Home DNA tests and privacy

Reviewed for relevance April 2025.

Since 2007, companies like 23andMe.com and Ancestry.com have made at-home DNA testing kits accessible to the masses. Through a simple online order, you can receive a kit, provide a saliva sample and return it to the company for analysis. Genetic data is highly sensitive given that, other than in the case of identical siblings, it is utterly unique to you.

Direct-to-consumer (DTC) genetic testing kits are billed as an inexpensive, non-invasive method of gaining personalised insights into your health, discovering distant family members and learning your genetic origins.

Some companies that sell DNA kits make dubious claims about what their tests can show, and consumers who receive home DNA kits often sign up to opaque terms and conditions that allow their genetic information to be used in ways that would make most people deeply uncomfortable.

According to recent estimates, some 26 million people across the globe have used DTC DNA kits. The largest provider of these services, Ancestry.com, stated that by May of this year it had examined 15 million DNA samples. New Zealanders have a higher rate of testing than people in many other nations. A spokesperson for Ancestry.com told Stuff in 2018 that he believed testing was popular in New Zealand because many Kiwis wished to “find some connection to a bigger story, a bigger sense of belonging to the world.”

How do these tests work?

Although there are many types of at-home DNA tests available, the most common one helps consumers link up with distant relatives and discover their genetic roots.

Human DNA is 99.9% identical in all people. The remaining 0.1% contains what are termed single-nucleotide polymorphisms (SNPs). SNPs account for all variation between people, including our height, build, hair type, eye colour and so forth.

DTC DNA companies analyse samples collected from the public and compare the unique pattern of an individual’s SNPs to reference groups from around the globe. That comparison indicates how closely your pattern of SNPs resembles broad groups such as Western European, Northern African, East Asian and so forth. Once the tests have been examined, consumers receive reports (such as the one below) that outline the percentage of their genes that appear to originate from different countries.

Accuracy issues

Some experts have levelled criticism at the accuracy of take-home DNA tests. Criticisms include that these companies generally don’t share their data, that their methods are not externally validated, and that some consumers have submitted their DNA to multiple organisations and received differing results. Such tests are perhaps best described as giving a probability of where your genes come from rather than a precise picture.

Many genetic markers may be found in multiple populations around the world. This means that trying to neatly categorise people into groups like “European” or “West African” may gloss over massive intragroup variability. Experts argue that human genetic variation does not neatly fit into arbitrarily defined borders. Reporting from Vox highlighted that studies of DTC genetic testing showed that it may in fact “reinvigorate age-old beliefs in essential racial differences.” In other words, it may help to reinforce the idea that there are fundamental differences between people of different skin colours.

A report received from 23andMe by Vox journalist Danush Parvaneh outlining the broad categories of his genetic background. Source: Vox YouTube Channel

Opaque terms of services and sharing results with law enforcement

Dr Andelka Phillips is a Senior Lecturer at the University of Waikato’s Faculty of Law and a Research Associate at the Centre for Health, Law and Emerging Technologies (HeLEX) at the University of Oxford. Her research focuses on the regulation of the direct-to-consumer (DTC) genetic testing industry. One of Dr Phillips’ main criticisms of the industry is the extremely long and complex terms of service that consumers must agree to as part of submitting their saliva samples.

Dr Phillips reviewed the contracts of 71 of these companies, which revealed some disconcerting clauses. Seventy-two percent of contracts included a clause allowing the company to alter its terms (without the agreement of the consumer), with 28 contracts including a condition allowing terms to be altered at any time. Nearly half of the reviewed contracts allowed for disclosure of personal data or genetic data to third parties in certain circumstances.

Twenty-five percent of contracts permitted disclosure of DNA data to law enforcement. In 2019, it was revealed that FamilyTreeDNA, a company which had collected more than 1 million DNA samples, had been working with the FBI to investigate violent crime.

Privacy considerations associated with these tests

For users of DTC DNA kits, there are major privacy questions, including: How long do these companies keep consumers’ genetic information? Who is the data shared with, and for what purposes? And are you able to request that your information be deleted from the company’s records?

Some companies in this industry have been explicit in stating their real motives for collecting people’s DNA. 23andMe, at its launch in 2007, told the San Francisco Chronicle: “Once you have the [genetic] data, [the company] does actually become the Google of personalized health care.” Understanding variations in the human genome may assist with drug development and give DTC DNA companies valuable insights into the global pharmaceutical industry, worth $1.2 trillion USD in 2018. Drug-company giant GlaxoSmithKline invested $300 million in 23andMe in 2018 with an eye to using the DNA company’s de-identified, aggregate customer data for drug research. As this Atlantic article noted, “you don’t make that kind of money selling $99 spit kits.”

