Speeches

Opening address to the Wellington Privacy Forum

Wednesday, May 11, 2016 - 09:11
Justice

Good morning

It’s great to have the opportunity to open Wellington’s Privacy Forum and to talk to you about privacy this morning.

Can I start by acknowledging:

  • John Edwards, Privacy Commissioner
  • Joe Cannataci, UN Special Rapporteur for the Right to Privacy

Ladies and gentlemen, we live in the age of information. We are creating and disseminating information like never before.

And that creation and dissemination could be through deliberate acts of each of us or as a consequence of unprecedented collection and analysis of the way we live our lives.

This presents enormous opportunities across both the private and public sectors to better design and provide our services in a way that is more cost effective and better targeted. But as those of us working in and around the area of privacy know, it also poses significant challenges.

Today I want to talk to you about the way data and technology is changing the dynamics of our privacy framework, and how the Government is re-thinking the way it responds.

New Zealanders quite rightly expect that their dealings with government will be easy and effective, and that the government protects people from harm. What is less known is how information sharing is critical to achieving these aims. 

When we make decisions that information cannot be shared across and between Government agencies, there is an opportunity cost that comes with that and our job as privacy practitioners is to lead a mature and informed debate on that balance and ensure we have the settings right.

My goal is to have a government that appropriately uses information in an effective and timely manner for the benefit of New Zealanders – but also where we have the necessary infrastructure and penalties to act swiftly if a person’s privacy is unfairly infringed. And where the public are well informed about which of their information is likely to be used, by whom, and for what purposes.

And what rights they have to control or limit its use and in what circumstances.

Our privacy framework works best when New Zealanders trust and support it.

We want and need the Privacy Act to work and to work well. But more than that, we need the very essence and importance of the Act to be understood and valued. When it’s misused or we get it wrong, it demeans the gravitas of the law.

When the public start seeing the law as a mindless bureaucracy that is more often than not just a barrier to sensible outcomes, we’re all worse off as a result.

Today’s world of data and information sharing

Today’s world is one where it’s almost a given that we share information online, instantaneously.

In 2015, 2.4 billion people were online.

Google alone had 3.5 billion searches per day. 

In 2016, global internet traffic will surpass 1 zettabyte (or 1 billion terabytes) for the first time.

By 2020, there will be over 50 billion connected devices in the world – all with the capacity to collect and share personal data.  Every minute of every day 2 hours of content is uploaded to You Tube and over 1 billion tweets are sent each day.

This illustrates the data explosion we’re living through. Historically, only a tiny fraction of the data created globally has been explored for its analytical value.

This is changing. Recent technological advances in the collection, storage and analysis of large, unstructured datasets means enterprises, governments, and other agencies are powering up their investments in Big Data to convert massive datasets into valuable information and insight. 

Big Data holds the promise of delivering better quality, customised products and services to New Zealanders. To deliver on that promise, however, we need to mindful of our citizens’ expectations about the protection of their privacy. 

This is essential if we want to earn and maintain their trust. 

This age of Big Data means we need to continuously adjust our privacy and data security protections to keep pace with technological developments. 

This is not just the government's responsibility.  It extends to every enterprise and agency that holds and uses personal data.

Breaches of privacy

For our system to have any effective basis, we need to be deal with breaches of privacy swiftly and effectively.

The Government is progressing reforms to our privacy laws that will help reduce the risk of privacy breaches and harm.

These changes have been well-flagged.

We need to ensure we have the mechanisms and infrastructure to guard against inappropriate use and to respond swiftly and appropriately where a person’s privacy has been infringed.

Significant changes in technology have occurred since the Privacy Act was passed in 1993 which means we need to protect our personal information more closely. The recently announced EU data protection rules highlight that New Zealanders are not alone in thinking this.

I’m committed to implementing the reforms, which the Law Commission identified in its Privacy Act review.

These reforms will incentivise private entities and public sector agencies to value early identification and prevention of privacy risks that could cause harm.

These privacy changes will safeguard our privacy laws and give New Zealanders the assurances they need that their personal and private information will be safely kept.

