Category: Privacy Commissioner

Source: Privacy Commissioner

New Zealand doesn’t yet have specific privacy rules for biometrics. We’ve outlined our proposal in an exposure draft biometrics code of practice under the Privacy Act 2020. Between 10 April – 8 May 2024 we asked New Zealanders to have their say on how that might work by reviewing our exposure draft and giving us feedback.There was generally strong support for the three fair processing limits, which would restrict some uses of biometric classification. Some agencies helpfully gave constructive comments about exceptions and definitions.Allowing for the fact that biometric processing is a technical topic, some submitters still thought the draft code it seemed overly complex. They thought it could be simplified and that we could revise the technical terms. This would make it clearer and more easily understood.There was support for somewhat stronger notification and transparency obligations, but agencies weren’t quite clear about the notice obligations as drafted. They also said that how we’d explained it seemed repetitive.Another major theme was that agencies want guidance so that they can understand how to apply and comply with the rules. They want to be super clear about:The private sector flagged risks around compliance burden and costs.

A note about guidance If the Commissioner decides to proceed with a code of practice, we’ll provide draft guidance with the proposed code when we next go out for consultation. Our intent will be to help people understand the proposed code and get people’s feedback on that and the accompanying guidance material.

We also need to reconsider some of our policy decisions

Your feedback told us where we need to review the policy proposals. We’ll do that alongside our other work. That will include:

• The broad exclusion for health agencies.
• The exclusion of heartbeat biometrics (and how wearable devices are treated).
• How long agencies are given to bring their activities into compliance with any new code.
• Whether the components in the proportionality assessment will work well in real life.
• Clearing up how notice requirements will work, what the benefit of them is, and a few other small matters.
• Checking whether more exceptions may be necessary to make sure that any rules would be targeted at the high risk uses of biometrics, rather than the low risk beneficial uses of biometrics.

Thanks to everyone’s feedback, we will continue working on the proposals informed by the we’ve got clear direction about what may need to be changed or reworked, which is what we’ll do now.

Next steps

• We will consider the detailed feedback in the submissions
• We’ll do further work on the proposals based on the constructive comments we received. This will include technical definitions and drafting points..
• We’ll develop draft guidance to help explain the technical nature of biometrics and the proposed privacy rules.

Read the full report on submissions we received about an exposure draft of a biometrics code.

The Privacy Commissioner expects to announce his decision on whether he will go ahead with issuing a biometrics code of practice for statutory consultation, later this year.

If you want to contact us about this work please email biometrics@privacy.org.nz

Source: Privacy Commissioner

New Zealanders have been having their say on possible new rules for biometric processing, which the Office of the Privacy Commissioner is now sharing. Biometric processing is the use of technologies, like facial recognition technology, to collect and process peoples biometric information to identify them or learn about them. The Office publicly released draft rules for using biometrics, for consultation, in May and received 250 submissions from members of the public, businesses, government agencies and advocacy organisations giving their view. Privacy Commissioner Michael Webster says, Almost every one of the submissions from members of the public told us that people were concerned about the use of biometrics in New Zealand. There was broad support for the proposals in the exposure draft code.

180 people and 70 agencies (totalling 250 submissions) had a month to make submissions.

Source: Privacy Commissioner

The European Commission has determined that New Zealand has an adequate level of protection for personal data transferred from the European Union. Essentially adequacy says that our legislation isnt the same as Europes, but its outcomes are similar and can be trusted. Read about how the EU determines if a non-EU country has an adequate level of data protection. Adequacy means that New Zealand is seen as a good place for the world to do business; we have strong privacy protections in our legislation and are an empowered regulator. Its good news for trade and ease-of-doing business in the digital age and helps ensure smooth cross-border data transfer. Why is it important?
Only a small number of countries have achieved EU adequacy status, and this recognition is important for New Zealand in a global business environment.

Source: Privacy Commissioner

Our website uses cookies so we can analyse our site usage and give you the best experience. Click “Accept” if you’re happy with this, or click “More” for information about cookies on our site, how to opt out, and how to disable cookies altogether.

Source: Privacy Commissioner

The Office of the Privacy Commissioner has launched a free online toolkit today to help businesses and organisations do privacy well. Privacy Commissioner Michael Webster says, “A strong privacy culture is increasingly a competitive advantage. “But we know that while businesses and organisations need to be good at privacy, thats sometimes a struggle. We wanted to make good privacy easier for New Zealand businesses to achieve, so their customers can reap the rewards of excellent privacy practices,” he says. The toolkit, called Poupou Matatapu, is free and online from today, Monday 15 July. Its designed to help with privacy management, but it also helps organisations and businesses to improve their data quality, innovation, customer and stakeholder trust, and decision-making processes. “We know that our countrys organisations and businesses are diverse and that they need solutions that are fit for purpose to help them meet their privacy obligations.

