Category: MIL-OSI

Source:

The Reserve Bank of New Zealand – Te Pūtea Matua (RBNZ) has released its first voluntary Climate-related Disclosure – Ngā Whakapuaki e Pā ana ki te Āhuarangi for FY2023/24, outlining our progress in understanding, monitoring, and managing climate-related risks.

Source:

By Michael Webster, Privacy Commissioner.

This article was first published in The Post.

OPINION: Should you have to disclose to your insurance company if you’ve taken a genetic test and learnt you have the gene for a medical condition? Should they be able to require you to test?

Without adequate safeguards, a person’s genetic test could be used by an insurer to assume things about them and their whānau, including future children. This could affect insurance cover for people before they’re even born.

If insurance companies require predictive testing to be done before they insure an individual, the results could show a greater risk of a condition developing later in life, but that condition may never actually develop.

But the risk factor means people could be refused cover, or subject to exclusions or higher premiums. This risk could also result in fewer people getting tested or participating in genetic trials, leading to poorer health outcomes.

You might say, for some types of insurance, I already need to disclose a pre-existing medical condition anyway, so what’s the issue? Genetic information is not just highly sensitive personal information about you. It is you. But it also reveals information about people who are related to you – past, present and future.

There is a big difference between disclosing your own personal medical history and disclosing the information of family and relatives for insurance purposes.

What’s more, a person’s medical history shows specific current and past diagnoses and treatments based on assessments by health professionals. Compare this to predictive testing which can tell an insurer what conditions a person may have, but also what their likelihood of developing a condition in the future may be.

Clearly, protections need to be put in place to empower consumer choice and to prevent discrimination in insurance cover based on a person’s predictive genetic information.

The key point relating to privacy and human rights is, it’s the choice of the individual to have this testing done and to share any information it reveals as they choose. They will, hopefully, have made an informed decision to be tested in consultation with a health professional.

The collection, use, disclosure and storage of genetic information are all subject to the Privacy Act. But the act cannot stop insurers from requiring genetic tests are taken or disclosed as a condition of their insurance cover.

Most OECD countries have protections against genetic discrimination; in New Zealand, there have been submissions made to Parliament and recommended changes to the Contracts of Insurance Bill.

I support adding specific targeted protections to manage the privacy risks of using genetic tests in the insurance context. This includes prohibiting insurance companies from requiring an individual to take a genetic test or disclose genetic test results.

There is also merit in exploring amendments to the Privacy Act or stand-alone legislation to better protect against genetic discrimination while providing the safe privacy enhancing use of genetic testing, which could help benefit New Zealanders.

Emerging technologies like genetic testing have great potential and my office supports their use when it’s done safely and in a way that ensures adequate protection of personal privacy.

Predictive genetic testing clearly has a place in New Zealand’s future, but this should be balanced with the right safeguards protecting individual choice about whether to be genetically tested or not.

Back

Source:

This summary was written by Rachel Levinson-Waldman, who served with OPC as a 2024 Ian Axford Fellow in Public Policy.

Read her in-depth report.

What is social media monitoring?

Social media monitoring in this context means just about any use of social media that isn’t for public education or outreach. It covers government agencies and public servants obtaining information about individuals or groups for law enforcement, intelligence, public safety, criminal investigations, regulatory enforcement, risk or threat assessment, or fraud detection.

What are the different ways that government agencies might access social media?

1. Broadly, there are five categories. Most agencies don’t use every one of these, and some may use methods that vary somewhat.
   Google or other general web searches that turn up publicly-available social media information – for instance, a public Facebook profile.
2. Searches on social media sites for people, groups, hashtags, etc. Depending on the needs of the agency and the potential risk to employees, that could be through an account visibly affiliated with the agency or an alias (an account showing a different name and identity from the person operating it). Mostly this activity doesn’t involve interacting directly with other people on the platform, but in some situations could involve viewing or joining a group.
3. Connecting directly with people on social media, via messaging, “likes”, etc. This typically involves the use of an alias account.
4. Using third party tools for data collection and analysis.
5. Taking over an account with the consent of the individual. This appears to be used mostly – perhaps solely – by Police and is carried out through specific forms that enable either temporary or permanent takeover. Note: the forms are included in the appendices of Rachel’s report.

