In this recording A+C’s Privacy Officer alongside experts from The Office of the Privacy Commissioner, Michael Webster, New Zealand’s Privacy Commissioner, and Eve Kennedy, Manager – Capability and Guidance, delve into the world of privacy.
With threats like surveillance, data breaches, and invasive monitoring on the rise, it’s crucial for everyone in the organisation to understand their role in keeping data safe and sound. Whether it’s names, emails, or more sensitive stuff, knowing how to shield this information is key—because when it comes to privacy, we’re all in this together.
Our privacy expert Stuart Beresford talks with Michael Webster and Eve Kennedy about:
If you deal with data like names, emails, or more sensitive stuff (yes, that means just about all of us!), this webinar is your perfect match.
Tēnā koutou katoa. Welcome to this Allen and Clarke webinar, Protecting People's Privacy, Tackling Common Privacy Myths and Challenges. My name is Jason Carpenter and it's my pleasure to welcome you to our kōrero.
It's great to see such a strong turnout. For 40% of you, this is your first Allen and Clarke webinar, so welcome. You may not be familiar with Allen and Clarke.
We're an Australasian-based consultancy dedicated to making a positive impact on communities throughout Aotearoa, Australia and the Pacific. As an organisation, we give a damn about empowering you to overcome society's challenges, which is why we regularly run these free webinars, create desk guides and provide expert advice whenever we can. Our areas of speciality include strategy, change management, submissions analysis, research evaluation, policy, to name a few.
And we of course have expertise in privacy, but not nearly as much as today's special guests, Michael Webster and Eve Kennedy from the Office of the Privacy Commissioner. Kia ora to you both. Michael, did you want to introduce yourself to everyone? Kia ora, thanks Jason.
I am the Privacy Commissioner for New Zealand and I've been in the role for just under two years now, Jason. Perfect. Eve.
Kia ora, Jason. Thanks for having me. My name is Eve Kennedy.
I'm the Manager of the Capability and Guidance Team at the Office of the Privacy Commissioner, where I've worked for the last five years. Interesting. Hi Jason.
I am the Privacy Officer here at Allen & Clarke. I've also previously been a Team Manager at the Ministry of Justice that had responsibility for privacy policy. Since being at Allen & Clarke, we have prepared some desk guides around the Privacy Act, as well as work with clients around producing privacy policies.
Perfect. Welcome to all three of you. Today we have people of all experience levels joining us out there in the audience.
So from those starting out in their careers through to privacy officers, and we've even got some Chief Executives in there. So Michael, as the Commissioner, the best place to tell us about it, could you just make sure we're all on the same page about the Privacy Act and how it's different, I think, from the previous iterations? Sure. Thanks Jason.
There are a number of significant regulatory changes between the two Acts. One of the things I would highlight though is in the Purpose Clause, it talks about the promotion and protection of privacy. And in many ways, it's saying that privacy has to leave the wings of the stage and move to centre stage for organisations.
We want it to be a core focus for agencies as much as, say, health and safety is these days. And the Act certainly has that message underpinning all the new provisions in it. Just to highlight a few of those, one of the most important is notifiable privacy breaches.
You do have to now, if you suffer a privacy breach and consider that it could be one that could result in serious harm to people, you do have to notify my office now. We have, I guess, a rule of thumb of within 72 hours, don't we, basically, to do that. We can also, in response to a privacy fail, a privacy breach or failure to follow good privacy practice, issue what's known as a compliance notice under the Act.
And that allows us to instruct agencies to do certain things or to stop doing certain things to reach a more privacy-compliant place in relation to that activity. We can issue binding decisions on access requests under the new Act. And we can ensure protections apply when personal information is sent overseas.
And there's also a range of new criminal provisions. One thing I would add is that, it's a bit of a but wait, there's more, Jason. There is a Privacy Amendment Bill that's before the House right now.
And I can talk more about it later, but there are currently 13 privacy principles in the Privacy Act. And there is another one proposed in relation to indirect collection of information. So people out there should really have a look at that.
If they're not aware of it, have a look at the Parliament website and see what the implications of that legislative change could be for their organisations, and if necessary, think about submitting on it. Hey, Jason, before you move on, I've actually got a question, Michael. Because there's now a requirement to notify when there's been a serious privacy breach, have you seen an upsurge in notifications? And are there any general trends with notifications that are coming through? And Eve, you might have something to say on this too.
