Annual Report of the Privacy Commissioner For the year ended 30 June 2016 Presented to the House of Representatives pursuant to section 24 of the Privacy Act 1993 A11 November 2016 THE MINISTER OF JUSTICE I tender my report as Privacy Commissioner for the year ended 30 June 2016
Document Preview:
PRIVACY COMMISSIONER ANNUAL REPORT 2016Published by the Office of the Privacy Commissioner PO Box 10094 Wellington 109-111 Featherston Street Wellington 6143 © 2016 The Privacy Commissioner ISSN 1179-9838 (Print) ISSN 1179-9846 (Online)A11 Annual Report of the Privacy Commissioner For the year ended 30 June 2016 Presented to the House of Representatives pursuant to section 24 of the Privacy Act 1993
27 Oct OPC AR FIN 2.indd PRIVACY COMMISSIONER ANNUAL REPORT 2016 Published by the Office of the Privacy Commissioner PO Box 10094 Wellington 109-111 Featherston Street Wellington 6143 © 2016 The Privacy Commissioner ISSN 1179-9838 (Print) ISSN 1179-9846 (Online) Annual Report of the Privacy Commissioner For the year ended 30 June 2016 Presented to the House of Representatives pursuant to section 24 of the Privacy Act 1993 A11 November 2016 THE MINISTER OF JUSTICE I tender my report as Privacy Commissioner for the year ended 30 June 2016 John Edwards Privacy Commissioner CONTENTS KEY POINTS …………………………………………………………………………………………………………………………………………… 7 INTRODUCTION ………………………………………………………………………………………………………………………………… 10 REPORT ON ACTIVITIES ………………………………………………………………………………………………………………… 13 International ……………………………………………………………………………………………………………………………………… 13 Media, outreach & education ………………………………………………………………………………………………………… 14 Privacy Week ……………………………………………………………………………………………………………………………… 14 Education …………………………………………………………………………………………………………………………………… 14 Outreach ……………………………………………………………………………………………………………………………………… 14 Media …………………………………………………………………………………………………………………………………………… 15 Enquiries ……………………………………………………………………………………………………………………………………… 15 Tools and resources ………………………………………………………………………………………………………………… 15 Investigations …………………………………………………………………………………………………………………………………… 16 Results ………………………………………………………………………………………………………………………………………… 16 Quality of process …………………………………………………………………………………………………………………… 17 Conciliation approach ……………………………………………………………………………………………………………… 18 Litigation ……………………………………………………………………………………………………………………………………………… 19 Notable Tribunal decisions …………………………………………………………………………………………………… 19 Codes of practice ……………………………………………………………………………………………………………………………… 20 Policy …………………………………………………………………………………………………………………………………………………… 20 Helping agencies share information …………………………………………………………………………………… 20 Informal information sharing ………………………………………………………………………………………………… 20 Big data …………………………………………………………………………………………………………………………………… 20 Transparency reporting ………………………………………………………………………………………………………… 21 Law reform ………………………………………………………………………………………………………………………………………… 22 Breach notifications ………………………………………………………………………………………………………………………… 22 Information matching ……………………………………………………………………………………………………………………… 23 Statutory review of information matching provisions …………………………………………………… 23 Changes in authorised and operating programmes ……………………………………………………… 24 OFFICE AND FUNCTIONS …………………………………………………………………………………………………………… 25 Independence and competing interests …………………………………………………………………………… 25 Reporting …………………………………………………………………………………………………………………………………… 25 Staff ……………………………………………………………………………………………………………………………………………… 25 Auditing our performance ……………………………………………………………………………………………………………… 25 Investigations …………………………………………………………………………………………………………………………… 26 Policy audit ………………………………………………………………………………………………………………………………… 26 EEO profile ………………………………………………………………………………………………………………………………… 27 Auditor’s report ………………………………………………………………………………………………………………………………… 28 FINANCE & PERFORMANCE REPORT ………………………………………………………………………………………… 31 Statement of responsibility …………………………………………………………………………………………………………… 31 Statement of performance …………………………………………………………………………………………………………… 32 Statement specifying comprehensive income ………………………………………………………………………… 34 Cost of service statement for the year ended 30 June 2016 ……………………………………………… 34 Output class 1: Guidance, education and awareness ……………………………………………………………… 35 Output class 2: Policy and research …………………………………………………………………………………………… 36 Output class 3: Information sharing/matching ……………………………………………………………………… 38 Output class 4: Compliance …………………………………………………………………………………………………………… 39 Statement of accounting policies for the year ended 30 June 2016 ………………………………… 41 Statement of comprehensive revenue and expenses