Dalziel: Privacy Issues Forum
27 August 2008 Speech Notes
Privacy Issues Forum
Associate Justice Minister Lianne Dalziel's speech
to officially open the Privacy Issues
Grey Street, Wellington
Privacy Commissioner, Marie Shroff, thank you for inviting me to open today's forum. May also acknowledge Sir Geoffrey Palmer, head of the Law Commission, and Professor John Burrows, the law professor I studied under at Canterbury University.
I looked back over my speech notes from the last time I opened a privacy issues forum, which was in 2003. There are things that have changed in the five years since I gave that address – Marie Shroff has taken over from Bruce Slane as Privacy Commissioner. There is a substantial review of privacy being undertaken by the Law Commission, whereas when I last spoke on the subject, the Law Commission was analysing the results of submissions it had received in response to a somewhat less detailed discussion paper that had been issued the year before and, of course, Sir Geoffrey has replaced Justice Robertson as the head of the Law Commission.
The opening address that day was given by Justice Michael Kirby, which I recall being particularly thought-provoking, touching as it did on the massive data-banks held by airlines and justifying the degree of scrutiny officials place on passenger lists by our respective countries' decision not to require everyone to carry an identity card.
The point in common between the two forums is that I remain committed to introducing the Privacy (Cross-border Information) Amendment Bill. The only difference this time is that I have actually introduced a Bill, whereas in 2003 it was an aspiration. It is set down for a first reading and has the agreement of support parties for referral to a select committee. The Bill addresses two deficits in the Privacy Act, which does not currently allow foreign nationals resident overseas to make information privacy requests, and does nothing to prevent data received from overseas being transferred outside New Zealand to a jurisdiction without adequate privacy protection.
The 2003 Forum had many eminent speakers as does today's forum. All of the speakers today have made sizable contributions to the various debates on privacy issues, so I anticipate that the discussion will be both thought-provoking and lively. I am including my sister Kathryn in this description because she is highly regarded in the privacy field, but also to ensure that she doesn't get the chance to imply that I am her mother, which I am told is what she does when I am not present.
My interest in privacy legislation dates back to the passage of the Privacy Act 1993, when as a member of the Justice & Law Reform Select Committee, I gained an important insight into not only the range of academic views on the subject, but also the range of public opinion that continues to exist today. The history of New Zealand's legislation lies in part in the desire to be consistent with the OECD Guidelines, but we should not forget - the broader concept of privacy dates back to the Universal Declaration of Human Rights. And as a human right, it has never been more important than it is today with technology making personal information more accessible. It was no accident that a Bill that began its passage through Parliament as the Privacy of Information Bill became the Privacy Act.
The theme of the Forum this year is "Privacy is your business" which has two meanings.
First of all, privacy matters to individuals.
We are now at the point where the collection, use, storage,
and disclosure of personal information can occur unnoticed,
across borders, and at phenomenal speeds. Privacy is in
that sense, very much, your business.
Second, privacy matters to business. Major advances in technology have changed the way in which personal data is collected, stored, and used. The challenge for business is to ensure the benefits obtained through the use of new technology do not compromise individuals' expectations about the security of and use of their personal information. It isn't a case of one or the other. Business efficiency and information management processes that respect individuals' privacy expectations go hand-in-hand.
A business that cannot assure its customers that their privacy will be respected will lose customers to competitors. Here, the degree of trust customers have in the businesses they deal with is paramount.
Let me use the example of the sign that appeared on the airline counters after the current law was first passed. It indicated that the airline would not give out information about passengers due to the Privacy Act 1993. My view was that the notice should have said: 'Because we value our passengers' right to privacy, we do not give out information about our passengers to anyone without their permission.' Advising customers that they had always followed this practice, even before the law change, would have been more honest as well.