From what we've seen, and we've just been looking at the data for our annual reporting purposes, there's been a significant increase in the number of breaches being reported in general, and a very significant, probably 30% plus increase in the number of serious breaches that are being reported to us now. The other thing I'd say is that we're seeing, I guess, a bit of a realisation that agencies that might previously have reported breaches as being something from human error are recognising that actually their systems have a role to play in resolving that human error. So if a human is making a decision that results in a privacy breach because they're trying to bypass a system, that's probably actually a system issue, not a human error issue, if the system's not set up correctly.
And in terms of compliance notices, I would assume there's only been a few. Are you, can you say that? And some are public and some don't have to be. There have only been a few.
That said, we have a range of regulated responses that we can bring into play in response to a breach. We can suggest to someone that if they don't fix things up, we might issue them a compliance notice, if you see what I mean. So there's a number of steps from educate, to encourage, to warn, to actually implement quite a directive approach.
I was just, fundamental to all that with everything you're saying, like privacy data, what is it? Could you tell me a little bit more about what it actually is under the law? Yeah, sure, I can take that one. So the Privacy Act is all concerned with personal information. So that's the language that the Act uses.
And it's a very, very broad definition. So at its heart, really, personal information is any information which tells us something about a specific individual. So back prior to joining OPC, when I was a junior privacy officer working in an organisation, I would look at, say, a data Excel spreadsheet or whatever it was.
And if I could, say, look at it and go, I can tell that this data relates to a person, even if I myself don't know who that person is, then it's personal information that's covered by the Act. So it includes health information, obviously, financial information, purchase records, contact details, address information, unique identifiers is another one. So your National Health Index number, your national student number if you're a student, your IRD number, all personal information.
So very broad. And are New Zealand's privacy laws only applicable to government departments or do they cover businesses or even go further than that and cover like sports clubs? Yeah, that's a great question. So a really broad sector that it applies to, incredibly broad.
So all agencies is the language that the Privacy Act uses. But really what we're talking about there is any kind of organisation. So public sector, private sector, not-for-profit sector, technically it even applies to an unincorporated body.
So I could set up a company selling chutneys and even before I've gone so far as to actually register with the company's register, the information that I hold about my customers is personal information that I would hold and be liable for under the Privacy Act. So really, really broad. That's great.
And you mentioned one of the privacy principles before, but would you care to expand on those a little bit for the people out there? Sure. Under the current Privacy Act, as I said, there are 13 privacy principles. And what they do is set out a framework for the rights we have as individuals in relation to the management of our personal information and the obligations on agencies in response to that.
Within those principles, there is a degree of flexibility. For example, some of the obligations are amended in the interests of, say, law enforcement or for health and public safety reasons. But nonetheless, they set out the expectations that you and I might have.
And so they enshrine in legislation things like, you should know that information about you is being collected, that information could be shared and could be used appropriately. And the expectations on agencies for how they go about that are set out in those principles as well. That information is kept safe and secure.
We are having a real issue, particularly in the Australasian region over recent years, but worldwide with cyber attacks on personal information databases, because that is information that can be quite easily monetised on the dark web, and it's quite profitable, ransomware attacks, those sorts of things. And actually, one of those information privacy principles makes it clear that you have to keep that personal information secure. That is the obligation on you.
And then there's rules in those principles about how you can access your own personal information, how you can have it corrected if it's wrong. And yes, sometimes it is incorrectly entered. You can understand that with the nature of the work that businesses do.
And so it's that complete life cycle of information, Jason, from the moment it's collected, to how it's kept, to whether it's deleted when it's no longer needed, to how it can be accessed, to how it's kept secure. We've actually just had a question come through from Chris Surrett. Do those principles apply to private information such as photos, videos, and audio recordings? So I think, Eve, as you were saying, anything about you is personal information, so yes.
Yeah, it doesn't matter what format it is. It can include any sort of photo, recording, anything that pertains to a person. I mean, if you think about it, say, in terms of, and this is obviously a hot topic, biometrics, facial recognition technology, what is being kept of you there is a digital image, not image, but digital format of who you are.
But it's still who you are, you see what I mean? So yeah, the boundaries of what is personal information are growing as technology grows. Interesting. And Stu, as someone that implements the Privacy Act, anything from what Michael said around the principles that stuck out to you? I think that the principles around the collection and storage and disposal of information is really key.
I know that when I'm talking to my colleagues, while they get around the collection and the storage, the one that they really struggle with is that disposal principle and what it means and what it actually means in practice in terms of how long you can keep that information. And also, when you apply on top of that, the legal requirements under the health and financial information, and therefore it creates, I know talking to our data officer, a big headache for him in terms of sending up pop-up reminders that information needs to be disposed of. Absolutely.
