Category: MIL-OSI

Source:

We’ve all seen the ads for genetic ancestry testing – as a way for people to trace their genealogy beyond traditional family trees and historical detail. And thanks to shows like CSI, the public might think of DNA as an investigative tool for the Police; a silver bullet that can solve any high-profile case in just minutes. But DNA can be used for much more than law enforcement activities or tracing ancestry.

The Law Commission – Te Aka Matua o te Ture – is currently reviewing the use of DNA in Police investigations. While its review focuses on Police DNA analysis and databanks, it also raises some significant questions that relate more broadly to privacy and health issues.

Genetic profiling might reveal genetic disorders

The Law Commission’s review considers how DNA profiles generated for criminal investigatory purposes may also reveal a genetic disorder, including conditions the individual may not yet be aware of. For example, testing can determine if a person has the genetic markers for Huntington’s disease, which is fatal and currently has no cure.

As doctors will be aware, genetic testing can confirm a diagnosis when symptoms are present and there is a documented family history of a particular disorder. However, some people who have a parent with a disorder will choose to be tested before presenting with any symptoms. Others choose not to be tested at all – even if it is an available option.

Medical genetics specialists will generally only make a DNA test available alongside full genetic counselling and a psychological evaluation because of the risk of harm from receiving such sensitive information if the patient is not fully prepared for it. Revealing genetic disorders without this kind of support could result in significant psychological distress for the patient.

Genetic information may affect life and health insurance

Alongside the psychological impacts of testing positive for a genetic disorder, this information may also affect a patient’s possibility of obtaining life and health insurance. Some countries have enacted legislation to restrict or ban the use of genetic information by insurance companies, so that insurance providers can’t charge higher premiums or exclude insurance cover if an individual has a genetic risk marker for particular conditions or diseases.

Future genetic testing is likely to provide even more information

Commercial genetic tests are currently marketed for tracing ancestry, and there are questions about how accurate these tests might be. But with advances in genetic science, it’s likely that commercial tests in the future could reveal significantly more information about an individual.

The Law Commission considered whether there are circumstances when Police may have a duty to disclose information about a genetic disorder to an individual. The review raised as an example malignant hyperthermia, which can cause death and can now be diagnosed by a DNA test.

If this type of information came to Police attention from a DNA sample analysed as part of a criminal investigation, should Police be required to disclose that to the individual, who may not know they are at risk? Or, if an individual makes a Privacy Act request for their own genetic profile, what are the consequences if they inadvertently learn more about themselves than they were prepared for?

Conceivably, in the future your patients may receive information about a genetic disorder or risk factor which they have tested positive for, but for which they are unprepared. They may well have many questions that you will have to assist them with.

Updating the law

There are no easy answers to these issues, but it’s important to give some thought to what the future holds. The Law Commission recommends that the Criminal Investigations (Bodily Samples) Act should be replaced with a law that is more up-to-date with scientific advances.

Other legislation or regulation might also be necessary to control what commercial DNA testing companies can test for, or how patients should be told about genetic disorders for which they have tested positive. In the meantime, general practitioners will want to be aware of the work being done in these areas and be prepared to answer questions about what DNA results might mean for your patient’s health.

First published in New Zealand Doctor on 22 May 2019.

Image credit: New Zealand Law Commission logo.

Health Information Privacy Code, health

Back

Source:

Cameron Slater, a well-known blogger, published a number of posts about business consultant Matthew Blomfield on the Whale Oil site. The posts were released between May–October 2012. There were additional publications containing personal information about Mr Blomfield on other blog sites.

The posts accused Mr Blomfield of dishonesty, theft, bribery, deceit, perjury and asserted, amongst other things, that Mr Blomfield was a psychopath, loved extortion and was a pathological liar.

The source of the information for the posts came from a hard drive that Mr Blomfield had used over a ten-year period to back up his business emails and documents. How the hard drive came into Mr Slater’s possession was not confirmed, although Mr Slater denied taking it unlawfully.

What was disclosed

Mr Blomfield claimed that at least 46 documents of his, containing personal information, were published by Mr Slater in 2012. These included business emails, correspondence with his lawyers; bank statements; photographs of Mr Blomfield, and a police adult diversion scheme form for Mr Blomfield.