Dubious tests conducted by some DTC DNA companies

The lack of regulation in the DTC DNA industry is apparent in the fact that some genetic testing companies offer to reveal information about people that there is no scientific evidence they can deliver. Examples include tests that claim they can show whether your child has “language learning” genes, will possess innate football talent or even whether they are a “picky eater”. The evidence that DNA can reveal any of these traits is doubtful at best and, more likely, completely misleading.

One savvy Canadian man decided to assess the accuracy of a Toronto-based DTC DNA lab which charged $250 to conduct a check into your ancestry. He submitted three samples for analysis: two from himself and one from his girlfriend’s dog. The results he received showed that both he and Snoopy the chihuahua shared identical “indigenous” ancestry. It emerged that the tests were being used by some wealthy Canadians to fraudulently attain indigenous status and save money on some taxes.

Touch, pause, engage – dealing with privacy in sports clubs

New Zealand is generally an engaged country, and most of you reading this will be, or will have been, members of a club at some point. Whether it is a swimming, softball or rugby club or a miniature horse society, you will have been involved in one or know someone who is.

A common issue that arises is how those small clubs handle personal information.

Here’s a hypothetical. Let’s say Lucy makes a request for her personal information but Ethel, who is the chairperson of the Canasta Club, insists there is no need to comply with the request.

The difficult news for Ethel is that the club has obligations under the Privacy Act 1993 to provide Lucy with her personal information – for example, meeting records that may mention her and any other information.

Definition of personal information is wide

Personal information is any information which tells us something about a specific individual.

The information doesn’t necessarily need to name Lucy – she may be identifiable in other ways, like through her home address. All sorts of things can contain personal information, including notes, emails, recordings, photos and scans, whether they are in hard copy or electronic form.

This means that Ethel will need to think carefully and make an assessment about what personal information the club holds about Lucy.

In the unlikely event your club gets a letter from our office notifying you of a complaint made against your club, here are some key points to consider.

You’re not in trouble, so don’t panic

Say Lucy makes a complaint about the Canasta Club to our office because her request was not complied with. Here are two common scenarios where we may investigate.

Scenario 1 – Request for personal information

Our office needs to consider whether Lucy’s right to access her personal information has been interfered with. If Ethel failed to respond to Lucy’s request, we will contact the club and ask it to either:

  1. Give the information to Lucy directly if the club has no reasons for withholding the information, or
  2. If the club is seeking to withhold Lucy’s information, it needs to explain which withholding grounds it is seeking to rely on (as set out in sections 27 to 29 of the Act).

This letter from our office will inform the Canasta Club that we have received Lucy’s complaint. The notification letter will set out the facts as Lucy has put to us, and identify why the complaint may raise issues under the Privacy Act.

The facts set out in the notification letter do not necessarily mean that our office is investigating the matter on those facts only. We’re also contacting the club to understand what has happened from its perspective.

The notification letter will also include a ‘statutory demand’. This means the club is required to provide any information it wishes to withhold to our office for review. We will then assess the information and determine whether the club is justified in withholding the information, or whether we think it should be released to Lucy (see sections 91(4) and 92 of the Privacy Act).

Scenario 2 – Collection, disclosure, security, and use of personal information

Lucy gave Ethel her email address and mobile phone number so that Ethel could let her know about canasta in the local area. Lucy claims Ethel gave this information to Briony, who rang Lucy to ask her to join her pyramid selling scheme. Lucy was annoyed that Ethel had given her mobile phone number to Briony.

In this scenario, we would get in touch with Ethel to understand what’s happened, and to get her side of the story. We would then decide whether the club interfered with Lucy’s privacy.

Our office keeps things confidential

It is important to note that our office’s proceedings are privileged. This is set out in section 96 of the Privacy Act.

Section 116 also requires our office and its staff to maintain secrecy in respect of all matters that come to our knowledge in the exercise of our functions under the Act. These are obligations we take very seriously.

We therefore cannot pass on the information that the Canasta Club has about Lucy. If our office makes a finding the information should be given to Lucy, it is up to the club to do this.