And I think you make a really good point there, Stu, in relation to the fact that actually there's a web of legislative obligations on agencies in terms of how long they keep information for and when they can dispose of it. What I would say is that what we've seen with a number of those really significant cyber attacks in both Australia and here is that people have had personal information exfiltrated, taken, they've had to go off and get new driver's licences. And the last time they were a customer of that company was 15, 20 years ago.
And they're saying to the regulators, why did they still have my information? Yeah, that's great. And the principles provide a bit more of an accessible way than reading through 300 clauses in an Act. So yeah, definitely a good thing.
So thanks for that summary. And so now we're all on the same page about what we're talking about today. Some great insight there in terms of what's changed and sort of some of the focusses of your organisation now with your new powers, et cetera.
We're now keen to hear from the audience. So everyone out there, you should have a poll pop up on your screen. So we're keen for you to read through that and click on which of those you can click on more than one apply to you most.
So what are the privacy challenges in your organisation? So lack of resources, insufficient training and awareness, complex regulatory requirements, resistance to change within the organisation and keeping up with technology. So click as many of those as you can. I'm really keen to hear from you around what sort of challenges you're facing.
Any early indicators of what you think will be the most popular? I can take a stab. My bet is probably lack of resources would be the top one and maybe also insufficient training and awareness because I think those two go fairly hand in hand. We're getting a strong response for insufficient training and awareness coming through and keeping up with technology currently in second place.
Interesting lack of resources, complex regulatory requirements and resistance to change all down around the same, about 20%. It's interesting for me and I speak to a number of privacy audiences particularly in Auckland, peak industry bodies and their resistance to change. It's not quite that, it's the what's in it for me.
How can I sell the importance of privacy to the next level up? I'm the privacy officer, how can I convince the senior leadership team of this organisation and how can they and I then convince the board who've got a million other things to worry about how can I convince them to take privacy and protection of personal information seriously? And then that insufficient training awareness, a lot of it's symptoms of that lack of resources, that lack of emphasis and so all starts at the top really. So exactly, it comes back to the point Michael's just made. I think that actually if you don't have that governance buy-in or that board buy-in about why privacy is important and why you need to resource your privacy function it's really hard to do anything else.
And so that's certainly something that we're focussing on. About expectation setting, about guidance that can actually help people to do the job in a low transaction cost, low resource cost way but also trying to explain the benefits of a privacy protective organisation to those who have governance and senior leadership roles. I've lost my access to the questions unfortunately but so we'll try and get that back online.
But if we just carry on back to demystifying the Privacy Act, knowing what people have just said but how can the audience today protect digital information in their organisation? Yeah that's a great question and something that we're ever increasingly being asked about actually Jason. So I guess the main takeaway for me is that security of information and IT infrastructure is a really critical component of a robust privacy programme and ever increasingly important I would say. So as Michael's already alluded to cyber attacks are on the rise and when they happen they generally affect a really large number of individuals which can make a breach response a really massive thing.
So being able to respond appropriately to them and plan for those responses is a really big thing for organisations to be thinking about. So under principle five organisations have to take reasonable steps to make sure the information that they hold is kept safe and secure and we think one of the most effective ways to do that is to have a well thought out security plan for all the personal information that you hold. And yesterday our office released draft guidance which is called Poupou Matatapu, Doing Privacy Well, and it's nine pillars or poupou of what makes a good privacy programme and one of the poupou is about security and internal access control so we've got lots of guidance on there which you can find at privacy.org.nz. That's great.
We're going to have a look at that after this. And we've had a question about this from Alika who's asked how do we ensure we're protecting people's data and also gain the benefits of using AI tools? Yeah I think this comes back to the point Michael's made earlier about privacy as an enabler so that's you know the kind of value of privacy to the business and I think that's a really critical foundation for being able to use any digital tool. So that's something like making sure that you actually are considering privacy before you roll out a new AI tool or any sort of new digital infrastructure.
So we recommend doing a privacy impact assessment and we've got a toolkit again how to do that on our website and last year in September we also released some really robust guidance about how the information privacy principles apply to AI as it exists currently not to continue tooting our website as the source of great guidance but you can see it there so I'd recommend people have a look at that. That's great and have you had any reporting around AI tools, AI breaches anything like that coming through? I don't think we have yet and I say yet from New Zealanders but I have been in contact with my overseas counterparts the regulators in other countries like Canada, the UK and Australia and they are seeing at the beginning of people complaining to their officers to say that their personal information has been swept up in say a large language model in an AI tool and is being used as part of the process and capability there without their express consent or agreement. The other thing I'd just jump in there and add is that my team we deal often with the organisations asking for help and for the organisation side we get a lot of requests for more guidance on AI or lots of requests for how to think about it in applying the organisation so it is really heartening to see the organisations are actually actively thinking about that as they implement it.
