The new Trans-Pacific Partnership was signed last week, and includes a chapter on electronic commerce. The full details of the agreement are not yet available, but New Zealand’s Ministry of Foreign Affairs and Trade (MFAT) has released a summary.
The chapter on electronic commerce promises to be of particular interest to privacy and data protection practitioners. In its summary of chapter 14, MFAT states:
“TPP Parties commit to ensuring free flow of the global information and data that drives the Internet and the digital economy, subject to legitimate public policy objectives such as personal information protection. The 12 Parties also agree not to require that TPP companies build data centres to store data as a condition for operating in a TPP market, and, in addition, that source code of software is not required to be transferred or accessed.”
Link: TPP Ministerial Summary (MFAT)
A recent article by Chapman Tripp explores the implications for New Zealand business of impending changes to our own Privacy Act and to the EU data protection regulation . This article was first published in Boardroom, the magazine of New Zealand’s Institute of Directors.
Link (Chapman Tripp): Digital identity, privacy and the cost of doing business
A majority of the Human Rights Review Tribunal has awarded $15,000 to Ms Watson (a former Capital Coast DHB nurse) for being denied information about a harassment compliant she made against her former manager (Ms Slade).
Under the DHB’s workplace policy, the person complained against must be given the signed written complaint and given an opportunity to answer the allegations, and the complainant in turn must have an opportunity to rebut any defences. The DHB had refused Ms Watson’s request for access to Ms Slade’s written response to her complaint, on the basis that disclosure of the response would involve “unwarranted” disclosure of Ms Slade’s own affairs, relying on s 29(1)(a) of the Privacy Act 1993.
The Tribunal observed that the term “unwarranted” in s 29(1)(a) requires a balancing of the requester’s right of access to personal information about him or her, against the competing interest recognised in s 29(1)(a). This required consideration of the context in which the information was collected and the purpose for which it was collected, held and used. The Tribunal also observed that an individual’s “personal information” may include records of others’ opinions about him or her.
The Tribunal held that the DHB had not proved that providing Ms Watson with Ms Slade’s response would be an “unwarranted” disclosure of Ms Slade’s own affairs. The Tribunal gave several reasons, including:
- first, the legal right of access to personal information conferred by Information Privacy Principle 6 and s 11 of the Privacy Act is a strong right,
- secondly, DHB’s harassment policy explicitly stated that Ms Watson would have an opportunity to rebut the written response advanced by Ms Slade, and
- thirdly, this was not a case in which personal information about two persons had been collected for various purposes over various periods of time, accompanied by an “expectation” of non-disclosure or limited disclosure. The information here was collected in the context of an official policy which made explicit the need not only for the person complained against to be given an opportunity to be heard in her defence but also for the complainant to be able to rebut to any defences to the allegation.
Link: Watson v Capital & Coast DHB  NZHRRT 27
New Zealand’s Ministries of Finance and Statistics are establishing an independent cross-sector Working Group, known as the Data Futures Partnership, to lead and guide the trusted use of data for New Zealand. The Data Futures Partnership aims to promote the safe collection, sharing and use of business and government information.
Link: NZ Government Press Release
On 12 August 2015, the Office of Privacy Commissioner (OPC) completed its first investigation into a complaint about a drone.
The drone had been filming a cricket match and, in doing so, flew over the apartment of the complainant. The complaint alleged that the drone may have captured highly sensitive information in an unreasonably intrusive manner. He did not give consent for the drone to film him.
Following inquiries made to SkyTV, which had been operating the drone, the OPC was not satisfied that the complainant’s personal information had been collected: while in the air the drone was filming only intermittently (when requested by SkyTV’s producer), and had not in fact filmed the complainant. Accordingly the OPC found that SkyTV did not breach the Privacy Act.
The OPC noted that SkyTV had used the drone to film and broadcast other identifiable individuals during the same cricket match. In that instance, the drone operator could see the individuals, and had used hand gestures to show that he wanted to film them with the drone. The individuals in turn signalled their consent with hand gestures.
Link: Privacy Commissioner Case Note
Following a privacy breach, Counties Manukau DHB has reminded health professionals of their legal responsibility to protect sensitive patient files when travelling between sites:
- if possible, transport the information in a secure container which is under your control at all times
- only take the notes you need for your task, and
- have them off-site for the least time necessary.
Link: Counties Manukau Health CEO Blog
The Banking Ombudsman has ordered a bank to pay $20,000 to a business owner after a bank employee methodically accessed the business company accounts, apparently without legitimate or authorised purpose.
The office recently released a guide outlining the approach it will take to privacy and confidentiality complaints.
Link: Privacy and confidentiality guide and case note