Working with us is beneficial for your club

It is in the Canasta Club’s best interest to work with our office. We have no powers to force the club to provide the information to Lucy.

Our office’s recommendations are persuasive but not binding; we are here to try to assist you in meeting your obligations under the Privacy Act.

If we are unable to resolve the matter, Lucy has the right to go to the Human Rights Review Tribunal.

Resolving the matter through our process means that Lucy is less likely to take the matter to the Tribunal. It also means that Lucy and Ethel can work towards mending their friendship and returning to the table to play a round of canasta.

We’re here to help you

We understand that whether playing petanque, softball or canasta, you’re not thinking much about how to keep Lucy’s personal information safe and secure, and it may be your first time dealing with our office.

If you have any questions, please don’t hesitate to ask us for help. It is not necessary to engage a lawyer. Our office is a dispute-resolution-focused agency – we are ultimately here to try to assist clubs to remedy a privacy issue and come to a resolution.

We also have guidance resources – such as our Priv-o-matic privacy statement generator and our AskUs FAQs – available on our website which you might find helpful.

Image credit: US airman kicks a rugby ball – Public domain.

What’s in your DNA? What genetic testing might tell us about our health

We’ve all seen the ads for genetic ancestry testing – as a way for people to trace their genealogy beyond traditional family trees and historical detail. And thanks to shows like CSI, the public might think of DNA as an investigative tool for the Police; a silver bullet that can solve any high-profile case in just minutes. But DNA can be used for much more than law enforcement activities or tracing ancestry.

The Law Commission – Te Aka Matua o te Ture – is currently reviewing the use of DNA in Police investigations. While its review focuses on Police DNA analysis and databanks, it also raises some significant questions that relate more broadly to privacy and health issues.

Genetic profiling might reveal genetic disorders

The Law Commission’s review considers how DNA profiles generated for criminal investigatory purposes may also reveal a genetic disorder, including conditions the individual may not yet be aware of. For example, testing can determine if a person has the genetic markers for Huntington’s disease, which is fatal and currently has no cure.

As doctors will be aware, genetic testing can confirm a diagnosis when symptoms are present and there is a documented family history of a particular disorder. However, some people who have a parent with a disorder will choose to be tested before presenting with any symptoms. Others choose not to be tested at all – even if it is an available option.

Medical genetics specialists will generally only make a DNA test available alongside full genetic counselling and a psychological evaluation because of the risk of harm from receiving such sensitive information if the patient is not fully prepared for it. Revealing genetic disorders without this kind of support could result in significant psychological distress for the patient.

Genetic information may affect life and health insurance

Alongside the psychological impacts of testing positive for a genetic disorder, this information may also affect a patient’s possibility of obtaining life and health insurance. Some countries have enacted legislation to restrict or ban the use of genetic information by insurance companies, so that insurance providers can’t charge higher premiums or exclude insurance cover if an individual has a genetic risk marker for particular conditions or diseases.

Future genetic testing is likely to provide even more information

Commercial genetic tests are currently marketed for tracing ancestry, and there are questions about how accurate these tests might be. But with advances in genetic science, it’s likely that commercial tests in the future could reveal significantly more information about an individual.

The Law Commission considered whether there are circumstances when Police may have a duty to disclose information about a genetic disorder to an individual. The review raised as an example malignant hyperthermia, which can cause death and can now be diagnosed by a DNA test.

If this type of information came to Police attention from a DNA sample analysed as part of a criminal investigation, should Police be required to disclose that to the individual, who may not know they are at risk? Or, if an individual makes a Privacy Act request for their own genetic profile, what are the consequences if they inadvertently learn more about themselves than they were prepared for?

Conceivably, in the future your patients may receive information about a genetic disorder or risk factor which they have tested positive for, but for which they are unprepared. They may well have many questions that you will have to assist them with.

Updating the law

There are no easy answers to these issues, but it’s important to give some thought to what the future holds. The Law Commission recommends that the Criminal Investigations (Bodily Samples) Act should be replaced with a law that is more up-to-date with scientific advances.

Other legislation or regulation might also be necessary to control what commercial DNA testing companies can test for, or how patients should be told about genetic disorders for which they have tested positive. In the meantime, general practitioners will want to be aware of the work being done in these areas and be prepared to answer questions about what DNA results might mean for their patients’ health.

First published in New Zealand Doctor on 22 May 2019.

Image credit: New Zealand Law Commission logo.