So go and have a look on the website for more information about the tools available. We're going to jump across to the second part of our talk today which is around myth busting. I'm sure you're very aware that there's many persistent myths around privacy and the Privacy Act so today we just wanted to give a bit of an opportunity for A, people in the audience to share some of the myths that they have that they've heard that they struggle with when they're trying to report up around privacy breaches etc and get a bit more emphasis within the organisation but also give you guys a chance to debunk some of the common ones that come through.
We have asked for people to send a few through so one that did come through already is that privacy makes it harder to get stuff done. Well if I could leap in on that one Jason and I'll answer that from the perspective of both the private and the public sectors because there are different things at play there and I would say first off that and I'm sure many of those taking part in the webinar will know the Privacy Act includes within it a number of tools, a number of processes to enable the sharing of information within government agencies. There have always been frameworks and legislation that's allowed that, that is carried on and there's a system of things called AISAs, information sharing agreements that can be implemented through Order in Council in consultation with my office, with me to allow the matching and sharing of information between government agencies so it doesn't stop that from happening and that's really important for people to know that in the interests of good governance and good public policy privacy is not a barrier, it is an enabler, the Privacy Act does have that flexibility within it.
I guess what I'd say for those who are working in private sector agencies is that there's an increasingly survey and research information emerging around the world and in New Zealand about the, I guess, the dollar value benefits from privacy. There are obviously costs in responding to privacy breaches. It's no secret, for example, that Latitude Financial, which was New Zealand's largest data breach, a million New Zealanders affected, 14 million overall, including in Australia and New Zealand.
I think the company made provision in their accounts for $73 million to respond to that and the year before the breach they were in a healthy profit, the year after the breach they're in a lost situation. So that's just an example of the costs of not doing privacy in a way that might result in a breach happening, for example. So that can show, I guess, the benefits, the dollar value benefits of that.
There's also, I guess, value in being known as a company that is privacy protective, that protects personal information. That has, surveys have shown, sends a message to customers that this is the organisation I want to go with. We've seen surveys that say that 70% of people would consider, for example, changing providers if they thought the one they were with wasn't taking privacy seriously or had suffered a privacy breach through poor practice or egregious, poor behaviour.
And so privacy is actually not making it hard for people to get stuff done, it's making it easy for people to actually achieve their aims and objectives if they do it well, do it right. That's great, and I'm sure an organisation that has their privacy prioritised and upfront is probably in other things well as well. So it's an organisation you'd like to do business with.
Speaking about not stopping you, one of the things that's come through is that privacy stops businesses from using cloud services. Something increasingly common in today's world, government and private alike. Anyone want to cover that one? Well, that is increasingly a thing, and people do ask us about this.
And obviously, both public and private sector agencies are using third party cloud providers. And it's important, I think, Jason, for people to realise that they are not, when they're contracting with those providers, they're not contracting out of their obligations under New Zealand law in terms of privacy and the protection of that personal information. Third party providers are a useful service provision.
But the important thing, from my perspective, is that when you're contracting with them, you make it very clear that you expect them to have the highest standards of data security, of data care, and that if there was ever any suggestion that they were going to use that data themselves for their own purposes rather than just using it, holding it for your purposes, that that brings into play other requirements under the privacy thing. Yeah, we've had a really good myth or fact come through here from Stephen. Myth or fact, you shouldn't expect privacy when you're in a public space.
I can take that one if you like. Thanks, Stephen. So that one, I guess, is slightly outside the realm of what the Privacy Act itself is concerned with.
So the Privacy Act itself is concerned about the protection of personal information that's held by an organisation. So in terms of the implications of that in a public space, I guess if you're, say, in a public space and, I don't know, a marketing organisation is walking down the street, taking photos of you, they're still collecting personal information. And it's telling you that Eve Kennedy's walking down Lambton Quay at lunchtime, getting a banh mi for lunch.
Can you tell where I'm going after this? So they do still need to think about the implications of the fact that they are collecting personal information. But if it's Eve Kennedy as a person, individual, acting in my domestic capacity, taking photos of people walking around Lambton Quay, probably not going to come under the realm of the Privacy Act. There are obviously other legal obligations that you need to think about in terms of the tort of invasion of privacy, but I'm not going to go into those today.
Another webinar. Exactly. That probably segues through to another myth that's come through here, which is you must always get a person's consent before dealing with their personal information.
Right. I'm sure everybody on this webinar and all of us here have endlessly clicked the box, the privacy box, when you've gone on a website saying that, do you want to use the service? If so, you need to agree to all this. This is what our information we used for.