What agencies in Aotearoa New Zealand use social media and do they have policies in place?

Has the government said anything about developing and publishing policies on social media monitoring?

Yes. A 2017 joint report, by the Law Commission and Ministry of Justice, recommended that heads of enforcement agencies be required to issue policy statements addressing social media monitoring. In 2018, the Public Service Commission released model standards requiring agencies to establish a policy framework for information collection, which would also support the publication of policies addressing use of social media.

What does it matter if the government is looking at social media? Isn’t it just dog pictures and whatever people have chosen to put online?

Use of social media by government agencies to make decisions about investigations, prosecutions, risk monitoring, welfare benefits and other activities brings a variety of potential risks. 

• Social media data can help create a surprisingly comprehensive picture of a person or group. Social media platforms host vast quantities of data from posts to likes to pictures, as well as a wealth of information about people’s friends, family, and other networks. Social media also makes it much cheaper and easier to assemble this information than older, analogue methods of information collection.
• Social media can be difficult to interpret. It’s highly dependent on cultural and language references, tone, in-group speak, and memes. Examples include British travellers who were barred from the United States after one tweeted out a joke that was misinterpreted and a high-ranking state official in the U.S. who lost his job after posting a picture from the rap group Public Enemy’s album that was interpreted as a threat to police. People also communicate in intentionally misleading ways on social media, as with white supremacist groups who use jokes to draw people in and try to obscure their intent.
• Social media monitoring can chill personal and political expression and other core democratic rights. As Dame Helen Winkelmann, now the chief justice of the New Zealand Supreme Court, has observed, privacy lies at the “heart of freedom of thought”. It is nearly impossible to dissent or to develop views outside the mainstream if you feel that you’re under surveillance. This risk is not merely hypothetical; there is a history both within New Zealand and around the world of state surveillance of activists and dissenters, and activists who identify as members of a marginalised group, including Māori and LGBTQ+, are at particular risk.
• There may be other impacts on marginalised or vulnerable groups. In addition to the targeting of activists, there’s a risk that governmental social media monitoring, even to detect threats, will be securitised. Muslim communities, for instance, have spoken out about the fact that security agencies were surveilling them prior to the Christchurch attacks rather than monitoring threats from white supremacists; LGBTQI+ groups have pushed back against coercive police activity; and Māori advocates have suggested (Tina Ngata, page 8) that the state is not equipped to provide protection through threat monitoring in light of its own history of harm to Māori. At same time, a significant amount of hate speech is directed against marginalised groups. This highlights the need for governmental agencies to act in close consultation with marginalised groups to determine what would most effectively support their safety, taking the groups’ lead as much as possible. Agencies should also pay close attention to the impact on tamariki and rangatahi, who are particularly vulnerable and are entitled to special protections under the Privacy Act.
• The increase of AI-driven tools supercharges many of these concerns, from facilitating lightning-fast data analysis that could create a holistic picture of an individual to being deployed in ways that – even inadvertently – are strongly biased against marginalised groups. These tools are typically developed using training data that is unlikely to adequately reflect the range of languages or cultural backgrounds in Aotearoa New Zealand. They often promise more than they can deliver. And it’s hard for AI to interpret nuance or context.
• Finally, the use of undercover social media accounts to engage directly with people poses special risks. A public servant could choose an online persona that has a different race, gender, or age from their real identity – something that would be impossible in person. They could even set up multiple personas, given enough time and technological capacity. This makes it particularly important that these practices are subject to stringent oversight and accountability measures. The 2017 joint report from the Law Commission and Ministry of Justice recommended that any agency undertaking covert operations – defined as an operation in which an enforcement officer develops a relationship with someone to obtain information – online or in person publish a policy statement and, in many circumstances, obtain a warrant.

Does New Zealand law prohibit social media monitoring?

No. The main relevant laws are the Bill of Rights Act 1990, the Search and Surveillance Act 2012, and the Privacy Act 2020. They all contain important safeguards but also leave critical gaps.

