Privacy Commissioner issues first compliance notice to Reserve Bank of New Zealand

Source: Privacy Commissioner

The Privacy Commissioner has today issued a compliance notice to the Reserve Bank of New Zealand, triggered by a cyber-attack in December 2020. This is the first time the Privacy Commissioner has issued a compliance notice since receiving these new powers in the Privacy Act 2020. Privacy Commissioner John Edwards says, "The cyber-attack was a significant breach of one of the Bank's security systems and raised the possibility of systemic weakness in the Bank's systems and processes for protecting personal information."

As part of the investigation into the breach, the Bank engaged KPMG to undertake an independent review of its systems and processes. The review revealed multiple areas of non-compliance with Privacy Principle 5. Mr Edwards says, "We are heartened by the speed and thoroughness of the Bank's response."

Care is needed with data anonymisation

Source: Privacy Commissioner

Privacy Commissioner Michael Webster says agencies using data anonymisation and de-identification techniques are accountable for making sure they protect people's privacy. The Privacy Act allows anonymised information to be disclosed if it doesn't risk revealing personal details about identifiable people. The Commissioner's expectation is that information would be successfully anonymised and that there be no reasonable likelihood of re-identification. Care is needed because the inadvertent release of personal information through re-identification may result in serious harm to individuals. Protective steps that can be taken include:

  • Ensuring a Privacy Impact Assessment (PIA) is done for any significant project that uses people's personal information, to fully understand the scope of how personal information could be re-identified.
  • Removing any information that could potentially be used to re-identify an individual.
  • Where information is being provided to a third party, ensuring you and they understand and comply with their privacy obligations.
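The re-identification risk described above comes not only from direct identifiers (names, ID numbers) but from combinations of ordinary fields such as age, postcode and sex that together single one person out. The following is an added illustration, not material from the Privacy Commissioner: it measures the k-anonymity of a small constructed extract (the smallest number of records sharing any one combination of quasi-identifiers), lists the combinations that identify exactly one person, and shows how generalising those fields raises the guarantee. The records, field names and the k threshold are all assumptions made for the example.

```python
from collections import Counter
from typing import Dict, Iterable, List, Sequence, Tuple

# Constructed sample extract: names have already been removed, but age,
# postcode and sex remain. Several rows are still unique on those fields.
SAMPLE_RECORDS: List[Dict[str, object]] = [
    {"age": 34, "postcode": "6011", "sex": "F", "diagnosis": "asthma"},
    {"age": 34, "postcode": "6011", "sex": "F", "diagnosis": "none"},
    {"age": 35, "postcode": "6011", "sex": "M", "diagnosis": "diabetes"},
    {"age": 61, "postcode": "6012", "sex": "F", "diagnosis": "none"},
    {"age": 62, "postcode": "6012", "sex": "F", "diagnosis": "hypertension"},
    {"age": 67, "postcode": "6012", "sex": "M", "diagnosis": "none"},
]

# Fields an outsider could plausibly know about a person (quasi-identifiers).
QUASI_IDENTIFIERS: Tuple[str, ...] = ("age", "postcode", "sex")


def equivalence_classes(records: Iterable[Dict[str, object]],
                        quasi_ids: Sequence[str]) -> Counter:
    """Count how many records share each combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi_ids) for r in records)


def k_anonymity(records: List[Dict[str, object]], quasi_ids: Sequence[str]) -> int:
    """k is the size of the smallest equivalence class; k == 1 means someone is unique."""
    classes = equivalence_classes(records, quasi_ids)
    return min(classes.values()) if classes else 0


def singled_out(records: List[Dict[str, object]],
                quasi_ids: Sequence[str]) -> List[Tuple[object, ...]]:
    """Quasi-identifier combinations that match exactly one record."""
    classes = equivalence_classes(records, quasi_ids)
    return sorted(key for key, count in classes.items() if count == 1)


def release_is_acceptable(records: List[Dict[str, object]],
                          quasi_ids: Sequence[str], k_min: int = 3) -> bool:
    """Assumed release rule for this example: every person must hide among at least k_min others."""
    return k_anonymity(records, quasi_ids) >= k_min


def generalise(record: Dict[str, object]) -> Dict[str, object]:
    """Coarsen the quasi-identifiers: ten-year age band, postcode truncated to
    its first three digits, and sex dropped entirely. The diagnosis is kept,
    since that is the value the release is meant to convey."""
    age = int(record["age"])
    lower = (age // 10) * 10
    return {
        "age": f"{lower}-{lower + 9}",
        "postcode": str(record["postcode"])[:3] + "*",
        "diagnosis": record["diagnosis"],
    }


if __name__ == "__main__":
    print("k before generalisation:", k_anonymity(SAMPLE_RECORDS, QUASI_IDENTIFIERS))
    print("unique combinations:", singled_out(SAMPLE_RECORDS, QUASI_IDENTIFIERS))
    coarse = [generalise(r) for r in SAMPLE_RECORDS]
    print("k after generalisation:", k_anonymity(coarse, ("age", "postcode")))
    print("acceptable to release:", release_is_acceptable(coarse, ("age", "postcode")))
```

On the constructed data, stripping names leaves four of the six rows unique on age, postcode and sex, so k is 1 and the release would fail the assumed rule; after generalisation every row shares its age band and postcode prefix with two others, giving k of 3. The threshold and the generalisation scheme are choices a PIA would justify for the particular dataset, not fixed values.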

New and updated Ask Us questions

Source: Privacy Commissioner

AskUs is our database of questions and short answers about popular privacy topics. We've recently made some updates to keep it a useful resource. We added these new questions because they're frequently asked of our enquiries team:

  • Can I complain straight to the Privacy Commissioner first?
  • Can I complain to you that an agency didn't do a good job when I asked for access (or correction) to my personal information?
  • How long does an agency have to respond if I complain to it?

These Ask Us questions were updated to better reference Poupou Matatapu and the information we shared there.

Free privacy brochures and posters

Source: Privacy Commissioner

Do you know you have privacy rights?
Download our bilingual privacy brochure (images below). Our brochure covers New Zealanders' privacy rights, what to do if your personal information is taken, and how to make a complaint to us. It also includes our contact details. Email us at CommsTeam@privacy.org.nz if you'd like to request free professionally printed brochures be sent to you. We find these are popular with GP clinics, Citizens Advice Bureau outlets, and libraries.

Other resources: printable posters
You'll need to print these three posters out yourself; they cover three different privacy responsibility scenarios. You can also watch our accompanying video below, or link to it on our YouTube channel.

Case 324573 [2024] NZPrivCmr 2 – Organisation uses teenager’s image without consent, uses it in advertising campaign

Source: Privacy Commissioner

This is a David vs Goliath case, where the onus and due diligence were on the organisation with a team of professional communication experts. Ignorance of the situation is not a defence for decision making which ultimately causes harm.

Just because information is publicly available, does not make it automatically ok to reuse or republish for your own purposes. There can be significant impacts on all individuals, and particularly those who are more vulnerable such as minors. Online tools make it easy to share information without thinking, but agencies still have obligations to take care with personal information collected.

A good way to avoid negative outcomes is to stop and think before sharing the information. Would the individual be surprised to find you are using or sharing their information in this way? Are there any factors which make them vulnerable, or that suggest they would not want the information shared? If the answer is 'maybe' or 'yes', that might be a good time to reassess what you're using the information for.

The agency apologised for the harm caused, and a financial settlement agreement was reached between the parties.

The privacy risks of insurers misusing your genetic testing

Source: New Zealand Privacy Commissioner – Blog

By Michael Webster, Privacy Commissioner. This article was first published in The Post.

OPINION: Should you have to disclose to your insurance company if you’ve taken a genetic test and learnt you have the gene for a medical condition? Should they be able to require you to test?

Without adequate safeguards, a person’s genetic test could be used by an insurer to assume things about them and their whānau, including future children. This could affect insurance cover for people before they’re even born.

If insurance companies require predictive testing to be done before they insure an individual, the results could show a greater risk of a condition developing later in life, but that condition may never actually develop.

But the risk factor means people could be refused cover, or subject to exclusions or higher premiums. This risk could also result in fewer people getting tested or participating in genetic trials, leading to poorer health outcomes.

You might say, for some types of insurance, I already need to disclose a pre-existing medical condition anyway, so what’s the issue? Genetic information is not just highly sensitive personal information about you. It is you. But it also reveals information about people who are related to you – past, present and future.

There is a big difference between disclosing your own personal medical history and disclosing the information of family and relatives for insurance purposes.

What’s more, a person’s medical history shows specific current and past diagnoses and treatments based on assessments by health professionals. Compare this to predictive testing which can tell an insurer what conditions a person may have, but also what their likelihood of developing a condition in the future may be.

Clearly, protections need to be put in place to empower consumer choice and to prevent discrimination in insurance cover based on a person’s predictive genetic information.

The key point relating to privacy and human rights is, it’s the choice of the individual to have this testing done and to share any information it reveals as they choose. They will, hopefully, have made an informed decision to be tested in consultation with a health professional.

The collection, use, disclosure and storage of genetic information are all subject to the Privacy Act. But the act cannot stop insurers from requiring that genetic tests be taken or disclosed as a condition of their insurance cover.

Most OECD countries have protections against genetic discrimination; in New Zealand, there have been submissions made to Parliament and recommended changes to the Contracts of Insurance Bill.

I support adding specific targeted protections to manage the privacy risks of using genetic tests in the insurance context. This includes prohibiting insurance companies from requiring an individual to take a genetic test or disclose genetic test results.

There is also merit in exploring amendments to the Privacy Act or stand-alone legislation to better protect against genetic discrimination while providing the safe privacy enhancing use of genetic testing, which could help benefit New Zealanders.

Emerging technologies like genetic testing have great potential and my office supports their use when it’s done safely and in a way that ensures adequate protection of personal privacy.

Predictive genetic testing clearly has a place in New Zealand’s future, but this should be balanced with the right safeguards protecting individual choice about whether to be genetically tested or not.

Biometrics report-back

Source: Privacy Commissioner

New Zealand doesn't yet have specific privacy rules for biometrics. We've outlined our proposal in an exposure draft biometrics code of practice under the Privacy Act 2020. Between 10 April and 8 May 2024 we asked New Zealanders to have their say on how that might work by reviewing our exposure draft and giving us feedback.

There was generally strong support for the three fair processing limits, which would restrict some uses of biometric classification. Some agencies helpfully gave constructive comments about exceptions and definitions.

Allowing for the fact that biometric processing is a technical topic, some submitters still thought the draft code seemed overly complex. They thought it could be simplified and that we could revise the technical terms. This would make it clearer and more easily understood.

There was support for somewhat stronger notification and transparency obligations, but agencies weren't quite clear about the notice obligations as drafted. They also said that how we'd explained it seemed repetitive.

Another major theme was that agencies want guidance so that they can understand how to apply and comply with the rules. They want to be very clear about:

The private sector flagged risks around compliance burden and costs.

A note about guidance

If the Commissioner decides to proceed with a code of practice, we’ll provide draft guidance with the proposed code when we next go out for consultation. Our intent will be to help people understand the proposed code and get people’s feedback on that and the accompanying guidance material.

We also need to reconsider some of our policy decisions

Your feedback told us where we need to review the policy proposals. We’ll do that alongside our other work. That will include:

  • The broad exclusion for health agencies.
  • The exclusion of heartbeat biometrics (and how wearable devices are treated).
  • How long agencies are given to bring their activities into compliance with any new code.
  • Whether the components in the proportionality assessment will work well in real life.
  • Clearing up how notice requirements will work, what the benefit of them is, and a few other small matters.
  • Checking whether more exceptions may be necessary to make sure that any rules would be targeted at the high risk uses of biometrics, rather than the low risk beneficial uses of biometrics.

Thanks to everyone's feedback, we've got clear direction about what may need to be changed or reworked, and we will continue working on the proposals informed by it, which is what we'll do now.

Next steps

  • We will consider the detailed feedback in the submissions
  • We'll do further work on the proposals based on the constructive comments we received. This will include technical definitions and drafting points.
  • We’ll develop draft guidance to help explain the technical nature of biometrics and the proposed privacy rules.

Read the full report on submissions we received about an exposure draft of a biometrics code.

The Privacy Commissioner expects to announce his decision on whether he will go ahead with issuing a biometrics code of practice for statutory consultation, later this year.

If you want to contact us about this work please email biometrics@privacy.org.nz

Here’s what New Zealanders have said so far about draft rules for biometrics

Source: Privacy Commissioner

New Zealanders have been having their say on possible new rules for biometric processing, which the Office of the Privacy Commissioner is now sharing. Biometric processing is the use of technologies, like facial recognition technology, to collect and process people's biometric information to identify them or learn about them. The Office publicly released draft rules for using biometrics, for consultation, in May and received 250 submissions from members of the public, businesses, government agencies and advocacy organisations giving their view. Privacy Commissioner Michael Webster says, "Almost every one of the submissions from members of the public told us that people were concerned about the use of biometrics in New Zealand. There was broad support for the proposals in the exposure draft code."

180 people and 70 agencies (totalling 250 submissions) had a month to make submissions.

New Zealand – EU data protection adequacy

Source: Privacy Commissioner

The European Commission has determined that New Zealand has an adequate level of protection for personal data transferred from the European Union. Essentially, adequacy says that our legislation isn't the same as Europe's, but its outcomes are similar and can be trusted. Read about how the EU determines if a non-EU country has an adequate level of data protection. Adequacy means that New Zealand is seen as a good place for the world to do business; we have strong privacy protections in our legislation and an empowered regulator. It's good news for trade and ease of doing business in the digital age and helps ensure smooth cross-border data transfer.

Why is it important?
Only a small number of countries have achieved EU adequacy status, and this recognition is important for New Zealand in a global business environment.

See our Compliance Team’s work

Source: Privacy Commissioner