Some people, Eve, read those sorts of things. Some people probably don't, actually, because some of them are written like 20,000 pages in legalese language. The terms and conditions.
Terms and conditions. Now, of course, it's important that people are aware that their information is being collected and used for a particular purpose. But once they've agreed to that, it can continue to be used for that without having to be checked in with again and again and again.
If you decide you want to use it for a different purpose, though, then there should be a process of reaffirming that the person is consenting to that. That's great. We had an interesting one come through here from the local government space, asking whether local government can disclose details to someone if something they are doing affects a neighbour, e.g. problems with fences or trees.
I can have a crack at that and feel free to interrupt me, Stu, if you want. So I guess it comes back to exactly what the information is that's at issue. So what information is it that they're wanting to disclose? And as Michael's just said, what the purpose for collecting that information was.
So if you were collecting information about fencing and trees and then your privacy statement or however you're interacting with the individuals, you're telling them, hey, look, if you make an application for putting a new fence up, we're going to tell your neighbour because they've got an interest in it, then you can do that. It's one of the purposes for which you've collected that information from the individual. If you don't have that, then you need to step through what other processes and things you might need to do to look at disclosing that information.
I will note, of course, that other legislation that applies that includes specific provisions for sharing information will override the Privacy Act. So, you know, Local Government Ratings Act is one example of those. But one key point to take away from what you just said is the exact same principles.
You need to plan in advance why you collect the information, how you're going to use it, how you're going to manage it, when can it be given out and have that really clear framework in place up front. Exactly. If it's an anticipated disclosure, you can set that up from the get go and you don't need to worry about going back and collecting authorisation or any other legal basis.
But you also need to be very mindful and that was something that you raised earlier that when you're disclosing personal information, it's not just that, you know, if you don't disclose their name, you know, you can disclose. So if it is, for instance, you know, you're a local council and you, you know, you go to a home or someone, a small business and then you say, look, you know, we've had a complaint and, you know, by, you know, people with small children, then that may be sufficient for the business owner to identify who made the complaints and therefore, you know, the same with a noise, a noise notice. And so you do need to be careful in the type of, you know, that personal information just does, it's not limited to just the name.
It's that wider, you know, any information that may identify a person. Sorry, I was going to say, that's like just pre-plan, make sure it's all the thing. And we have had a lot of myths and we are running out of time.
We do want to get to some audience questions. So sorry to cut you off. We could have gone for a lot longer.
It's the problem with having super experts on the, you know, that know almost too much. So if we jump through, so one of the, there is a button on your screen that you can click to have someone from Allen and Clarke get in touch if you do want to discuss a specific to your organisation privacy thing rather than having to do live legal advice on screen. So we are more than happy to have a separate chat around that and to make sure in the interest of getting to some of the questions, just want to very quickly just pop across this one.
We have developed as part of the freebie a seven stage blueprint to protecting people's privacy. It'll come through in our tips with the resources from this webinar. To make sure we've got some time just to run through very quickly as there's seven in connection sections around employee training and awareness, data minimisation that we've talked about a little bit already, data inventory and classification, policy development and compliance, data security measures, third party management, something again that we've talked about that's coming up a lot in our discussions and privacy breach response.
And was there anything that anyone wanted to touch on specifically from those seven before we move on? Well, I think they all sound like, you know, really critical. You can see quite a lot of alignment there with some of the guidance that I talked about earlier in terms of our nine pillars. There's some real similarities there.
I personally can't wait to see what you've got for third party management. I'll be having a look at that. And the other one just to remember is that you should always have an appointed privacy officer.
That privacy officer like myself, while I have quite an intimate knowledge of the Privacy Act, having come from that space. Look, the privacy officer does not need to be formally trained, but there's a lot of great resources. Your website, I know.
Thank you, Stu. I'll plug for your website, but it does have quite a lot of really good information in there that I would guide guidance, little short video clips for people to watch and to click through when they've got a spare five, 10 minutes. And it will definitely help increase the understanding of your privacy officers.
If I could just put a plug in as part of all that, the issue of what I call employee browsing. Now, that is often treated as an HR issue. Someone looking at a database that they shouldn't be looking at or accessing people's personal information.
It's a Privacy Act fail as well. I just want to make that very clear that actually if you don't have the right to access a particular database and look up your ex-boyfriend's details or whatever it might be or your neighbour's details, you shouldn't be. And if you do, that is a breach.
That's interesting. That's something that applies to most organisations. Yeah, I think that you're right.