The proposed changes include stronger powers for the Privacy Commissioner, mandatory reporting of breaches, new offences and increased fines.

With significant information held offshore by companies like Google and Facebook, new measures will also address privacy concerns about cross-border information flows.

The Privacy Act is also being modernised. I intend to release an exposure draft of the new Privacy Bill before the end of 2016 for targeted consultation. This will provide an opportunity for privacy experts to comment on whether the draft Bill implements the Government’s privacy reforms in a way that is clear, accessible and user-friendly.

It’s my intention to introduce the Bill into Parliament in 2017.

Striking a better balance

But it’s not as simple as saying all information is sacrosanct and less personal information is used, the better.

As I’ve already said, It’s important we find the right balance between shoring up privacy protection and the need to share personal information to better target services, more efficiently spend taxpayers money, or to better protect our citizens.

I want to know what New Zealanders think about where this balance lies.

We couldn’t have envisaged in the early 1990s when the Privacy Act was drawn up that we might be able one day work out who needs specific government programmes based on anonymised census information.

Take as an example, Fitbits, or other wearable fitness activity tracker devices.

They seem to have taken the world by storm. Admittedly even I’m a fan.

They sit discretely on your wrist and tell you how far you’ve walked, your heartrate and even how well you’ve slept. But these little devices collect mass data from wearers. I’ve seen reports of these data sets being cross-referenced so that people are re-identified purely on the way they walk. They could also be used by marketers to gain useful insights to offer tailored goods and services to specific people and customer segments.

But, are we okay with that?

And what do we think about commercial uses of re-identified data like your health insurer buying information that shows you don’t walk more than 1000 steps a day when that information is sensitive. Or a credit agency seeing from location information that you spend a lot of time at the casino?

Do we want to prohibit one or all of these examples?

There is a panel discussion later this morning on this issue and I am interested to know where the discussion lands.

Is it time to focus less on how information about a person is obtained (such as whether it is provided, observed, derived or inferred), and instead to focus on how information is used and whether those uses benefit people and society, or cause harm?

I’m interested in exploring what New Zealanders think about the potential to regulate the use of any previously anonymised data that has been accidentally or intentionally re-identified.

To this end, I am working with the Data Futures Partnership – an independent group helping lead the development of the data-use system in New Zealand.

The Partnership will include the theme of re-identification in its public debate - in the second half of this year - on the ‘social license’ to use data in new and interesting ways.

I’m also interested to hear more about what is “private information” in the Facebook age.  Is putting an email address in the cc field instead of the bcc field really a privacy breach when our phone numbers and addresses have been public for decades.  Does posting a relationship status update alter the privacy protection that applies to use of that information?  How do we explain to our children the very real, very viral and very permanent impact of posting photos and information on line?  Who can use that information in the future and for what purpose?

What we do know is that we can’t look at today’s & tomorrow’s issues through a privacy lens created before most of our population was born without ensuring we continually re-calibrate societies view on some of these issues. 

Benefits of sharing information for public policy

From a Government lens we are thinking about these issues in terms of the transformative shift in the way public sector agencies use information to direct programmes to those in need.

The Government’s Social Investment approach is using anonymised data from Statistics New Zealand’s Integrated Data Infrastructure.

It’s about using collating data and using it in smart and sophisticated ways to influence public policy and ultimately drive better results.  But there is a point where we need to move beyond statistical modelling and actually determine the people we need to reach and how to help them better.

There is a great deal of potential for where sharing information in an effective and timely manner can improve the lives of New Zealanders. I think many people would be surprised that it’s not already happening.

For example, community housing workers could find the best housing solutions for people with complex needs, if they have all the necessary information.

School would be notified of health issues that may affect a child’s learning and doctors wouldn’t think twice about reporting their suspicions about how children are being treated at home.

Sometimes, better sharing of information could help to avoid material harm. Instead it seems that all too often information is not being shared because of misperceptions about the Privacy Act.

For example, the notorious escape of Phillip Smith to Brazil was made possible, in part, through a lack of good information sharing by agencies.

Mr Smith, a convicted murderer and sex offender, was able to escape partly because the wider Justice sector did not have effective information sharing processes in place about prisoners on temporary release. 

