Advising on data breaches, email intercepts and the unintended consequences of big data were all part of the office’s work in 2017. Expect more of the same, plus the launch of a privacy trust mark, in 2018. John Edwards, Privacy Commissioner.
Does the local council tell my landlord if noise control officers pay a visit to my flat? This is just one of the many privacy-related questions we get asked. This particular query and its answer is now part of our online AskUs tool.
We launched AskUs in 2016 with more than 400 common privacy questions and we’ve been adding to these throughout the past year. There have been over 12,000 enquiries made to AskUs in that time, in addition to the 7000 public enquiries through our 0800 number and email.
Through AskUs we’ve also learned things. One is that people really like recording each other with over 700 people having read our questions about CCTV and other recording devices.
Public education is an important part of our work. But the other half of the equation is the work we do to help government and business use the Privacy Act as an enabling legislation – to find ways to achieve the goals of being more efficient and more cost effective for ratepayers and customers.
Each year, we interact with local councils either by giving advice on policy developments or in dealing with complaints made to us. We have provided advice on electronic public registers, smart city sensors, smart meters and, a perennial issue, surveillance cameras – including a new brochure on drones and surveillance cameras which is now available from our office.
In a recent case, a local body approached us requesting feedback on a proposal to equip parking wardens with body cameras. Among other things, the local council sought our authorisation to collect personal information in a way it thought would be a breach of a privacy principle.
We advised the local council that its policy did not seek to breach a privacy principle, so it did not require our authorisation. This clarity gave the council the certainty it needed to implement its cameras.
We welcome that kind of engagement with local government. After all, we’re here to help – and we don’t mean that in an ironic “I’m from the government and I’m here to help” way.
Big data redux
It goes without saying that local councils handle a significant amount of often sensitive personal information – that’s because you have to. It comes part and parcel with what you as local councils do in fulfilling your functions and responsibilities.
While local government is only one part of the personal information food chain or ecosystem, there’s an obvious allure across all levels of government (and business) for using big data sets to unlock cost savings.
Big data has been called a type of modern day alchemy, turning data into information gold. Our role at the Office of the Privacy Commissioner is to represent for privacy so that the pitfalls are thought through and mitigated against.
We know the smart use of data has the potential for positive impacts but it comes with attendant risks – to agencies and to individuals. The positive impacts for organisations include more efficient resource allocation, while the risks include incorporating biases and large-scale mistakes. Bad data can result in harm to individuals and the community.
One example comes from the US City of Boston. The city was patching up about 20,000 potholes each year. To help allocate its resources more efficiently, it released a smart phone app to detect and report potholes. It did so by collecting accelerometer and GPS data as motorists travelled through Boston’s streets.
But the city managers failed to consider one structural issue. People in lower income groups were less likely to have smartphones. This was particularly true of older residents with smartphone penetration as low as 16 percent in that age group. Poor neighbourhoods were therefore less likely to have their roads fixed and more affluent neighbourhoods, instead, received disproportionately more attention from the city’s road mending teams.
When made aware of this issue, the city gave the app to all its municipal workers to use as they drove around to remedy this collection imbalance. But the lesson learned was clear. Data is only useful if it is not based on flawed assumptions and skewed information.
MSD individual client-level data report
It was for these reasons, among others, that we welcomed the government’s decision to reverse a Ministry of Social Development (MSD) policy to collect individual client-level data from social service providers.
The service providers were required to provide information about individual clients in order to receive funding. The information included clients’ names, number of children and the other social services they dealt with.
We acknowledged projects like this had the potential to do a lot of good by measuring and improving the efficacy of social services. But if they were overly intrusive, they could undermine their own aims by creating situations where people opted to leave out key details or were dissuaded from accessing social services in the first place.
An unintended consequence could be to deter people from seeking support or assistance, which could put them at further risk and make them “invisible” to government and policy makers – thus skewing the data collected.
One of our main recommendations was for MSD to explore less privacy-invasive means of achieving the government’s social investment strategy. We pointed out that if you don’t get the privacy right, people will opt out of needed services if they feel their privacy is not respected.
You can find our MSD individual client-level data report on our website.
Advisory opinions are another tool we launched to give agencies greater certainty about our approach to the law. This is where agencies can seek our view on a legal issue: for instance, the privacy impact of a proposed process or service.
We published one advisory opinion this year. We were asked by the New Zealand Fire Service about its proposal to publish the addresses of fire incidents on its website. The move was designed to reduce administrative burden from insurers seeking this information.
We decided that addresses of fire incidents could constitute personal information, and disclosing them on the website could be a breach of the Privacy Act. We suggested an alternative way of sharing this information without compromising individual privacy. Our advisory opinion is available on our website.
We’ve received at least one complaint about the Horowhenua District Council policy of intercepting emails between the public, and council members and staff. There’s been considerable media interest and our office was approached for comment. We’ve been in close contact with the Office of the Ombudsman in giving a view on whether the practice breaches the law.
In the past financial year, 132 breaches were reported to our office, slightly down on the previous year’s total of 148. The main categories of breaches have consistently involved electronic or hard copy information being sent to the wrong recipient.
In one case, a file was sent by accident because it had a very similar name to the file that should have been sent. The lesson from this breach was that underlying processes and procedures – such as file naming conventions – need to be built to reduce the likelihood of human error in sending personal information.
Other common types of breaches were website vulnerabilities, the loss or theft of hard copy files or portable work devices, and employee browsing.
Privacy trust mark
This year, we intend to launch a privacy trust mark to certify products and services that meet our privacy criteria. Privacy certification can play an important role in promoting privacy-positive behaviours while trust, control and transparency are essential to the digital economy. Please stay in touch with our office for more news on this exciting project.
We’re here to help
If you’re undertaking a project that involves the collection, use or sharing of personal information, feel free to contact our office.
Our website offers all kinds of guidance and information, including our contact details. You can also put a question to AskUs at www.privacy.org.nz/ask.
This article was first published in the Perspectives 2018 issue of NZ Local Government Magazine.