New Zealand part of global effort on data scraping

Source: Privacy Commissioner

The privacy of people online is being put first by international data authorities.

Today, the privacy protection authorities of New Zealand, Canada, Australia, the United Kingdom, Hong Kong, Switzerland, Norway, Colombia, Morocco, Argentina, Mexico and Jersey are issuing statements on data scraping, and how the public can protect their privacy.

The Office of the Privacy Commissioner (OPC) is part of that global effort to highlight the illegal scraping of personal information belonging to members of the public as well as the need for protections.

Privacy Commissioner Michael Webster says social media platforms and commercial websites must protect consumers from data scraping.

Data scraping, or web scraping, is a process where an entity hoovers up the data and uses it for their own purposes. It has become a key source of training data for generative AI (Artificial Intelligence) technologies, which in turn allow data scraping to happen at a faster rate, sometimes with malicious intent.

Social media companies and website hosts have obligations under the law to protect the personal information on their platforms from data scraping. Mass data scraping incidents that take personal information can constitute reportable data breaches in many jurisdictions.

“From a consumer perspective, people use online services as part of everyday life, and don’t expect their personal information to be hoovered up by other agencies, private or public, when they go online.

“From a privacy point of view, agencies collecting publicly available data need to understand that just because people are putting things out on the internet doesn’t mean that the Privacy Act’s safeguards don’t apply.

“Any platforms hosting or collecting data need to ask themselves what individuals would have expected in terms of the use of their data when they originally shared it,” says the Commissioner.

“I would also urge the public to consider that every time they use the internet, they are leaving digital footprints. If money can be made from those footprints, there’s every chance someone is going to take that opportunity.”

The joint international statement from data protection authorities has also been sent directly to big tech companies such as Alphabet Inc, which owns Google; Microsoft Corporation, which runs LinkedIn; and Sina Corp, which runs Weibo.

The capacity of data scraping technologies to collect and process vast amounts of individuals’ personal information from the internet raises significant privacy concerns, even when the information being scraped is publicly accessible anyway.

“And while not all AI is producing accurate work, it’s still producing work from the personal information it has collected. Inaccurate personal information about an identifiable individual is still personal information under the Privacy Act,” says Mr Webster. The joint statement can be found here.

Sir Bruce Slane Memorial Lecture 2023

Source: Privacy Commissioner

Professor Nicole Moreham will deliver the 2023 Sir Bruce Slane Memorial Lecture on the topic “Balancing privacy and other interests in the social media age”. The lecture is a key event for the Office of the Privacy Commissioner, and is named for the first Privacy Commissioner, Sir Bruce Slane. It is run in partnership with the Privacy Foundation. Privacy Commissioner Michael Webster hosts the evening, bringing together guests who have a keen interest in privacy and privacy law.

“I’m looking forward to an interesting and insightful lecture as well as engaging discussions about privacy. Professor Moreham is an accomplished speaker and thinker, and we are very pleased to have her deliver this important lecture,” says the Commissioner.

The free event will run on:

Tuesday 29 August

6.15 lecture

Victoria University Law School, Lecture Theatre 1 (behind the main building), Government Buildings, 55 Lambton Quay, Pipitea.

Take care when merging – public datasets and privacy

Source: Privacy Commissioner

The manipulation of data from two different government data sets has created an educational opportunity for the wider community. 

The creators of the website, whatdoesmylandlordown.org (WDMLO), a site that listed property owners and their address, built their web platform by merging two different data sets sourced from publicly available information held by Toitū Te Whenua Land Information New Zealand (LINZ). 

“The WDMLO algorithm used to manipulate the data for publishing on the website created information that was inaccurate. As a result, people were identified as owners of properties that they did not own. Our office received complaints from people reporting emotional and reputational harm”, says Deputy Privacy Commissioner Liz MacPherson. 

“This is an example of the perils of merging data without taking into consideration that what you end up with might no longer represent facts. Two data sets don’t always add up to what you think they should.” 

Launched early in February, whatdoesmylandlordown.org quickly garnered attention from the public.  

“My Office started receiving complaints about information on the WDMLO website identifying individuals as owners of properties soon after,” says the Deputy Commissioner.  

“The key message here for anyone using data from other providers is that they’re responsible for ensuring the data they’re creating is accurate.” 

