NZ Engine

Source:

By Michael Webster, Privacy Commissioner

Originally published on the New Zealand Herald 3 October 2024.

One of the greatest risks to privacy in the workplace could be sitting next to you – or it could even be you.

Employee browsing or the unauthorised access and misuse of personal information is one of the most common privacy breaches. I also believe it’s one of the least understood or reported on, as required by the Privacy Act.

New Zealand is a small place and there’s a good chance a familiar name will crop up in a database or on a file at work and it can prove very tempting to have a look.

However, a sneaky peek isn’t a harmless case of nosiness; it’s inappropriate and can be a breach of the principles underpinning the Privacy Act. In the cases I see it can have potentially serious consequences such as harassment and blackmail.

In one example, a person in a position of power looked up the details of a colleague’s partner then used their position to repeatedly sexually harass them via text message. The victim felt intimidated, scared, and fearful in their own home so contacted our Office.

In some circumstances employees look up information and then pass it on for the explicit purpose of causing harm – for example, finding the address of someone who owns expensive assets to be targeted for a burglary.

In other examples they do it because they think they’re helping a friend when they’re acting illegally. Like the employee working for a counsellor who had a friend in a custody dispute with their ex-partner. The employee looked up information about the wellbeing of their friend’s ex-partner and shared it with their friend who then used it in their custody dispute hearing.

Sometimes the temptation to ‘just have a quick look’ is a powerful force but employees need to be stronger. One story I’ve see was from a clinic doing STI and HIV testing. A new employee was being trained and decided to look up their own records while their trainer was in the room with them. That’s fine, it’s their information. However, when the trainer left the room, the new employee took the opportunity to look up the names of their ex-partner, current partner, and best friend – all in breach of the Privacy Act.

The Privacy Act protects the personal information of all New Zealanders, which means that as well as employees not snooping, we need managers and owners to be informing their staff that it’s wrong to snoop, and to act when it’s found out.

There’s a lot of information about us held in various databases, including contact details, bank accounts and financial records, and copies of identity documents. This material needs to be protected from internal threats from staff as well as external threats from third parties.

Employers have a responsibility to secure databases and to limit access only to the staff that need that information to do their job. Employers also have a responsibility to recognise the potential for serious harm if staff are misusing their access privileges.

The bottom line is organisations have an obligation to prevent their employees from inappropriately accessing and/or disclosing customer information. 

Building privacy safeguards into your databases enables you to have access controls in place to protect personal information, ideally supported by audit logs so you can monitor who’s doing what and follow up on any unusual activity.

Significant personal information is held in various databases across New Zealand. A good example is around driver licences and car registration details. Businesses and organisations like insurance providers, vehicle importers, or sellers can be granted access to the motor vehicle register for lawful purposes. However, when staff at those types of agencies access the database for their own reasons or interests then it’s a problem, which often leads to employee dismissal as well as the agency needing to report a privacy breach.

Businesses have an obligation to ensure their staff have privacy training and a general awareness about the risks of employee browsing. They also need to take steps to make sure staff know they can only access information for work purposes.

This can be reinforced by having clear policies about employee browsing in your agency’s code of conduct, including consequences for being caught inappropriately accessing personal information about customers and clients.

Staff access to personal information comes with serious accountabilities about appropriate and lawful behaviour. We all need to treat it with respect. Organisations need to ensure there are consequences for employee browsing and treat any breaches of trust as serious compliance incidents.

Back

Source:

The health sector reports more serious privacy breaches than any other area even though under-reporting continues to occur. Frustratingly, many of those breaches occurred when the underlying issue had been, or should have been, identified and acted on earlier. We explain why more internal privacy breach reporting is needed in the health sector and ways to avoid privacy breaches from occurring.

The Office of the Privacy Commissioner’s last Insights Report (1 December 2020 to 30 November 2021) revealed 85 serious privacy breaches were notified by the Health Care and Social Assistance industry last year – the top contender, and far above second placed Public Administration on 53.  This number almost certainly represents an under-estimate due to the continued under-reporting of serious harm breaches.

Unfortunately, many serious harm breaches occur because previous internal errors weren’t deemed serious enough to be properly secured, for example, where a previous incident wasn’t identified as a privacy breach, or the outcome of the breach wasn’t considered serious enough to result in further action.

TAKE ACTION

Health agencies will be familiar with the need to identify, report, and review adverse events and “near misses”, as well as other accidents or incidents that occur in the workplace.  The same applies for privacy. Identifying, reporting, and reviewing privacy breaches, and acting when individual or systemic issues are identified, are vital to ensuring that a strong privacy culture exists. Personal information must be treated with careful respect.

