Privacy – it’s in your hands
Last month, the Office of the Privacy Commissioner held its annual “Privacy Forum” as part of Privacy Week – a week of awareness about privacy and data protection. For the first time this year, the Forum (usually held in Wellington only) came to Auckland as well.
The theme of the week was “Privacy – it’s in your hands”, with a particular focus on the right to know about and access one’s own personal information. Privacy Commissioner John Edwards described this as “the cornerstone of privacy law” and a right which has long been recognised by our laws and courts as having “constitutional significance”.
The audience heard not only from Commissioner Edwards, Assistant Commissioner Blair Stewart and a panel of New Zealand privacy practitioners (comprising Kathryn Dalziel, Jacqui Peace and Daimhin Warner), but was also treated to the international perspectives of keynote speakers Professor Joseph Cannataci, recently appointed as the inaugural UN Special Rapporteur on the Right to Privacy, and Timothy Pilgrim, the recently appointed Acting Australian Information Commissioner.
Right of access to personal information
Survey figures from our Privacy Commissioner indicate fairly high levels of engagement with and concern over privacy and data amongst New Zealanders, and that the discussion of these issues during Privacy Week was both necessary and timely. It seems that 65% of us are “concerned or very concerned” about privacy. (“I venture to suggest that the other 35% either didn’t understand the question or didn’t think about it,” quipped Commissioner Edwards.) 62% of those surveyed were cautious about data usage and data sharing between agencies, and while safeguards such as data anonymisation went some way to assuaging concerns, they could not take them away entirely.
The right to access data held by government and other agencies is “so venerated and venerable” that in some Latin American countries it is known as “habeus data”. “So why,” queried Commissioner Edwards good-naturedly, “does it generate so much work for my office?” (about 60% of the approximately 800 complaints received per year).
Part of the strategy for reducing complaint numbers is a new online tool called “About Me”. This will enable New Zealanders to email any agency and ask them for the information held about them in a more targeted way. These emails will also contain advice from the Privacy Commissioner to the recipient agency as well as a clock function letting them know by when they need to respond.
Big data – opportunities and challenges
The Minister of Justice in her opening address to the Wellington Privacy Forum recognised that today’s unprecedented level of information creation and dissemination both “presents enormous opportunities” and poses “significant challenges”.
“Historically, only a tiny fraction of the data created globally has been explored for its analytical value,” Ms Adams said. “This is changing. Recent technological advances in the collection, storage and analysis of large, unstructured datasets mean enterprises, governments, and other agencies are powering up their investments in big data to convert massive datasets into valuable information and insight.
“Big data holds the promise of delivering better quality, customised products and services to New Zealanders. To deliver on that promise, however, we need to mindful of our citizens’ expectations about the protection of their privacy. This is essential if we want to earn and maintain their trust. This age of big data means we need to continuously adjust our privacy and data security protections to keep pace with technological developments.”
This uneasy balancing act, and the need to allow for access and transparency in the equation, proved to be a theme of the Auckland conference as well.
Rethinking privacy … or rethinking big data?
“Privacy has never been more to the fore and more discussed than in the last 24 months. Even in the very creation of my post at the UN we can read a greater interest in privacy,” said keynote speaker Professor Joseph Cannataci. He joked that when Article 12 of the Universal Declaration of Human Rights (the right to privacy) was being drafted – “either there were not enough lawyers present, or there were too many, because they forgot to put in a definition of privacy.” Even if they had put one in, he said, we need to rethink our understanding of what privacy should be in today’s increasingly technological world.
As UN Special Rapporteur for the Right to Privacy, Professor Cannataci provided an international point of view and some salutary lessons as to how other countries are dealing with questions of privacy and “big data”. Often touted as “the oil of modern times”, he considers we should pause for thought and consider what is behind the stories about big data that we read in the news. How is big data actually shaping the world we live in? Is this the kind of world we want to live in – are the risks it poses worth the good it can do?