Director of Human Rights Proceedings v Cameron Slater

Cameron Slater, a well-known blogger, published a number of posts about business consultant Matthew Blomfield on the Whale Oil site. The posts were released between May and October 2012. There were additional publications containing personal information about Mr Blomfield on other blog sites.

The posts accused Mr Blomfield of dishonesty, theft, bribery, deceit, perjury and asserted, amongst other things, that Mr Blomfield was a psychopath, loved extortion and was a pathological liar.

The source of the information for the posts came from a hard drive that Mr Blomfield had used over a ten-year period to back up his business emails and documents. How the hard drive came into Mr Slater’s possession was not confirmed, although Mr Slater denied taking it unlawfully.

What was disclosed

Mr Blomfield claimed that at least 46 of his documents, containing personal information, were published by Mr Slater in 2012. These included business emails, correspondence with his lawyers, bank statements, photographs of Mr Blomfield, and a police adult diversion scheme form for Mr Blomfield.

The Director of Human Rights Proceedings (“the Director”) alleged that Mr Slater’s actions in disclosing personal information about Mr Blomfield had breached privacy principle 11 and had caused significant emotional harm.

Mr Slater’s defence was that in publishing this material in the blog posts, he was acting as a news medium, and was therefore exempt from the Privacy Act altogether. The news media exemption in the Privacy Act (section 2(1)(b)) provides that the news activities of any news medium are excluded from the Act’s coverage.

What counts as “news activity”

The Tribunal looked at a number of Whale Oil blog posts about Mr Blomfield and considered whether those posts could be considered to be a news activity. The Tribunal noted in its decision that the media exemption was not all-encompassing or open-ended [para 62.5].

Further, the Tribunal said it was “… not the purpose of the news medium exemption to shield a news medium from the Privacy Act where the agency fails to meet the standards of responsible news activity, including impartiality, accuracy and balance” [para 62.8].

In considering what constituted “news” the Tribunal noted “…the personal information must itself qualify as news, observations on news or current affairs before the news medium exemption applies” [para 78]. This test takes into account the fact that the Privacy Act’s primary purpose is to protect information about individuals.

There was a countervailing responsibility upon news media to act ethically and in a manner that was consistent with the public interest in fair and accurate reportage of news or current affairs [para 80].

Of the 40 or so documents published by Mr Slater, there were 12 posts in which Mr Blomfield’s personal information was accompanied by observations on news or current affairs. The Tribunal considered the application of the news media exemption in relation to only those 12 posts [para 95].

The Tribunal found that, with one exception, none of the blogs comprised news activity as defined in the Privacy Act [para 135].

Harm

Mr Blomfield submitted on the significant harm he had suffered as a result of the publication of the blog posts, including feelings of paranoia; difficulty sleeping; anxiety; concerns about personal and family safety; and a loss of confidence [para 141].

The Tribunal found that, on the balance of probabilities, Mr Blomfield had experienced significant humiliation, loss of dignity and injury to his feelings, and that Mr Slater’s actions were a material cause of the harm [para 142-3].

Remedies

The Tribunal awarded Mr Blomfield $70,000 for severe humiliation, severe loss of dignity and severe injury to feelings [para 173].

The Tribunal also made an order restraining Mr Slater from continuing or repeating the interferences with Mr Blomfield’s privacy, and an order that Mr Slater ‘erase, destroy, take down and disable’ any personal information about Mr Blomfield on the Whale Oil website or other websites within Mr Slater’s control [para 162].

A declaration was issued by the Tribunal that Mr Slater had interfered with Mr Blomfield’s privacy.

Image credit: Office of Human Rights Proceedings

Public education should be the focus of government investment

Responding to Friday’s announcement of a new government and new coalition agreements, Chris Abercrombie said the vast majority of students in Aotearoa are in the public education system and this is where investment should be made.

In 2018 when charter schools were disestablished there were 808,439 students enrolled in the public system and around 1500 enrolled in charter schools.

“The focus on the government needs to be on ensuring we have a robust and equitable public education system. Our kura are at the very heart of our communities, and we must ensure that we build and develop the amazing work and ongoing possibility that exists within this system.

“All schools are focused on students achieving their best; it is vital that the government also understands that supporting the whole young person is key to maximising their potential.

“We will be looking at the coalition agreement in detail once it is released to see what commitments have been made to support public secondary education and what vision there is for secondary education for our rangatahi.”

