SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers

Privacy Commissioner John Edwards speaks at TechFest 2020

Privacy Commissioner John Edwards has a clear message: if New Zealand businesses undermine privacy, they will ruin their business.

He presented a keynote called Promoting Innovation and Protecting Privacy at TechFest 2020 in Hamilton today, where he discussed issues such as the Ministry of Culture and Heritage data breach, the upcoming Privacy Bill, and some key lessons for businesses to follow.

“It's important that businesses consider the privacy implications of innovation, and that businesses try to innovate in ways that are consistent with privacy values,” he says.

There is a business imperative in ensuring that innovations, business processes, products, and apps are designed with privacy in mind.

Apple – an example of privacy in business, says Edwards

Apple makes a virtue of privacy and its associated issues by making data and privacy part of its business, Edwards points out.

“A device is encrypted. It stores my personal information here, not in some other server that can be interrogated by the business and exploited. When they take my data it's anonymised. Apple uses techniques like differential privacy.

“They've embedded data protection and privacy rules into their business model. And they've said, ‘we're going to make this a point of difference’. And that helps make them one of the biggest companies in the world.”

It's a costly mess when businesses get it wrong – just look at Facebook, which was fined US$5 billion for its role in the Cambridge Analytica scandal.

Even New Zealand's Ministry of Culture and Heritage found out the hard way. By leaving a registration form public, 300 people's identity documents were exposed and searchable by anyone. One of those people fell victim to identity theft, Edwards explains.

Businesses should consider privacy from both a risk perspective and a customer service perspective. Both help build privacy and trust for businesses' customers and users.

The Privacy Bill: What it means for New Zealand

The Privacy Bill, which is making its way through Parliament, will mandate data and privacy breach reporting for New Zealand businesses and international businesses that conduct business in New Zealand.

“You will have an obligation to notify the affected individuals and to notify my office if the loss of that data could cause serious harm, as in the Ministry of Culture and Heritage example,” Edwards says.

“If you have not managed to keep your end of the bargain and keep personal information safe, you've got to put control back in the hands of the people who are at risk. Do they need to change their password? Do they need to cancel their credit card?”

That's not to say the current Privacy Act has lost its relevance – it still provides clear best practice principles when dealing with the lifecycle of personal information. That is also being built into the new Privacy Bill.

Edwards also notes that New Zealand businesses need to adopt what he calls a “bullshit detector” when it comes to evaluating what vendors are trying to sell to them. For example, “Do you really need biometric facial recognition to run your school? No.”

Privacy also filters down into the humble app. Edwards asks, do you know where the components in your apps are sourced from? Even a third-party clock mechanism could be filtering personal information to other places. A user (and possibly a developer) may not even know it.

While the Privacy Commissioner won't quite get the ability to hand out million-dollar fines like the UK's Information Commissioner's Office (ICO) does, the Bill will provide a better level of personal information protection than the Privacy Act.

Breach fines will be restricted to a maximum of $10,000 if businesses do not comply with the Privacy Bill's mandatory notification requirements.

It's not quite regulation to the level that the European Union's General Data Protection Regulation (GDPR) puts in place – particularly in areas such as algorithmic transparency – but Edwards says that the Bill will go a long way in encouraging businesses to take a closer look at their privacy.

The Office of the Privacy Commissioner has developed a series of online modules to help businesses understand their rights.

“You need to prepare for the new law, you need to ensure that as you innovate, you think about what is going to happen to the personal information that you're collecting, you need to be thinking about keeping it safe. You need to be thinking about being open with the individuals and ensuring that they can see what you've got about them. And if you need help with that, you will find it on our website.”

Privacy is not about what you can't tell someone – it's about telling people what you're collecting and what you're going to do with it. It's also about protecting that information, Edwards explains.

“Privacy is not dead. It is not going anywhere.”