Testing systems before they go live would prevent breaches.
The latest revelations concerning leaks at Work and Income NZ that allowed personal information of clients as well as some potentially commercially sensitive information - such as that relating to the amounts contractors charge - to be inappropriately accessed comes as no surprise. It follows a series of earlier privacy breaches at the ACC that led to an independent review which has only recently been completed.
Now a fresh inquiry has been ordered, this time across all government bodies. Should we be concerned at the cavalier treatment of our personal information by public sector agencies?
I would argue not. Some of these agencies such as ACC and Winz routinely handle the personal information of hundreds of thousands of individuals, usually without mishap. Indeed, their core business is handling personal information. Private companies would be hard pressed to match them in the scale and intensity of customer interactions and have no reason to feel complacent as to their own practices. The odd mistake in inevitable.
On top of this, it is almost impossible, and perhaps unreasonably expensive, to stop the determined hacker or fraudster. That is why the Privacy Act only requires security measures to be adopted that are "reasonable" in the circumstances.
However, the most recent breach did not concern a hacker or fraudster. Although an inquiry is yet to determine the precise reason, it seems likely there was a flaw in the computer software or system, especially if it was a brand new one being rolled out to the public. This raises the question of whether there ought to be privacy impact assessments done before any new service being offered, especially by government agencies.
The recently completed Law Commission review of the Privacy Act recommended such assessments be made mandatory through Cabinet guidelines. Perhaps they were conducted in this instance, in which case there may be some accountability on the part of those tasked with conducting the assessment. On the other hand, privacy impact assessments ought to be legally required, as the European Commission has recommended.
Other useful recommendations there include making privacy by design and privacy by default measurable legal standards whenever systems that process personal information are deployed. New Zealand would do well to consider such matters when implementing the Law Commission's recommendations by adopting a new Privacy Act to replace the now two-decade-old one.
Such best practice would go a long way to avoiding the type of failings seen recently. It makes far better sense to engineer privacy from the outset in the design of systems, technologies and even legislation, than to retrofit them later. It is also far cheaper to do this - especially if the cost of all the recent inquiries, complaints and so forth is considered.
We also have much to gain by being aligned to European standards in this area as New Zealand is only one of a handful of countries that are well on the way to being granted "adequacy" status by the European Union for the outsourcing of its citizens' personal information. The importance of this to our service and tourism sectors cannot be understated.
Other recommendations of the Law Commission would go some way towards stemming the tide of privacy lapses. A major plank is beefing up the Privacy Commissioner's powers to issue compliance notices on organisations that have persistent privacy issues. Currently, the process is complaint-driven and often a matter may not be investigated as individuals are reluctant (or sometimes just embarrassed) to bring a complaint.
Finally, overseas information privacy trends have included a role for privacy audits. As with financial audits, privacy audits would periodically require agencies and companies to consider their privacy practices and also procedures for handling breaches. This would, in turn, require privacy to be incorporated into the culture of organisations as opposed to being a matter to which lip service is paid. Indeed, the recent report into the ACC recommended exactly this, suggesting a cultural shift in attitudes was required and that periodic privacy audits was one way of instilling this.
We already have this for motor vehicles. Although debate currently exists as to the efficiency of our six-monthly warrant of fitness requirements, no one doubts some form of testing is needed. It is time agencies that handle personal information be required to obtain privacy WoFs before they are allowed to collect our personal information.
Gehan Gunasekara is an Associate Professor of Commercial Law at the University of Auckland Business School and advised the Law Commission on the recent review of the Privacy Act.