Privacy laws and the CIO
Which privacy laws and codes should CIOs and IT decision makers be aware of?
CIOs and IT decision makers need to be aware of the Privacy Act in particular, but also the Health Information Privacy Code, the Telecommunications Information Privacy Code and the Credit Reporting Privacy Code. All can be accessed from our website: www.privacy.org.nz
These form part of the basic business law of New Zealand, and provide for consumer rights and redress.
What are the consequences of non-compliance?
The consequences of non-compliance for businesses and government agencies can be a loss of customer trust – and ultimately that can hurt your bottom line. Non-compliance with the law in this area can lead to complaints to our Office and in some instances an investigation of your practices.
On occasions there are financial settlements paid or, much less often, the dispute will be determined by the Human Rights Review Tribunal.
What should be considered when putting together a policy concerning the privacy of information affected by these laws?
Thought needs to be given to the life span of personal information that your organisation collects and uses. How much/what sort of personal information will you need to collect? How do you want to use and disclose that information? How long will you keep personal information? What do you currently tell clients – does that need clarifying?
Apart from the IT decision makers, who else should be involved in the making of these policies?
The privacy officer of the organisation should be involved. It may well be appropriate to involve the HR manager or equivalent and, in some organisations, the customer/client services manager. The CEO should be made aware of the nature of the policy. It may be necessary to consult functional area managers to find out how personal information is collected and used in their area.
How much does the safety of private information depend on an organisation’s staff? And how can privacy breaches be prevented?
Staff can often be at fault when privacy breaches occur within an organisation. Information may be compromised because of:
- Lack of care, e.g. through loss of a PSD, or failure to delete information
- Insider theft or inappropriate disclosure
- Low-quality security skills by IT staff
- General lack of awareness of security risks.
Risks can be reduced by:
- Actively managing access to information through security controls which only allow access to information where required
- Actively monitoring and regularly auditing access to information to ensure appropriate use
- Ensuring staff are aware of security risks through regular staff communications
- Ensuring that IT security staff reach and maintain competency in their specialist field
- Developing and communicating a sound PSD policy.
What impact have web 2.0 and social networking technologies had on the safety of an organisation’s information?
Web 2.0, blogs and social networking have seen the internet become a vastly more interactive space where individuals, business and government connect with others. The ease and speed at which information can find its way onto the internet has significant benefits, but can also increase information-handling risks.
As individuals and organisations actively push information onto the internet, care is needed to make sure that personal and sensitive information is not disclosed either by accident, malicious intent, or through poor decision making.
Care is needed to ensure that access rights are controlled when opening up organisational data via websites. Internet-based data storage and processing facilities, or ‘cloud computing’, also raise real questions about data security, including the types of information that are suitably stored in the ‘cloud’, the level of security that can be offered, the application of relevant legal protections, etc.
What rights does a company have to monitor its staff’s online activity and what obligation does it have to inform staff of said monitoring?
Employers need to have a policy about monitoring employee email and internet use, and that policy should be communicated to staff. The policy should cover things such as whether the content of email will be viewed. Employees should be clear about what may be done in certain situations. Employers should aim to intrude only to the extent necessary.
Are there any new privacy laws, amendments or guidelines in the pipeline that CIOs and IT decision makers should be aware of?
A survey carried out earlier this year by our Office of PSD use and data security in the public sector demonstrated that there were some gaps in practice and areas for improvement. As a response to that, we provided some tips for organisations on PSD use. They are available on our website: www.privacy.org.nz.
There is a Bill going through Parliament at the moment, the Privacy (Cross-border Information) Amendment Bill that, among other things, will result in some enhancement of the opportunities for New Zealand businesses in processing data from offshore.
We are in the midst of reviewing the Credit Reporting Privacy Code, which is relevant for credit reporters and the finance industry, along with consumers. Shortly, we will be issuing guidelines on the use of CCTV.
The most significant piece of law reform is the wide-ranging Review of Privacy being undertaken by the Law Commission. This could result in changes to the Privacy Act across a number of areas.