1. Thank you for the opportunity to provide a submission. I am currently a PhD
Candidate in Computer Systems Engineering, investigating embedded vision and video
analytics. As technology continues to improve, new types of applications will
be enabled that allow for the greater and faster extraction and collection of
data and information about individuals. As part of my research, I have sought
to understand the implications of camera-based surveillance systems on privacy,
how we can protect privacy using technology during system design, and the
drivers of public perceptions of privacy.
2. I am happy that the Bill places specific emphasis on “promoting people’s confidence
that their personal information is secure and will be treated properly”. Without
a strong expectation of privacy, our society would be far more insular, and the
barriers and costs of interaction would be much higher. The proposed Privacy
Bill is a step in the right direction, but it is only that – a step. The
proposed changes, particularly giving the Office of the Privacy Commissioner
more powers to investigate privacy breaches, requiring public notification of
privacy breaches, and introducing compliance notices, are sorely needed in the
digital age where private information flows more freely than ever before. I am
generally in favour of the proposed Bill. However, the protections given in
this Bill need to be extended further to ensure that we have adequate
protections for individuals and their information going into the future. The
Privacy Bill also needs to become more enforceable to de-incentivise non-compliance.
All subsequent suggestions should be taken to be additive, i.e. that they are
added on top of the existing Bill, not replacing any of the existing parts.
Information Privacy Principles
3. New Zealand is fortunate to have a set of strong Information Privacy Principles
(IPPs), as elucidated in s 19 of the Bill. As new technologies are developed,
along with their associated opportunities and threats, it is helpful that we
can return to and apply the same set of Principles that can be used in a wide
variety of circumstances. I strongly support the continuation of the use of
these Principles.
4. However, IPP6 needs to be further extended to provide better protection for
individuals. The “Right to Access”, as presented in the European Union’s
General Data Protection Regulation (GDPR) goes further than IPP6 to allow for
greater transparency. Confirmation that the agency holds information or not,
and access to that information, is insufficient. I believe that agencies should
also, upon request, be required to state how personal information is being
stored, the specific purposes for which the information is being collected (as
already included under IPP3, but available after the collection of
information), whether data will be used anonymously or not, how data is being
shared, and how data was acquired. Making these details available is critical
for allowing individuals to understand, after data collection, where their
information will go and who will have access to it. Importantly, it is also a
source of evidence for individuals seeking to understand how their information
has ended up somewhere unexpected.
5. There is perhaps more scope to include the findings of the Data Futures
Partnership into this Bill. Their work focused on social license and improving
public confidence and trust around the use of data. In particular, the specific
questions that have been identified by the Partnership that should be answered
about data use could be built into IPP6. Extending beyond the details included
in the previous paragraph, this includes identifying what the benefits of
collecting the information are, and identifying who receives those benefits, as
well as stating whether there is potential for data to be sold or used for
other secondary purposes that are not stated at the point of data collection.
Penalties
6. I note that s 28 means that only breaches of IPP6 by public sector agencies are
enforceable in a court of law. This is a positive step forward from the status
quo, but it is definitely not enough. Agencies that breach the privacy of
individuals need to be held accountable, more concretely than through a
compliance notice. The Human Rights Tribunal may be the only recourse for most
individuals seeking restitution for privacy breaches, but this process is too
slow and the barriers too high for many individuals. While we may hope that
these never need to be used, it is important that stronger civil penalties are
eventually introduced, with adequate infrastructure to support the associated
justice processes, so that privacy is taken very seriously and not treated as a
secondary concern.
Investigations
7. While the Commissioner has power to obtain information during investigations (s
88), in order to issue compliance notices (s 129), or to determine whether
personal information can be transferred (s 194), the penalties for not co-operating
with this under s 212 are worryingly weak. In some cases, without the co-operation
of the Agency, it may be impossible for the Commissioner to obtain the
necessary evidence for determining if a privacy breach has occurred. For
example, a large company may be internally using collected data for secondary
purposes that are not covered by their Privacy Statement or notified to
customers. Even though the Commissioner may suspect that something is wrong,
they cannot prove that anything is wrong without the co-operation of that
company. The large company may well choose that they would rather pay a small
fine for obstructing the investigation, than to be subject to a more public
compliance notice or Tribunal hearing. Stronger penalties are required, and
exemptions such as the “reasonable excuse” defence should be further limited or
removed, as recommended by the Privacy Commissioner in their Report to the
Minister of Justice under s 26 of the Privacy Act from 2017 (https://www.privacy.org.nz/assets/Files/Reports-to-ParlGovt/OPC-report-to-the-Minister-of-Justice-under-Section-26-of-the-Privacy-Act.pdf).