Breaches are not just external

A common misconception is that a privacy breach only occurs where personal information is inadvertently shared to, or inappropriately accessed by, someone external to the agency.  That is not the case. Accidently sending personal information to the wrong clinician or someone’s payslip to a fellow staff member is a privacy breach. Browsing patient records or looking up the records for friends or family members may be HR or professional conduct issues, but they are also privacy breaches.  Health records that are lost or accidently destroyed – again, these are privacy breaches. Access to personal information should be restricted to only those need to see the information. This protects the person whose information you hold in trust, your staff, and your organisation.  Trust is hard won and easily lost.

Not just sensitive information

Another common misconception is that is it only ‘sensitive’ information that matters.  Again, that is not the case.  All personal information, whether it is of a ‘sensitive’ nature or not, requires legal protection.  For example, it is a privacy breach regardless of whether test results sent to the wrong address are a simple and unremarkable blood count or disclose the existence of an STI or underlying medical condition.

Not just ‘notifiable’

While the above examples may not all be at the level that they need to be reported to the Office of the Privacy Commissioner – you may be lucky and the breach may be quickly contained with no risk of harm to the patient – they do all need to be reported to your privacy officer and recorded and reviewed as a privacy breach. 

Just like “near misses” in the Health and Safety at Work regime, they all tell you something about your privacy systems, and the changes needed to ensure the information you are entrusted with is appropriately protected.  

HUMAN ERROR

More than 60 per cent of privacy breaches last year were due to ‘human error’.  Agencies are responsible for ensuring their systems are fit for purpose and that the personal information they hold is protected by reasonable security safeguards.

Email hygiene

Poor email hygiene is a common cause of privacy breaches.

One example we were made aware of involved an email containing detailed health information about a group of patients, which was intended to be sent internally to the staff of a medical provider. A typing error in the ‘TO’ field resulted in a member of the public receiving these patients’ medical records. Having their sensitive personal information exposed in this way caused considerable emotional harm to a number of these patients.

Respect the people whose information you’re sending by double-checking who you’re sending it to. Go a step further and use a delayed send option on your email to avoid any hasty mistakes. Always use the BCC field when emailing groups of recipients.  If you are emailing sensitive material, encrypt the material. If you do this, the password (phrase or code) should be sent by some method other than email so that the wrong person doesn’t receive both.

Confirm Contact Details

Ensure you confirm patient contact details before sending out their personal information.  Check that the address or email is still current.  If you’re enrolling a new patient or emailing a patient for the first time send out an email just to confirm the correct address.

Explaining your processes to your patients is not only good practice, but also demonstrates you are trustworthy.  It helps ensure information is accurate and reduces the risk of a data breach.

One case notified to our Office was about a patient who told their GP about being abused in the past. The GP referred the patient to counselling to help work through the issues stemming from that abuse.

The GP’s office followed up this referral by sending a letter to the patient’s house. Due to human error in the office’s internal processes the envelope containing the letter did not have the patient’s name on it, or a return address. It also had the incorrect street number, meaning that it was sent to a neighbour’s house instead of the patient’s house.

Not knowing who the letter was addressed to or who it was from, the neighbour opened the letter, inadvertently finding out about the patient’s abuse history.

Inadvertent disclosures

Our Office receives numerous notifications of healthcare staff either accidentally dropping patient documents or leaving the information in public view. Being busy caring for patients isn’t an excuse and making changes to your systems and practices now can make a big difference.

• Where is patient information recorded or displayed in your organisation? Think whiteboards, run sheets, patient lists, computer screens, medical records. Can these be seen or accessed by others? If you have paper run sheets, are these collected and destroyed at the end of the shift?
• Do you use portable storage devices such as USBs? Should you? If you do, are they encrypted? 
• If you are transporting paper records, how do you make sure they are secure? Can they be seen in transit?

This article first appeared in NZ Doctor – Rata Aotearoa magazine.

Back

Source:

Key themes of this analysis: An evidence-based approach to pandemic data sharing COVID-19 – a serious threat to public health and how Te Tiriti o Waitangi and tikanga Māori can influence the discretion to share Māori data Detailed case notes on the High Court decisions plus our submissions to the reviews are available here.

The right to privacy remains fundamental in the government’s pandemic response. When asked whether we have to choose between a good pandemic response or having privacy, New Zealand’s former Privacy Commissioner John Edwards responded in a media interview:

“We should be saying, I reject that, I want both. I want to contribute to the management of the pandemic and I will give up freedoms to do so on the condition that my privacy is respected as we do so. Those pressures to frame the need to give up rights in ways that simplify, I think, need to be resisted constantly.”

