1. KEY POINTS
• We received over 9,000 enquiries from the members of the public and organisations seeking guidance on privacy matters.
• The Office received 310 media enquiries. Numbers were affected by the EQC incident and the MSD kiosk data breach, along with a steady stream of technology related enquiries.
• The Commissioner and senior staff gave 70 presentations and speeches during the year to a wide variety of audiences.
• The Office delivered 48 workshops and seminars to members of the public and stakeholder groups.
• During the year, we initiated a small ad hoc advisory group with participants from business, IT, academia and government, as recommended by the Law Commission. We held the first meeting in early April. We believe that the injection of perspectives will be helpful for a small agency like OPC in seeking to respond effectively to a very challenging environment.
• Pressure is continuing to affect our capacity to respond to rising external demands. Data breaches, government and business demands, media enquiries, new agreements for information sharing and the generally turbulent environment are placing a small agency like OPC under continual strain.
Complaints and investigations
• We received 824 privacy complaints from members of the public.
• The independent review of ACC’s security of information was released in August 2012. The review found the breach of privacy of 6,748 clients was a genuine error, but it also highlighted systemic weaknesses within ACC's culture and processes.
Policy and technology
• We continued discussions with Ministry of Justice officials as they worked through the Privacy Act review proposals and look forward to the Government’s response to that review shortly.
• The New Zealand Government’s Bill to reform the Government Communications and Security Bureau (GCSB) took place against a background of heightened awareness and concern about government intrusion and surveillance of civilian life.
• Our submission on the GCSB Bill said that because of the complex and dynamic environment, we believe surveillance and in particular oversight of that activity needed to be considered further. We agreed that the law governing the GCSB’s activities would benefit from additional clarity. We recommended that a body such as the Law Commission be asked to investigate the most appropriate shape of the legislation to govern the intelligence agencies in New Zealand.
• Following the MSD kiosk incident in October 2012, the Government Chief Information Office (GCIO) was commissioned to review publicly accessible systems across government. The release of the GCIO’s review in June 2013 noted systemic privacy and security weaknesses across the public sector. The report included comprehensive recommendations. Key among the recommendations were new reporting and accountability measures for chief executives.
• Core government agencies are actively trying to do more with the data they hold, as part of the “Better Public Services” programme.
• The Information Sharing Bill became law in February 2013 and we received the first application for an approved information sharing agreement (AISA) a few months later. OPC must be consulted on each AISA, and can report on approved agreements. We will make our reports publicly available on our website to support transparency in government.
• Data breaches are being reported to us more frequently, and we have noticed a growing responsiveness by business and government to the reputational benefits of notifying clients when things go wrong. For the first time, we include a summary of these notifications later in this report.
• A number of public sector data breaches and security failures occurred during the year. In October 2012 journalist Keith Ng exposed security vulnerabilities in Ministry of Social Development (MSD) public-facing kiosks.
• In March 2013, EQC inadvertently released a document containing information about many tens of thousands of its Christchurch claimants.
• In addition, EQC had been struggling to respond to the huge numbers of information requests it was receiving from quake-affected Christchurch residents and had a large backlog.
• We had been in contact with EQC to try to assist them in managing this inflow and, together with the Ombudsman, are also engaged in the review of EQC’s processes. EQC’s experience showed very clearly how business processes and data management are entwined.
• A number of international privacy commissioners wrote a joint letter to Google chief executive Larry Page with specific questions about the nature and scope of the company’s wearable Google Glass technology which is currently in development. We received a response from Google which was broadly unsatisfactory and did not address the queries the commissioners raised. Together with our international colleagues, we are considering how to proceed on this issue.
• In early June, OPC participated in the Global Privacy Enforcement Network (GPEN) Internet Sweep which was an internationally coordinated effort to scan websites to assess the adequacy of their privacy notices and policies. We chose to focus upon particular target areas such as schools and children’s websites.
• The European Commission (EC) issued a long-awaited decision in December 2012 that New Zealand law is adequate for the purpose of European Union (EU) law which provides New Zealand businesses with a ‘comparative advantage’ in cross-border data processing. The decision came into effect across Europe in April 2013.
During the year, we started a small ad hoc advisory group with participants from business, IT, academia and government, as recommended by the Law Commission. We held an initial gathering in early April. We believe that the injection of perspectives will be helpful for a small agency like the Office of the Privacy Commissioner (OPC) in responding effectively to a very challenging environment.
