Author: MIL-OSI Publisher

Source:

I was recently lucky enough to attend the Asian Privacy Scholars Network 5^th International Conference, hosted by the Business School at the University of Auckland.

The inspiring line up of privacy thinkers from around the world included the Honourable Michael Kirby, Prof Kiyoshi Murata from Japan’s Meiji University, and Professor Dr Sarah Hosell of the University of Applied Sciences in Cologne. You can find out more about the speakers and topics here. Their presentations will also be published in due course. 

Snapchat and sexting

One outstanding privacy commentator was Prof Woodrow Hartzog of Samford University, Alabama. Prof Hartzog is the Starnes Professor of Law at Cumberland School of Law, as well as being an Affiliate Scholar at The Center for Internet and Society at Stanford Law School and he spoke about his upcoming book – Privacy’s Blueprint: The battle to control the design of new technology.

Prof Hartzog began his presentation with the example of Snapchat- a smart phone application with an invitation by design to send sensitive information. Its picture messages disappear within seconds of the recipient opening them. When Prof Hartzog asked what the purpose of such an app might be, there were delighted calls of “sexting!” from the mostly middle aged scholarly audience.

Third party operators soon appeared after the advent of Snapchat and these provided ways for snap-chatterers to capture the images before they disappeared. Inevitably, this led to the data breach known as ‘The Snappening’. But shouldn’t Snapchat have been prepared for this eventuality?

Hacks and data breaches

Recently, there have been many other hacks and data breaches in the news media – Ashley Madison, the Australian Census site, Hacking Team, Yahoo to name a few – and yet we see agencies applying sticking-plaster solutions and some governments even acting to criminalise ‘white hat’ (or ethical) hackers who work to expose vulnerabilities safely and alert the relevant agency.

What’s the answer? Prof Hartzog makes three broad points:

1. Design matters for privacy;
2. Privacy law should take design more seriously; and
3. A design agenda should have its roots in consumer protection and surveillance law. 

Making Privacy by Design meaningful

There are huge gaps in privacy law concerning the design of new technology, and Privacy by Design (PBD) has a long way to go before it reaches the universal acceptance it deserves, according to Hartzog.  Furthermore, we need to make sure PBD is a meaningful concept and not just a slogan.

Prof Hartzog says privacy’s three basic rules are:

1. Give individuals some control over their own data;
2. Don’t tell lies; and
3. Don’t cause any harm.

But what do these three aspirational points mean in the real world? How can people control what they don’t understand? How can you understand what you are consenting to with a single click as you eagerly wait to use your new app? And how realistic is to go back and check the 50 apps you already have on your phone?

Also while designers might not deliberately tell lies, what about obscuring the important stuff in the usual “accept all” requirement before downloading a new app?

And finally, how do we define harm? In New Zealand, we have a definition in our Privacy Act and some guidance from the Human Rights Review Tribunal, particularly following this precedent-setting case, and others like this one. But harm can be difficult to attribute to a single cause when your personal information is leaking from numerous sources.

Prof Hartzog says the big problem is the overwhelming incentive to design technology which maximises the collection, use, and disclosure of personal information. The value of personal information encourages a “collect first, ask questions later mentality” which marginalises the virtue of being transparent.

While there are some good examples of privacy-protective design, many new digital products and services are not good enough and erode our privacy rights.

In short, the design in new information technologies is failing us.

Three values for design

The three values of Prof Hartzog’s blueprint for designing for privacy are trust, obscurity and autonomy. These three values are intertwined. Autonomy is furthered as a design value when privacy law nurtures technologies that protect our ability to trust and maintain obscurity. Trust and obscurity are complementary values. Trust protects our information within relationships. Obscurity protects us when there is no one to trust.

He also says designers need to design to standards so their products are not deceptive, abusive or dangerous. Lawmakers and the courts need the right tools to discourage deceptive, abusive or dangerous design. These tools vary in strength from soft to moderate to robust. Robust responses should be used to confront the most serious privacy design problems. Lawmakers should seek balance and fit when choosing the appropriate legal response. Their toolbox should include privacy enhancing technologies, education, investigations and enforcement, fines and penalties and international collaboration. If you have others, we welcome your suggestions.