I would like to talk more about this issue of trust, and its importance in maintaining an ongoing relationship between a business and its current (and potential) customers.
information technology boom, collection and disclosure of
personal information was far more limited. Most personal
information was stored manually and it wasn't easy to copy
or disseminate written information. A lot more personal
information had to be obtained from individuals themselves
and that's where trust came into play. Things have changed.
The ability to print, photocopy, photograph, videotape,
record, collect and analyse biometric information, and so
on, means there is no longer a serious barrier to the
collection or distribution of personal information. Nor does
much of it have to be obtained from the individual
Increasing use of technology has reduced the personal association between the business collecting the personal information and the individual whose privacy is at stake. Individuals may be perceived, in a millisecond, as "information" in an email, on a disk, or on a webpage. Participants to a transaction may be on the other side of the world from each other. This relative weakening of social relationships weakens the interpersonal regulation of the transfer of personal information.
In an environment where masses of personal data can be disclosed to large numbers of people at the click of a mouse, trust has become more important than ever.
Individuals need to trust that the businesses they deal with will respect their personal information and protect their privacy. But this trust needs to be earned and re-earned. A business that breaches a customer's privacy may not get a second chance. There have been a number of recent examples of privacy breaches that are likely to lead directly to a loss of trust. There was the ticketing company which sent an e-mail to everyone on its mailing list without blocking the display of individual email addresses. And there was the university whose computer "glitch" enabled students to access other student's academic records. The same fault could affect any business that enables customers to access accounts online with disastrous effects on client confidence.
We can't go back to the days where personal information was disclosed only within trusting interpersonal relationships. Few would want to sacrifice the amazing developments in communications technologies to do so. What businesses need to continue to do is adapt.
One way in which businesses can do so is to
develop proxies for trusting relationships "at a distance".
As the Privacy Commissioner has said before, good privacy is
good business. And businesses that are not trusted are not
good long- term prospects.
Development of transparent privacy policies that comply with the Privacy Act and best practise will help businesses gain the level of trust needed to attract and retain customers. Secure websites and data storage, complaints procedures, monitoring, staff training, corporate responsibility, and accurate, up to date and honest information for consumers will enhance that trust. Businesses can help themselves by developing top-down privacy-conscious cultures.
The government has a role in enhancing trust too. The Privacy Commissioner's role in promoting privacy awareness is pivotal. With increasingly complex new technologies, New Zealanders need a legitimate source of information about risks to their personal privacy and how to respond to those risks. I applaud the Commissioner's proactive approach in this area and note in particular her focus on educating the young. We can learn from our technologically-savvy young people and I look forward to seeing the video of the winning entrant to the secondary schools video competition for Privacy Awareness Week.
These forums are also an important part of Privacy Awareness Week, because they give us the chance to dissect important issues that are not only a challenge in New Zealand but which challenge other jurisdictions as well.
I have noted that this afternoon's session will include discussion on information disclosures between agencies. This is a vital area of concern for the government. It is not yet entirely clear what people's understandings and expectations of inter-agency information sharing are. We all seem to know when information should have been shared, but that tragically is usually immediately after something has gone terribly wrong and it would appear with the benefit of hindsight that information held by one agency should have been shared with another.
I welcome the discussion this afternoon and encourage you all to think seriously about what is an incredibly important issue.
I conclude with a
comment about trusting relationships "at a distance".
I said earlier that trusting interpersonal relationships are no longer the primary enabler of personal information transfer; technology is. Modern privacy law either ensures the individual retains some degree of control over the transfer or approximates a trusting interpersonal relationship – an honest broker as it were.
As technologies continue to evolve and individuals become more burdened by more complex privacy waivers, drivers to eliminate individuals from the information transfer equation will increase. This will mean the primary challenge for law reformers will be to design options such as privacy policies, privacy responsibility plans, privacy standards and technology design standards that can intervene to approximate trusting interpersonal relationships.
I hope you all enjoy an interesting and productive day at today's Privacy Issues Forum and on that note I declare the forum open.