The Privacy Commissioner’s office will be keeping an eye on the way Microsoft’s Trusted Computing initiative — including digital rights management plans such as the formerly named Palladium — will be implemented in New Zealand.
Proposed changes to New Zealand’s Copyright Act have emphasised the need to keep digital rights management schemes, such as that embodied in Trusted Computing, from revealing private information about users.
New commissioner Marie Shroff acknowledges that her office doesn’t have a lot of power over the shape of an international development.
“But once it starts in New Zealand, presumably our law will apply to it. We’ll have to look and see whether it does in its present form, or whether we might have to amend it.”
Shroff comes from a very different background to the previous commissioner, lawyer Bruce Slane. “I am not a lawyer, so I won’t be looking at privacy matters from a highly legalistic point of view,” she says. Her experience and interests are in human rights, constitutional law and government administration. Her CV also includes time as a teacher and as a broadcast journalist “more years ago than I’d like to admit to”.
The commissioner, who has been in the job for just over a month, acknowledges she doesn’t have a deep knowledge of IT or communications matters.
“My main relationship with computers has been as a user,” she says, though in her former role as Cabinet secretary and as a long-term public servant she’s seen a number of computer systems implemented and understands some of their benefits and risks. “I do have staff with specialist IT expertise I can access.”
Shroff highlights data matching between government agencies and the growing use of data warehouses as other potential privacy concerns. Warehouses permit sophisticated analyses, aided by the steadily rising power of processors, which may uncover facts about individuals’ habits that would previously have remained hidden. What she calls the “silent power” of computers means those whose privacy can be invaded are often not aware of what is happening and cannot raise the matter in a complaint to her office, she says.
Public registers of information and the use made of them for bulk marketing have for some time been an issue for the commissioner’s office. This is not specifically a computer problem, Shroff says, but the power of IT to re-sort and analyse such data means it can potentially be used in ways never envisaged as possible when the registers were compiled.
Spyware — software hidden in downloaded applications and capable of reporting a user’s actions on the computer — is “probably a concern”, with a likelihood of some breaches of the Privacy Act principle which says data must be collected from an individual in a legal and “fair” way.
Shroff says it has been a refreshing change and a learning experience to “come down from the 10th floor of the Beehive and see what concerns the ordinary citizen”.
Often those people most affected by breaches of their privacy are those in lower socioeconomic groups, perhaps with fewer communications skills of the kind that permit them easy access to the protection her office can provide, she says. Education will raise people’s awareness of their privacy rights and the procedure for raising a complaint.
At the same time, businesses, particularly small businesses, need to be educated out of an attitude that sees the Privacy Act adding one more onerous compliance burden. “We must get it across that privacy is a standard element of business practice, and that it can be good for business. A bank, for example, that neglected the privacy of its customers would damage its reputation.”
Deliberate and systematic breaches of privacy by businesses are rare, Shroff says. More often, it’s a case of poorly designed business processes. “Or simply mistakes”.
Nevertheless, one of the first priorities for the commissioner’s office is to clear a backlog of almost 1000 complaints still in the system, “some of which have been there for quite some time”.