Last modified on Sunday, 26 November 2023 15:30

Secondary principals survey an accurate reflection of top concerns

“Three years of COVID disruptions, increasing concerns about climate change and the relentless influence of social media have resulted in increasing numbers of our students feeling vulnerable and anxious. Stress, depression and anxiety cannot be left at the school gate and are not conducive to learning.

“Helping rangatahi realise their potential and giving them the knowledge, skills and opportunities they need to live their best lives are what principals live for. Schools will pull out all stops to help students who are at risk and in need. We need more pastoral staffing in our schools to work with vulnerable students and their families and alternative education services to help them as much as possible to stay engaged with education – once they disengage it’s often very difficult to get them back.”

Kate Gainsford said the report had correctly identified teacher recruitment as another burning issue for principals. “There are serious problems with recruiting graduates into secondary teaching.

Every secondary student deserves a subject specialist teacher and when schools are not able to provide that, it keeps principals awake at night. The Ministry needs to take its responsibilities for workforce planning very seriously.”

She was not surprised that the report found many principals were concerned about the management of the NCEA and curriculum changes. “The support and resourcing has been slow and piecemeal and teachers and ākonga deserve much better. Of course schools are doing everything they can to make the best of a sub-optimal situation. I sincerely hope that the voices of concern will begin to be heard. We all need to be able to have absolute confidence in our national curriculum and qualification.”

The pressure of these issues on principals aligns with the finding that only nine percent find their workload manageable. “Acute issues with vulnerable students, endless recruitment and having to untangle the NCEA change process chews up the hours in a day, leaving many principals working long hours to keep up. More structured and systematic support for leadership as well as resolving issues with the teacher shortage would go a long way to make workloads more manageable.”

National survey of secondary school principals

Last modified on Friday, 3 November 2023 12:14

When your patient has a gun: changes to firearms legislation

Following the tragic events of Christchurch in March 2019, gun reform is a legislative priority. The Government recently introduced the Arms Legislation Bill to impose tighter controls on the use and possession of firearms.

Many doctors, particularly in rural areas where firearms are more common, may have found themselves in a situation where they have concerns about a patient’s access to a gun. The new Bill will provide some support to health practitioners who hold concerns about individual or public safety. It may also mean that health practitioners are asked for information by Police more often when Police are considering firearms licence applications.

Changes to the application process

The Bill will change the process for applying for a firearms licence. Under the process as proposed, applicants would be required to provide the name and contact details of their health practitioner. Police could then use this information to notify the relevant medical practitioner of the fact the individual holds a licence.

The Bill also clarifies what Police can consider as part of a “fit and proper person” test for a firearms licence. The Bill says Police can consider:

  • the applicant having exhibited significant mental health issues, including attempted suicide or other self-harm;
  • the applicant abusing alcohol, or having a dependence on alcohol, to an extent that detrimentally affects their judgment or behaviour;
  • the applicant using legal or illegal drugs in a way that detrimentally affects their judgment or behaviour.

Health practitioners may find that they receive more frequent requests from Police, either to query an applicant’s mental or physical health, or to advise that a firearms licence has been granted. This will mean health practitioners will be more aware of their patients’ access to firearms.

Concerns about an individual who may be unfit to use a firearm

The new Bill will allow for health practitioners to disclose to Police information about an individual’s mental or physical health where the health practitioner is concerned that an individual is unfit to possess and use a firearm.

The new section 91 states that a health practitioner must consider notifying Police if they have reason to believe that their patient is a firearms licence holder and they consider that in the interests of public safety, that person should not be permitted to possess or use a firearm due to their mental or physical condition.

If a doctor decides to notify Police, they will need to tell Police:

  • their opinion and the grounds on which they have come to that conclusion;
  • whether the doctor believes the licence holder poses an immediate or imminent danger of self-harm or harm to others.

Police may then temporarily suspend the licence. Police may also require a firearms licence holder to undergo a further medical assessment in considering whether to revoke the licence.

Health practitioners may already be aware of their ability to disclose personal health information to Police if they have concerns about safety. The Health Information Privacy Code 1994 allows health practitioners to disclose health information if they believe it is necessary to avoid a prejudice to the maintenance of the law or there is a serious risk to an individual’s or the public’s safety. The new section in the Arms Legislation Bill provides further support for health practitioners to disclose information where they have serious concerns.

