Kia ora koutou,
My editorial this week is all about transparency and consent. Consent has never been much of a focus here in New Zealand. Our Privacy Act promotes a "notice of purpose" approach — agencies should set their lawful purposes for collecting and using personal information and make these clear to people. As contemplated by the EU General Data Protection Regulation, consent is just one way to use or share personal information, but unlike in the EU, agencies in NZ have not latched onto it as the primary way. This means that while transparency has always been a big part of the privacy picture, it has not always been done well.
In a very helpful thought piece, NZ Privacy Commissioner John Edwards noted the flaws in the consent model and that agencies need to do more to ensure people truly understand how their information will be used, shifting “the burden from consumers to read terms and conditions for services they are using, to the service providers to ensure they are clearly explaining the choices that consumers have, and the consequences for them.” It’s well worth a read.
Australia’s recently established Office of the National Data Commissioner has similarly called for a shifting of the burden from the individual to the agency. In a consultation paper about law reforms in respect to public sector data use and sharing, the ONDC proposed that consent was not an appropriate basis to share personal information in all cases. The ONDC suggests placing responsibility on “data custodians” and “accredited users” to safely and respectfully share personal information when reasonably required for a legitimate objective. Not surprisingly, transparency was a big part of the picture.
At least one agency in NZ has taken on this burden and worked hard to get transparency right. At our latest IAPP KnowledgeNet meeting in Auckland 19 Aug., we heard from Air NZ Chief Privacy Officer Leah Parker about Air NZ’s recent award of the Privacy Trust Mark (which recognizes products or services that show a privacy-by-design approach) for its online Privacy Centre. This is the third Privacy Trust Mark the NZ Privacy Commissioner has awarded. Supporting his view on transparency, the Commissioner stated in a news release, “I am pleased that Air NZ has chosen to go above the minimum standard of compliance and demonstrate that privacy statements don’t have to be full of legalese.”
Our next KnowledgeNet meeting in NZ will take place in Wellington 10 Sept. Make sure you join us if you can to hear from Sebastian Morgan-Lynch, privacy officer for the Accident Compensation Corporation, about his views on privacy law reform in NZ and the changes agencies will need to make to comply with the new law.
The IAPP issued its 25,000th certification this week. The privacy community in NZ and Australia is now starting to see the value in these certifications, particularly as we continue to grapple with the local impact of global privacy regulations. One of the benefits I see in the IAPP’s investment in this region is how this will help the local profession look beyond our borders and start measuring the performance of our clients and employers against global best practice.
Finally, a plug for the upcoming IAPP ANZ Summit in Sydney 29-30 Oct. Spaces are filling up fast, so get in quick to secure your spot at our region’s most important privacy hui (that’s what we call a gathering here in NZ).
Enjoy the digest.
Nga mihi nui
If you want to comment on this post, you need to login.