The Privacy Act and the Health Information Privacy Code contain a process for pandemic decision-making to make sure that personal information, including health information, is able to be used as necessary for the pandemic response, while ensuring that people’s privacy is protected.

After two consecutive High Court judicial review decisions in November and December 2021, the Director-General of Health modified his decision about the release of data of unvaccinated Māori in the North Island/ Te Ika a Māui to the Whānau Ora Commissioning Agency – the data being subsequently released with clear conditions.

As an independent intervenor in the proceedings, the Privacy Commissioner provided specialist insight into aspects of privacy, personal information, and the Health Information Privacy Code.

The judicial review resulted in two consecutive decisions from Her Honour Justice Gwyn and include the first (and second) judicial consideration in Aotearoa New Zealand of the “serious threat to public health” exception under rule 11 of the Code.

Further information about the judicial review plus the Privacy Commissioner’s submissions is available here in our online case note and court decisions section.

The Privacy Commissioner welcomes the Court’s decisions as they give guidance about the scheme of the Privacy Act and the Code, discretionary decision-making about releasing data where there is a serious threat to public health, and how te Tiriti o Waitangi and tikanga Māori respectively influence the exercise of this discretion.  

The judge’s analysis is consistent with our Office’s view on the application of the Code and the Act. The Court has agreed with the Privacy Commissioner’s approach that the purpose of the Privacy Act is concerned with both the protection and use of personal information: it is a “how to”, not a “don’t do”.

The “serious threat to public health” exception is highly relevant in the government’s pandemic decision making and an important component of the privacy framework. The Court agreed with the Commissioner’s submissions that urgent decision-making within a tight timeframe cannot be a “counsel of perfection” before information is disclosed in response to an evident threat to public health. The Court required the Ministry to reconsider its response to the requests for vaccination data based on an evidence-based assessment.

The Act and Code empower appropriate sharing of personal information under the information privacy principles (including health information under the Code rules) where necessary in specific circumstances such as the pandemic.

This case is a reminder that neither the Act nor the Code necessarily pose insurmountable barriers to disclosing and using personal information in the public interest – especially if necessary to respond to a public health emergency. The Code requires proportionate and evidence-based assessments when deciding whether to rely on rule 11(2) to disclose specific health information. Government decisions about disclosing sensitive information like vaccination data that is necessary for the pandemic response should refer to relevant public health advice to make an objective and evidence-based assessment.

At the heart of these proceedings are government decisions about the use of Māori data in responding to the pandemic and mitigating the serious public health risk and specific risk to Māori. This raised important questions about the role of tikanga Māori in the Ministry’s decision-making process with tikanga evidence before the Court, from Dr Carwyn Jones and Lady Tureiti Haroumi Moxon that the highly prized taonga of health has primacy in the pandemic context:

There is taonga in life and health. If there is taonga in data, then that taonga must give way to life and health. Providing the contact details of unvaccinated Māori provides the best chance of respecting the taonga of their life and health.

The Court also examined the Ministry’s discretion to disclose Māori data in terms of its expressed commitment to exercise its powers in relation to the vaccine rollout in accordance with Te Tiriti o Waitangi.

The Office of the Privacy Commissioner takes account of cultural perspectives on privacy under section 21(c) of the Act). Te Tiriti o Waitangi/Treaty of Waitangi is considered a founding document and the text(s) and the principles of partnership, active protection and equity help guide the work of the Office of the Privacy Commissioner. The Court’s discussion of te Tiriti o Waitangi, tikanga Māori and Māori data sovereignty respectively will further help to inform our Office’s approach.

Te Ao Māori, Covid-19

Back

Source:

Technology developments can be challenging to privacy laws. We all know our phones are powerhouses of data collection, and that our data is the key asset for big tech. But we don’t always know what data is being collected, nor how it is being used.

Recently in Australia the Federal Court found that Google misrepresented how Android OS collected, stored and used personally identifiable location data. As the Australian Competition and Consumer Commission Chair Rod Sims said, “This is an important victory for consumers, especially anyone concerned about their privacy online, as the Court’s decision sends a strong message to Google and others that big businesses must not mislead their customers.” Privacy and consumer laws can bite back.

While we know phones are collecting our data, other new technologies and practices are pushing the boundaries of how we expect our personal information to be treated. One of the key functions of the Privacy Commissioner is to monitor and examine the impact that technology has on privacy. The Privacy Commissioner recently discussed this connection between technology and privacy for a chapter in a book celebrating 60 years of IT Professionals in NZ.