The new section does not impose any obligation on health practitioners to disclose patient information to Police. Health practitioners who disclose information in accordance with new section 91 will be protected from criminal, civil or disciplinary proceedings as long as they act in good faith.

Supporting health practitioners and protecting individual privacy

The Office of the Privacy Commissioner has engaged with Police to ensure that the new firearms legislation appropriately accounts for individuals’ right to privacy, while also addressing the important public safety concerns. The legislation is not perfect – and the Commissioner will be making a submission to the Select Committee considering the Bill on improvements that can be made.

During the development of the Bill, Police originally proposed that health practitioners should have direct access to the registry containing information about all firearms owners. The Commissioner raised concerns about this proposal because of the number of individuals who would have access to the registry, the potential for data breaches and the safety concerns. The Commissioner also noted concerns that the health sector had not been consulted in the development of the proposal. He was also concerned about the effect on the willingness of unwell people, particularly in rural communities, to seek support.

As a result of our feedback, the proposal was changed so that health practitioners would not have direct access to the registry.

If health practitioners have concerns about patient or public safety because of someone’s access to a firearm, they should feel confident and supported in their ability to share this information with appropriate agencies which can act before something goes wrong.

The Arms Legislation Bill is currently before Parliament’s Finance and Expenditure Committee. Submissions on the Bill closed on 23 October 2019. You can read the full content of the Bill here.

This article was first published in the November issue of NZ Doctor.

Image credit: Five bullets via Wikimedia Creative Commons.

Google wins EU right to be forgotten case

Reviewed for relevance April 2025.

A fortnight ago, Europe’s top court, the European Court of Justice (ECJ), ruled that Google would not be required to apply the ‘right to be forgotten’ globally. This means that search results suppressed within Europe at the request of an individual will still be available to searches made from outside Europe. Sometimes referred to as the “right to erasure”, the rule gives EU citizens the power to demand that data about them, including search links, be deleted.

In 2015, French national privacy regulator – CNIL – ordered Google to remove search listings linking to pages that contained false or defamatory information about individuals.

Google implemented a geo-blocking feature that would prevent people searching from within the EU from being able to access search results that had been delisted. It did not impose the same restrictions on searches from outside the EU. CNIL tried to fine Google 100,000 euros for failing to delist the search results from Google sites worldwide. Google appealed against the fine to the European Court of Justice.

Google argued that it wished to ensure the right to be forgotten was enforced in the EU while also balancing individuals’ rights to access information. The Court ruled that EU law did not require search engine operators to “carry out such a de-referencing on all the versions of its search engine.” In other words, Google would only be required to delist results from Google sites based within the EU.

History of right to be forgotten

Although it had been discussed and ruled upon in European jurisdictions to varying degrees throughout the early 2000s, the right to be forgotten from search engine results in EU law derives from the case in which a Spanish man, Mario Costeja González, took Google to court in Spain in 2014. Mr González was concerned that a Google search of his name brought up a 1998 Spanish newspaper article detailing how he had been forced to sell his property to repay social security debts. In the European Court of Justice, Mr González contended that this record was no longer relevant to his life as he had paid his debts to society. He argued that having the record so readily accessible to anyone who searched his name on Google put a stain on his reputation.

The European Court of Justice declared that Google must remove the man’s data from its indexes. The newspaper that originally published the article was allowed to keep the story of the forced sale on its site as it had been lawfully published.

In the five years since the 2014 ECJ ruling, Google has removed more than 800,000 URLs after receiving a request for erasure. It has retained more than a million others in its index.

In 2014, Privacy Commissioner John Edwards wrote this blog on the right to be forgotten. In the blog, the Commissioner wrote that the term “right to be forgotten” is “inaccurate, imprecise and impossible.” It could mean removal of content from a public source, or leaving a social network and taking your data with you, but it could not mean an “enforced right to be forgotten.”

When the General Data Privacy Regulation (GDPR) was passed into law in the European Union in May 2018, Article 17 outlined circumstances in which someone can exercise the right to have their data erased.

The GDPR rule

The GDPR provision sets out that data must be erased immediately in the following circumstances:

  1. Where the data is no longer required for the purposes for which it was processed
  2. The subject of the data has withdrawn their consent or objected, and there is no other legal ground for processing
  3. Erasure is required to fulfil a statutory obligation under EU law or the law of a Member State

The goal of the provision is not internet censorship but rather, that it should be difficult for someone to discern personal data without substantial effort.