• The Bill of Rights Act 1990 provides important protections for democratic and human rights and prohibits unreasonable searches and seizures, but it does not mention privacy and it can be overridden by other laws.
• The Search and Surveillance Act 2012 governs Police’s search and surveillance authority and, by extension, agents of other enforcement agencies. However, it does not address social media, and in their 2017 joint report, the Law Commission and Ministry of Justice concluded that it had “not kept pace with developments in technology”. The report recommended that the Act be amended to require heads of enforcement agencies to issue policy statements addressing social media monitoring.
• The Privacy Act 2020 requires that government agencies and private parties collecting personal information must have a lawful purpose for doing so and the collection must be necessary for that purpose. “Personal information” includes publicly available information, including on social media. But the Act has several carve-outs for publicly available information, and the 2017 joint report concluded that “we do not consider the principles in the Privacy Act provide sufficient protection against unjustified public surveillance”.

Do the major social media platforms have any relevant policies?

Yes. Facebook’s terms and conditions prohibit any user – including police officers and other law enforcement agents – from having an account under a false name. In addition, Facebook and Instagram (which are both owned by Meta), along with Twitter, all prohibit the use of their customer data for surveillance.

Other information

Back

Source:

This article was first published in ‘New Zealand Doctor’ 12/10/2022

When parents split up, this can sometimes create a fraught situation for agencies involved in providing care and services to their children, and GPs are no exception. Which parent has the right to see their child’s medical records? Only the custodial parent? What should a GP practice do if one parent doesn’t want the other to have access, or the GP is concerned about providing it? Office of the Privacy Commissioner Senior Investigator Lynley Cahill explains the answers to curly questions affecting GPs managing requests from parents for their children’s health information.

It is fair to say that many GP practices struggle at times when deciding whether to share personal health information. Many of the complaints this Office receives about GP practices involve a parent complaining that the practice has refused to provide them with their child’s medical records.

The Health Information Privacy Code provides the pathway for health agencies to respond to any request for health information, including those made by a parent for their child’s information. A GP practice, and any medical center, is a health agency. This means it is required to comply with the Code.

In the case of a child under 16 years old, the law explains that their parent or guardian is entitled to make a request for information, and the practice needs to treat this as if it were a request from the child themselves.

The starting point if you receive a request from a parent or guardian for their child’s health information, and the child is under 16 years of age, is that the parent or guardian is entitled to that information – regardless of whether, for example, they are the custodial parent or the parent who enrolled the child at the practice.

This means you cannot refuse to provide a child’s health information only on the basis that the request was made by a parent who doesn’t have custody of that child.

An agency may only refuse the request if it believes one of the following applies:

• Disclosing the information would go against the child’s interests;
• It has reasonable grounds for believing that the child does not or would not wish the information to be disclosed; or
• There would be good grounds for withholding the information under Part 4 of the Privacy Act.

Let’s go over some scenarios.  

Scenario 1: Be careful to only include the right person’s information

A parent contacts your practice, seeking their seven-year-old son’s health information. That parent did not enrol their son in the practice, and you are aware they have split up with the other parent.

You don’t have concerns about providing the notes but notice there is some information on the son’s notes about the other parent. As a parent only has the right to request information about their child, you could remove the information about the other parent from the notes, before providing them to the requesting parent. Of course, before providing a child’s information to either parent, you will want to make sure that you are satisfied of the identity of the requestor.

Scenario 2: Consider the interests of the child

A parent contacts your practice, seeking their 12-year-old daughter’s health information. There are notes within the health information, which indicate the relationship is estranged and the daughter has made certain accusations about the requesting parent. Also included in the notes is sensitive information about the daughter who is going through puberty and her struggles with that.

You might want to consider whether disclosing the child’s health information to the requesting parent in these circumstances would be contrary to her interests, or whether there would be reasonable grounds for believing that the child does not or would not want the information to be disclosed. At 12, the child is likely to have a view on the issue.

Scenario 3: Managing parental conflicts

A parent contacts your practice, seeking their four-year-old child’s health information. The other parent has indicated that they have separated, and they have told you that they don’t want their ex-partner to be provided with the child’s information.

Remember, this is insufficient reason alone to decline to provide it to the requesting parent.

You may want to explain to the other parent that you are required to provide the notes to a requesting parent under the Code – regardless of the other parent’s wishes – unless one of the specified grounds of refusal applies.