Concerns over privacy are not new. In 1968, Aleksandr Solzhenitsyn wrote:
“As every man goes through life he fills in a number of forms for the record, each containing a number of questions ... There are thus hundreds of little threads radiating from every man, millions of threads in all. If these threads were suddenly to become visible, the whole sky would look like a spider’s web ... Each man, permanently aware of his own invisible threads, naturally develops a respect for the people who manipulate the threads.”
Yet eerily prophetic as those musings were, what has changed is the landscape and even the rules of the game. With over 1 billion people now using Facebook and similar social media forums, mostly on their mobile devices, roughly 80% of the data we are generating today simply did not exist even a mere ten years ago. Many people are simply not aware of the “metadata” they are continually generating – that we “leave an electronic footprint with every click of the mouse”. That information, says Professor Cannataci, is increasingly being “mined” by those who deal in big data. Solzhenitsyn wrote the above in a time when newspapers, not computers, predominated – imagine how his fears would have multiplied in the face of the electronic tracks we leave today.
Professor Cannataci believes that the right to privacy is part of an overarching right to “the unhindered development of one’s personality”. His concern is that interference with privacy rights through inappropriate use of metadata can also interfere with how we become who we are and the decisions we make along the way.
“Shorn of the cloak of privacy that protects him, an individual becomes transparent and therefore manipulable … at the mercy of those who control the information held about him, and his freedom … shrinks in direct proportion to the extent of the nature of the options and alternatives which are left open to him by those who control the information,” he said. “We don’t yet have the proof that big data can live sideby- side without changing the direction in which we want our societies to go.”
Putting big data in context
Providing a different perspective on the question of big data and privacy was Timothy Pilgrim, the recently appointed Acting Australian Information Commissioner. He stressed the importance of three interrelated concepts when looking at big data – oversight and use of data, freedom of access to information, and the need to deal with information about the community sensitively. In the technology-centric world in which we live, that data is central to how organisations operate. “We cannot afford to ignore it,” said Mr Pilgrim, especially with the world now generating every two days the same amount of data (5 billion gigabytes) that would have been generated in an entire year back in 2002.
Mr Pilgrim considers that data can be a socially-beneficial resource which can help shape policy and improve service delivery (for example, in the areas of crime prevention and emergency and disaster responses). However, privacy should still be “a fundamental part of that”, and “personal information should not be compromised”. “If people can be confident that there is a strong foundation of privacy, there will be more support for the use of information in the better provision of services.”
Mr Pilgrim agreed with Professor Cannataci that there are potential dangers in how organisations collect and collate the data they hold. This is particularly so as data held can change in nature from not personal to personal over its lifecycle, for example, if two previously non-identifying pieces of data are placed together. He went on to discuss some of the strategies used to address these concerns, including de-identification and mandatory data breach notification.
De-identification (i.e. removing identifying factors from data so that an individual is not foreseeably identifiable despite subsequent manipulation of it) can be useful in retaining data’s research utility while still safeguarding privacy. While de-identification techniques have been subject to some criticism (Professor Cannataci having noted the potential for “reverse engineering”), Mr Pilgrim considers that, if properly done to industry standards, “even a determined hack would struggle to re-identify the individuals concerned”. He stressed, however, that it is not a silver bullet.
Mandatory data breach notification by organisations holding personal information is another potentially helpful strategy and is due to be introduced in Australia. This is something to which Mr Pilgrim is looking forward, with survey results indicating that 96% of Australians want to know if there has been a privacy breach involving their information. He considers it will help give people faith in the protection of their information and that it can be implemented without putting unnecessary burdens on businesses. Benefits included assistance and advice from the privacy regulator and increased confidence in the reporting organisation.
While being upfront about breaches will not equate to “a free pass”, it will “be taken into account” when assessing an organisation’s response to and liability for a privacy breach. “It goes to the question of trust – if something goes wrong, will I be given the facts and the chance to deal with it? It is much better to report it than have it turn up in the press some days later.”
For more information on new “About Me” tool, please visit the Office of the Privacy Commissioner’s website.