The development of privacy is often traced back to the seminal article in 1890 by Warren and Brandeis. Core to the writing of the article was their concern that the ‘recent invention’ of the photographic camera would destroy privacy among Boston socialites:

Instantaneous photographs and newspaper enterprise have invaded the sacred precincts of private and domestic life; and numerous mechanical devices threaten to make good the prediction that “what is whispered in the closet shall be proclaimed from the house-tops” …The press is overstepping in every direction the obvious bounds of propriety and of decency.

By the 1970s New Zealand society was producing a large and continuous flow of information, which was only managed through the use of computers. This radically changed the concept of individual privacy, raising legitimate concerns that an individual’s personal affairs were moving out of their control. This concern was focused in New Zealand on the Wanganui Computer, a mainframe computer on which Police, Justice and Transport shared information, raising the spectre of “Big Brother”. The legal response was to pass a very proscriptive and restrictive law called the Wanganui Computer Centre Act 1976, to ensure that the system made no unwarranted intrusion upon the privacy of individuals.

Technology has again changed considerably since the 1970s, and the place of privacy in our society is also changing.

One of the real shifts that we have seen is a move away from a binary concept of privacy, being it’s either private or it’s not. The old common law concept is that if it is in the public domain then it can’t be private; if you are walking down the street you have no expectation of privacy. That has been reflected in our data protection laws, and the Privacy Act has a number of exceptions to the restrictions of information, including being publicly available information.

But some of the new technologies, such as biometrics, really challenge that. Is your face publicly available information just because you happen to be wearing it when you are out in the street? Is that enough to say that you no longer have any right or expectation that those very unique facial measurements that distinguish you from everybody else can’t be harvested and put to use for a range of benign or malign purposes? These are interesting questions.

In Challenging technologies: Perspectives from the Privacy Commissioner the Commissioner discusses privacy as a public good, the NZ COVID tracer app, the concept of open data, anonymisation and differential privacy, Māori approaches to privacy, cultural and international perspectives, and the role of IT professionals. The book celebrates 60 years of technology in New Zealand.

This book is available in paper or digital versions:

Paperback here

Ebook on Kindle, Apple Books, Kobo, Booktopia, Barnes & Noble, Google Play Books, Scribd, Smashwords

You can also read it online here: https://history.itp.nz/

Edwards, J. & Bennett, L. (2021) Challenging Technologies: Perspectives from the Privacy Commissioner. In J. Toland (Ed.), From Yesterday to Tomorrow: 60 Years of Tech in New Zealand, IT Professionals New Zealand

Back

Source:

Under the Privacy Act, the Human Rights Review Tribunal can award damages for emotional harm caused by a privacy breach. Damages are compensatory rather than punitive; the goal is to compensate individuals for specific harm rather than punish a defendant’s bad behaviour.

Calculating damages for emotional harm is not an exact science, especially when there has been no quantifiable financial loss. We have identified some factors contributing to the different amounts awarded for emotional harm in recent cases, which are helpful to consider when balancing the risks and benefits of taking your complaint to the Tribunal.

What damages can the Tribunal award?

The Tribunal can award damages if, as a result of a privacy breach, the complainant has:

• suffered a pecuniary loss
• reasonably incurred expenses
• lost a benefit that they might reasonably have expected, or
• suffered humiliation, loss of dignity, and injury to feelings.

The Tribunal has provided some useful guidance on quantifying emotional harm caused by a privacy breach. There are three broad bands of emotional harm: less serious breaches can see up to $10,000, more serious awards have ranged from $10,000 to $50,000, and the most serious awards have been more than $50,000[1].

The Tribunal occasionally awards high amounts for emotional harm – $98,000 in Hammond v Credit Union Baywide and $70,000 in Director of Human Rights Proceedings v Slater (opens to PDF, 717KB) – but the majority of successful claims are in the $5,000 to $25,000 range. (See the table of damages awarded on the Tribunal’s website.)

Linking harm to the breach

Because damages are compensatory, you are less likely to be awarded damages if you cannot show that your harm was a direct result of the privacy breach. This was seen in Wise v Commissioner of Police (opens to PDF, 169KB). The Tribunal found an interference with Ms Wise’s privacy, but she was unable to link her stress to the breach and there was no basis to justify damages for emotional harm.

While the breach does not need to be the sole cause of harm, the Tribunal takes care not to conflate emotional harm arising from a privacy breach with emotional harm caused by other issues. This is particularly important when there is a break down in the relationship between the parties, or where there are wider issues. For example, in Cook v Manawatu Community Law Centre (opens to PDF, 261KB) the Tribunal found the Centre had breached Ms Cook’s privacy when collecting sensitive financial information about her from WINZ. The Centre argued that any stress and anxiety suffered was caused by an ongoing employment dispute, rather than the breach of privacy. The Tribunal acknowledged there were other factors involved, but Ms Cook was able to prove the privacy breach was a material cause of her stress. The Tribunal awarded Ms Cook $6,000, taking care to separate the emotional harm caused by the privacy breach from the harm caused by the employment dispute.

