What is the Privacy Act?
The Privacy Act 1993 outlines 12 principles which organisations must follow when collecting and using personal information. These principles cover:
- collection of personal information (principles 1-4)
- storage and security of personal information (principle 5)
- requests for access to and correction of personal information (principles 6 and 7, plus parts 4 and 5 of the Act)
- accuracy of personal information (principle 8)
- retention of personal information (principle 9)
- use and disclosure of personal information (principles 10 and 11), and
- using unique identifiers (principle 12).
12 Principles of the Privacy Act.
Every New Zealander is protected by this Act, and almost everyone who holds personal information needs to comply with it - from individuals and clubs to businesses and government departments. It is therefore essential that computer users are aware of this Act and of the implications of a breach. People's right to privacy is so important that every agency must appoint a Privacy Officer, someone who takes responsibility for how the organisation handles personal information. Click on the link below for a useful guide from the Office of the Privacy Commissioner to help businesses understand their obligations under the Privacy Act:
http://privacy.org.nz/assets/Files/Brochures-and-pamphlets-and-pubs/76915617.pdf
Why Privacy matters
People have a right to privacy, and they care about how their personal information is used. Computers have made it much easier to collect information about individuals, so it is only right to respect that information and store it securely. The consequences of not doing so are not only unprofessional; they can lead to serious reputational damage and financial loss, as these New Zealand cases show:
Vodafone privacy breach 'serious'
Investigation after child abuse records sent to the wrong person.
Privacy breach inexcusable - Greens.
Ministry investigates WINZ privacy breach.
Rude cake baker gets record $168K in damages.
Even if you are collecting information legally and are completely transparent about what you intend to use this information for, questions about whether or not it is ethical to do so may still persist. Take the recent examples of the Labour Party using a Facebook "baby number" widget, and the National Party inviting people via Facebook and Twitter to wish Prime Minister John Key a happy birthday. This may seem like harmless fun but the real intent was to gather people's email addresses and add them to the party's mailing list. You could argue that this is just the new way of communication, but is it an ethical way to collect this information?
Online gimmicks are being used by political parties to turbo-boost their email lists.
What can you do if you accidentally breach someone's privacy?
It is very easy for someone to accidentally (or perhaps intentionally...) leak personal information: information stored on a computer can easily be copied or emailed to the wrong person, for example. Organisations must take all reasonable precautions to prevent misuse of personal information, but if a data breach does occur it is important to act quickly to minimise the harm it may cause. The Office of the Privacy Commissioner has published a useful resource offering guidance on what to do when this happens:
Protecting your Privacy
There is no denying that computers have changed the way we live our lives: we can communicate in real time around the world using Skype and email, buy and sell online, bank online, find information and generally participate in a digital society. But we also need to be aware of the risks that come with this convenience and make sure we do what we can to protect ourselves, our families and our businesses. The following site offers some handy privacy tips on how to keep safe in an online world.
Tips from the Office of the Privacy Commission on keeping safe online
It is also important that we are aware of what we are agreeing to when we download apps and tick "yes, I have read the terms and conditions". Personal information is often captured and monetised by companies. Take a look at this simplified version of the terms and conditions you agree to when signing up for Instagram, a social networking app for sharing photos and videos from a smartphone:
Gizmodo article by Rae Johnston
What can companies do to make sure they comply with the Privacy Act?
There are some simple steps companies can take to make sure they are doing what they can to comply with the Privacy Act.
- Align company policy with Privacy Act obligations - make sure you have a policy in place which tells employees how information can be collected and used, who it can be shared with, how this information is stored, how it is checked for accuracy and how long it is retained for.
- Make sure all employees are aware of their privacy obligations and are trained to comply with them. Employees need to feel comfortable disclosing any breach as soon as possible so that it can be dealt with effectively. Include in your training the importance of checking recipients and attachments before sending emails, putting strong passwords on all devices, being careful with information at social gatherings and being professional when communicating internally.
- Have a plan in place should an information breach occur - think about how the breach will be investigated, communicated and responded to.
What are the penalties for Privacy Act Infringement?
The Privacy Act is a principle-based system, so the Privacy Commissioner cannot prosecute or fine an agency directly for not adhering to the privacy principles. The only exception is the right of access under principle 6 to personal information held by a public sector agency, which is a legal right enforceable in court.
If someone thinks their privacy has been breached, they should first raise it with the privacy officer of the organisation concerned; if they feel the response was not satisfactory, a further complaint can be made to the Office of the Privacy Commissioner. Proceedings can then be brought before the Human Rights Review Tribunal (by the Director of Human Rights Proceedings on that person's behalf, or by the person themselves), and the Tribunal can award damages of up to $200,000.