for the year ended 30 June 2016 …… 43 Statement of changes in equity for the year ended 30 June 2016 …………………………………… 43 Statement of financial position as at 30 June 2016 ………………………………………………………………… 44 Statement of cash flows for the year ended 30 June 2016 ………………………………………………… 45 Notes to the financial statements for the year ended 30 June 2016 ………………………………… 45 FIGURES Figure 1: Files closed through settlement ………………………………………………………………………………… 16 Figure 2: Percentage of files closed through settlement 2016 …………………………………………… 17 Figure 3: Work in progress – age of files …………………………………………………………………………………… 18 Figure 4: settlement outcomes …………………………………………………………………………………………………… 18 Figure 5: Breach of notifications – types year to June 2016 ………………………………………………… 23 Figure 6: Median score (out of 5) ………………………………………………………………………………………………… 26 Figure 7: The relationship between output classes and strategic initiatives ………………… 32 APPENDICES Appendix A – Processes and services ………………………………………………………………………………………… 58 Appendix B – Information matching programme compliance ……………………………………………60 Privacy commissionEr annual rEPort 2016 7 Key points Dispute resolution • We have worked hard to resolve complaints as quickly and fairly as we can. The effect was that 92% of our complaint files were completed within 6 months, and nearly 50% of our cases were settled. • During the year we instituted a quarterly review of a sample of our investigation files by an external auditor. The investigation files received an average grade of 4 out of 5. Litigation • We referred two cases to the Director of Human Rights Proceedings for further action. • Thirty-four complainants took proceedings in the Human Rights Review Tribunal without a referral from us. • We intervened in a Supreme Court case, to assist the Court in its consideration of a question of law about the role of the Privacy Act in determining admissibility of evidence. Helping agencies share information • We supported agencies in responsible information sharing in a variety of different ways, from informal consultations on the application of the Privacy Act to ongoing work to produce formal Approved Information Sharing Agreements (AISAs). • We engaged closely with agencies developing an AISA to help children’s teams, to enable them to share information about children in need of care and protection to provide support for the family and keep children safe. • We provided policy support to assist the Gangs Intelligence Centre to get up and running, ensuring that staff could share information as required. Big data • We engaged with many “big data” initiatives and supported the work of the Data Futures Partnership process. We encouraged agencies to be transparent and robust in sharing the algorithms used in big data analysis. Privacy Week • We hosted a visit from UN Special Rapporteur for the Right to Privacy, Professor Joe Cannataci, during Privacy Week in May 2016. Prof Cannataci delivered a keynote address at Privacy Forums in Wellington and Auckland. • We released new UMR survey results on public perceptions of privacy. • We marked New Zealand’s first ‘Right to Know Day’ – a day dedicated to raising awareness of people’s right to see their own personal information that agencies hold. Privacy commissionEr annual rEPort 20168 Better Public Services – result areas 9 & 10 • We added to our suite of online training modules – with new modules on Approved Information Sharing Agreements (AISAs) and Privacy Impact Assessments (PIAs). Uptake of the modules is steady with around 9,000 people registered across all modules, and growth of around 400 new users each month. • We have developed an online interactive FAQ tool – AskUs – in an effort to provide high-quality and readily accessible privacy advice. • We developed and launched ‘AboutMe’ – an online tool that helps people request their own personal information from agencies. • We offer a facility to enable online lodgement of complaints through our website. This facility is well- used by the public. Outreach • We gave 98 presentations to a wide range of stakeholder groups. • We continued our regional outreach strategy, meeting with the public and stakeholders in Christchurch, Nelson / Marlborough, Tauranga, Rotorua, Whangarei, and Gisborne. • We received 218 media enquiries this year. • We received 7,783 public enquiries through our 0800 number and enquiries email. Transparency and accountability • The Office received 148 voluntary notifications from agencies of data breaches that had occurred. • We published the results of our first reporting