The Nexus between Technology and Privacy
Friday 28th November 2014
Recently I had the opportunity to meet with Daimhin Warner, Team Leader, Investigations and Dispute Resolution, from the Office of the Privacy Commissioner (“OPC”) to discuss New Zealand’s privacy laws in the context of technology and the much anticipated Privacy Bill expected to be released in mid-2015.
The Privacy Act 1993 (“the Act”) is a principles-based piece of legislation which is deliberately technology-neutral. This allows the Act to be flexible and, it is hoped, to keep pace with the rapid advances which occur in the ever-changing technology landscape.
Technology which assists businesses and ensures that consumers have what they want when they want it with little effort required on their part is expected. With the advantages that technology brings both business and consumers inevitably comes increased risks and vulnerabilities to misuse and harm.
In the context of employment, technology opens up employers to certain vulnerabilities. Social media; employee-owned devices such as iPads, laptops; private clouds; biometrics; GPS tracking bring with them the potential for user error, blurred boundaries and increased scale of harm. For example, social media is used by employees in both a work capacity and a private capacity, often the boundaries between the two become blurred. Employees need to expressly know what they can and cannot comment on in a social media context.
Businesses need to adopt a privacy culture which sits at a senior executive level to ensure privacy obligations are clear and adequate training is provided to render breaches of privacy through user error and data breaches less likely.
Cloud computing, that is, storage of personal information with a third party provided inside or outside New Zealand, is prolific as it has obvious advantages for businesses. From a privacy perspective, there is an inherent risk in this approach to data storage which needs to be carefully managed by businesses utilising the services of a third party cloud provider. The OPC has put together a useful cloud computing checklist for small businesses considering shifting to a cloud to ensure they meet their legal obligations in protecting the personal information which will be stored by their cloud provider. Responsibility for the protection of the information stored ultimately resides with the business/employer.
Privacy by Design is a Canadian concept that has 7 foundational principles. Essentially, the concept involves taking privacy into consideration throughout the systems engineering process. For example, the number of apps being developed by businesses has greatly increased in recent times due to consumer demand. A key part in developing an app for use in a business is the role privacy plays in respect of the personal information users are required to provide in order to use the app. Transparency over how that information is stored and used is key so that consumers can decide for themselves whether to opt in or opt out.
The Global Privacy Enforcement Network Privacy Sweep takes place each year with a different focus. The focus this year was privacy in the context of mobile apps. The New Zealand OPC participated in the sweep along with 25 other privacy agencies worldwide. Of the 1200 mobile apps examined during the sweep, nearly a third of these raised concern over the nature of the permissions sought and requested information that was not required for the app to function.
The OPC publishes a resource entitled “Need to Know or Nice to Have” which provides business and app developers with guidance on meeting their privacy obligations under the Act when collecting personal information by way of a mobile app.
Enforcement of legal obligations under the Act currently sits within an alternative dispute resolution model. Significant changes are afoot most notably: the implementation of mandatory breach notification; compliance notices; cloud computing and changes to the personal affairs exemption. The OPC will publish guidelines on the major privacy reforms once details of the changes are released so that companies can build processes and policies around the new law before it comes into effect.
The Act will retain its flexibility despite the reform so that businesses can continue to operate without stringent obligations to privacy that significantly hinder their day-to-day work.