Privately speaking is a quarterly publication tracking developments in privacy legislation, regulation and case law.
The risks for organisations from a privacy breach can be very high. This applies both when the organisation is the victim – as in industrial espionage – and when the organisation fails to maintain expected standards of data integrity and confidentiality.
Our team of data protection lawyers can assist you with data security risk management, including reviewing contractual terms, privacy compliance training, responding to privacy requests and investigations, and litigation to contain data security breaches.
NEW ZEALAND
Harmful Digital Communications Act 2015
The Harmful Digital Communications Act 2015, which came into force on 2 July 2015, makes two changes to the scope of the Privacy Act 1993:
- it closes the “revenge porn” loophole so that the distribution of “highly offensive” intimate videos and/or photographs without the subject’s consent is now covered, and
- it removes the protection of the publicly available information exception where disclosure would be “unfair and unreasonable” – e.g. if sensitive data hacked from a government agency’s computer system was posted on an anonymous blog, and was subsequently used or distributed by someone else.
The Privacy Commissioner says the amendments will “only apply to a small portion of cases, as the legal threshold for ‘highly offensive’ and ‘unfair or unreasonable’ are quite high”.
Link: Privacy Commissioner’s media release and FAQs on the Act
Growing cyber-security threat
The National Cyber Security Centre (a division of the GCSB) has recorded 132 serious cyber attacks in the first six months of this year, 79 of them in the public sector, and expects the number to exceed 200 by year’s end. This compares to 147 in the whole of last year.
Prime Minister John Key has confirmed that more organisations are signing up to be covered by the government’s cyber security programme – Cortex – as the incidence of attacks rises.
Link: Article
Unisys NZ consumer perception survey of data breach risk
A survey by Unisys which asked 503 New Zealanders to rank seven sectors according to the likelihood of a privacy breach within the next 12 months found that telcos were the least trusted followed in order by: government, banking and finance, retail, health care, utilities and airlines.
Link: Survey results
Contents
New Zealand 1
Australia 3
North America 4
European Union 5
United Kingdom 5
Contacts 6
- | September 2015
Independent Review of Intelligence and Security
Among the matters being considered by Sir Michael Cullen and Dame Patsy Reddy in their independent review of New Zealand’s intelligence and security framework is the definition of “private communication” in the GCSB Act. This currently excludes communications where the parties ought reasonably to expect interception “by some other person not having the express or implied consent of any party to do so”.
Submissions closed on 14 August 2015.
Link: Independent review of intelligence and security
Drone controls
The Civil Aviation Authority (CAA) has introduced new regulations to control drones. These include a requirement to get permission from individuals and property owners (including of public spaces) before flying a drone over them or their land. Operators who cannot get consent from a landowner or an individual can still operate if they get an operating certificate from the CAA under Rule Part 102.
Link: Regulations
Privacy Commissioner’s activities
The Privacy Commissioner:
- will trial a programme this year which asks companies to keep a standardised record of information requests from such agencies as the Police, IRD and the Ministry of Social Development, to be forwarded to his Office for publication. The research from the pilot and the first transparency reports will be published on the Commissioner’s website (Link: Privacy Commissioner’s speech)
- has released a privacy impact assessment toolkit to help organisations identify the potential risks arising from how they collect, use and handle personal information, and whether they are meeting all of their legal obligations (Link: Privacy impact assessment toolkit)
- is making technical amendments to align the Health Information Privacy Code, the Superannuation Schemes Unique Identifier Code, the Justice Sector Unique Identifier Code, the Telecommunications Information Privacy Code, and the Credit Reporting Privacy Code. Submissions closed on 28 August 2015. (Link: Commission advisory)
Privacy concerns for sole traders in NZ Business Number
Submissions to the Commerce Select Committee on the New Zealand Business Number (NZBN) Bill have identified an absence of privacy protections in the Bill for the 10% of New Zealanders who are sole traders.
The Privacy Commissioner said his Office had been engaged from the outset in the policy development around the Bill and was satisfied that it reflected “a very deliberate consideration of the balance between efficiency and privacy”. He pointed out that the NZBN was limited to commercial purposes. Had it also been able to be used to access a benefit, or in the justice system, it would have been a different story, as it could then identify the user across all of their interactions with the government and the economy.
However he did ask the committee to consider whether there should be the opportunity to have more than one NZBN for those sole traders who were engaged in two or more quite different activities – e.g. the mental health nurse who was also a music teacher.
Link: New Zealand Business Number (NZBN) Bill
Human Rights Review Tribunal
The Director of Human Rights Proceedings brought action against David Crampton for breaching information Privacy Principle 11 (limits on disclosure of personal information) when, as a member of the executive committee of the Massey University Extramural Students’ Society, he gave a student magazine a copy of a letter sent by him and other committee members to Jeanette Chapman, then the Society’s President.
The letter contained extensive and serious allegations relating to Ms Chapman’s performance as President, and included information of a personal and sensitive nature.
Mr Crampton argued that the release fell within one of the exceptions provided by Principle 11 – that “the agency believes on reasonable grounds that the disclosure of the information is directly related to the purposes in connection with which the information was obtained”.
In dismissing Mr Crampton’s argument, the Human Rights Review Tribunal noted that the subjective component (the belief) as well as the objective component (the reasonable grounds) must exist at the date of disclosure. An explanation devised in hindsight will not suffice. Further, the phrase “directly related to” does not mean “close” or “substantial”. Instead, the purpose of disclosing the information must have an “uninterrupted, immediate relationship” to the purpose that operated at the time when the information was collected.
The Tribunal awarded Ms Chapman $18,000 for humiliation, loss of dignity and injury to feelings. It also ordered Mr Crampton to undertake training under the Privacy Act.
Link: Director of Human Rights Proceedings v David Crampton [2015] NZHRRT 35
Digital identity, privacy and the cost of doing business
The implications for business of the impending changes to the Privacy Act and to EU data protection regulation are explored in a Chapman Tripp article prepared for the Institute of Directors’ publication Boardroom.
Link: Chapman Tripp article
AUSTRALIA
Australian Privacy Commissioner issues privacy regulatory action guides
The Australian Privacy Commissioner has released guidelines setting out its enforcement priorities. The criteria it will apply in deciding whether to pursue civil penalties are:
- where a large number of individuals are affected by the breach, or the detriment incurred is substantial
- there is a history of serious interferences with privacy, or
- the entity fails to take seriously, or blatantly ignores, its privacy obligations.
Links: Guide to Privacy Regulatory Action and Privacy Regulatory Action Policy
Investigation into Adobe Systems Software Ireland Ltd
The investigation by the Australian Privacy Commissioner into the September 2013 cyber-attack on Adobe has found that Adobe failed to take “reasonable steps to protect consumer data from unauthorised access”. In particular, unencrypted credential information (user names, email addresses and plaintext password hints) was directly linked to the encrypted password for each user.
The Commissioner noted that taking “reasonable steps” to protect personal data did not mean creating an impenetrable system, but said that organisations must have adequate security measures in place in relation to all, not some, of the personal data they hold.
Link: Investigation report
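The storage pattern the report criticises, shown beside a hardened alternative as an added illustration (not code from the investigation report or from Adobe): a password that is reversibly encrypted under one site-wide key and stored next to a plaintext hint, versus a per-user salted, slow one-way hash with no hint column. The sample accounts and the keyed-XOR stand-in for a single-key cipher are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from itertools import cycle

# Constructed sample accounts (not data from the investigation): two users
# who happen to share a password.
SAMPLE_USERS = [
    ("alice@example.com", "hunter2", "usual one"),
    ("bob@example.com", "hunter2", "same as my email pw"),
]
SERVER_KEY = b"single-server-key"  # hypothetical site-wide key


def weak_record(email, password, hint, key=SERVER_KEY):
    """Pattern criticised in the report: password reversibly encrypted under
    one site-wide key (a keyed XOR stand-in here), stored beside the plaintext
    email and hint. Equal passwords give equal stored values, so one readable
    hint exposes every account sharing that password."""
    ct = bytes(b ^ k for b, k in zip(password.encode(), cycle(key)))
    return {"email": email, "password": ct.hex(), "hint": hint}


def hardened_record(email, password, rounds=200_000):
    """Hardened form: per-user random salt, slow one-way PBKDF2-HMAC-SHA256,
    and no hint column at all."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return {"email": email, "salt": salt.hex(), "hash": digest.hex(), "rounds": rounds}


def verify(record, password):
    """Check a candidate password against a hardened record in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(record["salt"]), record["rounds"])
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def same_password_leaks(records):
    """True if any two records expose the same stored password value."""
    seen = set()
    for r in records:
        value = r["password"] if "password" in r else r["hash"]
        if value in seen:
            return True
        seen.add(value)
    return False


if __name__ == "__main__":
    weak = [weak_record(*u) for u in SAMPLE_USERS]
    hard = [hardened_record(e, p) for e, p, _ in SAMPLE_USERS]
    print("weak table leaks shared passwords:", same_password_leaks(weak))
    print("hardened table leaks shared passwords:", same_password_leaks(hard))
```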
Australian Cyber Security Centre Threat Report 2015
ACSC’s Threat Report highlights that financially motivated criminals are increasingly targeting Australian businesses, particularly in the energy, banking and finance sectors. ACSC predicts the following trends will manifest globally in the near future: an increase in the number of cyber criminals; greater sophistication of cyber-crime, making detection and response more difficult; and prominent use of ransomware.
Link: Cyber threat report 2015
NORTH AMERICA
Federal Trade Commission issues data security guidance
The Federal Trade Commission has issued a new guide to assist businesses to improve their data security practices based on lessons from its 50+ data security settlements. Among the recommendations are:
- personal information should be collected only where necessary for business purposes and retained only for so long as necessary
- employee access to documents should be on a “need to know” basis only, and
- security considerations should extend to paper and physical media (such as hard drives, laptops and flash drives). Businesses should also keep to a minimum the instances when employees are off-site with sensitive data in their possession.
Link: Federal Trade Commission guide
Poor data security can constitute “unfair practice”
The US Court of Appeals for the Third Circuit has confirmed that the Federal Trade Commission (FTC) has authority to take action against a private company for poor IT security under § 45(a) of the FTC Act.
Wyndham (a hotel chain) had suffered a number of significant data breaches that the FTC alleged were made possible by poor IT security practices, including storing payment information without encryption, failing to maintain and enforce IT security policies on hotel sites connecting to its central system, and failing to apply appropriate “incident response” procedures.
Wyndham argued that conduct is only unfair when it injures consumers through “unscrupulous or unethical behaviour” and that it could not be taken to have treated its customers unfairly when it itself was the victim of criminal activity.
The Court rejected both arguments, holding that a business could be subject to an unfairness claim even where its conduct was not the proximate cause of injury, but facilitated that cause in circumstances where the outcome was reasonably foreseeable. The case has been sent back to the US District Court to determine whether Wyndham’s security measures were indeed “unfair” within the meaning of the Act.
Link: FTC v Wyndham Worldwide Corporation
What not to do with employee monitoring software
The British Columbia Information and Privacy Commissioner has strongly criticised the District of Saanich’s use of employee monitoring software, noting that “employees do not check their privacy rights at the office door”.
The District’s IT systems included keystroke logging, automated regular screen captures and a range of other intrusive features, the effect of which was that any personal information that a user entered into a workstation was collected.
The Commissioner found that this was beyond the mandate of the Freedom of Information and Protection of Privacy Act (FIPPA), a breach exacerbated by the failure to notify employees that the data was being collected.
Link: Saanich (District) (Re), 2015 BCIPC 15
EUROPEAN UNION
Protection of personal data remains a significant concern for EU citizens
Protection of personal data is a significant concern for EU citizens according to a European Commission survey which found that:
- two-thirds of respondents were concerned about not having complete control over the data they provided online
- over half of respondents disagreed that “providing personal information is not a big issue” and that “they don’t mind providing personal information in return for free services online”
- a substantial majority of respondents wanted their explicit approval to be required in all cases before their data is collected and processed
- fewer than four in ten respondents trusted telecommunication companies, internet service providers or online search engines to protect their personal data (however consumer confidence in the data security of financial institutions was higher at six in ten), and
- four out of five respondents did not fully read privacy statements, mainly because they found them either too long or too difficult to understand.
UNITED KINGDOM
UK Supreme Court to hear appeal in Google v Vidal-Hall
As reported in our April newsletter, the English Court of Appeal, in Google v Vidal-Hall, held that the Data Protection Act 1998 permits compensation for non-pecuniary loss, such as distress, where privacy rights have been violated. The UK Supreme Court has granted Google’s appeal in relation to this aspect of the Court of Appeal’s finding.
Link: Google Inc v Vidal-Hall
Court rules UK surveillance regime inconsistent with EU privacy law
The UK High Court has found that section 1 of the Data Retention and Investigatory Powers Act 2014 (DRIPA) is inconsistent with European Union law in so far as:
- it does not lay down clear and precise rules to ensure that communications data retention notices are strictly restricted to the purpose of preventing, detecting or prosecuting serious offences, and
- access is not subject to prior review by a court or independent administrative body to ensure that only that data which is strictly necessary to the purpose is retained.
The Government has announced its intention to legislate in this Parliament to replace the DRIPA, which contains a sunset clause.
Link: David v The Secretary of State for the Home Department [2015] EWHC 2092
Link: European Commission’s Data Protection Survey Summary
If you would prefer to receive this newsletter by email, or if you would like to be removed from the mailing list, please send us an email at [email protected]
Every effort has been made to ensure accuracy in this newsletter. However, the items are necessarily generalised and readers are urged to seek specific advice on particular matters and not rely solely on this text.
© Chapman Tripp
Darmer v Taylor Wessing – right to access to personal information
An application by the Darmers under section 7 of the Data Protection Act 1998 for access to all the data held about them by law firm Taylor Wessing was dismissed by the English High Court on the basis that the purpose of section 7 is to entitle an individual to check the accuracy of personal information and to have it corrected if incorrect.
Section 7 was not intended to provide automatic access to all matters in which the applicant may be named or involved, or to assist in the discovery of documents that may assist the applicant in litigation or complaints against third parties.
Link: Darmer v Taylor Wessing [2015] EWHC 2366 (Ch)
New Privacy Brief newsfeed
We have recently launched a new privacy law and data protection newsfeed (www.privacybrief.net), collating links and articles from around the world. Visit and subscribe (via Wordpress, email, RSS or Twitter) if you’d like to stay up-to-date in between our quarterly publications.
Our thanks to Steven Li for compiling this publication.
Contacts
PHEROZE JAGOSE – PARTNER
T: +64 4 498 4954
M: +64 27 241 2999
Secretary: Luisa Strickland (+64 4 498 4990)
JUSTIN GRAHAM – PARTNER
T: +64 9 357 8997
M: +64 27 209 0807
Secretary: Sharon Pereira (+64 9 357 2728)
KELLY MCFADZIEN – PARTNER
T: +64 9 357 9278
M: +64 27 473 2230
Secretary: Ashleigh Burton (+64 9 357 9279)
GEOFF CARTER – SPECIAL COUNSEL
T: +64 3 353 0394
M: +64 27 290 5057
Secretary: Michaela Combe (+64 3 353 0344)
TIM SHERMAN – SENIOR ASSOCIATE
T: +64 4 498 2400
M: +64 27 345 3250
Secretary: Rachel Keelan (+