Privately speaking is a quarterly publication tracking developments in privacy  legislation, regulation and case law.

The risks for organisations from a privacy breach can be very high. This applies both when the organisation is the victim – as in industrial espionage – and when the organisation fails to maintain expected standards of security and confidentiality.

Our team of data protection lawyers can assist you with privacy and data security risk management, including reviewing contractual terms, privacy compliance training, responding to privacy requests and investigations, and litigation to contain data breaches.

NEW ZEALAND

Exposure draft of new Privacy Bill later this year

Communications Minister Amy Adams plans to release an exposure draft of the new Privacy Bill later this year and to have the Bill itself in the House next year. She announced the timetable in her opening address to the Wellington Privacy Forum.

She said that she would be working with the Privacy Commissioner to promote data sharing for public safety purposes where that was justified under the law and also to test whether further legislative provision was necessary.

Link: Minister’s speech

The social investment agenda, data sharing and the Privacy Act

Finance Minister Bill English gave his fullest explanation yet of how data sharing sits at the heart of his social investment agenda in a speech to the Third Data Hui in April.

He talked of a “data highway” under which information collected by Health, Education, Social Development, Justice, IRD and – ultimately all parts of government would be shared, subject to the informed consent of the individual or an agent authorised to act on the individual’s behalf.

Access rules would be informed by the work of the Data Futures Partnership, the Privacy Commissioner and the Government Statistician. Policy issues which would need to be resolved but on which the government did not yet have a position were:

  • how to deal with the risk of secondary identification, (when combinations of data points from anonymised information can be used to identify individuals), particularly when the populations involved are relatively small, without anonymising to the point where the data set becomes empty, and 
  • how to provide “citizen-level control” for how data is used – e.g., through an opt-in/opt-out mechanism or Personal Information Management Services, the technology for which exists now.

Link: Minister’s speech

Greater disclosure of tax debt

Legislation is planned to allow the IRD to:

  • disclose tax debt information for serious non-compliance to credit reporting agencies – e.g. significant income tax and GST debt and unpaid PAYE, child support, student loan and KiwiSaver deductions from employees’ pay packets. Certain criteria must be met before disclosure, including that the taxpayer has been notified in advance and that the debt is not disputed, and
  • share information with the Registrar of Companies relevant to prevention, detection and investigation of serious offences under the Companies Act.

The proposals are contained in the Making Tax Simpler consultation document issued by IRD in April. Submissions closed on 30 May 2016

Link: Making Tax Simpler, pages 58 to 66

NZ part of intelligence sharing network on spam and nuisance calls

New Zealand through the Department of Internal Affairs is one of eight countries in a Memorandum of Understanding to share intelligence about unwanted calls and messages. Other jurisdictions are: the Netherlands, Australia, Canada, the US, the UK, Korea and South Africa.

Link: MoU update

Computer Emergency Response Team

A new Computer Emergency Response Team (CERT) to fight cyber- crime will be established from a $22.2 million allocation in the 2016 Budget. CERT will receive and track incident reports and will provide advice on how to prevent further cyber attacks. It will be established as a separate unit within the Ministry of Business, Innovation and Employment.

Link: Announcement

Question mark over SIS security of information

An investigation by the Inspector-General of Intelligence and Security, Cheryl Gwyn, has found inadequacies in the SIS’s internal protocols relating to both the storage of and access to data received as part of government security clearance procedures.

The investigations behind these clearances are necessarily highly intrusive and the personal information obtained is highly sensitive, relating to sexuality, social habits, physical and mental health, financial wellbeing and religious and political affiliation.

Link: Inspector-General’s report (summary)

2015 credit assurance reports

The Credit Reporting Privacy Code requires credit reporting agencies (Veda, Dun & Bradstreet, Centrix) to provide assurance reports to the Privacy Commissioner each year to demonstrate compliance with the Code’s obligations.

The Commissioner asked for particular assurances this time following the issues raised by the Orcon v Taylor case (refer June edition of Privately speaking). He said he had been assured that disputed debts would be either flagged as such or masked from view until a proper investigation had taken place.

Link: Commissioner’s statement

Big bogey corporates not government in NZ online privacy concerns

The latest World Internet Project, the New Zealand segment of which is prepared by AUT researchers at the Institute of Culture, Discourse & Communication, finds that New Zealanders are more worried about companies violating their online privacy (45%) than government agencies (33%).

Link: World Internet Project

NZ gets poor rating in international internet security report

New Zealand had the second highest incidence of ransomware attacks in the Southern Hemisphere (after Australia) and the fourth highest number of social media scams in the Asia-Pacific, and was ranked 21st globally for each in the Symantec Internet Security Threat Report for 2015.

Symantec found more than 430 million new unique pieces of malware, up 36% from 2014. Overall, large businesses which were victims of cyber attack experienced an average of 3.6 successful attacks each.

Link: Symantec Report

AUSTRALIA

New cyber security package

The Federal Government has launched a new AUD230 million Cyber Security Strategy to combat the increasing incidence of on-line threats and attacks. The risk to the Australian economy from computer intrusion and the spread of malicious code by organised crime has been assessed as high and growing. The strategy, which updates a previous 2004 model, was developed over 18 months of intense consultation with more than 190 organisations and assumes a government/private sector partnership.

Link: Cyber Security Strategy

2015 cyber security survey of big end of town

A survey by the Australian Cyber Security Centre of major Australian businesses has found that half reported at least one cyber incident  in the last year that had compromised the confidentiality, integrity or availability of a network’s data or systems. However it also found increased security awareness among staff on the previous year and “clear improvements” in responses, including policies and standards, technologies and mitigation strategies. The survey can be accessed through the link below.

Link: ACSC website

EUROPE

FTSE 350 cyber governance health check 2015

The FTSE 350 Cyber Governance Health Check Report for 2015 shows significant progress on the previous year. Results included:

  • 63% of boards setting out their cyber security management approach in their annual reports
  • 49% identifying cyber risk as a top risk (up from 29% in 2014)
  • 49% having a clear understanding of the potential impact from the loss of or disruption to key information and data assets
  • 77% having allocated budget specifically to protect consumer privacy, and
  • 16% claiming a “very clear understanding” of where sensitive data is shared with third parties.

Link: Report

European Tribunal on when emails sent at work are private

The European Employment Appeal Tribunal has found that Article 8 of the European Convention of Human Rights could protect private emails sent at work, but only where there is a reasonable expectation of privacy. This did not apply in the case in question as the communications had been sent to colleagues at their work email addresses and had adverse consequences for other members of staff in particular the employee who was the subject of the email vendetta.

Link: Decision

Irish privacy watchdog vs Google and Facebook

The Irish Data Protection Commissioner (IDPC) has asked the European Court of Justice to determine the validity of Facebook’s “model contracts” under which it transfers personal data outside the EU (in this case to the US to ensure that it is properly protected from US government surveillance).

Facebook, like many IT companies, has its European headquarters in Dublin.

The ruling will be relevant to all firms operating in, and transferring data out of Europe.

DIY on data protection

A survey in the UK commissioned by the Information Commissioner’s Office (ICO) has established that only one person in four trusts businesses with their personal information and that most people take a DIY attitude to data privacy protection. The Information Commissioner said: “This ought to be a real wake-up call to some sectors. Consumer mistrust is never good for business”.

Other findings are:

  • 25% of people have installed an ad blocker on their web browser or smart phone
  • 75% think data protection should be taught in schools, and
  • 13% have requested a copy of their data from organisations.

Link: ICO statement