Pressure is continuing to affect our capacity to respond to rising external demands. Data breaches, government and business demands, media enquiries, new agreements for information sharing and the generally turbulent environment are placing OPC under continual strain.
Events during the year reinforced the need to ensure that OPC is equipped with tools to respond to the dynamic data environment that is developing across government and business. In the government context, having adequate privacy and security protections will enable the aims of Better Public Services to be realised successfully. We continued discussions with Ministry of Justice officials as they work through the Privacy Act review proposals. We expect the Government’s response shortly.
The independent review of ACC’s privacy and security of information was released in August 2012. The report was commissioned jointly by OPC and the ACC Board following the unauthorised disclosure of details of 6,748 clients and had far-reaching recommendations for change. The review found the breach was a genuine error, but it also shows the error happened because of systemic weaknesses within ACC's culture, systems and processes.
The report showed that ACC lacked a comprehensive strategy for protecting and managing its client information. We noted at the time that a culture change within ACC was vital if further data security breaches were to be prevented.
The review recommended that an independent audit of how ACC has implemented the changes is undertaken every two years and provided to the Privacy Commissioner. The review provided a strong set of proposals and we will monitor ACC's progress as it implements these changes.
MSD kiosk incident
The data security breach at ACC provided a timely warning to both public and private sector organisations, but it was to be followed by other high-profile data breaches and security failures. In December 2012, a security vulnerability in MSD’s publicly-facing kiosks was exposed by the journalist Keith Ng.
EQC data breach
In March 2013, EQC had a data breach that involved many thousands of its Christchurch claimants. EQC has been struggling to respond to the huge numbers of information requests it is receiving from quake-affected Christchurch residents. We have been in contact with EQC to try to assist them in managing this inflow, and we and the Ombudsman are also engaged in the review of EQC’s processes that is coming to a conclusion.
We noted the release in June of the GCIO’s review of publicly accessible systems in government. The recommendations are significant and we hope will provide a platform for much needed change across government. One concerning aspect is our own limited resources, and the level and quality of suitable external consultants who are in a position to give quality advice and assist agencies. We are considering providing high-level, tailored training to key consultancies to help mitigate this, in discussion with key players.
In New Zealand, the Government Bill to reform the Government Communication and Security Bureau arose against a background context of heightened awareness and concern about government intrusion and surveillance of civilian life.
Technology and international cooperation
Data protection and privacy commissioners are increasingly working collaboratively on issues of concern. This reflects the fact that the data practices of global businesses are having an impact across many jurisdictions, and the recognition that effective enforcement will often require international cooperation and coordination.
GPEN Internet Sweep
In early June, OPC participated in the Global Privacy Enforcement Network (GPEN) Internet Sweep which was an internationally coordinated effort to scan websites to assess the adequacy of their privacy notices and policies. We chose to focus upon particular target areas such as schools and children’s websites. We released a summary of our findings (“Websites leave children and parents guessing”).
Information sharing agreements
The Information Sharing Bill became law in February 2013 and we received the first application for an approved information sharing agreement (AISA) a few months later. In an effort to establish the likely workflow, we contacted core government agencies and asked them to give an indication of proposed information sharing agreements. This revealed there may be a number of prospective agreements from the justice and health sectors among others. OPC must be consulted on each AISA, and can report on approved agreements. Our plan is to make our reports publicly available on our website to support transparency in government.
The European Commission issued a long-awaited decision in December 2012 that New Zealand law is adequate for the purpose of EU law which provides New Zealand businesses with a ‘comparative advantage’ in cross-border data processing. The decision came into effect across Europe in April 2013. OPC assisted New Zealand Trade and Enterprise in May to deliver a workshop for business on EU data protection adequacy as part of NZICT’s Tech Innovation Week.
The EU is in a process of replacing its data protection law. It has published a draft regulation which would, once adopted, replace all the data protection laws at national level across the EU.
The proposed law changes are substantial, will have a major effect on European privacy law and will indirectly influence approaches to privacy elsewhere. One direct effect on New Zealand will be on our existing ‘adequacy’ decision. How adequacy status will be recognised under the new regime has yet to be settled. One proposal is that adequacy decisions will continue until revoked or replaced by the EC. A counter-proposal for expiry after a set date could be contrary to New Zealand’s interests and we have drawn this to the attention of MFAT. We will express concern at that approach with our European contacts and as opportunities arise, possibly in conjunction with other affected countries, such as Canada.
View the full 2013 Annual Report here.
View the Privacy Commissioner's media release.