Community values, big data and data breaches remain top of mind as the 20-year-old Privacy Act is scheduled to be reformed.
John Edwards, Privacy Commissioner
The recent major Kaikoura earthquake has turned our minds to emergency preparedness. It has highlighted the fact that we can minimise harm from unexpected events by taking sufficient steps before they happen.
The same is true for privacy issues in local councils. Local councils handle a significant amount of often sensitive information. I’m going to work through some of the key issues from last year with regard to privacy and local councils, then give some guidance on how local councils can manage these issues.
Public information, community values
One recurring issue involving privacy and local authorities is how each authority manages the public records with which it is entrusted. For example, readers of this publication may recall the system Hastings District Council released in August 2015. It was an award-winning project with an ambitious goal: to make all publicly-available information instantly accessible online, thus taking the “friction” out of requesting information and waiting for the council to assemble it.
Soon after the council launched the system, they took it down, as concerned citizens complained about the effect on their privacy. They were not complaining about the fact that the information was publicly available; it had been available before the online system was launched, and still is available now. They were complaining about the fact that the system made it so much easier for people to access the information. This level of access was not in line with the community’s values, so the system was taken down.
Another, more recent example is the Stratford District Council, which refused to sell publicly-available property sale information to Trade Me. Trade Me has been purchasing information from local councils and hosting it online in an easily-accessible format for house hunters. While the Stratford District Council could have sold this information to Trade Me without breaking any laws, it chose not to because to do so would have gone against its community’s values.
These are the kinds of issues that local councils need to grapple with when it comes to publicly-available information. While there is a significant amount of information that a local council can legally host and share, the question of whether it should share it is more difficult, and the answer to that question should take the community’s values into account.
Data scientists promise major benefits from big data. In theory, large data sets give councils the ability to make better decisions about how to efficiently deploy resources and, in so doing, deliver better value for ratepayers.
One major privacy issue with big data is reidentification. Individuals in large datasets are generally anonymised, but the sheer size of the datasets, combined with the growing processing power of analytical systems, makes it possible to cross-reference two de-identified datasets and identify the individuals within them, even though each dataset on its own was anonymised before the cross-referencing took place.
For example, we can refer again to companies purchasing publicly-available property sale information from local authorities, and then publishing it in an easier-to-access format. This information is both public and anonymous; there’s no information about exactly who owns which property.
However, if you have another dataset that shows who owns which house, it is easy to cross-reference and figure out how much someone paid for their house – even though the first dataset didn’t identify individuals, and the second dataset didn’t identify house prices.
This is an issue that local authorities need to consider when dealing with de-identified datasets. If reidentification is possible, then the datasets are not as anonymous as they appear.
There are technical responses to this issue that involve complicated software and maths, but there is also a policy issue. I have been looking at the possibility of recommending that the government enact a legal prohibition on reidentifying datasets that have been issued to the public in a de-identified format. Australia has recently introduced a similar proposal, and we are following those developments closely.
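As an added illustration that is not part of the Commissioner’s article, the following script reproduces the linkage described above on two small constructed datasets (property sales without owners, and ownership records without prices), then runs a simple k-anonymity check of the kind a council could apply to a de-identified extract before release. All addresses, names and prices are invented sample values.

```python
"""Linkage re-identification demo and a k-anonymity check.

Added illustration, not from the article; all records are constructed.
"""
from collections import Counter

# Constructed "public" property-sale records: no owner is named, but the
# exact street address is a precise quasi-identifier.
SALES = [
    {"address": "12 Example St", "suburb": "Northtown", "price": 610000},
    {"address": "14 Example St", "suburb": "Northtown", "price": 645000},
    {"address": "3 Sample Rd",   "suburb": "Southpark", "price": 420000},
    {"address": "5 Sample Rd",   "suburb": "Southpark", "price": 455000},
]

# Constructed ownership records from a second source: names, but no prices.
OWNERS = [
    {"owner": "A. Ratepayer", "address": "12 Example St"},
    {"owner": "B. Ratepayer", "address": "3 Sample Rd"},
]


def link_by_address(sales, owners):
    """Join the two datasets on the shared address; returns owner -> price."""
    price_by_address = {s["address"]: s["price"] for s in sales}
    return {o["owner"]: price_by_address[o["address"]]
            for o in owners if o["address"] in price_by_address}


def price_band(price, width=100000):
    """Generalise an exact price to a band such as '600000-699999'."""
    low = (price // width) * width
    return f"{low}-{low + width - 1}"


def generalise(sales):
    """Release-ready view: drop the address, keep suburb and a price band."""
    return [{"suburb": s["suburb"], "band": price_band(s["price"])} for s in sales]


def min_group_size(rows, keys):
    """Smallest group of rows sharing one quasi-identifier combination (the k
    in k-anonymity); k == 1 means some row can be singled out."""
    counts = Counter(tuple(r[k] for k in keys) for r in rows)
    return min(counts.values())


if __name__ == "__main__":
    print(link_by_address(SALES, OWNERS))      # exact prices for named owners
    print(min_group_size(SALES, ["address"]))   # 1: every address is unique
    print(min_group_size(generalise(SALES), ["suburb", "band"]))  # 2
```

Generalising the quasi-identifiers raises k above 1 for this sample, but a real extract needs the check repeated against every attribute combination an outside dataset could plausibly share.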
In the 2015/16 financial year, 148 privacy breaches were reported to our office – and of these, nearly a third were from people emailing the wrong file. This is a recurring theme with local authorities. For example, a few years ago, a local authority had a major privacy breach, in which a staff member inadvertently released the details of every single complaint the council had received over the previous 10 years. The staff member released this information by attaching the wrong file to an email to a member of the public.
This year was no different. For example, one breach involved a mail merge error and dog registration details, in which a significant amount of personal information about dog owners was sent to the wrong recipient.
This indicates that there is still work to be done in this area. Local authorities – like all agencies – need to develop robust processes to avoid simple errors such as putting the wrong address in the “to” field of an email.
These are not high-tech solutions. This is the constant day-to-day work of reinforcing good practice, fostering a culture of care and continuously improving.
Privacy impact assessments
Privacy impact assessments are a good way for organisations to mitigate privacy issues, such as the issues above. These assessments take a hard look at the potential privacy issues in any system. The definition of “system” is wide. It could be a big data project with all kinds of new technology, or it could be something as simple as the procedure followed by administrative staff when sending bulk emails to ratepayers.
Either way, a privacy impact assessment helps find and mitigate privacy risks. It’s a methodical process of looking at an issue, determining the size of the risk, then mitigating that risk if necessary.
For example, in my office, there is a five-minute delay on emails sent to people outside the organisation. This gives my staff a short time period to “call back” an email if they accidentally enclose information intended for someone else in the body of that email or in an attachment.
There is guidance and online training about how to carry out a privacy impact assessment on our website: privacy.org.nz.
Privacy Law Reform
One major focus for privacy in 2017 is that New Zealand’s 20-year-old Privacy Act is scheduled to be reformed. The government has reiterated its commitment to introducing a Privacy Bill based on the Law Commission’s 2011 recommendations.
Changes on the horizon include mandatory data breach notification and compliance orders, both of which are designed to update our privacy laws for the current technological environment. As I mentioned above, we also may recommend that the government include an outright ban on reidentification in these reforms.
We’re here to help
If you’re undertaking a project that collects, uses or shares personal data, feel free to contact our office. Just go to privacy.org.nz and you’ll find all kinds of guidance and information, including our contact details. You can also ask a question using AskUs, our interactive online FAQs: www.privacy.org.nz/ask
This article was first published in Local Government Perspectives 2017.