Severity of the harm

An award will likely be higher depending on the severity of the breach and the amount of harm caused.

In Holmes v Housing New Zealand Corporation, the Tribunal awarded Mr Holmes only $400 when, having taken a “possibly over generous view of the facts,” it found he experienced a limited degree of injury to feelings. This can be contrasted with Green v EIT [2020] NZHRRT 24 (opens to PDF, 985KB) in which Mrs Green and her son were awarded $25,000 each after a staff member at the son’s school disclosed a significant amount of personal information about them to the courts. The Tribunal noted this was a “betrayal of trust and extreme embarrassment.” The son was particularly vulnerable because of his disabilities, and the Greens had been encouraged to trust the staff and share intimate details about the son’s health and relationships.

The specific circumstances of each case will be considered when looking at the severity of harm. This is one of the reasons it is difficult to quantify emotional harm.

Conduct of the agency

In Hammond, the Tribunal noted the conduct of the defendant can exacerbate or mitigate the emotional harm caused, and therefore is a relevant factor in the assessment of damages[2].

One mitigating factor the Tribunal considers is the presence of an apology.

In Williams v ACC, ACC accepted they had interfered with Mr Williams’ privacy, by relying on inaccurate information when stopping his weekly compensation payments. Soon after receiving a complaint from Mr Williams, ACC acknowledged the breach, reinstated his payments and provided a written apology. At the Tribunal, Mr Williams made a claim for $10,000 for the emotional harm caused. The Tribunal considered the timely apology to have lessened the harm and awarded Mr Williams $7,500, noting the speed with which the interference was recognised and remedied by ACC.

However, an apology will not always be enough. In Vivash v ACC, Mr Vivash was awarded $40,000 for injury to feelings, plus an additional $10,000 for other harm, for the destruction of his file. While ACC apologised to Mr Vivash, it had been 12 years since the breach and the Tribunal noted a “belated eleventh-hour acceptance by ACC of the breach can be given little weight.”

It is worth noting it is not only an apology the Tribunal will consider. The conduct of an agency throughout the breach and complaint process may be relevant when calculating damages.

Conduct of the individual

The Tribunal will also consider the conduct of the complainant when assessing the harm caused by a breach.

In Deeming v Whangarei District Council, Mr Deeming made a complaint to the Council’s Mayor about his local rugby club. A Councillor then disclosed the fact he made this complaint to the club president. Mr Deeming was banned from the club and experienced significant loss of dignity and injury to feelings. However, Mr Deeming delayed bringing the case to the Tribunal for nearly five years after our Office’s investigation. The Tribunals’ decision also acknowledges that Mr Deeming disclosed similar information to the club himself. Consequently, he was awarded $2,000 in damages, significantly less than the $40,000 he claimed.

Although the Privacy Act 2020 has put a time limit of six months on making a complaint to the Tribunal following an OPC investigation, complainants should also consider their conduct when making claims for damages under the Privacy Act.

Risks of going to the Tribunal

There are some risks associated with going to the Tribunal, including the length of time involved, the fact the decisions are public, and the possibility that the Tribunal can award costs against either party. These are all factors to consider when deciding whether to pursue your complaint through the Tribunal process.

[1] Hammond v Credit Union Baywide at [176] 
[2] See paragraph [170.3]

Back

Source:

31 Jan 2025, 13:00

The first Privacy News of 2025 covers the release of the Biometrics Code and how to give feedback on this, a new case note about personal information being published to a website, and the introduction of OPC’s Māori reference panel. There is also a notice about new translations of our privacy brochures – we now offer them in Traditional and Simplified Chinese, and Vietnamese.

Read the January 2025 issue.

Source:

Print | Email this page

Office of the Privacy Commissioner | Printable privacy brochures in Traditional and Simplified Chinese

9 Dec 2024, 09:00

Our brochure covers New Zealander’s privacy rights, what to do if your personal information is taken, and how to make a complaint to us. It also includes our contact details. We find these are popular with GP clinics, Citizen’s Advice Bureau outlets, and libraries.

These brochures can be printed from a home or office computer. They are double sided, with an English translation on one side. 

Please note, we are unable to provide professionally printed versions of this brochure. View professionally printed options.

Download our privacy brochure in Traditional Chinese (PDF, 1.78MB)

Download our privacy brochure in Simplified Chinese (PDF, 1.78MB)