The Director of Human Rights Proceedings (“the Director”) alleged that Mr Slater’s actions in disclosing personal information about Mr Blomfield had breached privacy principle 11 and had caused significant emotional harm.

Mr Slater’s defence was that in publishing this material in the blog posts, he was acting as a news medium, and was therefore exempt from the Privacy Act altogether. The news media exemption in the Privacy Act (section 2(1)(b)) provides that the news activities of any news medium are excluded from the Act’s coverage.

What counts as “news activity”

The Tribunal looked at a number of Whale Oil blog posts about Mr Blomfield and considered whether those posts could be considered to be a news activity. The Tribunal noted in its decision that the media exemption was not all-encompassing or open-ended [para 62.5].

Further, the Tribunal said it was “… not the purpose of the news medium exemption to shield a news medium from the Privacy Act where the agency fails to meet the standards of responsible news activity, including impartiality, accuracy and balance” [para 62.8].

In considering what constituted “news” the Tribunal noted “…the personal information must itself qualify as news, observations on news or current affairs before the news medium exemption applies” [para 78]. This test takes into account the fact that the Privacy Act’s primary purpose is to protect information about individuals.

There was a countervailing responsibility upon news media to act ethically and in a manner that was consistent with the public interest in fair and accurate reportage of news or current affairs [para 80].

Of the 40 or so documents published by Mr Slater, there were 12 posts in which Mr Blomfield’s personal information was accompanied by observations on news or current affairs. The Tribunal considered the application of the news media exemption in relation to only those 12 posts [para 95].

The Tribunal found that, with one exception, none of the blogs comprised news activity as defined in the Privacy Act [para 135].

Harm

Mr Blomfield submitted on the significant harm he had suffered as a result of the publication of the blog posts, including feelings of paranoia; difficulty sleeping; anxiety; concerns about personal and family safety; and a loss of confidence [para 141].

The Tribunal found that, on the balance of probabilities, Mr Blomfield had experienced significant humiliation, loss of dignity and injury to his feelings, and that Mr Slater’s actions were a material cause of the harm [para 142-3].

Remedies

The Tribunal awarded Mr Blomfield $70,000 for severe humiliation, severe loss of dignity and severe injury to feelings [para 173].

The Tribunal also made an order restraining Mr Slater from continuing or repeating the interferences with Mr Blomfield’s privacy, and an order that Mr Slater ‘erase, destroy, take down and disable’ any personal information about Mr Blomfield on the Whale Oil website or other websites within Mr Slater’s control [para 162].

A declaration was issued by the Tribunal that Mr Slater had interfered with Mr Blomfield’s privacy.

Image credit: Office of Human Rights Proceedings

Human Rights Review Tribunal, media

Back

Source:

Following the tragic events of Christchurch in March 2019, gun reform is a legislative priority. The Government recently introduced the Arms Legislation Bill to impose tighter controls on the use and possession of firearms.

Many doctors, particularly in rural areas where firearms are more common, may have found themselves in a situation where they have concerns about a patient’s access to a gun. The new Bill will provide some support to health practitioners who hold concerns about individual or public safety. It may also mean that health practitioners are asked for information by Police more often when Police are considering firearms licence applications.

Changes to the application process

The Bill will change the process for applying for a firearms licence. Under the process as proposed, applicants would be required to provide the name and contact details of their health practitioner. Police could then use this information to notify the relevant medical practitioner of the fact the individual holds a licence.

The Bill also clarifies what Police can consider as part of a “fit and proper person” test for a firearms licence. The Bill says Police can consider:

• the applicant having exhibited significant mental health issues, including attempted suicide or other self-harm;
• the applicant abusing alcohol, or having a dependence on alcohol, to an extent that detrimentally affects their judgment or behaviour;
• the applicant using legal or illegal drugs in a way that detrimentally affects their judgment or behaviour.

Health practitioners may find that they receive more frequent requests from Police, either to query an applicant’s mental or physical health, or to advise that a firearms licence has been granted. This will mean health practitioners will be more aware of their patients’ access to firearms.