In conclusion, Woodrow Hartzog is a bit of a privacy hero with some really cool ideas. You can follow him on Twitter at @hartzog. When his book is published in 2017, I will be reading it.

Image credit: Red and white bullseye design by Peter Kratochvil

International, research, Asia Pacific

Back

Source:

“I was never ruined but twice: once when I lost a lawsuit, and once when I won one.” Voltaire’s words encapsulate the sharp reality that it can cost a lot of money for cases to be heard and decided in a court of law – even if you are the successful party. A recent Human Rights Review Tribunal case, for example, cost ACC just over $33,000.

In that case, Dr L had complained to the Privacy Commissioner’s Office and subsequently to the Tribunal because ACC had withheld personal information about an investigation it had carried out into his practice as a chiropractor. You can read about the case in this earlier blog post.

Application for costs

After the Tribunal had decided in favour of ACC, the agency made an application for costs of $15,000. In its submission to the Tribunal, ACC said an award of costs was justified because:

• Dr L repeatedly ignored the Tribunal’s directions, including when to file his witness statements;
• He raised issues that were without merit or that were a waste of time;
• He behaved in a manner that was neither reasonable nor appropriate;
• He put ACC to substantial additional and wholly unnecessary costs and he was therefore liable to compensate ACC for some of that cost.

Not a model litigant

The Tribunal said it was true that Dr L had not been a model litigant – “but few self-represented parties are”. While it had been at times frustrating for both the Tribunal and ACC to deal with Dr L, the Tribunal was not persuaded there had been needless, inexcusable conduct justifying an award of costs.

It noted the most important factor, not addressed by ACC, is that a person who has had personal information withheld by an agency has only one practical remedy –  to ask the Tribunal to view the withheld information and to reach an independent decision whether the withholding ground was justified.

“In our view, it would be wrong in principle for an individual to be deterred from challenging the decision by the prospect of an adverse award of costs should that challenge fail. After all, the individual does not know what is in the withheld information or what evidence the agency has in its possession to justify the withholding decision,” the Tribunal said.

In other words, the complainant has no practical way of knowing what his or her litigation risks are when deciding to test an agency’s case before the Tribunal.

Justice is expensive

The Tribunal referred to the decision in the High Court by Justice Mallon in Commissioner of Police v Andrews and said it provided a forum “through which individuals, who are potentially vulnerable, can challenge the exercise of state power over them”.

While justice can be a costly business, the Tribunal took the view that bringing a case before it should not be a prohibitive factor for complainants seeking redress for a perceived wrong. It said the decision to award costs should “promote, not negate, the protection of individual privacy, and access to the Tribunal should not be unduly deterred”.

On that basis, the Tribunal dismissed ACC’s application for costs.

Image credit: Portrait of François-Marie Arouet (Voltaire) via Open Culture.

Human Rights Review Tribunal, ACC

Back

Source:

In their job, health professionals have to look after some of the most intimate details of their patients’ lives. This is a great responsibility, and patients trust and expect doctors, nurses and others to not just tell anyone. This obligation is recognised in the Health Information Privacy Code.

Rule 11 of the Code says health professionals cannot disclose health information they hold about an individual, unless there is a valid reason to do so.

But when can you release information? Will you be breaching a patient’s privacy if you talk to a police officer about them? Can you hand over everything you can find; or just a little bit, or nothing at all? Watch what the Privacy Commissioner has to say.

Section 22C of the Health Act 1956 allows, but doesn’t require, health professionals to disclose information to a police officer (and some other officials), if they need the information to do their job. Where the treatment relates specifically to drug dependency, then the information is privileged against disclosure in criminal court proceedings under section 59 of the Evidence Act 2006.

If you believe that any child or young person has been or is likely to be harmed, whether physically, emotionally or sexually, you can report the matter to a social worker or Police. This is vital, as there is little that is more serious than the need to protect a child.

Disclosure to a social worker or Police is allowed under section 15 of the Children, Young Persons, and Their Families Act 1989. Health professionals are protected under section 16 of that Act from any civil, criminal, or disciplinary proceedings if they do so. Importantly, this authority and immunity is not limited to the extreme end of imminent risk to children, but incorporates a wide range of harms, including suspected ill-treatment, neglect, abuse or deprivation. If you have concerns about a child, you can report it under section 15.

