Dunne Speaks: The Privacy Act 25 Years On
Twenty-seven years ago I introduced to Parliament what was then - and probably still is - the largest ever Private Member's Bill - the Information Privacy Bill. It drew heavily on work I had begun as Associate Minister of Justice in the previous Labour Government. The Bill was followed a few hurried and embarrassed weeks later by the National Government's own effort, the Privacy of Information Bill, which bore a remarkable, if not identical, resemblance to my own Bill! Both Bills eventually morphed to become what we know now as the Privacy Act. This was passed twenty-five years ago, and this week, Privacy Week, is an occasion to celebrate that, and to consider where we need to go with Privacy law in the future.
Of course, a huge amount has changed in the last few years, let alone the last twenty-five years. When we were first looking at the issue in the late 1980s and early 1990s the principal focus was on ensuring that people's privacy was protected from their being included unknowingly on various corporate mailing lists - Reader's Digest was cited frequently as the main offender - and ensuring that they could get off those lists and stop the flood of unsolicited mail. Today, of course, the scope is much wider as there is more collection of data by Government agencies, and that data is shared with and by a wide variety of organisations, for often beneficial, but by no means exclusively so, purposes. On top of that have been the activities of social media entities like Facebook, and, more notoriously and recently, Cambridge Analytica, which have taken the issue to an entirely different level. Just as communications and technological advances have now rendered national boundaries obsolete, so too, and even more so, in the data world. It is pervasive and constant, a far cry from the occasional unwelcome and incredible offer from an international mailing company. Little wonder, then, that the Government has recently introduced legislation to modify and upgrade the original Privacy Act.
Earlier this week, the Office of the Privacy Commissioner released some sobering figures regarding how New Zealanders feel about the way their data is being treated. Its latest annual survey shows more than two-thirds of New Zealanders are concerned about their individual privacy, and that that figure has been rising over recent years. Perhaps not a surprise given recent widely reported data breaches here and elsewhere. Of more concern, though, at a time when more and more of citizens' transactions with Government take place online, and New Zealand is recognised as one of the most digitally advanced countries in the world, confidence in the Government's ability to handle individual citizens' data securely has fallen sharply over the last five years. Yet during these years, Government practice with regard to the handling of individual data has improved dramatically. But the test here is a simple one - it is not the actuality of what is happening that matters, but the perception of it. Put simply, if people feel their data is less safe with the Government, they will become far less inclined to comply with data gathering and sharing requirements, which will in turn defeat the purpose and efficiency of greater data use and sharing to improve the delivery of public services.
There are some stark lessons here for the Government, whatever its political hue. They will be ignored at their peril. Governments can only move in this space to the extent they have the public's confidence and endorsement. So, a major part of any Government's effort in the digital transformation space has to be about getting and keeping the public on-side. The Privacy Commissioner's survey results, although mildly encouraging overall, sound the timely reminder that there is still some way to go.
When the original Act was passed in 1993, it was launched in a vacuum. Inexplicably, given the nature of the reform, the Government then did nothing to explain what the Act was about. Consequently, incredibly cautious, risk-averse middle-ranking bureaucrats in both central and local government were left to fill the spaces, leading to many bizarre and downright silly rulings and new procedures that severely risked quickly bringing the whole Act into disrepute and ridicule. So, whatever the outcome of the current Bill, I strongly plead that the Privacy Commissioner is given the resources and the time to explain what it will and will not do, so that it can become an effective protection of individual privacy from the day it comes into effect. In this fast-moving space, that is not just a pious wish, but an absolute necessity.