And it's just that, and you mentioned before about that the agencies need to acknowledge that that is a privacy breach. It's not. It is also an employment issue, but it needs to be treated as a privacy breach as well, which means notifying you.
So, you know, I remember an infamous case where somebody looked up Jonah Lomu's address, you know, on the electoral roll, and it was classified. And that is a really clear, you know, breach of privacy as well as that they've overstepped the mark with their employment conditions. And good audit systems will be able to assist you to manage that, I think.
And again, your point about expectations up front, if you tell everybody that there are good audit systems in place, hopefully people won't feel tempted to do something they shouldn't. Yeah, that's great. We've made it through to the Q&A section and I can see that there's quite a few coming through.
So keen to get through as many of those as we can. If you do have a question for the panel, please put it in the chat now and we'll try to get to as many as we can. We've had one come through from Manila who asks, who owns your personal identification details when you give it to another party for legitimate use in New Zealand? I can take that one.
So I would say the idea of ownership is probably a bit of a red herring for the purposes of the Privacy Act. So the Privacy Act is all about control of personal information and how it's kept secure, but it's not actually about the idea of legal ownership. So if you give your personal information to an organisation that is subject to the Privacy Act, they have to use it in a way that matches what they told you when they collected it.
So if they don't do that, they need to rely on some other lawful basis. And Michael's talked about some of the exceptions in terms of law enforcement. There's also exceptions for research purposes.
So they need to step through how they're going to share it or they could be breaching the Act. That's great. And I just had a question come through from Melissa, who asks, can you explain the interactions between the OIA and the PA, so the Official Information Act and the Privacy Act? Oof, quick, quick fire.
I'll try and do this very quickly by creating an example. Maybe that's the best way to do that, Jason. So my name is Michael and I used to be a senior manager in a local government agency and I left in rather fractured circumstances, right? If I want to see all the information that that local government agency holds on me, I would make a request under the Privacy Act because I have a right to see all the personal information they hold.
If the local reporter wants to do a story on what did happen at X council, they would make a request under the Official Information Act for the papers and material relating to that, which would include all my material as well. Now, there would obviously then come into play the provisions in both sets of legislation about people's ability to access and get copies of what is my personal information. So that, in a sense, I think demonstrates the difference between the two.
One is me asking for my stuff and one is somebody else asking for another person's material. That's great. We've had a question here come through from Nick, who's asked, speaking to your website and its fabulous resources.
Is there any work being done by OPC to develop principles around collective privacy, e.g. to make it easier for iwi organisations to access data held by other government agencies about their registered members? Great question. Do you want to take that, Michael? What I would say is that, again, increasingly we see this in other countries as well. People are looking at indigenous, in our case, te ao Māori perspectives on privacy and the nature of personal information is exactly one of those.
Jason, we also see this come up in the context of biometrics, facial recognition technology, tā moko, that sort of thing as well. So we're doing some work on that. We're at very much early stages on that.
There has been a bit of academic writing done on that, I think, Stuart, that you might have seen. But it is something that I have a, I guess, even statutory obligation to consider. I have an obligation in the Act to consider different cultural perspectives and take that into account on privacy matters as well.
So we're, I guess, probably at the beginning of a process of digging in further into those, I guess, issues for us and particularly the te ao Māori issues. Yeah. So, I mean, an example would be that where an iwi wants to take proactive steps around, for instance, housing of their community and the whānau that are part of the iwi.
And so, yes, that's where there is that clash between perhaps, as you say, the indigenous perspectives and the privacy protections. For those who are interested in this, Eve, there was a very good case, a court case about this, that came out during the pandemic because people's health records, of course, are deeply sensitive personal information. And in Auckland, one of the local Māori health providers wanted that data so they could ensure that their community had made available to them in a personal way the ability to get vaccinated.
And so there was a tension between a model that said, no, you can't have people's personal information, and them saying it's in the collective good, collective interest for us to actually get this personal information. And that matter went to court. I think the parties were the Ministry of Health and the Māori Trust at the time.
And in the end, I guess, because the act also includes that flexibility for the interests of health and public safety, a way through was found where people's personal information was protected during that process, but it was enabled that actually the information could flow across to enable greater vaccination rates to occur. We've had another great question come in. Keep them coming.
These are great questions. But Chris says, I'm finding it hard to get management to take privacy seriously. Do you have any tips? Yes, Chris.
My first tip would be to put a plug in again for the website. We're shameless at doing this, Jason. I'm sorry.
Privacy.org.nz Our latest biennial survey is on there. And there is some really important data for everybody who's a privacy officer to look at and think about maybe doing a short note to their senior executives about what it's saying. It's saying that increasingly New Zealanders are concerned about the management of their personal information.