Search warrants and production orders

If Police have a search warrant or a production order for information about a patient, health professionals have to hand it over to them under the Search and Surveillance Act. A search warrant or production order is approved and issued by the Court, if Police have met the grounds required under the Act. If Police have a search warrant they can search a health provider’s premises. If they have a production order, health professionals have to release the information requested. It is an offence to refuse.

But sometimes Police do not have enough information to obtain a compulsory order. The Privacy Act is flexible enough to allow health professionals to disclose information under an exception to rule 11, when necessary “to avoid prejudice to the maintenance of the law by any public sector agency, including the prevention, detection, investigation, prosecution and punishment of offences”.

You may have information that could help Police in their investigations. There will be no breach of rule 11 of the Code if you can demonstrate you have considered this exception, and you acted in good faith.

To be clear, this is your discretion, and there are several things to consider before exercising it.  

Things to consider

First, unless Police have a search warrant or production order health professionals don’t have to give them anything.

Secondly, you need to turn your mind to whether this disclosure is reasonably necessary in these particular circumstances. It’s Police’s job to convince you. If you are convinced, then you can release the information.

If Police’s request is vague or informal, or you question why they really need all that information, then follow up. They should provide you with a form or an explanation explaining why the information is needed. If you are unsure whether to disclose information, you may wish to seek legal advice or contact the Medical Protection Society for further guidance. If you are still in doubt, you don’t have to tell them, and you can ask them to go back and get a production order.

If you decide to disclose to a police officer, it is up to you to ensure the information you do disclose is proportionate and necessary in the circumstances.

Police don’t necessarily have to request information from you for this exception to apply. If you are concerned about a potential crime, or the health and wellbeing of someone, then you can disclose information to the appropriate authorities.

But again, before you do so, consider what information needs to be disclosed, why this particular information should be disclosed, and why it is necessary for the purpose you are disclosing it.

Also, consider who you are disclosing to. Make sure you send it to the people who can do something about it. Don’t set up a Facebook name and shame page about thieves, or arrange a public campaign against possible criminals. Let the professionals look into it and let them do their job.

If you have any concerns or questions, please try AskUs, an interactive FAQ tool on our website, or call our enquiries line on 0800 803 909.

Acknowledgement: This article was first published in NZ Doctor.

Image credit: Doctor examining a patient – Creative Commons.

Health Information Privacy Code, health, IPP11 – disclosure, law enforcement

Back

Source:

Mr Brooks was an active Taekwondo competitor and a long-time member of the Taekwondo Union of New Zealand (TUNZ). He represented New Zealand in the 2005 World Championships and the 2006 Commonwealth Championships.

In September 2008, Mr Brooks was suspended by TUNZ. The grounds for his suspension were contested. From early 2014, Mr Brooks and his supporters made requests under the Privacy Act 1993, for documents relating to his suspension.

In mid 2014, Mr Brooks sought to renew his membership of TUNZ. After some initial correspondence, TUNZ returned Mr Brooks’ membership payment and explained that membership was not automatic, but went on to state that the committee would consider a formal application with supporting material.

In December 2014, Mr Brooks made three requests for his personal information held by TUNZ. The first request was made on 11 December, and the other two requests were made on 17 December.

First request

The first request asked for all information held about him – in addition to specific details about the meeting that considered his membership application.

TUNZ’s secretary responded promptly on 17 December, saying that there had not in fact been a meeting to consider his membership application, since his application had been considered by email. Further, TUNZ considered that it had previously provided the information Mr Brooks sought about earlier events.

The Human Rights Review Tribunal found that there was a great deal of information that had not been earlier provided to Mr Brooks. It also noted that the fact that some information may have previously been released to Mr Brooks was not on its own a permissible ground for denying access to personal information. Refusal of an access request had to be based on the grounds set out in sections 22 to 29 of the Privacy Act.

Second request

After receiving the TUNZ secretary’s response on 17 December, Mr Brooks made a request for “the email correspondence in which I was discussed and all emails relating to my request for membership”.

Third request

A few minutes later, Mr Brooks made a third request, specifying “email correspondence between TUNZ and Dave Aldridge regarding my application to join TUNZ”. Mr Aldridge was a friend who had supported Mr Brooks’ application.