Concerns about an individual who may be unfit to use a firearm

The new Bill will allow for health practitioners to disclose to Police information about an individual’s mental or physical health where the health practitioner is concerned that an individual is unfit to possess and use a firearm.

The new section 91 states that a health practitioner must consider notifying Police if they have reason to believe that their patient is a firearms licence holder and they consider that in the interests of public safety, that person should not be permitted to possess or use a firearm due to their mental or physical condition.

If a doctor decides to notify Police, they will need to tell Police:

• their opinion and the grounds on which they have come to that conclusion;
• whether the doctor believes the licence holder poses an immediate or imminent danger of self-harm or harm to others.

Police may then temporarily suspend the licence. Police may also require a firearms licence holder to undergo a further medical assessment in considering whether to revoke the licence.

Health practitioners may already be aware of their ability to disclose personal health information to Police if they have concerns about safety. The Health Information Privacy Code 1994 allows health practitioners to disclose health information if they believe it is necessary to avoid a prejudice to the maintenance of the law or there is a serious risk to an individual’s or the public’s safety. The new section in the Arms Legislation Bill provides further support for health practitioners to disclose information where they have serious concerns.

The new section does not impose any obligation on health practitioners to disclose patient information to Police. Health practitioners who disclose information in accordance with new section 91 will be protected from criminal, civil or disciplinary proceedings as long as they act in good faith.

Supporting health practitioners and protecting individual privacy

The Office of the Privacy Commissioner has engaged with Police to ensure that the new firearms legislation appropriately accounts for individuals’ right to privacy, while also addressing the important public safety concerns. The legislation is not perfect – and the Commissioner will be making a submission to the Select Committee considering the Bill on improvements that can be made.

During the development of the Bill, Police originally proposed that health practitioners should have direct access to the registry containing information about all firearms owners. The Commissioner raised concerns about this proposal because of the number of individuals who would have access to the registry, the potential for data breaches and the safety concerns. The Commissioner also noted concerns that the health sector had not been consulted in the development of the proposal. He was also concerned about the effect on the willingness of unwell people, particularly in rural communities, to seek support.

As a result of our feedback, the proposal was changed so that health practitioners would not have direct access to the registry.

If health practitioners have concerns about patient or public safety because of someone’s access to a firearm, they should feel confident and supported in their ability to share this information with appropriate agencies which can act before something goes wrong.

The Arms Legislation Bill is currently before Parliament’s Finance and Expenditure Committee. Submissions on the Bill closed on 23 October 2019. You can read the full content of the Bill here.

This article was first published in the November issue of NZ Doctor.

Image credit: Five bullets via Wikimedia Creative Commons.

Health Information Privacy Code, law enforcement

Back

Source:

Reviewed for relevance April 2025.

A fortnight ago, Europe’s top court, the European Court of Justice (ECJ) ruled that Google will not be required to apply the ‘right to be forgotten’ globally. This means that search results suppressed within Europe at the request of the individual, will still be available to searches outside Europe. Sometimes referred to as the “right to erasure”, the rule gives EU citizens the power to demand data, including search links, about them be deleted.

In 2015, French national privacy regulator – CNIL – ordered Google to remove search listings linking to pages that contained false or defamatory information about individuals.

Google implemented a geo-blocking feature that would prevent people searching from within the EU from being able to access search results that had been delisted. They did not impose the same restrictions on searches outside the EU. CNIL tried to fine Google 100,000 Euros for failing to delist the search results from Google sites worldwide. Google appealed against the fine to the European Court of Justice.

Google argued they wished to ensure the right to be forgotten was enforced in the EU while also balancing individuals’ rights to access information. The Court ruled that EU law did not require search engine operators to “carry out such a de-referencing on all the versions of its search engine.” In other words, Google would only be required to delist results from Google sites based within the EU.