What does this mean for New Zealand?

Neither New Zealand’s current Privacy Act 1993 nor the Privacy Bill currently before Parliament contains an equivalent to the EU’s right to be forgotten. The Commissioner recommended that the Bill offer a right to erasure, allowing people to require a company to delete all of their personal data and halt third-party processing of that data.

Our Office will continue to monitor judgments relating to the right to be forgotten with interest.


What is a “compliance advice letter”?


Investigating complaints is an important function of our office and a considerable part of our workload. When we receive a complaint, we make an initial assessment about what steps we will take next. In some circumstances, we will investigate. In other instances, our office may decline to investigate.

There are also occasions when we cannot investigate, but we may decide that the complainant has raised legitimate concerns that should be brought to the attention of a respondent agency.

For instance, we may not have enough evidence of a breach of the Privacy Act or of a code of practice, but we have concerns about the conduct or practices of an agency. At this stage, we may offer a complainant the option of our Office contacting the agency with a compliance advice letter.

Compliance advice letter

What our compliance advice letter contains will depend on the circumstances of the complaint. We may take the opportunity to:

  • relay a complainant’s concerns directly to an agency
  • remind an agency of its obligations under the Privacy Act and codes
  • identify what conduct and practices of the agency we think conflict with its obligations
  • express any general concerns we have
  • make recommendations to an agency – such as a change to a policy, or an action it may wish to take with the complainant, such as offering an apology or an assurance
  • suggest the agency undertake our online privacy training to better understand its obligations.

How does it work?

But is a compliance advice letter from our office just a ‘slap on the wrist with a wet bus ticket’? Consider this:

  • it gives the agency the opportunity to take proactive action and to rectify any practices which are not in line with the Act, codes, or guidelines
  • it is a prompt outcome which is much faster than most other resolution options at our disposal
  • it tells an agency that it is ‘on our radar’. If we receive similar complaints about the same agency in future, we will weigh this factor up when deciding whether we need to take further action
  • it is not a punishment or penalty. Our focus is on educating an agency and improving privacy practices.

Am I in trouble?

A compliance advice letter does not mean your agency is in trouble. It means:

  • we are aware we have only heard one side of the story
  • we are not making a finding about the factual correctness of the complaint or about if there has been a breach of your obligations
  • unless we have said that we will, it’s unlikely we will be taking any further action.

While a compliance advice letter is not a full investigation, an agency that receives one should take our correspondence seriously because we keep a record of the complaint and our letters for future reference. If we were to use a traffic analogy, consider it a warning for speeding, and not an actual speeding ticket.

Image credit: Free letter via Clipart.


Click to consent? Not good enough anymore


One of the most pervasive and persistent problems of privacy and data protection in the digital age is how to shift the burden away from consumers, who are expected to read the terms and conditions of the services they use, and onto service providers, who should be clearly explaining the choices consumers have and the consequences of those choices.

We all know the problem, and it has been presented in a number of very striking ways. We’ve seen researchers print out and measure the length of the privacy policies and terms and conditions of popular services. Others have calculated the time it would take to read them all, if you started from 1 January.

Our Chief Justice believes that privacy consents will prove to be a significant issue. In her lecture commemorating the first New Zealand Privacy Commissioner, Sir Bruce Slane, she said:

There is good reason for proceeding with caution when weighing the significance to be given to consent when assessing whether the individual expected privacy or had waived it. These are standard contracts people must agree to if they are to access services, sometimes essential services. Most do not read the full content of any such contract. That is especially so with online service providers. Although the privacy policy must be agreed to before services can be accessed, acceptance is easy — simply click on the accept button.

Often the consequential authorised collection of data will occur in the course of a very low to no value transaction. Few would spend time reading a privacy policy before using a search engine or purchasing food to go. And yet by clicking accept, we are agreeing to all of the terms and conditions, if expressed in suitably plain English, contained in the privacy policy of the service provider. Even if we do read the privacy policy, it is doubtful we will have a full understanding of the implications of what we have agreed to. There is a very substantial asymmetry in technical understanding between the customer and most who operate business in an online world.

As with many problems that the digital age has created as a by-product of the convenience and access to services these products represent, the solutions need to be found in a range of different areas.

Yes, we need to change behaviours, both of consumers, and service providers, to make the former more curious, diligent, and perhaps willing to defer their digital gratification before “click(ing) to accept”. Industry needs to be both more transparent with consumers about the nature of the transaction that “click” involves, and more innovative in the ways in which it conveys that transparency.