pilot, sampling 10 private sector companies about government requests for customer information. We found that 11,799 requests for information had been made, of which 449 were declined (over a four-month period in mid 2015). • We released a vulnerability disclosure policy to provide assurance to users in the event that they find a vulnerability in our computer system or website. International • The New Zealand Privacy Commissioner was elected as Chair of the International Conference of Data Protection and Privacy Commissioners. The Office of the Privacy Commissioner, New Zealand provides the Conference Secretariat. • We participated in the 44th and 45th Asia Pacific Privacy Authorities (APPA) Forums in Macau and Singapore. The membership has now grown to 19 authorities stretching from Peru to Singapore. • The Privacy Commissioner was invited to present at the OECD Ministerial Meeting in Cancun, Mexico on the topic of managing digital security and privacy risks. Information Matching • There are currently 54 information matching programmes in operation. No new programmes were initiated. The Office reviewed four programmes and considered they should continue without amendment. Law changes • The jurisdiction of the Privacy Act was widened by the Harmful Digital Communications Act. Agencies may now only use or disclose personal information which has been obtained from a publicly available publication where, in the circumstances of the case, it would not be unfair or unreasonable to do so. Previously, agencies could use or disclose any personal information that was publicly available. We amended our codes of practice to reflect this change. Privacy commissionEr annual rEPort 2016 9 Law reform • The Office provided substantial advice to the Ministry of Justice and Parliamentary Counsel on reforming the Privacy Act and implementing the recommendations of the Law Commission in its report Review of the Privacy Act 1993: Review of the Law of Privacy Stage 4 (NZLC 123, 2011). Privacy commissionEr annual rEPort 201610 Introduction Building foundations of trust - information sharing and transparency In 2013, the OECD recognised privacy as a “fundamental value and a condition for the free flow of data across borders.” In order to achieve this condition, nations would require “privacy enforcement authorities with the governance, resources and technical expertise necessary to exercise their powers effectively and to make decisions on an objective, impartial and consistent basis.” This objectivity and impartiality contributes to one of the most significant aspects of the New Zealand Privacy Commissioner’s role: its statutory independence. It’s something I regard as integral in building an effective watchdog for New Zealanders and important in the freedom it grants me as a regulator. My two predecessors were highly attuned to the responsibility – as well as opportunity – that comes with independent office. That is not to say that any privacy commissioner can distance him or herself from Government objectives or lose sight of the delicate balance involved in working to affect change while maintaining public confidence. Naming Our ‘naming policy’ outlines the criteria we will consider when we publicly name organisations that are not complying with their privacy obligations. To date, we have used it on a small number of occasions only. In one instance, we disagreed with Immigration New Zealand’s (INZ’s) approach in recording a refugee’s age. In that case, a young man arrived in New Zealand from a failed state, without evidence of identity. When his nominated age proved untenable, on the basis of medical and other evidence, the department was initially unwilling to adjust his recorded age. His case raised concerns both about the accuracy of information that the department was relying on, and about an individual’s ability to correct information when it is wrong. The effect was that the young man was unable to access critical social and education services because INZ’s records were inaccurate. The issues in the case were not able to be adequately described without identifying the agency involved: https://privacy.org.nz/INZ-case However, as we noted at the time, a number of agencies – not only INZ - have built robust systems and procedures to safely manage the personal information they hold. This case raises questions about how agencies respond to individuals’ specific circumstances in the context of those systems. Big data Many public sector agencies are using data analysis of large data sets to inform the provision of more