Some GP practices worry about telling the other parent about the request, but you are allowed to undertake such consultation on the request as is necessary to respond to it. You should only tell the other parent about the request if you need to understand whether there are any concerns and if these might form a proper basis for refusal to provide the notes. 

If an agency declines to provide a child’s notes to their parent, they must also advise the parent of their right to complain to the Office of the Privacy Commissioner. However, if you are notified that we have received a complaint about you, don’t panic.

We don’t seek to substitute our judgement for yours; after all, you know your patient best. What we will need to understand is why you declined the request, and which part of the Code or Privacy Act you relied on to do so.  We’re always happy to talk through our process so if you receive a notification from us, just contact one of our friendly investigators.

Back

Source:

First published in New Zealand Doctor in June 2022.

A potential US Supreme Court decision to overturn Roe v Wade, the landmark case that established a legal right to abortion without excessive government restriction, raises questions about the protection of privacy rights in the health sector. Jess Ducey argues that protecting people’s privacy means not just our secrets or personal data – but our self-determination and bodily-autonomy.

It can be tempting to dismiss the current resurgence in US abortion debate as a peculiarly American issue, but we must remember that Roe was decided on broad and influential privacy grounds.  The court found that the United States Constitution provides a fundamental “right to privacy” that protects a person’s right to choose whether and when to have a child.

Privacy is the foundation of abortion rights as well as other sexual and reproductive rights like gay rights, contraception access, and marriage equality, both here and overseas. The privacy origins of abortion rights stem from the fact that medical information, particularly concerning reproductive health, is universally considered to be sensitive personal information.

International law, including the International Covenant on Civil and Political Rights and the European Convention on Human Rights, both recognise privacy rights. Cases decided under international law have held that these privacy rights include the decision over whether or not to have a child.

While doctors are likely aware that abortion was only decriminalised in Aotearoa New Zealand in March 2020 – just a few months before the new Privacy Act came into effect – this fact remains relatively unknown in the public.

In a 2018 submission to the Law Commission on Abortion Law Reform, Aotearoa New Zealand’s Privacy Commissioner cautioned that including abortion in criminal law raised ‘major issues with the exposure of sensitive health information to the criminal justice system’. Removing abortion from the Crimes Act was an important step towards ensuring that health information is treated consistently with the Health Information Privacy Code, and not subject to additional risks of exposure.

Last month in this column, we saw that the health sector reports more serious breaches of privacy than any other sector. This is a poignant reminder that health professionals hold large amounts of deeply sensitive information, and any breach of this information is likely to result in harm. Healthcare professionals, who can wield considerable power over their patients, especially when they are in a vulnerable state, have a duty to respect and actively work to maintain their trust.  

We know that the majority of privacy breaches are not due to malicious actors or cyber security breaches, but rather are caused by simple human error, whether that’s including the wrong attachment in an email or not confirming an address before sending personal information. Criminalising or otherwise over-regulating medical procedures creates more opportunities for harmful privacy breaches by exposing that personal information to more people, agencies, or systems.

And this risk extends beyond our personal medical information to include digital data more broadly. Internet search history, GPS location information, and other metadata quietly collected and shared by personal devices can and have been used to identify and harm people. The BBC recently reported the concerns of a reproductive rights group about personal data from menstrual tracking apps being used to identity people seeking abortion care.

Discussions about privacy in the medical sector often concern a patient’s personal information and its disclosure, but fundamentally, privacy is not about secrets or data – it is a matter of personal and bodily autonomy and self-determination for everyone.

Abortion, like all healthcare decisions, is a matter of trust between the patient, their doctor, and anyone else they choose to include. Trust is an ongoing relationship, hard won and easily lost. Healthcare providers have immense power in these decisions, and with great power comes great responsibility. How can you continue to honour that trust and responsibility for the patients you serve?

Back

Source:

As part of Privacy Week 2022, staff members from the Office of the Privacy Commissioner joined Charities Services Ngā Ratonga Kaupapa Atawhai on a webinar called ‘Privacy 101 for Charities’.

People in the charity sector already have enough on their plate so we focused our presentation on the foundations of privacy. Our Office really enjoyed talking to people from the charity sector, and we were blown away by your interest in privacy and doing the right thing when it comes to personal information.

