Cloud computing is one of the biggest recent challenges to online privacy, says Privacy Commissioner Marie Shroff.
And such a distributed risk to privacy is appropriately met by a communal response, she told last week’s Privacy Issues Forum, the central event of Privacy Awareness Week.
Most of us, by using the internet, have already sacrificed some of the control we used to have over information on our stand-alone computers, she says. But trusting a third party to run our applications and their accompanying data, or even to hold our “personal contact and address details” represents a further step in this process.
“There seems little doubt that our privacy, information security and our digital identity will be altered in significant ways by the technological shift that is occurring,” Shroff says.
The responsibility to protect personal information privacy is, accordingly, no longer solely in the individual’s hands, Shroff says.
“We often think of privacy as being about individual action and repercussions — and of course that is true,” she says.
“But more and more, data protection and privacy are forged across organisations, regions, nations, — even continents. There is a very good reason for that — we are charging our way into the digital century and international cooperation has become essential to address emerging challenges we face.”
As one element of this change, she says, a memorandum of understanding (MoU) was signed last week between the New Zealand and Australian Privacy Commissioners.
“The agreement reinforces the already close ties between our offices in tackling emerging privacy challenges.”
When so many companies operate on both sides of the Tasman it makes sense for their watchdogs to talk to each other, she says.
The Australia-NZ MoU, she says, is being seen as a model for similar agreements across the Asia-Pacific Economic Community of nations (APEC). These sit within a broader framework of co-operation known as the Privacy Pathfinder project. Transnational initiatives under this heading include the use of trustmarks or seals to be displayed on websites testifying to the accountability of government agencies in respecting the privacy of their citizens and physical or online visitors.
Amendments to the Privacy Act currently progressing through Parliament will empower the Privacy Commissioner to restrict the transfer of data relating to New Zealanders to a territory with weak privacy protection or where the transfer allows the principles of New Zealand’s Privacy Act to be evaded.
The planned amendment also removes the requirement that, in order to make an information privacy request, an individual must be a New Zealand citizen, permanent resident, or in New Zealand at the time the request is made. It also facilitates referral of an appropriate complaint to an overseas privacy enforcement authority.
Presenters in a session at the forum, titled “Is good privacy good business?”, took pains to point out the effective privacy protection within their own organisations, oil company BP and Trade Me (which is owned by Fairfax, the publisher of Computerworld).
Sandra Keilman of BP outlined the policies which oblige BP employees to safeguard privacy and Trade Me’s Mike O’Donnell told the conference of the circumstances in which his company can make disclosure of deals if illegal practices are suspected.
The recent episode of trade details being passed on by lawyers to defendants in cases relating to the Ruatoki “terrorist” raids “shocked” Trade Me and undoubtedly damaged its reputation in the eyes of some customers, O’Donnell says.
“Some people were shocked that police could get information from us,” and that it had been passed on to at least one defendant in prison, he says. “We are happy we acted in accordance with our privacy guidelines.”
The point was repeatedly made that privacy breaches in any company will inevitably damage its bottom line.