Source: Privacy Commissioner

Safeguarding personal information benefits all of New Zealand. For our people, protecting privacy reduces the privacy harms that may result, whether they are financial, reputational or emotional. For our companies and government agencies, soundly managing personal information enables the flow of goods and services through building the trust of customers and clients. For our society, privacy is a foundation underpinning the trust in the institutions of our democracy. Read how we’ll do that in OPC’s Statement of Performance Expectations 2024-2025.

Source: Privacy Commissioner

24 Jun 2024, 15:03

In the course of their duties, Ministers may be provided with, or request, personal information held by the departments that they’re responsible for. On occasion, Ministers may also wish to disclose personal information received from their departments.

We have written guidance about the disclosure of personal information from government departments to Ministers and disclosure of such personal information by Ministers.

It is intended to help departments and Ministers to negotiate the interface between the requirements of the Privacy Act and the need to share information so Ministers can fulfil their portfolio responsibilities.

This guidance has been prepared by the Office of the Privacy Commissioner in conjunction with the Crown Law Office. The Cabinet Office, the Public Service Commission, and the Office of the Clerk of the House of Representatives have also been consulted about the contents of the guidance.

Read the full Departmental disclosure of personal information to Ministers and further disclosure of such information by Ministers: Privacy Act considerations.

Source: New Zealand Privacy Commissioner – Blog

This summary was written by Rachel Levinson-Waldman, who served with OPC as a 2024 Ian Axford Fellow in Public Policy. Read her in-depth report.

What is social media monitoring?
Social media monitoring in this context means just about any use of social media that isn’t for public education or outreach. It covers government agencies and public servants obtaining information about individuals or groups for law enforcement, intelligence, public safety, criminal investigations, regulatory enforcement, risk or threat assessment, or fraud detection.

What are the different ways that government agencies might access social media?

1. Broadly, there are five categories. Most agencies don’t use every one of these, and some may use methods that vary somewhat.
   Google or other general web searches that turn up publicly-available social media information – for instance, a public Facebook profile.
2. Searches on social media sites for people, groups, hashtags, etc. Depending on the needs of the agency and the potential risk to employees, that could be through an account visibly affiliated with the agency or an alias (an account showing a different name and identity from the person operating it). Mostly this activity doesn’t involve interacting directly with other people on the platform, but in some situations could involve viewing or joining a group.
3. Connecting directly with people on social media, via messaging, “likes”, etc. This typically involves the use of an alias account.
4. Using third party tools for data collection and analysis.
5. Taking over an account with the consent of the individual. This appears to be used mostly – perhaps solely – by Police and is carried out through specific forms that enable either temporary or permanent takeover. Note: the forms are included in the appendices of Rachel’s report.

What agencies in Aotearoa New Zealand use social media and do they have policies in place?

Has the government said anything about developing and publishing policies on social media monitoring?
Yes. A 2017 joint report, by the Law Commission and Ministry of Justice, recommended that heads of enforcement agencies be required to issue policy statements addressing social media monitoring. In 2018, the Public Service Commission released model standards requiring agencies to establish a policy framework for information collection, which would also support the publication of policies addressing use of social media.

What does it matter if the government is looking at social media? Isn’t it just dog pictures and whatever people have chosen to put online?
Use of social media by government agencies to make decisions about investigations, prosecutions, risk monitoring, welfare benefits and other activities brings a variety of potential risks. 

