The Office of the Privacy Commissioner has launched a free online toolkit today to help businesses and organisations do privacy well. Privacy Commissioner Michael Webster says, “A strong privacy culture is increasingly a competitive advantage. “But we know that while businesses and organisations need to be good at privacy, thats sometimes a struggle. We wanted to make good privacy easier for New Zealand businesses to achieve, so their customers can reap the rewards of excellent privacy practices,” he says. The toolkit, called Poupou Matatapu, is free and online from today, Monday 15 July. Its designed to help with privacy management, but it also helps organisations and businesses to improve their data quality, innovation, customer and stakeholder trust, and decision-making processes. “We know that our countrys organisations and businesses are diverse and that they need solutions that are fit for purpose to help them meet their privacy obligations.
Safeguarding personal information benefits all of New Zealand. For our people, protecting privacy reduces the privacy harms that may result, whether they are financial, reputational or emotional. For our companies and government agencies, soundly managing personal information enables the flow of goods and services through building the trust of customers and clients. For our society, privacy is a foundation underpinning the trust in the institutions of our democracy. Read how we’ll do that in OPC’s Statement of Performance Expectations 2024-2025.
In the course of their duties, Ministers may be provided with, or request, personal information held by the departments that they’re responsible for. On occasion, Ministers may also wish to disclose personal information received from their departments.
We have written guidance about the disclosure of personal information from government departments to Ministers and disclosure of such personal information by Ministers.
It is intended to help departments and Ministers to negotiate the interface between the requirements of the Privacy Act and the need to share information so Ministers can fulfil their portfolio responsibilities.
This guidance has been prepared by the Office of the Privacy Commissioner in conjunction with the Crown Law Office. The Cabinet Office, the Public Service Commission, and the Office of the Clerk of the House of Representatives have also been consulted about the contents of the guidance.
Read the full Departmental disclosure of personal information to Ministers and further disclosure of such information by Ministers: Privacy Act considerations.
This summary was written by Rachel Levinson-Waldman, who served with OPC as a 2024 Ian Axford Fellow in Public Policy. Read her in-depth report.
What is social media monitoring? Social media monitoring in this context means just about any use of social media that isn’t for public education or outreach. It covers government agencies and public servants obtaining information about individuals or groups for law enforcement, intelligence, public safety, criminal investigations, regulatory enforcement, risk or threat assessment, or fraud detection.
What are the different ways that government agencies might access social media?
Broadly, there are five categories. Most agencies don’t use every one of these, and some may use methods that vary somewhat. Google or other general web searches that turn up publicly-available social media information – for instance, a public Facebook profile.
Searches on social media sites for people, groups, hashtags, etc. Depending on the needs of the agency and the potential risk to employees, that could be through an account visibly affiliated with the agency or an alias (an account showing a different name and identity from the person operating it). Mostly this activity doesn’t involve interacting directly with other people on the platform, but in some situations could involve viewing or joining a group.
Connecting directly with people on social media, via messaging, “likes”, etc. This typically involves the use of an alias account.
Using third party tools for data collection and analysis.
Taking over an account with the consent of the individual. This appears to be used mostly – perhaps solely – by Police and is carried out through specific forms that enable either temporary or permanent takeover. Note: the forms are included in the appendices of Rachel’s report.
What agencies in Aotearoa New Zealand use social media and do they have policies in place?
Has the government said anything about developing and publishing policies on social media monitoring? Yes. A 2017 joint report, by the Law Commission and Ministry of Justice, recommended that heads of enforcement agencies be required to issue policy statements addressing social media monitoring. In 2018, the Public Service Commission released model standards requiring agencies to establish a policy framework for information collection, which would also support the publication of policies addressing use of social media.
What does it matter if the government is looking at social media? Isn’t it just dog pictures and whatever people have chosen to put online? Use of social media by government agencies to make decisions about investigations, prosecutions, risk monitoring, welfare benefits and other activities brings a variety of potential risks.
Social media data can help create a surprisingly comprehensive picture of a person or group. Social media platforms host vast quantities of data from posts to likes to pictures, as well as a wealth of information about people’s friends, family, and other networks. Social media also makes it much cheaper and easier to assemble this information than older, analogue methods of information collection.
Social media can be difficult to interpret. It’s highly dependent on cultural and language references, tone, in-group speak, and memes. Examples include British travellers who were barred from the United States after one tweeted out a joke that was misinterpreted and a high-ranking state official in the U.S. who lost his job after posting a picture from the rap group Public Enemy’s album that was interpreted as a threat to police. People also communicate in intentionally misleading ways on social media, as with white supremacist groups who use jokes to draw people in and try to obscure their intent.