“While the source agency for the information you use has responsibilities, you must take care to ensure any data manipulation you may complete to get the data ready for your own use, doesn’t then alter the accuracy of the data,” says the Deputy Commissioner.

The problem in this case is in the algorithm WDMLO used to combine the data sets. It identified people as owners of properties when they weren’t. 

“The accuracy issues arose when people shared common names. The way the information was presented did not differentiate between them.  

“We note WDMLO did try and remedy the situation, but we were not satisfied that the steps taken were enough to address this problem. They have been found in breach of the Privacy Act.”

The Privacy Commissioner made the decision to provide public comment on the details of this case, because it provides a cautionary example in an increasingly data-driven world.

The decision was made in the context of our Compliance and Regulatory Action Framework and Naming Policy.  

“This is a valuable lesson for everyone who uses data,” says Liz. 

For more information, please read the case note. 

Privacy Commissioner’s response to review of the Intelligence and Security Act 2017.

Source: Privacy Commissioner

Latitude Financial customers affected by the recent cyber breach should contact Latitude Financial and ID Care for support first. If you complain to Latitude and you haven’t heard back from them within 30 working days we encourage you to make a complaint to us.

While we will not be able to assign an investigator immediately, having a sense of the number of complaints and the issues you are facing will allow us to plan to meet your needs and will be a useful source of information for any potential compliance action.

Please provide us with a copy of your correspondence with Latitude for us to assess, including what information of yours was caught up in the breach. It would also be useful if you could let us know what harm you have suffered as a result of the breach.

For more information on this situation, please visit our Information for Latitude Financial customers page.

Privacy Commissioner frustrated by firearms privacy breach

Source: Privacy Commissioner

The Privacy Commissioner is frustrated by the New Zealand Police’s recent serious privacy breach. The breach involved the inadvertent disclosure of 147 firearm owners’ email addresses by Te Tari Pūreke, the police’s new firearms safety authority, on Wednesday, 26 July, 2023.

“This is frustrating, given the significant known risk of email address errors and the opportunity the new authority had to design in system guardrails,” says Privacy Commissioner Michael Webster.

This is the fourth breach of firearm owners’ personal information by the police in under four years.

“We found out about this privacy breach via the media. We had to ask the police to notify us,” said the Commissioner.

The Office of the Privacy Commissioner was formally notified by the police at 10.28pm on July 27 of the serious breach.

Working with Industry 2: Are you ready for the GDPR?

Source: Privacy Commissioner – Press Release/Statement:

This guest post was contributed by Nicola Hermansson, APAC Data Protection & Privacy Leader at EY. It is the second in our Working with Industry series of guest posts. Posts in the Working with Industry series do not necessarily reflect the views of our office and are published to inform and stimulate debate on topical privacy issues and developments.

Advice for doctors when there’s a complaint

Source: Privacy Commissioner – Press Release/Statement:

If you work in a small practice or medical centre, there’s every chance you may not have received many requests for personal information from patients. The starting point is to know that the Privacy Act gives people the right to make a request for information that is about them.

Under the Privacy Act, your practice is legally obligated to respond to that request within 20 working days and to provide the information requested, although the law does allow reasons for withholding the information.

Giving access to information can take several forms. It can mean giving a copy of a document; giving a reasonable opportunity to look at a document, or listen to or view a recording; giving a summary of the information; providing a transcript; or giving the information orally – depending on the requester’s preference.

Pointers for responding to a complaint

But here’s the thing. Failing to respond to a request for personal information can result in a complaint from the requester to the Privacy Commissioner. We hope this never happens to you but in case it does, here are some pointers on how best to engage with us.

  1. The first thing to do is talk to us and to tell us what you know about the complaint and the information that’s requested. Our aim is to try and resolve the matter to the satisfaction of both parties – the complainant and the respondent (your practice). Be nice to us because we’re only doing our jobs. We are not advocates for the complainant.
  2. The second thing to observe is timeliness. Respond as promptly as you can to our requests for information. No one wins in a protracted complaints dispute. If a complaint drags on, it can become stressful, tiring and expensive for your practice and the complainant. There are many benefits in resolving a complaint to prevent it becoming a case before the Human Rights Review Tribunal. This can be an even longer and more costly process and, in the end, the Tribunal could well decide in favour of the complainant and against your practice.
  3. The third point is to remember that our goal is to resolve, not to punish. We’re here to mediate and we do this in a number of ways. One of the techniques we use is to call conferences between both parties, but we’d rather keep things less formal and resolve them quickly, without a situation escalating.

