for a necessary resource consent for her property. As part of this process, there were several emails between the woman and the Council containing her personal information, including the fact she was on a disability benefit. The council uploaded all the email correspondence alongside her resource consent application to its website.

The woman discovered her information was online and had been accessed by another person, who used that information to complain about her in court proceedings. The woman complained to our Office about the collection and disclosure of her personal information.

The principles applying to this case

This complaint raised issues under principles 3 and 11 of the Privacy Act. Principle 3 requires agencies to be open about the collection of personal information, telling people at the time of collection why it is being collected and how it will be used. Principle 11 prevents agencies from disclosing personal information unless one of the exceptions applies.

Also relevant is section 24 of the Act. This section says that where another law allows or prevents personal information from being used or disclosed in a particular way, this will override any obligations under the Privacy Act to the extent they conflict.

OPC’s investigation

OPC’s investigation found the Council had breached principles 3 and 11 of the Privacy Act.

The Council said section 35(5)(g) of the Resource Management Act (RMA) required it to publish information relating to resource consent applications. It also said the application form advised that the information “on the form” would be stored on a public register, and that details about consents applied for and issued by the Council would be made available to the public.

We did not consider the notice on the resource consent application was sufficient to inform the public that all email correspondence above and beyond the application itself would be published, and so the Council had breached principle 3. In any case, the application was submitted by the woman’s agent three months after the Council had published the email correspondence online, meaning the notice reasonably could not apply to information collected outside of the application.

We also found that, while the RMA contained an override allowing the Council to publish the application itself along with the associated evidence documents, the override did not extend to the email correspondence with sensitive details. The Council was not able to rely on any of the exceptions in principle 11 for the publication of the email correspondence.

We issued our preliminary view to the Council and asked it what steps it would be willing to take to resolve this matter.

The Council apologised to the woman. It agreed to remove all the irrelevant email correspondence from its website, and to redact any unnecessary personal information in the information which needed to remain online, including the woman’s contact details. The woman advised she was seeking financial compensation for the harm she had experienced. OPC used shuttle negotiation to reach a financial settlement between the parties.

The Council also agreed to review its processes and update its privacy statement around the publication of resource consent applications, so future applicants would be aware of the public nature of these documents.

Commentary

Where agencies are relying on statutory overrides to publish information online, we caution them to carefully understand the scope of what is required by that Act. In this case, the Council had published sensitive personal information online without considering whether the RMA actually required this. If the use or disclosure of personal information is not covered by the other legislation, an agency must then comply with its obligations under the Privacy Act.

Agencies must also meet their obligations under principle 3, even where an override may be operating. Being transparent about what information is going to be made publicly available, means that individuals can choose what information they want to provide, and can choose, for example, to use an agent to submit the application so their personal contact details would not be public. This autonomy is crucial to allowing individuals to retain control of their personal information.

Privacy News – September 2024

Source: Privacy Commissioner

An update on Foodstuffs North Island’s trial of facial recognition technology (FRT), a warning about data anonymisation techniques, and a privacy breach that was reported two years after the fact. We also cover off some new and updated Ask Us questions, as well as tell you how to opt out of LinkedIn’s AI, which is on by default. Read the September issue.

Privacy and CCTV

Source: Privacy Commissioner

From our experience, putting up a CCTV or surveillance camera can get a strong reaction from the public. Our Privacy Concerns and Sharing Data 2020 survey found 41 percent of people over 18 years old were concerned about the use of surveillance cameras. Because CCTV captures images of people, which can be used, stored, manipulated, and disseminated, those who operate the systems need to be aware of how to manage privacy issues. Good management of personal information is essential to the effective running of CCTV systems. Businesses can only take advantage of the full benefits available from CCTV technology if they manage their system with privacy in mind. All organisations considering using CCTV need to be mindful of their obligations under the Privacy Act 2020.

Ignoring a privacy breach only makes it worse

Source: Privacy Commissioner

Privacy Commissioner Michael Webster says it's always better to notify his office about a privacy breach than to ignore it. His message comes as he names Ultimate Care Group Limited as consistently ignoring its notification requirements, after it was found that it had lost part of a patient's medical records. Mr Webster said, “My recommendation is for agencies to notify us and do it early, even if they’re not 100 percent sure a privacy breach has occurred, or don't yet have all the details. It’s always better to talk to us than ignore the problem.”

The decision to name Ultimate Care Group was made so it could become an example for others. Ultimate Care had several instances where it should have made an earlier notification.

Privacy Commissioner’s comment on FRT trial

Source: Privacy Commissioner

Privacy Commissioner Michael Webster is now evaluating the results of Foodstuffs North Island's trial of Facial Recognition Technology (FRT) to better understand its privacy impacts and compliance with the Privacy Act. The Commissioner announced his Inquiry into FRT use in 25 supermarkets in April this year after Foodstuffs North Island sought to use FRT to help reduce retail crime. The inquiry has involved working with Foodstuffs staff in head office, as well as visits to 10 stores by Office of the Privacy Commissioner staff. The visits helped clarify how this technology practically works in stores, and what results are being seen. Mr Webster said: “Like everyone, we want people to be safe as they shop or work. My interest is also ensuring that customers can shop with a clear understanding of how and when their personal information is being collected and used, so they can make choices based on that.”

PBN23505 [2024] NZPrivCmr1 – Ultimate Care Group Limited

Source: Privacy Commissioner

Resources available