The Tribunal noted that it was not strictly necessary for Mr Brooks to submit these latter two requests, as his first request extended to all information TUNZ held about him.

Response by law firm

At this point, TUNZ instructed the law firm Gibson Sheat to respond to the requests, which they did on 30 January 2015. The requests were refused on the grounds that the information had already been provided, and that the information requested was “evaluative material” (s29(1)(b)).

Mr Brooks complained to the Privacy Commissioner.

Privacy Commissioner’s preliminary view

The Privacy Commissioner’s investigation led to discussion between the parties and clarification of certain points, including that the information requested was indeed ‘personal information’ about Mr Brooks. The preliminary view of the investigator in July 2015 noted that some requested information was covered by legal professional privilege and so could be withheld on that basis.

Eventually, some 700 pages of correspondence relating to Mr Brooks was collated and released to him on 3 September 2015. Although it agreed to release the information, TUNZ maintained its position that it had been justified in relying on section 29(1)(b) to withhold the information.

Tribunal hearing

Mr Brooks challenged the withholding grounds relied on by TUNZ and sought a number of remedies, including a declaration and damages of $30,000. He later modified this position; seeking only a declaration of an interference with his privacy.

TUNZ also modified its stance, conceding that only four pages of information could be considered to be evaluative material.

Tribunal’s finding of undue delay

The Tribunal formed the view that there was no proper basis for withholding Mr Brook’s information from him and that the delay in providing him with the information was unjustified.

The Tribunal noted that an agency must make a decision on whether an access request is to be granted “as soon as reasonably practicable” and in any case not later than 20 working days (section 40). However, it pointed out that Privacy Act does not require the information to be provided at the same time. “Indeed the Privacy Act does not set a fixed time within which access to the requested information must be given.” It will be an interference with privacy is access is “unduly delayed” and there is no proper basis for delay (section 66(4)).

The information was not provided until September 2015 and the Tribunal found this to clearly represent undue delay.

TUNZ argued that it had a genuine belief that the documents were able to be withheld on the basis that they were evaluative material. TUNZ also pointed out that it was a voluntary organisation with little or no prior experience of access requests and limited time and resources to fulfil the request.

The Tribunal commented:

“It is not a defence that the agency honestly but mistakenly relied on one or more of the withholding grounds… Resource issues, while relevant, are not determinative… TUNZ cannot rely on its mistaken application of the provisions of the Act to justify the late delivery of the information on 3 September 2015.”

Remedy

As sought by Mr Brooks, the Tribunal issued a formal declaration that TUNZ had interfered with his privacy. It went on to note that TUNZ was “fortunate Mr Brooks abandoned his request for damages as TUNZ was at real risk of having an award made against it”.

No costs were awarded.

Image credit: US Army Taekwondo champion via Wikimedia Commons.

Human Rights Review Tribunal, IPP6 – access

Back

Source:

Organisations sometimes get it wrong when they respond to a person’s request for their personal information. Information is sometimes lost, displaced or accidentally deleted. A recent privacy case dealt with by the Human Rights Review Tribunal considers when an organisation can call it quits when it comes to searching for personal information in responding to an access request.

In Yiasoumi v Attorney General [2017] NZHRRT12, Police were accused of breaching an individual’s privacy by concealing requested information.

Police investigation

The case unfolded when police officers arriving at a callout in a Wellington suburb in April 2013 found a man suffering from serious injuries. The victim, Yiasoumi Yiasoumi, was the landlord of the residential property where the attack took place. He told police officers he was visiting the address when he was set upon by unknown assailants who, without provocation, beat, kicked and choked him until he lost consciousness.

Mr Yiasoumi was accompanied to hospital by one of the police officers in an ambulance. Using his Police issued iPhone, the officer took four photos of the scene of the attack and, later at the hospital, two of Mr Yiasoumi’s heavily bandaged face. The officer who took the photos did not attach the ones of the victim’s injuries to the investigation file. Instead he stored them in his personal file in the system’s shared drive.

In an interview a few weeks later at the Lower Hutt Police Station, Mr Yiasoumi was informed Police had obtained CCTV footage of the incident and in it he was shown damaging the tyres of a vehicle owned by one of the people thought to be responsible for attacking him.