• Social media data can help create a surprisingly comprehensive picture of a person or group. Social media platforms host vast quantities of data from posts to likes to pictures, as well as a wealth of information about people’s friends, family, and other networks. Social media also makes it much cheaper and easier to assemble this information than older, analogue methods of information collection.
• Social media can be difficult to interpret. It’s highly dependent on cultural and language references, tone, in-group speak, and memes. Examples include British travellers who were barred from the United States after one tweeted out a joke that was misinterpreted and a high-ranking state official in the U.S. who lost his job after posting a picture from the rap group Public Enemy’s album that was interpreted as a threat to police. People also communicate in intentionally misleading ways on social media, as with white supremacist groups who use jokes to draw people in and try to obscure their intent.
• Social media monitoring can chill personal and political expression and other core democratic rights. As Dame Helen Winkelmann, now the chief justice of the New Zealand Supreme Court, has observed, privacy lies at the “heart of freedom of thought”. It is nearly impossible to dissent or to develop views outside the mainstream if you feel that you’re under surveillance. This risk is not merely hypothetical; there is a history both within New Zealand and around the world of state surveillance of activists and dissenters, and activists who identify as members of a marginalised group, including Māori and LGBTQ+, are at particular risk.
• There may be other impacts on marginalised or vulnerable groups. In addition to the targeting of activists, there’s a risk that governmental social media monitoring, even to detect threats, will be securitised. Muslim communities, for instance, have spoken out about the fact that security agencies were surveilling them prior to the Christchurch attacks rather than monitoring threats from white supremacists; LGBTQI+ groups have pushed back against coercive police activity; and Māori advocates have suggested (Tina Ngata, page 8) that the state is not equipped to provide protection through threat monitoring in light of its own history of harm to Māori. At same time, a significant amount of hate speech is directed against marginalised groups. This highlights the need for governmental agencies to act in close consultation with marginalised groups to determine what would most effectively support their safety, taking the groups’ lead as much as possible. Agencies should also pay close attention to the impact on tamariki and rangatahi, who are particularly vulnerable and are entitled to special protections under the Privacy Act.
• The increase of AI-driven tools supercharges many of these concerns, from facilitating lightning-fast data analysis that could create a holistic picture of an individual to being deployed in ways that – even inadvertently – are strongly biased against marginalised groups. These tools are typically developed using training data that is unlikely to adequately reflect the range of languages or cultural backgrounds in Aotearoa New Zealand. They often promise more than they can deliver. And it’s hard for AI to interpret nuance or context.
• Finally, the use of undercover social media accounts to engage directly with people poses special risks. A public servant could choose an online persona that has a different race, gender, or age from their real identity – something that would be impossible in person. They could even set up multiple personas, given enough time and technological capacity. This makes it particularly important that these practices are subject to stringent oversight and accountability measures. The 2017 joint report from the Law Commission and Ministry of Justice recommended that any agency undertaking covert operations – defined as an operation in which an enforcement officer develops a relationship with someone to obtain information – online or in person publish a policy statement and, in many circumstances, obtain a warrant.

Does New Zealand law prohibit social media monitoring?
No. The main relevant laws are the Bill of Rights Act 1990, the Search and Surveillance Act 2012, and the Privacy Act 2020. They all contain important safeguards but also leave critical gaps.

• The Bill of Rights Act 1990 provides important protections for democratic and human rights and prohibits unreasonable searches and seizures, but it does not mention privacy and it can be overridden by other laws.
• The Search and Surveillance Act 2012 governs Police’s search and surveillance authority and, by extension, agents of other enforcement agencies. However, it does not address social media, and in their 2017 joint report, the Law Commission and Ministry of Justice concluded that it had “not kept pace with developments in technology”. The report recommended that the Act be amended to require heads of enforcement agencies to issue policy statements addressing social media monitoring.
• The Privacy Act 2020 requires that government agencies and private parties collecting personal information must have a lawful purpose for doing so and the collection must be necessary for that purpose. “Personal information” includes publicly available information, including on social media. But the Act has several carve-outs for publicly available information, and the 2017 joint report concluded that “we do not consider the principles in the Privacy Act provide sufficient protection against unjustified public surveillance”.

Do the major social media platforms have any relevant policies?

Yes. Facebook’s terms and conditions prohibit any user – including police officers and other law enforcement agents – from having an account under a false name. In addition, Facebook and Instagram (which are both owned by Meta), along with Twitter, all prohibit the use of their customer data for surveillance.

Other information

• Download a copy of the information on this page as a PDF.
• Read Rachel Levinson-Waldman’s full report. 

Source: Privacy Commissioner

Read information for Latitude Financial customers

Our Office values working with New Zealanders to get their privacy queries and complaints sorted quickly and fairly. Before you complain to us, you need to complain directly to the business or organisation that has breached your privacy. How complaining to us works
If you havent been able to work out your privacy issue with the business or organisation you complained to, then you can complain to us. First, well decide whether we need to investigate. To get the full story well talk to you, and sometimes to the agencyyoure complaining about. Read our decision guide. We will try to accommodate any accessibility needs you have when contacting us in accordance with theHuman Rights Act 1993.

Source: Privacy Commissioner

Before you can take a privacy case to the Human Rights Review Tribunal, the Privacy Commissioners office must have investigated the aspects of your complaint that you want the Tribunal to consider. Under the Privacy Act 2020, you have 6 months to file a claim in the Human Rights Review Tribunal. On 1 December 2020, the new Privacy Act came into force, replacing the Privacy Act 1993. Read our guide on the requirements for filing a claim: Filing a privacy claim in the Human Rights Review Tribunal. For more information about the Human Rights Review Tribunal, visitthe Ministry of Justicewebsite.