8. At the same time, giving the Office of the Privacy Commissioner more investigative powers requires sufficient oversight. It appears that there is little opportunity for appeals against requests for information, or for a complaint to be laid against the Privacy Commissioner for vexatious requests. For example, there exists the potential for a Privacy Commissioner to demand information repeatedly, or for information to be demanded that is on the borderline of the Privacy Commissioner’s scope. Appropriate checks and balances need to be in place in order to improve public confidence and trust in this system. It may be helpful to provide an intermediary ombudsman or similar oversight body to allow for appeals without having to go through the Court system.
9. In general, the Commissioner needs more powers to investigate whether
appropriate privacy protections have been put in place. A step below the
Compliance Notice may be a “Please Explain”-style notice that is commonly used
by stock exchanges and other agencies in financial areas. This may be useful in
a scenario where the Commissioner is not sure if a breach of any IPP has occurred,
but there is strong potential for an IPP breach and there is public interest in
determining if this is the case. For example, recent revelations that
Foodstuffs are using a security product from Auror that uses facial recognition
to detect shoplifters led to some public concern about the integrity of that
system
(https://www.odt.co.nz/news/national/rise-ai-nz-supermarkets-using-facial-recognition).
In this case, I believe that there would be significant value in allowing the
Privacy Commissioner to ask Foodstuffs to provide more details about the
system, and for the Privacy Commissioner to determine if a subsequent
investigation into an IPP breach is necessary. If the Privacy Commissioner
determines that the system is actually compliant and that there are no
concerns, then that can help allay the fears of the public, improving public
confidence. This option gives Agencies an opportunity to co-operate with the
Office of the Privacy Commissioner before the more punitive step of issuing a
Compliance Notice, and gives the Privacy Commissioner an opportunity to spot
potential issues and provide advice so that Agencies can rectify any issues
before harm can accrue.
Anonymisation and Re-identification
10. On the protection of “anonymised” data from re-identification, I believe that
the Privacy Commissioner’s proposed amendments
(https://www.privacy.org.nz/assets/Files/Reports-to-ParlGovt/OPC-report-to-the-Minister-of-Justice-under-Section-26-of-the-Privacy-Act.pdf),
which include controls and penalties on the re-identification of previously
anonymised data, are almost adequate. The idea that intentionally
de-anonymising data for nefarious purposes should be a criminal offence should
be supported. However, identifying the intent is important, and there should be
exceptions in place for those with good intentions. For example, academic
researchers who discover that anonymised data can be de-anonymised should be
given an opportunity to disclose that to the Agency and the Privacy
Commissioner or similar regulatory body, and not suffer negative consequences
as a result. Penalties should exist for Agencies that release poorly anonymised
data that can be easily re-identified in order to incentivise Agencies to take
appropriate care in anonymising and releasing that information.
Conclusion
11. As a final point, I urge the committee to remain steadfast in a
Principles-based approach to privacy. My recent research into public
perceptions of privacy in the context of surveillance cameras has shown that
the context of how data is being collected, stored, and used is incredibly
important for public confidence and acceptance of surveillance cameras, and
this is likely applicable to other contexts. Creating specific rules that
dictate how to protect privacy will lead to loopholes, non-compliance, and
ultimately reduced public confidence in the efficacy of those privacy
protections. One-size-fits-all privacy protections will not work – the nuances
of each individual application and scenario can significantly change whether
something is considered to be appropriate or not. Trust in how our privacy is
protected is critical for public confidence. Our current Principles allow for
flexibility so that a wide variety of applications can be considered, but also
need to be further extended to provide sufficient protections for individuals
in the digital age.
12. Thank you again for the opportunity to make a submission to this Bill. I would
be glad to make an oral submission, and understand that all submissions will be
available publicly.
Regards,
Andrew Chen
Privacy is just a human right