The detective in charge of the investigation told Mr Yiasoumi that Police could proceed with an assault complaint against one of the people but Mr Yiasoumi would also face charges of criminal damage. Faced with this dilemma, Mr Yiasoumi chose not to proceed with charges and did not make a statement. Police then closed the file.

But Mr Yiasoumi continued to be unhappy with the decision to close the case. One year and four months later, he made a request for the two photos of his injured face. He accused the detective in charge of creating a fictitious police report and concealing the photographs to prevent their use in an intended private prosecution against the officer for perverting the course of justice.

Police told Mr Yiasoumi they couldn’t comply with the request because staff were unable to find the photos in their File Management Centre, which is housed in Palmerston North. Mr Yiasoumi complained to the Privacy Commissioner that Police had breached his privacy by declining his access request and subsequently took his case to the Human Rights Review Tribunal.

Our investigation

In our investigation, we concluded there had been no breach of the Privacy Act because Police could not provide something they could not find – as set out in section 29(2)(b) of the Privacy Act. In hearing the case anew, the Tribunal also had to decide if Police had breached the Act in declining the request.  

Nevertheless, Police continued their inquiry into the question of whether photos had been taken at the hospital. When Mr Yiasoumi explained the photos had been taken by the uniformed police officer who accompanied him in ambulance, the photos were tracked down to the officer’s personal folder. Police explained they had no ability to search across such folders. As a result, due to human error, the File Management Centre did not have a record of the photos.

Tribunal decision

In its decision, the Human Rights Review Tribunal referred to Geary v Accident Compensation Corporation whereby in relying on section 29(2)(b), an agency must show that it made reasonable attempts to find the information. That search must not only be a reasonable one but also thorough and intelligent rather than mechanical.

The Tribunal concluded that section 29(2)(b) did not require an agency to apply unlimited resources to locate the requested information. While Police did carry out an exhaustive inquiry into the photographs, the Tribunal said a ‘no stone unturned’ inquiry is not the standard set by the Privacy Act.

Police were justified in refusing Mr Yiasoumi’s request under section 29(2)(b) on the grounds the information requested did not exist, or could not at the time be found. The Tribunal concluded there had been no interference with Mr Yiasoumi’s privacy. However, as a footnote, once the photos were eventually found, they were sent to Mr Yiasoumi.

When making a request

This case demonstrates the importance of being specific and giving context to your request. Agencies don’t have to expend unlimited resources looking for something – even when the request is really important to the individual. When making an access request, remember to:

• be concise
• give context
• give details of who was involved and where you think they might have put the information; and
• if appropriate, give reasons why you need the information.

Image credit: Creative Commons Licence via Pixabay

IPP6 – access, Human Rights Review Tribunal, law enforcement

Back

Source:

A recent data breach provided an example of how it is sometimes possible to catch a breach as it is happening and avert potential harm.

An email was sent to the wrong person in the sender’s address list. We have probably all done this at least once. If you are quick, you can sometimes recall the email, deleting it from the recipient’s system before they have opened it. In this case, the recipient had already opened the email.

The incident was resolved by a staff member making the effort to visit the recipient who happily showed them how the email had been deleted and gave assurance that it had not been copied or forwarded. Knowing the recipient through their relationship with the company gave confidence they could be trusted. The data had not got away. This was a good catch.

This degree of co-operation does happen sometimes, so with a friendly recipient it may be worth making the effort to arrange a visit. A visit gives that extra bit of confidence about how the email has been dealt with, and gives an opportunity to thank the person directly for their cooperation.

Here are three steps you can take to help keep emails from getting loose:

Set a delay rule

A good step to take is to set a delay on outgoing emails. This means you will have a little time (you can decide how long) between finishing the email, and it actually leaving your system. [For Microsoft Outlook users, go to: “File”, then “Info”, and” Manage Rules and Alerts”]

Practise recalling an email

Your email system probably has a function to delete emails from the recipient’s system if they have not already been read. This might work within your organisation, but will not help with emails going out of your organisation. Practise using that function once or twice with test emails so that it is easy to do without panic when you suddenly realise you want to recall an email that was just sent. [For Microsoft Outlook, open the message, open the “File” tab, under “Info” is “Resend or Recall”.]