Increasingly, they'll make purchase and other decisions on the basis of the reputation of organisations for being good managers of personal information or not. And it's that sort of material that I think will really speak to busy executives. The financial and the reputational risks of the breach, but also the benefits of being proactive.
And then there's something for you to talk about your green credentials and look how wonderful we are at treating your privacy, et cetera, as well. We had a question come through around how long can you keep customer data, is this seven years? And in what circumstances can you keep customer data after this period? I can take a first stab and you can go for it. Again, have to give the disclaimer, not a lawyer.
This is not legal advice. I believe there are provisions in the Tax Admin Act for retention of certain financial records for seven years. And there's obviously also potentially other legislation or regulation at play, depending on the sector.
So the health sector has the particular Health (Retention of Health Information) Regulations 1996. And that's 10 years after your last interaction with someone you provided health services to. And then obviously you might also have AML obligations as well.
So there's lots of different legislation that's in play. I think you obviously, those particular specific regulations and legislation will override the Privacy Act to the extent that they're inconsistent. But going beyond what's required under law, we'd expect agencies to be really doing a thorough job of thinking about actually what they're going to use it for.
And is it necessary to keep, you know, all of the data that they hold? Or is it that only some records are subject to those ongoing retention obligations and they can get rid of a whole bunch of other stuff? So for example, we often see that agencies will keep photos or copies of identification, so driver's licences or passports to prove that they checked that someone was of legal age or whatever it was. But actually the legal obligation on them might have only been to cite the ID. They don't need to keep a record of the actual ID itself.
And so there's quite practical ways to think about how you can minimise the data that you hold so that it doesn't end up, you know, on the dark web if you get hacked, while also meeting your legal obligations. And we'd encourage organisations to think through those steps. So as part of our organisation, we do a lot of stakeholder engagement where we are collecting information that is passed on to us by the people we're interviewing and the people we're reaching out to.
That may include their personal information. Sometimes it will be health information and therefore we do run into the health legislation requirements. But sometimes it's not.
And in those situations where it's not financial or health information, or information we otherwise have a statutory obligation to retain, we will, at the end of the project, when we consider, and we've talked to the client, that we no longer need to retain it, dispose of that information. Alternatively, sometimes we will, but we won't forward that information to the client unless the person has actually given us permission to do so.
And that that was made very clear when we spoke to them that we would not be retaining or holding onto that information. That probably segues through to a question that's come through here from Kate, which is how might you track the use of personal information throughout your organisation? So you've collected something. How should you know what's been done with it? Is there any tips around that? Yeah, sure.
I can take that one as well. So I guess the tip we would say for agencies is that we recommend they have what we'd call like a data map or a data inventory, which is tracking the data that you hold within your organisation and also what it's used for. So I know that can sound like, oh my gosh, where do I even start with that? That seems like a mammoth task, but I think there are some ways that you can boil that down to make it a bit more achievable.
So a starting point, you could develop a high level view of your data holding. So not necessarily knowing every single field of data that you hold, but you could know, I hold customer data in this database. I hold employee data in this database and I have some, you know, a CRM or something over here as well and all of those talk to each other.
And knowing the kinds of data at a high level is a good way of thinking about that. And then obviously you'll need to talk to those in the business who are responsible or accountable for those specific, you know, databases or whatever kind of repository it is, and figure out what it's being used for and what it was originally collected for. And ideally those two things should match, or you'll have some other lawful basis for what you're using it for.
And I guess my final point is just when you are onboarding a new collection of personal information, new data, making sure that you're adding to your inventory as you do that so that you kind of develop like a living document of your data holdings. That's great. And it segues a little bit here to the question from Caroline, which says, what are the obligations on a government department, business or NGO to ensure the users understand how their privacy will be protected? And across most media, and for people with different communication preferences or accessibility needs, is me putting a thing on my website saying this is how we're going to do it...
Is that enough? Or how far do we need to go to make sure people are aware? I think, and we talked about this, there's a couple of themes, strong themes emerging from this morning. One of them is about transparency and expectation setting up front. And I think if you engage in that dialogue, these are the undertakings we make to you.
Do you understand those up front? And this is what we will do with your data. That's absolutely critical. I mean, once you've got that sorted, it's a bit like, Stuart, you were saying, you don't want people coming to you with an access request when you've actually deleted their data, for example, so that you've been clear that you deleted it.