This meant border officials did not know he should have been stopped at the border.  When asked, the response was that they didn’t think they were able to share that information because of the privacy act.

And while the public sector was tying itself in knots out of concern that it might breach the Privacy Act, the public was put at risk and there was an understandable astonishment that Government wasn’t sharing personal info for these sorts of things.

I expect that the public’s patience to address these kinds of problems is at breaking point. One more example where privacy concerns have contributed to a high-profile case of harm is quite rightly likely to be more than the public will accept and result in an overhaul of our current approach.

Problems posed by the current regime

So, what is the problem? Why is personal information not being shared when it needs to be? And have we lost sight of the issue of balance and appropriate use?

For starters, there isn’t any single issue to point to.

However, the current structure of our Privacy Act appears to cause difficulty for agencies in reaching a definitive or legally-robust conclusion about when information can be shared.

This stems from the principles based approach of the Act, which, ironically, is flexible in nature but doesn’t help a frontline operator needing to make a quick decision. This leads to a situation that stifles decision-making and creates an environment where agencies don’t share information in fear of being responsible for the latest privacy breach.

Agencies are then reluctant to take the risk of breaching a person’s privacy by sharing or re-using, and this can lead to some of the frustrating or even tragic examples.

Recent amendments to the Privacy Act which allow the privacy principles to be overridden have also proven to be cumbersome and have not been widely taken up – Approved Information Sharing Agreements (or AISAs) are perceived as cumbersome, overly-resource intensive and time-consuming.

Solutions to public protection information sharing

While it is clear that there is no quick fix to these issues, there is general acknowledgment that we need to do better.

The public sector has in my view become overly risk averse around information sharing. We need to flip this culture on its head.

Privacy shouldn’t trump public safety.

The Privacy Commissioner has made it clear that he shares my frustration that initiatives to deliver better public services that involve sharing personal information are being held up because of misperceptions of the Privacy Act.

So together, the Privacy Commissioner and I have agreed that we will work together to focus on ensuring Government public protection agencies are sharing information for public safety purposes where that is justified under the

law.

We will be focusing on information sharing in the area of public safety in order to:

  • help keep people safe
  • improve efforts to prevent, detect and investigate offending
  • keep frontline staff in public protection agencies safe
  • reduce the opportunities for criminals with multiple identities to game the system.

We want broad agreement & understanding across the public service about what information can and should be shared and when for public protection purposes.

This approach is intended to improve information sharing practices by driving a culture of appropriate information sharing for these purposes within existing legislative settings. But also to test whether all necessary information sharing can occur under the law as it stands.

These public protection information sharing changes mirror, in many ways, the recently revised EU Data Protection rules for public protection.

The EU is enabling ‘data exchanges’ to support police forces within and across European nations to counter serious crime and terrorism.

New Zealand’s own public protection improvements will support agencies to counter crime and reoffending of all types within and up to our borders.

The Government is also about to introduce law changes which will enable specific agencies to verify a person’s identity, to ensure that an episode such as Phillip Smith does not happen again.

The process of improving information sharing is being overseen by myself and State Services Minister Paula Bennett. We will be following progress closely and will keep well-informed of any barriers identified.

I look forward to updating you on this work programme as it progresses.

Closing remarks

Ladies and gentlemen, I recognise the importance of privacy – as a basic human right that the government needs to safeguard.

I am committed to ensuring we have the mechanisms and infrastructure in place to guard against inappropriate use of information and to respond swiftly and appropriately where a person’s privacy has been infringed.

While privacy is a right - that right does need to be balanced against other human rights like the right to be safe and free from harm and other considerations that may require the sharing of personal information.

There is in New Zealand an evolving conversation around the protection of privacy versus specific use of personal information for public good. I want to encourage New Zealanders to engage in this conversation.

I believe we can all agree that sharing personal information in appropriate ways can improve and, even, save the lives of some of our most vulnerable New Zealanders.

As well as protecting privacy and upholding that right, I see it as a pivotal role in my job as Justice Minister to do all I can to make the safe and effective sharing of information possible to help make the lives of our most vulnerable better

Thank you.