In early June 2022, Justice Minister Kris Faafoi announced the appointment of the new Privacy Commissioner.
Michael Webster, former Secretary of the Cabinet, replaced previous Commissioner John Edwards, who took on a post as the United Kingdom Information Commissioner.
The role of the Privacy Commissioner is one of the most important public service roles in Aotearoa. They are responsible for upholding and overseeing principles relating to the collection, security, use and disclosure of personal information, as well as access to and correction of personal information and the assignment and use of unique identifiers.
In recent years, data privacy has been an extremely relevant topic in Aotearoa. With changes to the Privacy Act in 2020, businesses and citizens alike are thinking more carefully about their data safety, and how they can be assured the correct protocols are in place.
The rise of digitisation and cybersecurity processes in the age of hybrid work has also brought privacy back into the spotlight, with organisations now having to take extra precautions and navigate different technologies.
Breaches to our health system, along with a variety of other high-profile enterprise breaches, have prompted a significant shift in the perception of data security and how it is addressed. In these cases, the Privacy Commissioner is often at the forefront of the decision-making process at a government level, analysing issues and responding to public and enterprise concerns.
Webster has a long history of public service, particularly in council and cabinet roles, and this is something that Minister Faafoi had emphasised upon the appointment.
"Mr Webster's career has to date focused on enabling and driving good governance, the promotion of democratic rights and values, the development and application of codes of conduct and behaviour, and working to ensure compliance with both statutory provisions and constitutional conventions," remarked Minister Faafoi in a release earlier this year.
With Webster now having completed his first few months in the role, we asked him about the changes he has seen so far and what is in store for the future of privacy, electronic data privacy and security in Aotearoa.
"My role is to lead a modern regulator focused on making privacy a core focus for agencies, in order to better protect the privacy of individuals, to enable those agencies to achieve their own objectives, and to safeguard a free and democratic society," Webster says when asked about what the role entails.
"While there are a number of statutory functions that I am charged with performing, an essential part of my role is increasing privacy-conscious practice in New Zealand organisations. And when I say organisations, I mean right across the board, from the boardroom to the marketing team, the software developers to those providing frontline services."
Webster points out that, above all, it is vital for organisations to continue valuing and protecting any personal information they are entrusted with by their clients, customers and team members. He says he understands that there are challenges and obstacles, but having a privacy-centric culture within a business can prevent further cybersecurity, personal and legal issues.
"The leaders of all organisations deal every day with multiple priorities, risks and opportunities, and it is understandable that privacy matters are not always front of mind. But if a privacy-conscious culture is developed and implemented, and if privacy is championed at the top table, then it will become part of the "way we do business around here" – making compliance easier and lessening the risk to organisations of a privacy failure."
Webster remarks that the Office will continue to support and assist enterprises and individuals in understanding Privacy Act requirements and says that they are constantly looking into and reviewing issues relating to technological data privacy.
"We have a role in supporting individuals and agencies in understanding their evolving requirements under the Privacy Act. We live in a rapidly changing world of increasing digitisation and online connectivity, and individuals need support in understanding how to exercise their rights, and agencies in understanding their obligations when working with personal information," he says.
"One of the key ways we can do this is by providing clarity to agencies on the requirements of the Privacy Act through specific guidance. We did this last year with our position paper on biometrics – we knew that biometric information was being increasingly collected and used in the public and private sector, especially utilising facial recognition technology, so we provided clarity about our role as regulator in protecting this very sensitive personal information. This is a good example of how we moved quickly to respond to an emerging technology, and we are now reviewing the position paper to see if there is more we can do in this space."
Another key issue that has been a wide topic of discussion across NZ enterprises has been the emergence of the GDPR and other new online data protection laws. Webster says that his Office will continue to monitor any overseas decisions relating to privacy and that collaboration and communication are paramount to successful outcomes.
"New Zealand's privacy legislative and regulatory framework is regarded by the EU as achieving 'adequacy' (essentially, they see our framework as equivalent to their own protections), which offers us a range of benefits in terms of trade and influence on the world stage.
"My Office keeps an eye on international developments in the privacy space, as there are great opportunities to learn from, and collaborate with, our key partners overseas. We monitor the work of many multilateral groups, and also have good bilateral relationships with our counterparts in other countries, especially Australia, Canada and the UK," he says.
And there will also be close communication at home as well. Webster says the Office currently has a number of crucial existing relationships, and he endeavours to forge more across a variety of public and private sectors, including those most at risk.
"We have some existing close relationships with a range of public agencies, which reflects that they not only handle a lot of personal information but they also drive changes in public policy and legislation that might impact on New Zealander's privacy.
"Some of these agencies, like the Ministry of Education or the newly established Health New Zealand, hold huge amounts of sensitive personal information, so it is important that we as a regulator have a close relationship with them. But I'm also keen to increase my Office's engagement with the private and community sectors, so we are talking to a broader range of agencies and individuals, particularly vulnerable people whose privacy rights may be disproportionately impacted."
Webster also says he wishes to further relationships with other governing bodies, including those that work to prevent online harm.
"Through collaboration with other agencies on cross-cutting issues like online harm, or technological developments relating to the collection and use of personal information and data, we can pool our collective resources and perspectives to effectively tackle these issues," he says.
As NZ grapples with a new age of data privacy, Webster highlights that amidst all the new technologies and ways of thinking, the crux of privacy comes down to human nature. He says that going forward, if organisations and individuals respect and prioritise privacy, then the outcome will be better for all citizens of Aotearoa.
"We should never forget the human face of privacy; it's all about the people - our customers, our clients, our citizens. Every day I see and read stories about people who have been frustrated, embarrassed, hurt or harmed as a result of a privacy breach. And that, in turn, is impacting on people's trust and confidence in organisations.
"If we make protecting and respecting privacy a priority, it will be a win for both individuals and the organisations."