If you find a security problem in the Office of the Privacy Commissioner’s website, Privacy Commissioner John Edwards wants you to tell him about it. Mr Edwards has launched his office’s Vulnerability Disclosure Policy in time for the New Zealand Internet Task Force (NZITF) conference in Wellington today. “A vulnerability disclosure policy demonstrates the commitment we have to security. The policy publicly commits our office to responding promptly when advised of any vulnerability,” he said. A vulnerability disclosure policy encourages people who find vulnerabilities in the Office of the Privacy Commissioner’s website to report them responsibly. The policy also gives a reassurance that the Privacy Commissioner will not seek to prosecute people who find vulnerabilities and follow the policy in reporting those. Mr Edwards hopes publishing his office’s policy will encourage other agencies to follow the NZITF’s guidelines on responsible disclosure.
Concern about social media use was one of the three themes raised by experts and agencies working directly with children. The three key themes were:
– Social media is a major concern, and a combination of guidance and regulatory changes are needed to manage this risk to children’s privacy.
– More guidance is needed to help professionals, parents and children better understand privacy risks.
– Some regulatory changes could better protect children’s privacy, including changing the Privacy Act to include a right to be forgotten, introducing a requirement to consider the best interests of the child, or creating a code of practice.
Privacy Commissioner Michael Webster said the sorts of concerns raised in the survey were well summed up by one respondent, “Young people don’t have the capacity to make fully informed decisions about their digital footprint and the long-lasting implications of having an online presence.
In April 2024, we released our report summarising the themes and messages we heard during our Children and Young People’s Privacy project. Read the short report. Read the full report.
About the project
In September 2023 we launched the Children and Young People’s Privacy project, which looked at how children’s privacy is being protected and ultimately considered whether the rules protecting children’s privacy rights are working. There are some unique challenges and opportunities that relate to the privacy of children and young people as they interact with health and education services and the online world. To understand these challenges, in late 2023 we consulted with government agencies, professionals who work with children (teachers, doctors, nurses, etc), and non-governmental organisations who advocate for children and young people. We asked them for their thoughts on how to improve children’s privacy in New Zealand.
The Office of the Privacy Commissioner has developed draft rules for the use of biometric technologies and is now asking what people think of those. Biometrics is the automated processing of physical and behavioural characteristics (face scans, fingerprint scans, voice recordings) that can be used to identify individuals or work out things about them. New Zealand doesn’t currently have special rules for biometric technologies. Privacy Commissioner Michael Webster says, “The Privacy Act 2020 regulates the use of personal information in New Zealand (and therefore biometrics), but we think biometrics need special protections especially in specific circumstances.” “Biometrics are fundamental to who a person is; they’re a very special type of personal information,” says Mr Webster. Biometrics can be used to surveil and monitor large numbers of people or identify people on a watchlist and some of their uses are so highly intrusive that they shouldn’t be used lightly.
Privacy Commissioner Michael Webster has today started his Inquiry into Foodstuffs North Island’s trial of facial recognition technology (FRT) in 25 of its supermarkets. The Inquiry is designed to monitor the way stores are running the trial to ensure that it is compliant with the Privacy Act. It will also inform the Commissioner’s assessment of the effectiveness of the use of FRT in reducing harmful behaviour in Foodstuffs North Island supermarkets once the trial is completed. Privacy Commissioner Michael Webster says: At the end of the six-month trial I will be assessing the evidence that the use of FRT is justified. Has it made a practical and statistically significant difference to the incidence of retail crime in Foodstuffs North Island supermarkets relative to other less intrusive options?
Using facial recognition technology to reduce harmful behaviour in supermarkets raises significant privacy risks and the trial is itself not without risk.
BIMs are produced following a general election or change in minister. They provide an introduction to OPC’s portfolio and summarise key areas of policy and policy issues.
Webinar details
Date: Monday 25 March
Time: 2.30-3.30pm
Register now using the Zoom link to be reminded. Join Michael Webster, Privacy Commissioner, Rachel Levinson-Waldman, Ian Axford Fellow, and Liz MacPherson, Deputy Privacy Commissioner in conversation. Rachel is hosted at the Office of the Privacy Commissioner (OPC) as an Ian Axford Fellow where she is working in the realm of privacy, social media, and artificial intelligence. Rachel’s area of focus has been state use of surveillance programmes and tools like license plate readers, cell phone trackers and social media technologies. At home in the United States she’s the managing director of the Brennan Center’s Liberty & National Security Program. To prepare for this session you might like to read some of Rachel’s work.
The Privacy Commissioner, speaking at today’s National Cyber Security Summit in Wellington, has called for greater penalties for data breaches.
This comes on the back of two major research studies that indicate widespread support, including from businesses, for higher penalties for breaches.
Michael Webster, Privacy Commissioner says, “Most of the serious privacy breaches reported to my Office are happening in the digital world.
“I am concerned that businesses and other organisations rely on digital environments but aren’t well set up to run them safely. The degree of privacy maturity and cyber security practice is not as developed as I would have expected, which says to me that people aren’t always motivated to comply with legislation that protects data, like the Privacy Act.
“The maximum fine I can issue to an organisation for not adhering to a compliance order is $10,000.
“Compare that to Australia where their maximum fine for serious interference with privacy is $50 million and you begin to see the issue,” says Mr Webster.
New Zealand business leaders agree. Kordia released its New Zealand Business Cyber Security Report 2023 this week, which showed that one in five businesses have no plan to deal with a cyber-attack. This was despite half (55%) of businesses surveyed with 100 or more employees suffering a cyber-attack or incident in the last year.
The Kordia survey showed that business leaders are generally in favour of more legislation. 58% say an increase in legislation and regulatory guidance will improve cyber security, while almost three quarters think New Zealand should introduce harsher penalties for businesses that fail to protect personal data.
In a separate survey of individuals, Talbot Mills Research asked about fines, with 60 percent of those surveyed saying the current level of fines in the NZ Privacy Act were not high enough.
“We live in dynamic times with significant technological advancements, yet we’re operating on a Privacy Act that is based on policies agreed in 2013,” says Mr Webster.
“We need to ensure our Privacy Act keeps up with global privacy standards or risk that we may no longer be one of the safest places in the world to process personal information.
“That will have a real impact for businesses – not just the direct losses from a breach, but the loss of confidence of our trading partners who expect us to keep up on data protection,” he says.
The Commissioner recommends the following developments to the Privacy Act 2020:
– A civil penalty regime for major non-compliance alongside new privacy rights for New Zealanders to better protect themselves.
– A set of specific amendments to make the Privacy Act fit-for-purpose in the digital age.
– Stronger requirements for automated decision making and agencies demonstrating how they meet privacy requirements.
Media release
Privacy Commissioner Michael Webster will use his inquiry powers to keep a close eye on the facial recognition technology (FRT) trial that Foodstuffs North Island is starting on Thursday 8 February. The use of biometric technologies (which FRT is) is something he thinks all New Zealanders should care about because it’s a significant step in this technology becoming more commonplace and it has privacy implications. The trial is happening because the Privacy Commissioner asked Foodstuffs North Island to provide evidence that FRT was a justified way to reduce retail crime given the privacy impacts of using shoppers’ biometric information. Foodstuffs North Island will use the data from the trial, which is across 25 stores, to decide whether to roll-out the technology further. The Commissioner’s concern is that FRT isn’t a proven tool in efforts to reduce harmful behaviour in supermarkets, especially violent harmful behaviour.