27 August 2008 Speech Notes
Privacy Issues Forum
Associate Justice Minister Lianne Dalziel's speech to officially open the Privacy Issues Forum
Intercontinental Hotel,
Grey Street, Wellington
9.00am
Privacy Commissioner, Marie Shroff, thank you for inviting me to open today's forum. May I also acknowledge Sir Geoffrey
Palmer, head of the Law Commission, and Professor John Burrows, the law professor I studied under at Canterbury
University.
I looked back over my speech notes from the last time I opened a privacy issues forum, which was in 2003. There are
things that have changed in the five years since I gave that address – Marie Shroff has taken over from Bruce Slane as
Privacy Commissioner. There is a substantial review of privacy being undertaken by the Law Commission, whereas when I
last spoke on the subject, the Law Commission was analysing the results of submissions it had received in response to a
somewhat less detailed discussion paper that had been issued the year before and, of course, Sir Geoffrey has replaced
Justice Robertson as the head of the Law Commission.
The opening address that day was given by Justice Michael Kirby, which I recall being particularly thought-provoking,
touching as it did on the massive data-banks held by airlines and justifying the degree of scrutiny officials place on
passenger lists by our respective countries' decision not to require everyone to carry an identity card.
The point in common between the two forums is that I remain committed to introducing the Privacy (Cross-border
Information) Amendment Bill. The only difference this time is that I have actually introduced a Bill, whereas in 2003 it
was an aspiration. It is set down for a first reading and has the agreement of support parties for referral to a select
committee. The Bill addresses two deficits in the Privacy Act, which does not currently allow foreign nationals resident
overseas to make information privacy requests, and does nothing to prevent data received from overseas being transferred
outside New Zealand to a jurisdiction without adequate privacy protection.
The 2003 Forum had many eminent speakers as does today's forum. All of the speakers today have made sizable
contributions to the various debates on privacy issues, so I anticipate that the discussion will be both
thought-provoking and lively. I am including my sister Kathryn in this description because she is highly regarded in the
privacy field, but also to ensure that she doesn't get the chance to imply that I am her mother, which I am told is what
she does when I am not present.
My interest in privacy legislation dates back to the passage of the Privacy Act 1993, when as a member of the Justice & Law Reform Select Committee, I gained an important insight into not only the range of academic views on the subject,
but also the range of public opinion that continues to exist today. The history of New Zealand's legislation lies in
part in the desire to be consistent with the OECD Guidelines, but we should not forget - the broader concept of privacy
dates back to the Universal Declaration of Human Rights. And as a human right, it has never been more important than it
is today with technology making personal information more accessible. It was no accident that a Bill that began its
passage through Parliament as the Privacy of Information Bill became the Privacy Act.
The theme of the Forum this year is "Privacy is your business" which has two meanings.
First of all, privacy matters to individuals. We are now at the point where the collection, use, storage, and disclosure
of personal information can occur unnoticed, across borders, and at phenomenal speeds. Privacy is in that sense, very
much, your business.
Second, privacy matters to business. Major advances in technology have changed the way in which personal data is
collected, stored, and used. The challenge for business is to ensure the benefits obtained through the use of new
technology do not compromise individuals' expectations about the security of and use of their personal information. It
isn't a case of one or the other. Business efficiency and information management processes that respect individuals'
privacy expectations go hand-in-hand.
A business that cannot assure its customers that their privacy will be respected will lose customers to competitors.
Here, the degree of trust customers have in the businesses they deal with is paramount.
Let me use the example of the sign that appeared on the airline counters after the current law was first passed. It
indicated that the airline would not give out information about passengers due to the Privacy Act 1993. My view was that
the notice should have said: 'Because we value our passengers' right to privacy, we do not give out information about
our passengers to anyone without their permission.' Advising customers that they had always followed this practice, even
before the law change, would have been more honest as well.
I would like to talk more about this issue of trust, and its importance in maintaining an ongoing relationship between a
business and its current (and potential) customers.