Tell us in confidence

  1. In order for us to review your decision to withhold information from a requester, we will almost always need to see the information.
  2. When you send us the information, what we are doing is reviewing it to see if we agree with your reasons for not handing it over to the requester.
  3. We are not allowed to disclose the information that is being reviewed and we do not disclose the information.

However, when you give us information to review, it will help us if you can tell us clearly what information is being withheld and the reasons why your practice wants to withhold it.

One example is whether to disclose information about a child to a non-custodial parent. While section 22 of the Health Act permits parents and guardians to request their child’s health information, a health agency, such as a GP, can withhold health information where:

  • the child does not want the information to be disclosed;
  • it would not be in the child’s best interests to disclose the information; or
  • one of the other withholding grounds in the Privacy Act applies.

Looking ahead

We have many resources to help medical practices comply with the Privacy Act. Our website has tools such as AskUs – our online privacy FAQs, the Priv-o-matic privacy statement generator, as well as our free online privacy training modules. We have a range of health brochures (in English and Te Reo). All of these are designed to be used to help make privacy easy.

A starting point is to familiarise yourself with our Quick Tour of the Privacy Principles. It may also be a good idea to display it in the administrative area of your practice to help colleagues and employees understand the obligations and responsibilities that come with holding personal information. This way, when you have an encounter with a privacy issue, you’ll know where to start. And if you need to know more, ask us.

Originally published in NZ Doctor (31 January 2018)

Image credit: Blue and silver stethoscope via Pexels

Do you really need that information?

Source: Privacy Commissioner – Press Release/Statement:

Knowledge is power – a cliché, sure, but for a reason. As an agency, the more you know about your clients, the more effective your service can be. It makes sense to gather as much information as possible about the people you interact with. So why wouldn’t you?

Well, the Privacy Act restricts what personal information you can collect and how you can collect it. The Act also obliges you to keep information safe from misuse or unnecessary disclosure, and make sure it’s accurate.

A quick tour of the privacy principles

Personal information is both a valuable asset and a risk, so it’s worth thinking about whether you really need the information you want to collect.

Reasons for collecting personal information

Do I have a legal reason for collecting personal information? Is that reason connected to my agency’s work? You should ask yourself these questions before collecting personal information.

It might be obvious why you need the information at first, but you may find you only need some of it, or you don’t need it at all.

Deciding what to collect

You should only collect the smallest amount of personal information you need to complete a task. Let’s take landlords collecting information from potential tenants as an example. There’s some information you need, such as:

  • basic personal details
  • credit check information
  • details to check references.

But some collection is harder to justify. People have complained to us about landlords asking for:

  • their weekly income information
  • how much they currently pay in rent
  • the value of their belongings
  • their marital status
  • the make, model, and registration number of their vehicles.

It’s not clear how this information would help you decide if someone would be a suitable tenant, and collecting it seems excessive.

Storing information safely

Principle five of the Act requires you to take reasonable steps to secure the personal information you hold from loss, misuse, and disclosure.

What counts as reasonable depends in part on how much information you hold and how sensitive it is. Holding excessive personal information makes data breaches and accidental disclosures more likely and more serious.

Storage and security of personal information (principle five)

Letting people access their information

Principle six entitles people to access the information you hold about them. If you have lots of information, you’re going to get more requests and you’ll need more sophisticated record keeping so you can answer them.

Access to personal information (principle six)

Responding to requests from law enforcement

Sometimes Police or other government agencies ask for information about someone to help them maintain the law. Principle 11 lets you disclose personal information to these agencies if you decide it’s necessary to maintain the law.

Maintenance of the law

This can be a difficult decision, but collecting less information will make it simpler.

Tools to help you

Our website has a lot of information to help you with collecting information and other obligations you have under the Act.

Get started with our Privacy Impact Assessment Toolkit

Your obligations under the Privacy Act

Image credit: Morepork by Duncan Watson via New Zealand Birds Online