History of right to be forgotten

Although it had been discussed and ruled upon in European jurisdictions to varying degrees throughout the early 2000s, the right to be forgotten from search engine results in EU law derives from the case in which Spanish man, Mario Costeja González, took Google to court in Spain in 2014. Mr González was concerned that a Google search of his name brought up a 1998 Spanish newspaper article detailing how he had been forced to sell his property to repay social security debts. In the European Court of Justice, Mr González contended that this record was no longer relevant to his life as he had paid his debts to society. He argued that having the record so readily accessible to someone who searched his name on Google put a stain on his reputation. 

The European Court of Justice declared that Google must remove the man’s data from their indexes.  The newspaper that originally published the article was allowed to keep the story of the forced sale on their site as it had been lawfully published.

In the five years since the 2014 ECJ ruling, Google has removed more than 800,000 URLs after receiving a request for erasure. It has retained more than a million others in its index.

In 2014, Privacy Commissioner John Edwards wrote this blog on the right to be forgotten. In the blog, the Commissioner wrote that that term “right to be forgotten” is inaccurate, imprecise and impossible.” It could mean removal of content from a public source, leaving a social network and taking your data with you but it could not mean an “enforced right to be forgotten.”

When the General Data Privacy Regulation (GDPR) was passed into law in the European Union in May 2018, Article 17 outlined circumstances in which someone can exercise the right to have their data erased.

The GDPR rule  

The GDPR provision sets out that data must be erased immediately in the following circumstances:

1. Where it is no longer required for processing purposes
2. The subject of the data has withdrawn their consent or objected and there is no other legal ground for processing
3. Erasure is required to fulfil a statutory obligation under the EU law or right of Member States

The goal of the provision is not internet censorship but rather, that it should be difficult for someone to discern personal data without substantial effort.

What does this mean for New Zealand?

Neither New Zealand’s current Privacy Act 1993 nor the Privacy Bill currently before Parliament contain an equivalent to the EU’s right to be forgotten. The Commissioner recommended the Bill offer the right to erasure, allowing people to require a company to delete all of their personal data and halt third-party processing of that data.

Our Office will continue to monitor judgments relating to the right to be forgotten with interest.

Google, IPP9 – retention, erasure, right to be forgotten

Back

Source:

Investigating complaints is an important function of our office and a considerable part of our workload. When we receive a complaint, we make an initial assessment about what steps we will take next. In some circumstances, we will investigate. In other instances, our office may decline to investigate.

There are also occasions when we cannot investigate, but we may decide that the complainant has raised legitimate concerns that should be brought to the attention of a respondent agency.

For instance, we may not have enough evidence of a breach of the Privacy Act or of a code of practice, but we have concerns about the conduct or practices of an agency. At this stage, we may offer a complainant the option of our Office contacting the agency with a compliance advice letter.

Compliance advice letter 

What our compliance advice letter contains will depend on the circumstances of the complaint. We may take the opportunity to:  

• relay a complainant’s concerns directly to an agency
• remind an agency of its obligations under the Privacy Act and codes
• identify what conduct and practices of the agency we think conflict with its obligations
• express any general concerns we have
• make recommendations to an agency – such as a change to a policy, or an action it may wish to take with the complainant, such as offering an apology or an assurance
• suggest the agency undertake our online privacy training to better understand its obligations.

How does it work?

But is a compliance advice letter from our office just a ‘slap on the wrist with a wet bus ticket’? Consider this:

• it gives the agency the opportunity to take proactive action and to rectify any practices which are not in line with the Act, codes, or guidelines
• it is a prompt outcome which is much faster than most other resolution options at our disposal.
• it tells an agency that it is ‘on our radar’. If we receive similar complaints about the same agency in future, we will weigh this factor up when deciding whether we need to take further action
• it is not a punishment or penalty. Our focus is on educating an agency and improving privacy practices.

Am I in trouble?

A compliance advice letter does not mean your agency is in trouble. It means:

• we are aware we have only heard one side of the story
• we are not making a finding about the factual correctness of the complaint or about if there has been a breach of your obligations
• unless we have said that we will, it’s unlikely we will be taking any further action.

While a compliance advice letter is not a full investigation, an agency that receives one should take our correspondence seriously because we keep a record of the complaint and our letters for future reference. If we were to use a traffic analogy, consider it a warning for speeding, and not an actual speeding ticket.

