Twenty-seven years ago I introduced to Parliament what was then - and probably still is - the largest ever Private
Member's Bill - the Information Privacy Bill. It drew heavily on work I had begun as Associate Minister of Justice in
the previous Labour Government. The Bill was followed a few hurried and embarrassed weeks later by the National
Government's own effort, the Privacy of Information Bill, which bore a remarkable, if not identical resemblance to my
own Bill! Both Bills eventually morphed to become what we know now as the Privacy Act. This was passed twenty-five years
ago, and this week, Privacy Week, is an occasion to celebrate that, and to consider where we need to go with Privacy law
in the future.
Of course, a huge amount has changed in the last few years, let alone the last twenty-five years. When we were first
looking at the issue in the late 1980s and early 1990s the principal focus was on ensuring that people's privacy was
protected from their being included unknowingly on various corporate mailing lists - Readers' Digest was cited
frequently as the main offender - and ensuring that they could get off those lists and stop the flood of unsolicited
mail. Today, of course, the scope is much wider as there is more collection of data by Government agencies, and that
data is shared with and by a wide variety of organisations, for often beneficial, but no means exclusively so, purposes.
On top of that, have been the activities of social media entities like Facebook, and more notoriously recently Cambridge
Analytica, which have taken the issue to an entirely different level. Just as communications and technological advances
have now rendered national boundaries obsolete, so too and even more so in the data world. It is pervasive and constant,
a far cry from the occasional unwelcome and incredible offer from an international mailing company. Little wonder, then,
that the Government has recently introduced legislation to modify and upgrade the original Privacy Act.
Earlier this week, the Office of the Privacy Commissioner released some sobering figures regarding how New Zealanders
feel about the way their data is being treated. Its latest annual survey shows more than two-thirds of New Zealanders
are concerned about their individual privacy, and that that figure has been rising over recent years. Perhaps not a
surprise given recent widely reported data breaches here and elsewhere. Of more concern, though, at a time when more and
more of citizens' transactions with Government take place on line, and New Zealand is recognised as one of the most
digitally advanced countries in the world, confidence in the Government's ability to handle individual citizens' data
securely has fallen sharply over the last five years. Yet during these years, Government practice with regard to the
handling of individual data has improved dramatically. But the test here is a simple one - it is not the actuality of
what is happening that matters, but the perception of it. Put simply, if people feel their data is less safe with the
Government, they will become far less inclined to comply with data gathering and sharing requirements, which will in
turn defeat the purpose and efficiency of greater data use and sharing to improve the delivery of public services.
There are some stark lessons here for the Government, whatever its political hue. They will be ignored at their peril.
Governments can only move in this space to the extent they have the public's confidence and endorsement. So, a major
part of any Government's effort in the digital transformation space has to be about getting and keeping the public
on-side. The Privacy Commissioner's survey results, although mildly encouraging overall, sound the timely reminder that
there is still some way to go.
When the original Act was passed in 1993, it was launched in a vacuum. Inexplicably, given the nature of the reform, the
Government then did nothing to explain what the Act was about. Consequently, incredibly cautious, risk-averse middle
ranking bureaucrats in both central and local government were left to fill the spaces, leading to many bizarre and
downright silly rulings and new procedures that risked severely quickly bringing the whole Act into disrepute and
ridicule. So, whatever the outcome of the current Bill, I strongly plead that the Privacy Commissioner is given the
resources and the time to explain what it will and will not do, so that it can become an effective protection of
individual privacy from the day it comes into effect. In this fast-moving space, that is not just a pious wish, but an
absolute necessity.
ends