Be nice to people

The story also indicates the value of treating people with respect in your organisation’s dealing with them. If the recipient of the email had had bad experiences with the organisation, they would have been much more reluctant to co-operate.

Further tips for managing emails were described in this earlier blog post.

We regularly get data breach notifications and this year we will be sharing the lessons learned from these more regularly. If you want to know more about data breaches, please check out our data safety toolkit.

Image credit: Stop sign by ndemello (via Creative Commons)

email, data, breach

Back

Source:

We live in an age where agencies collect and hold a lot of information about us. When we then request access to that information, this places demands on the time and resources of agencies to meet their obligations under the Privacy Act. Agencies sometimes feel a bit overwhelmed when responding to requests for personal information –  especially where a high volume of information is held.

Here are our top tips for getting sorted and avoiding problems down the road:

1. Can you get the requester to narrow the scope of their request?

While individuals are entitled to access all personal information held by an agency, we often find that requestors have a specific issue in mind when they make a request for personal information.  A phone call to the requestor can sometimes clarify what it is they are after.

For example, an elderly man requested all of his health information from his GP. These records dated back some 20 years and included hard copy material archived off site. A phone call from the GP to the man established that he wanted information relating to an issue with his hip. There was no need for the GP to trawl through 20 years worth of records to satisfy his request, once both parties had agreed on the amended parameters of the request. 

2. Don’t duplicate information

The Privacy Act entitles individuals to access their personal information held by an agency. But where an agency holds this information in multiple and duplicate forms, it is not required to provide the same information over and over again.

For example, we recently dealt with a case where an agency sought to withhold emails because they were subject to legal professional privilege.  The agency supplied hard copies of each email to the requestor, with the contents blanked out. Rather than supply one copy of the email trail, which included all of the correspondence, the agency supplied every single copy of each email, which included all of the correspondence that came before it. This added up to dozens of pages, with all of the content redacted. This gave the impression to the requestor that far more information was being withheld than was actually the case (because much of the blanked out material was simply duplicated information).  

We also advise agencies that, rather than providing completely blanked out documents, they can simply tell requesters that some information is being withheld under the Privacy Act, and give the specific grounds (for example, advising a requester that “some information has been withheld from you under 29(1)(a) of the Privacy Act”).

3. Think carefully about whether information should actually be withheld

In our experience, human nature means that as soon as someone sees that information has been redacted, (or is advised that some information has been withheld) they automatically assume it is far more interesting than it is! Most of the withheld information we review is quite benign. In fact, we have reviewed some documents in which pages numbers have been redacted – the result of some over enthusiastic redaction. Keep in mind that requestors always have the right to complain to our office and have any redacted or withheld information reviewed. Getting the redactions right in the first place can save you a lot of time down the line, in terms of engagement with our office, or as subject to proceedings in the Human Rights Review Tribunal.

4.  Make sure you redact information properly

We have seen redactions made with vivid pen, in which the information can be read when held up to the light. Use of redaction tools such as Adobe PDF is a good idea, however, be aware that in some cases, if the file is sent electronically, cutting and pasting the withheld information into a different document will reveal the contents of the redacted section!

5.  Think about plain English explanations for why information is withheld

If you use a withholding section often, it can be useful to prepare some clear wording that explains in a straight forward way why you believe the information needs to be withheld. The minimum you need to provide to a requester is the section of the Privacy Act you are relying on and, if the requestor asks for it, you will also need to provide the grounds in support of the section used. Providing a reasonable explanation up front can save you time.  

6.  Good communication prevents complaints

Make it your practice to give good information to requestors about what’s happening with their request, and tell them when they can expect to hear from you. They won’t need to engage with us if you are engaging with them.  

7.  Keep an eye on the clock!

Agencies have timeframes they must meet under the Privacy Act when responding to requests.  Make sure you are familiar with these. We don’t want you to respond to a request with the best of intentions, and end up being caught foul of the Privacy Act because your response was a day late. We have a handy calculator on our website to assist.  Familiarise yourself with Part 5 of the Act – we’re told it makes great bedtime reading.

Don’t be afraid to ask for advice. Our AskUs tool on our website contains information and our enquiries line can offer general advice.

Image credit: Information centre sign (Malaysia) via Wikipedia

IPP6 – access

Back