Image credit: Free letter via Clipart.

complaints

Back

Source:

One of the most pervasive and persistent problems of privacy and data protection in the digital age is how to move the burden from consumers to read terms and conditions for services they are using, to the service providers to ensure they are clearly explaining the choices that consumers have, and the consequences for them.

We all know the problem, and it has been presented in a number of very striking ways.  We’ve seen researchers print out and measure the length of the privacy policies and terms and conditions of popular services.  Others have calculated the time it would take to read them all, if you started from 1 January.

Our Chief Justice believes that privacy consents will prove to be a significant issue. In her lecture commemorating the first New Zealand Privacy Commissioner, Sir Bruce Slane, she said:

There is good reason for proceeding with caution when weighing the significance to be given to consent when assessing whether the individual expected privacy or had waived it. These are standard contracts people must agree to if they are to access services, sometimes essential services. Most do not read the full content of any such contract. That is especially so with online service providers. Although the privacy policy must be agreed to before services can be accessed, acceptance is easy — simply click on the accept button.

Often the consequential authorised collection of data will occur in the course of a very low to no value transaction. Few would spend time reading a privacy policy before using a search engine or purchasing food to go. And yet by clicking accept, we are agreeing to all of the terms and conditions, if expressed in suitably plain English, contained in the privacy policy of the service provider. Even if we do read the privacy policy, it is doubtful we will have a full understanding of the implications of what we have agreed to. There is a very substantial asymmetry in technical understanding between the customer and most who operate business in an online world.

As with many problems that the digital age has created as a by-product of the convenience and access to services these products represent, the solutions need to be found in a range of different areas.

Yes, we need to change behaviours, both of consumers, and service providers, to make the former more curious, diligent, and perhaps willing to defer their digital gratification before “click(ing) to accept”. Industry needs to be both more transparent with consumers about the nature of the transaction that “click” involves, and more innovative in the ways in which it conveys that transparency.

Privacy by design will play a part. Ensuring that the most privacy protective options are obvious, and the default setting should become the industry norm. 

And regulation will play a part. I and my international colleagues need to grasp the nettle and ensure our consumer protective data protection and privacy laws do exactly that.

Labelling laws are a staple of consumer protection. There is a reason there are easy to understand graphics, prominently displayed on hairdryers warning of the dangers of exposure of the device to water. Would our product safety regulator colleagues allow those warnings to be buried on page 23 of a 26 page “consumer information notice”? I think not.

Here’s the approach I’m taking to our law. It is important to set this out now to ensure agencies know their obligations. When the Privacy Bill comes into effect in 2020 it has clear and explicit application to all agencies doing business in New Zealand, whether they have a physical base here or not.

The digital giants are addressing this issue in other parts of the world, it is important that I give clear notice of the law they are expected to comply with here, and how I apply it.

Consent

Unlike other parts of the world, New Zealand’s law does not depend on consent as the primary authority for collecting, using and disclosing personal information. Consent certainly has a role, but the main driver is the legitimate business purpose of the holder of the information. Here’s what this means in practice for complicated privacy policies, terms and conditions, and “click to consent”.

Information privacy principles 10 and 11 say that an agency that collected personal information for one purpose, should not use or disclose that personal information for any other purpose unless an exception to that overarching principle applies.

The exceptions require an agency to have a justifiable basis for relying on them. They need to have a belief on reasonable grounds that one of a set of conditions exist. For example, a novel use or disclosure of personal information will not be a breach of the principle where the agency concerned “believes on reasonable grounds that the use/disclosure”:

• Is authorised by the individual concerned

This threshold belief is tested when we investigate complaints, and we examine the grounds on which an agency holds a particular belief. In the case of a “clicked consent” defence, we will enquire as to the basis on which the online agency believes that click actually conveys an authority to undertake the action complained of. What research have they done to establish the number of people who actually read the terms they are purportedly consenting to? How many times do their customers click the link to the terms and conditions or privacy policy before clicking the consent box? How long do those who do click spend on the privacy policy page long enough to actually read it?