It's just getting those understandings straight up front. And then there is also the obligation, though, when people do want to access their information, that you give them what they want within the requirements of the Act. If you don't give them everything and they know that you have got something and you go back to them a second time around and say, oops, sorry, that can then spiral into a rather bitter and acrimonious issue that my team ends up dealing with because there's a breakdown of trust.
And so it's that importance of maintaining trust and confidence between the person whose information it is and the organisation. I remember earlier in my career, we had a situation where someone requested whether we held any information about them. And so we created a file to say, this person has now requested information.
And then they said, do you have any information? It was like, we now have the file of you requesting information. And so we're going to hold it in line with our policy. And it created quite a big circuitous argument.
It was quite an interesting conundrum to be in. We didn't previously hold anything. Someone's come through and asked a question around if I met someone face to face and they gave me their details, is it acceptable to inform them, provide our policy and ask them to opt out rather than opt in? We have problems with getting responses back.
I guess a little bit, with the OIA, what's in your head can be sort of OIA-able, your reflections. Is this similar for you collecting information via face to face meetings, protected in the same way, anything else to be aware of? I can take a first stab at that if you want. So in terms of the face to face, yes, if you're there as an employee or an agent or a representative of the organisation that's collecting the information, then yes, absolutely.
A conversation that you have, a phone call, obviously that you call up a call centre, that's still personal information about you. Your call with that person is another example. So yes, it is personal information. In terms of the opt-out part,
The law, the Act itself doesn't actually specify a requirement, whether it's opt in or opt out. I guess we would encourage agencies to be thinking about the sensitivity of the data and how transparent they are being with those customers about the expectations of uses. So for data that's incredibly inherently sensitive, you might want to put a few more steps in place to make sure that those individuals do really understand what it is that they're agreeing to or what it is that the agency is going to do with that information.
Otherwise, even if they might have complied with the requirements of the Privacy Act, you run massive reputational risk of undermining the trust of the people as we've talked about. And around the vulnerable clients has come through here, to try and get to this very quickly, is vulnerable clients may not engage with support services my agency provides if they think their personal details will be identified through reporting to our government contracts. How will the amendments to the Privacy Act protect them or anything else? A quick final... One of the things I'd say is a kind of like a lead into that, is that, as I think I said before, the Privacy Act is quite pragmatic about some things.
And there are a number of provisions in relation to, say, people wishing to access the material which provide the organisation with the ability to exercise some care and judgement about how it provides and deals with customers or former customers in relation to their personal information, which might be in their best interests, for example, not to do that sort of thing. So there is that degree of flexibility and people need to be aware of those, I guess, provisions when they're dealing with these issues. In terms of issues around indirect collection, what the Minister has said, what the Ministry of Justice who are responsible for that legislation have said, is that there will, of necessity, need to be a number of exceptions built into that new information privacy principle.
And they will be asking people in sectors who have a particular perspective on that to submit, setting out what the concerns and issues might be from their sector's perspective and how they think they could be best addressed. And that's the new amendment bill that's currently before the House? That's right. And should it pass, we'll write guidance.
We're going to write guidance on it, yeah. There's just one thing just before we go, and I know that there's only a minute or so left, and that is, we've worked with a number of organisations to develop their privacy policies and to amend and update that. And I'd really encourage agencies to develop and make sure that they do have a privacy policy and to make sure that it reflects the current changes to the law when that amendment, if that amendment is passed, to check to make sure that it meets the necessary requirements.
And particularly with changing technologies, I mean, you talked before about using social media sharing platforms in terms of talking about work and making sure that your privacy policy covers those sorts of scenarios when you said before that the firm has a right to access emails and Teams chat and just making sure that that's set out in the privacy policy. And I do think, but I do have one really quick question on that is, should community groups, sports clubs, charities, have privacy policies? I would say they always should. So they should know what info they're collecting and what they're using it for.
And they should be clear about their members. I mean, we actually get a surprising number of queries in the sports space because those sports clubs are sometimes collecting quite sensitive health information about their players. And it's really important that they're up front with those players about what that information is.
That's great. And unfortunately, we have run out of time to answer any more questions, but we're happy to catch up with you at any time to answer more questions if you'd like to discuss the potential ideas or further support. There's a button on screen and one of us here at Allen and Clarke can get in touch.
As we said at the start, we regularly run webinars. Our next one is Mastering Measurement: what to measure, how and why. And there's a button that you can click on to register for that.
That's going to be a great discussion. And most of all, I want to thank the panellists today, but in particular, Eve and Michael, for your time today and for helping us bust some of those myths and being very generous with your time and your expertise, answering the questions that came through live. I know that can always be a bit of a challenge, but absolutely wonderful discussion.
That's it for us. Thanks for coming. I'll see you at the next one.