Privacy by design will play a part. Ensuring that the most privacy-protective options are obvious, and are the default setting, should become the industry norm.

And regulation will play a part. I and my international colleagues need to grasp the nettle and ensure our consumer protective data protection and privacy laws do exactly that.

Labelling laws are a staple of consumer protection. There is a reason there are easy to understand graphics, prominently displayed on hairdryers warning of the dangers of exposure of the device to water. Would our product safety regulator colleagues allow those warnings to be buried on page 23 of a 26 page “consumer information notice”? I think not.

Here’s the approach I’m taking to our law. It is important to set this out now to ensure agencies know their obligations. When the Privacy Bill comes into effect in 2020 it will have clear and explicit application to all agencies doing business in New Zealand, whether they have a physical base here or not.

The digital giants are addressing this issue in other parts of the world; it is important that I give clear notice of the law they are expected to comply with here, and how I apply it.

Consent

Unlike other parts of the world, New Zealand’s law does not depend on consent as the primary authority for collecting, using and disclosing personal information. Consent certainly has a role, but the main driver is the legitimate business purpose of the holder of the information. Here’s what this means in practice for complicated privacy policies, terms and conditions, and “click to consent”.

Information privacy principles 10 and 11 say that an agency that collected personal information for one purpose should not use or disclose that personal information for any other purpose unless an exception to that overarching principle applies.

The exceptions require an agency to have a justifiable basis for relying on them. It needs to believe on reasonable grounds that one of a set of conditions exists. For example, a novel use or disclosure of personal information will not be a breach of the principle where the agency concerned “believes on reasonable grounds that the use/disclosure”:

  • Is authorised by the individual concerned

This threshold belief is tested when we investigate complaints, and we examine the grounds on which an agency holds a particular belief. In the case of a “clicked consent” defence, we will enquire as to the basis on which the online agency believes that click actually conveys an authority to undertake the action complained of. What research has it done to establish the number of people who actually read the terms they are purportedly consenting to? How many of its customers click the link to the terms and conditions or privacy policy before ticking the consent box? Do those who do click spend long enough on the privacy policy page to actually read it?

We’ve already declined to accept an imputed authority for a disclosure, based on the continued use of services on the basis of broad and unexpected terms and conditions.

Purpose

Under New Zealand law, it’s the concept of purpose that plays a central role in authorising the collection, use and disclosure of personal information. The fact that your customer’s “consent” might not pass muster as an authority to use the information you’ve collected doesn’t necessarily mean you’re stuck. You need to look closely at the principles that prohibit novel uses or disclosures:

IPP 10

An agency that holds personal information that was obtained in connection with one purpose shall not use the information for any other purpose …

IPP 11

An agency that holds personal information shall not disclose the information to a person or body or agency unless the agency believes, on reasonable grounds –

that the disclosure of the information is one of the purposes in connection with which the information was obtained or is directly related to the purposes in connection with which the information was obtained.

Consent or no, if you always meant to do what you are proposing to do with the personal information, and you’re clear about that, then that’s your purpose, so you don’t need any individual authorisation.

So, you can do what you want, right? Not quite.

In order for consumers to make informed decisions about who gets to see and use their personal information, agencies must, under information privacy principle 3, take “such steps (if any) as are, in the circumstances, reasonable to ensure that the individual concerned is aware of” a number of matters, including “the purpose for which the information is being collected, and the intended recipients of the information”.

If you are telling customers in the “click to consent” box that their information will be used to “enhance the services we can provide you”, and page 35 of the legalese-dense privacy policy says that all your transaction information will be available to US data brokers, I may well conclude that you have not discharged your obligation under information privacy principle 3 (and potentially IPP 4 for unfairness, in particular for children and other vulnerable consumers), and that you are therefore in breach of the Privacy Act.

So what, you say?

While it is true that neither the current law nor the Privacy Bill allows the Commissioner to issue the massive fines available to my colleagues under the GDPR or at the US Federal Trade Commission, you will be liable for damages for any harm caused by the deception or obfuscation of your purposes.

In addition, when the Privacy Bill comes into force next year, I’ll have the ability to issue compliance notices to business to improve the digital environment for consumers, whether you are based here, or just doing business here.

It’s 2019, and time to raise your game.

Image credit: Free image by SugarandSkullDesigns via Pixabay