We’ve already declined to accept an imputed authority for a disclosure, based on the continued use of services on the basis of broad and unexpected terms and conditions.

Purpose

Under New Zealand law, it’s the concept of purpose that plays a central role in authorising the collection, use and disclosure of personal information. The fact that your customer’s “consent” might not pass muster as an authority to use the information you’ve collected doesn’t necessarily mean you’re stuck. You need to look closely at the principles that prohibit novel uses or disclosures:

IPP 10

An agency that holds personal information that was obtained in connection with one purpose shall not use the information for any other purpose …

IPP 11

An agency that holds personal information shall not disclose the information to a person or body or agency unless the agency believes, on reasonable grounds –

that the disclosure of the information is one of the purposes in connection with which the information was obtained or is directly related to the purposes in connection with which the information was obtained.

Consent or no, if you always meant to do what you are proposing to do with the personal information, and you’re clear about that, then that’s your purpose, so you don’t need any individual authorisation.

So, you can do what you want, right? Not quite.

In order for consumers to make informed decisions about who gets to see and use their personal information, agencies must, by information privacy principle 3 to take “such steps (if any) as are, in the circumstances, reasonable to ensure that the individual concerned is aware of” a number of matters, including “the purpose for which the information is being collected, and the intended recipients of the information”.

If you are telling customers in the “click to consent” box that their information will be used to “enhance the services we can provide you”, and page 35 of the legalese-dense privacy policy says that all your transaction information will be available to US data brokers, I may well conclude that you have not discharged your obligation under information privacy principle 3 (and potentially IPP 4 for unfairness, in particular for children and other vulnerable consumers), and that you are therefore in breach of the Privacy Act.

So what, you say?

While it is true that neither the current law nor the Privacy Bill allows the Commissioner to issue the massive fines available to my colleagues under the GDPR or at the US Federal Trade Commission, you will be liable for damages for any harm caused by the deception or obfuscation of your purposes. 

In addition, when the Privacy Bill comes into force next year, I’ll have the ability to issue compliance notices to business to improve the digital environment for consumers, whether you are based here, or just doing business here.

It’s 2019, and time to raise your game.

Image credit: Free image by SugarandSkullDesigns via Pixabay

International

Back

Source:

In 2019, privacy policies are omnipresent. We’ve all seen them, we’ve all scrolled quickly to the bottom of the page, and we’ve all clicked “I accept,” granting us access to the wonders of the internet. But when you are presented with a privacy policy on a website, how often do you actually read it?

If your answer to the above question is somewhere in the realm of never, you are not alone. In fact, according to consumer advocates across the ditch, 94% of Australians do not read all the privacy policies that apply to them. As much as we might like to think we’re better readers than Australians, the figures in New Zealand are probably very similar.

The reality is most privacy policies are far too long and complex for any regular internet user to read and understand. As far back as 2008, researchers estimated it would take the average person 244 hours to read the privacy policies on all the websites they visit each year.

More recently, The Atlantic estimated it would take 76 work days to read the privacy policies of every website you visit in a year. That means you would have to read full-time from the first of January through to mid-April before you knew all the ways your information could be used by online companies. 

By 2014, the privacy policies of the 50 most popular American websites had collectively ballooned to 145,000 words, about as long as The Grapes of Wrath. When plotted on a graph alongside other works of classic literature, the privacy policies of many popular websites are considered more difficult to read than Charles Dickens’ Great Expectations, Stephen Hawking’s A Brief History of Time, and Immanuel Kant’s infamously dense Critique of Pure Reason.

For a visual representation of the problem, Dima Yarovinsky’s art project I agree makes it very clear. Yarovinsky printed out the terms of service for seven major tech companies to highlight their length and complexity. Instagram, Snapchat, and Facebook’s terms of service are so long they sprawl off the gallery walls onto the floor.

Despite their ubiquity, long and intricate privacy policies are inaccessible to the average internet user. Most people don’t read them, and many people wouldn’t understand them if they did. The internet is an increasingly complex place, particularly when it comes to individual privacy. As the online world continues to envelop every aspect of our lives, calls for privacy policies that people can realistically read and understand will only get stronger.

Back