Before the information technology boom, collection and disclosure of personal information was far more limited. Most
personal information was stored manually and it wasn't easy to copy or disseminate written information. A lot more
personal information had to be obtained from individuals themselves and that's where trust came into play. Things have
changed. The ability to print, photocopy, photograph, videotape, record, collect and analyse biometric information, and
so on, means there is no longer a serious barrier to the collection or distribution of personal information. Nor does
much of it have to be obtained from the individual concerned.
Increasing use of technology has reduced the personal association between the business collecting the personal
information and the individual whose privacy is at stake. Individuals may be perceived, in a millisecond, as
"information" in an email, on a disk, or on a webpage. Participants to a transaction may be on the other side of the
world from each other. This relative weakening of social relationships weakens the interpersonal regulation of the
transfer of personal information.
In an environment where masses of personal data can be disclosed to large numbers of people at the click of a mouse,
trust has become more important than ever.
Individuals need to trust that the businesses they deal with will respect their personal information and protect their
privacy. But this trust needs to be earned and re-earned. A business that breaches a customer's privacy may not get a
second chance. There have been a number of recent examples of privacy breaches that are likely to lead directly to a
loss of trust. There was the ticketing company which sent an e-mail to everyone on its mailing list without blocking the
display of individual email addresses. And there was the university whose computer "glitch" enabled students to access
other students' academic records. The same fault could affect any business that enables customers to access accounts
online with disastrous effects on client confidence.
We can't go back to the days where personal information was disclosed only within trusting interpersonal relationships.
Few would want to sacrifice the amazing developments in communications technologies to do so. What businesses need to
continue to do is adapt.
One way in which businesses can do so is to develop proxies for trusting relationships "at a distance". As the Privacy
Commissioner has said before, good privacy is good business. And businesses that are not trusted are not good long-term
prospects.
Development of transparent privacy policies that comply with the Privacy Act and best practice will help businesses gain
the level of trust needed to attract and retain customers. Secure websites and data storage, complaints procedures,
monitoring, staff training, corporate responsibility, and accurate, up to date and honest information for consumers will
enhance that trust. Businesses can help themselves by developing top-down privacy-conscious cultures.
The government has a role in enhancing trust too. The Privacy Commissioner's role in promoting privacy awareness is
pivotal. With increasingly complex new technologies, New Zealanders need a legitimate source of information about risks
to their personal privacy and how to respond to those risks. I applaud the Commissioner's proactive approach in this
area and note in particular her focus on educating the young. We can learn from our technologically-savvy young people
and I look forward to seeing the video of the winning entrant to the secondary schools video competition for Privacy
Awareness Week.
These forums are also an important part of Privacy Awareness Week, because they give us the chance to dissect important
issues that are not only a challenge in New Zealand but which challenge other jurisdictions as well.
I have noted that this afternoon's session will include discussion on information disclosures between agencies. This is
a vital area of concern for the government. It is not yet entirely clear what people's understandings and expectations
of inter-agency information sharing are. We all seem to know when information should have been shared, but that
tragically is usually immediately after something has gone terribly wrong and it would appear with the benefit of
hindsight that information held by one agency should have been shared with another.
I welcome the discussion this afternoon and encourage you all to think seriously about what is an incredibly important
issue.
I conclude with a comment about trusting relationships "at a distance".
I said earlier that trusting interpersonal relationships are no longer the primary enabler of personal information
transfer; technology is. Modern privacy law either ensures the individual retains some degree of control over the
transfer or approximates a trusting interpersonal relationship – an honest broker as it were.
As technologies continue to evolve and individuals become more burdened by more complex privacy waivers, drivers to
eliminate individuals from the information transfer equation will increase. This will mean the primary challenge for law
reformers will be to design options such as privacy policies, privacy responsibility plans, privacy standards and
technology design standards that can intervene to approximate trusting interpersonal relationships.
I hope you all enjoy an interesting and productive day at today's Privacy Issues Forum and on that note I declare the
forum open.
ENDS