As always, we want to help all organisations do the right thing. An organisation’s obligations at law will be context dependent – what’s reasonable for one charitable organisation won’t necessarily be reasonable for another. This means that our guidance is focussed on compliance with the information privacy principles – you will need to consider our guidance alongside your organisation’s particular role and circumstances.

Our Privacy Week session gave us some great insight into areas of interest for your sector, and we’ll be continuing to improve our information and resources to make it as easy as possible for you to protect the personal information of your stakeholders, members, customers and clients.

It is the people within your organisation who will be dealing with personal information on a day-to-day basis. We recommend that your organisation regularly trains and upskills staff and volunteers on good privacy practice – we think our free online training modules are pretty great, too.

We’ve also pulled together some of the most-asked questions from our session, as we couldn’t get to them all on the day.  

What is ‘privacy’?

In general terms, “privacy” covers a person’s right to be free from unreasonable intrusion into their personal affairs. Our Office is concerned with a certain type of privacy – the kind that deals with personal information. You might have seen other countries call it “data protection”.

The Privacy Act 2020 governs how organisations and businesses can collect, store, use and share your personal information. It ensures that:

• people know when their information is being collected
• organisations use and share information in an appropriate way
• people’s information is kept safe and secure, and
• people can get access to their own information.

Do we need to report all breaches to the Privacy Commissioner?

No – only if a breach has either caused or is likely to cause someone serious harm.

A “privacy breach” for the purposes of the Privacy Act 2020 is:

• unauthorised or accidental access to, or disclosure, alteration, loss, or destruction of, the personal information; or
• an action that prevents the organisation from accessing the information on either a temporary or permanent basis.

The unwanted sharing, exposure or loss of access to people’s personal information may cause individuals or groups serious harm. This is the point at which we want to know more –you must let the Commissioner and affected people know about a privacy breach which has caused or is likely to cause serious harm.

Remember, a ‘privacy breach’ under the Privacy Act is different to a breach of the Privacy Act itself. For example, if an organisation fails to follow an information privacy principle under the Privacy Act, that organisation is in breach of the Privacy Act but has not necessarily suffered a ‘privacy breach’.

For more information, check out our guidance on privacy breaches here.

Our organisation uses cloud service providers to store personal information. What responsibilities and best practices should our charity follow to protect ourselves and all those we serve?

Under the Privacy Act, your organisation will generally be responsible for personal information that another organisation holds information on your behalf. The exception to this rule is if the other organisation uses that information for its own purposes.

Therefore, the rest of the Privacy Act and its information privacy principles continue to apply to your organisation and our advice remains the same – continue to exercise your good judgment with respect to personal information. We particularly encourage organisations to be mindful of their obligation under privacy principle 5 – to ensure there are safeguards in place that are reasonable in the circumstances to prevent loss, misuse or disclosure of personal information.

Your organisation is also likely to have entered into specific arrangements with your service provider. Such terms and conditions can affect how your organisation and your service provider respond to privacy issues in practice, and may also place further obligations on your organisation in addition to the privacy principles. We recommend reviewing those terms and conditions periodically. If you have any doubts, consult a lawyer to make sure that your contractual arrangements with your service providers are robust.

How long do we have to hold personal information?

Under the Privacy Act, you should not keep personal information for longer than it is required for the purpose it may lawfully be used.

Sometimes, the law makes it clear how long your organisation must hold personal information (see for example the Employment Relations Act or the Tax Administration Act). Otherwise, your organisation must decide how long you have a lawful purpose to use the information you have collected. This will largely depend on what the information is and what you told the person when you first collected it.

For more information, check out our guidance on principle 9 here.

How do we control a data breach if a member circulates personal information to a third party?

The best thing that your organisation can do is to prevent such breaches from happening in the first place. All organisations have obligations under privacy principle 5 to ensure there are safeguards in place that are reasonable in the circumstances to prevent loss, misuse or disclosure of personal information (including, for example, employee browsing).

However, your organisation can still suffer a privacy breach even with the best systems in place. Consider whether the privacy breach is likely to cause serious harm (see above) and have a look at our guidelines on how to respond to a privacy breach.

As always, we’re here to help. If you think your organisation has suffered a notifiable privacy breach, please get in touch.

Back

Source: