Extra diligence with customer data will pay dividends for organisations that are prepared to go above and beyond minimum legal standards, say privacy experts.

As New Zealand privacy legislation gets a revamp to reflect an increasingly data-intensive environment, companies which can build digital trust will be the winners.

Compliance alone won't cut it, says Jania Baigent, partner at law firm Simpson Grierson. Consumers now share masses of data with the organisations they interact with, and are increasingly expecting high levels of care and accountability.

The New Zealand population is highly digitally connected. Most households and businesses have an internet connection and more than two-thirds have a smartphone they're accessing daily. But 65 per cent of Kiwis are concerned about their privacy, with a similar proportion saying data shouldn't be shared because the risks to privacy or security outweigh the benefits.

"Their specific concerns were relating to things such as the personal information that is uploaded by children, identity theft, businesses sharing personal information amongst themselves and, of course, security," says Baigent's Simpson Grierson colleague, partner Karen Ngan.

Interestingly, the digital natives - the generation of 18 to 29-year-olds who have grown up with technology - are growing more concerned about privacy.

It has been more than two decades since the Privacy Act came into force and its revision - to remain in step with a very different privacy environment - is imminent.

"A lot of the changes in the privacy environment have arisen through advances in technology, the way people interact with each other and the power of analytics," says Ngan. "Some of these changes have occurred very recently."

Technologies such as drones, artificial intelligence and even smartphone cameras are blurring the privacy lines. And personal information is not just information linked directly to an individual - not when combining datasets means that what appears to be anonymised data can still be used to identify individuals to a personal level, says Ngan.

On one hand, this data-heavy landscape provides great opportunities for insights and predictive analysis, but it can also result in increased surveillance, greater risk of unauthorised data use and disclosure, and increased security risk, she says.

"Privacy breaches used to involve somebody leaving a hard copy file in a cafe somewhere," says Baigent. "Now they often involve sending out an email inadvertently, but on top of that there are hacking breaches."

Some legislative change has already been put in place. Rules on the transfer of personal information out of New Zealand, the sharing of information between government departments, and cyberbullying have all been introduced in the past couple of years. As well, a review of the Search and Surveillance Act, now under way, will include consideration of the privacy implications.

While the new Privacy Act is yet to be released in draft form, Baigent says there are clear indications as to what changes are likely to be included. She says the mandatory reporting of data breaches - regimes that are commonplace overseas - will come into effect here.

"At the moment in New Zealand, if there is a major data breach that your company has suffered, there is no mandatory obligation to tell anybody - it's voluntary."

Companies that neglect breaches or are slow to tell customers about them will face widespread criticism and suffer reputation damage, Baigent says. The Privacy Commissioner is aware that the potential reputation damage through naming and shaming is a bigger deterrent than any fines, she says. "It's that 'front page of the Herald' test and it's not a good place to be."

Baigent says lines of responsibility relating to data breaches by overseas service providers will also be tightened up.

New offences are likely to be introduced, including penalties for extracting personal information by impersonation, and destroying documents instead of responding to a request to release them. The powers of the Privacy Commissioner will also be beefed up, with the fines for offences also likely to be increased five-fold from the current $2000.

"It is clear that digital advances are going to continue to challenge the law and our approach to privacy," says Baigent. "There is obviously a tension growing between these new uses on one hand and interests in data protection on the other."

She says progressive companies are moving their focus from compliance to accountability for customer data, with bigger corporates taking a more rigorous approach to managing that information.

Explaining the complex ways in which customer data will be used and managed has been the realm of long privacy statements, which customers generally click on without reading.
Baigent says that approach to privacy is going to wear thin among consumers and won't generate the consumer trust that forward-looking organisations are going to want to have.

"For those who don't comply with privacy policies, there will be a backlash, we expect.

"There could be claims of misleading or deceptive conduct for those organisations that don't comply with privacy policies.

"We have had quite a lot of legislative change over the last few years when you look back, but we expect more and quite rapidly if the reforms do come in next year as expected."