Social media monitoring can chill personal and political expression and other core democratic rights. As Dame Helen Winkelmann, now the chief justice of the New Zealand Supreme Court, has observed, privacy lies at the “heart of freedom of thought”. It is nearly impossible to dissent or to develop views outside the mainstream if you feel that you’re under surveillance. This risk is not merely hypothetical; there is a history both within New Zealand and around the world of state surveillance of activists and dissenters, and activists who identify as members of a marginalised group, including Māori and LGBTQ+, are at particular risk.
There may be other impacts on marginalised or vulnerable groups. In addition to the targeting of activists, there’s a risk that governmental social media monitoring, even to detect threats, will be securitised. Muslim communities, for instance, have spoken out about the fact that security agencies were surveilling them prior to the Christchurch attacks rather than monitoring threats from white supremacists; LGBTQI+ groups have pushed back against coercive police activity; and Māori advocates have suggested (Tina Ngata, page 8) that the state is not equipped to provide protection through threat monitoring in light of its own history of harm to Māori. At same time, a significant amount of hate speech is directed against marginalised groups. This highlights the need for governmental agencies to act in close consultation with marginalised groups to determine what would most effectively support their safety, taking the groups’ lead as much as possible. Agencies should also pay close attention to the impact on tamariki and rangatahi, who are particularly vulnerable and are entitled to special protections under the Privacy Act.
The increase of AI-driven tools supercharges many of these concerns, from facilitating lightning-fast data analysis that could create a holistic picture of an individual to being deployed in ways that – even inadvertently – are strongly biased against marginalised groups. These tools are typically developed using training data that is unlikely to adequately reflect the range of languages or cultural backgrounds in Aotearoa New Zealand. They often promise more than they can deliver. And it’s hard for AI to interpret nuance or context.
Finally, the use of undercover social media accounts to engage directly with people poses special risks. A public servant could choose an online persona that has a different race, gender, or age from their real identity – something that would be impossible in person. They could even set up multiple personas, given enough time and technological capacity. This makes it particularly important that these practices are subject to stringent oversight and accountability measures. The 2017 joint report from the Law Commission and Ministry of Justice recommended that any agency undertaking covert operations – defined as an operation in which an enforcement officer develops a relationship with someone to obtain information – online or in person publish a policy statement and, in many circumstances, obtain a warrant.
Does New Zealand law prohibit social media monitoring? No. The main relevant laws are the Bill of Rights Act 1990, the Search and Surveillance Act 2012, and the Privacy Act 2020. They all contain important safeguards but also leave critical gaps.
The Bill of Rights Act 1990 provides important protections for democratic and human rights and prohibits unreasonable searches and seizures, but it does not mention privacy and it can be overridden by other laws.
The Search and Surveillance Act 2012 governs Police’s search and surveillance authority and, by extension, agents of other enforcement agencies. However, it does not address social media, and in their 2017 joint report, the Law Commission and Ministry of Justice concluded that it had “not kept pace with developments in technology”. The report recommended that the Act be amended to require heads of enforcement agencies to issue policy statements addressing social media monitoring.
The Privacy Act 2020 requires that government agencies and private parties collecting personal information must have a lawful purpose for doing so and the collection must be necessary for that purpose. “Personal information” includes publicly available information, including on social media. But the Act has several carve-outs for publicly available information, and the 2017 joint report concluded that “we do not consider the principles in the Privacy Act provide sufficient protection against unjustified public surveillance”.
Do the major social media platforms have any relevant policies?
Yes. Facebook’s terms and conditions prohibit any user – including police officers and other law enforcement agents – from having an account under a false name. In addition, Facebook and Instagram (which are both owned by Meta), along with Twitter, all prohibit the use of their customer data for surveillance.
Our Office values working with New Zealanders to get their privacy queries and complaints sorted quickly and fairly. Before you complain to us, you need to complain directly to the business or organisation that has breached your privacy. How complaining to us works
If you havent been able to work out your privacy issue with the business or organisation you complained to, then you can complain to us. First, well decide whether we need to investigate. To get the full story well talk to you, and sometimes to the agencyyoure complaining about. Read our decision guide. We will try to accommodate any accessibility needs you have when contacting us in accordance with theHuman Rights Act 1993.
Before you can take a privacy case to the Human Rights Review Tribunal, the Privacy Commissioners office must have investigated the aspects of your complaint that you want the Tribunal to consider. Under the Privacy Act 2020, you have 6 months to file a claim in the Human Rights Review Tribunal. On 1 December 2020, the new Privacy Act came into force, replacing the Privacy Act 1993. Read our guide on the requirements for filing a claim: Filing a privacy claim in the Human Rights Review Tribunal. For more information about the Human Rights Review Tribunal, visitthe Ministry of Justicewebsite.
A recent study of New Zealander’s attitudes to privacy shows higher levels of concern among Māori.
The biennial privacy survey of nearly 1200 New Zealanders (including over 320 Māori) was released last week to mark Privacy Week 2024.
Pou Ārahi at the Office of the Privacy Commissioner, Shane Heremaia (Ngati Tūwharetoa, Te Arawa), says the survey showed Māori are more concerned about privacy in every way.
“Total concern for individual privacy was higher across Māori respondents, as was the rate who had become more concerned about these issues over the last few years.
“Privacy concerns drive behaviour. A standout example among Māori is that one in three (33%) stated that in the past 12 months they’ve avoided contacting a government department due to privacy concerns. For non-Māori that figure is one in seven (14%).”
Māori are more likely to also have avoided doing a range of other activities due to privacy concerns, including using social media (44% v 32% non-Māori), online shopping (43% to 26%), online dating (41% v 26%), signing up for loyalty cards (36% v 22%) or visiting a particular place due to surveillance concerns (30% v 14%).
“Māori were also more likely to express concern about bias in facial recognition. This included being concerned about it being used without people being told or agreeing to it, its use in retail stores to identify individuals and its use by law enforcement to identify individuals in public spaces.
“Facial recognition is clearly an issue for Māori. This reflects concerns expressed by the Privacy Commissioner about bias and accuracy in the use of facial recognition technology and how he’s worried about what this means for Māori, Pasifika, Indian, and Asian shoppers, especially when the software is not trained on New Zealand’s population.”
The survey also shows that Māori are more concerned about children’s privacy, with 88% wanting the government to pass more legislation that protects children’s privacy, while 80% said that protecting children’s information was a major concern in their life, which is significantly higher than the 59% figure for non-Māori.
One positive development was that 54% of Māori are aware that the Privacy Act gives them rights to a copy of any personal information an organisation holds about them. While this is an increase from 50% in 2022, there is still a lot of room to make people more aware of their privacy rights and what they can do if their rights are breached.
“It’s clear Māori are increasingly aware of the importance of privacy and are wanting greater control of their personal privacy. There’s also greater understanding of the possible negative consequences new technology like facial recognition technology might have and it’s important Māori views regarding privacy are represented and understood”.
During Privacy Week when we talked about notifying individuals about privacy breaches, we got asked a lot of questions about our guideline around 72 hours. Heres what we mean when we say 72 hours
You must inform the Privacy Commissioner of serious privacy breaches as soon as you practically can after becoming aware of them. Our expectation is that you will do this within 72 hours of becoming aware that its a notifiable breach. This timeframe is a guide only and is intended to initiate prompt notification to us. In some cases, it will be clear from the outset that a breach has occurred and that it is notifiable.
People are not just aware but they’re also acting. In our survey, 70% declared that they were likely to consider changing service providers in response to poor privacy and security practices.
“Our survey also showed Māori are more concerned about privacy in every way. A standout example of the privacy concerns expressed by Māori is that 32% stated that in the past 12 months they have avoided contacting a government department due to privacy concerns. For non-Māori that figure is 14%.”
“It’s fitting these results come out in Privacy Week as it shows that people value privacy and are increasingly willing to speak up about things they think are going to have a detrimental impact on their personal privacy,” says Mr Webster.
The survey had nearly 1200 participants.
Privacy Week runs from 13-17 May and we’re running a series of free online talks and conversations covering a range of topics.
The Privacy Commissioner has released the annual compliance assurance reports submitted by the three national credit reporting companies for the 2022/2023 year.
Credit reporting agencies send us reports each year so we can check they are meeting their obligations under the Credit Reporting Privacy Code, Privacy Commissioner, Michael Webster said.
“My office has completed our annual assurance round of Equifax; illion and Centrix’s compliance with the Credit Reporting Code and no issues have been raised.”
These assurances are focused on making sure the agencies keep credit information safe and secure and take reasonable steps to check credit information is accurate before using or disclosing it.
We also make sure there are processes for individuals to request access to and correction of their credit information and confirm there is information on the agency’s complaint process available on its website.