Privacy risks
How government is seen to treat personal information contributes significantly to government's reputation as fair, transparent and trustworthy. In New Zealand the protection of personal information is provided for by the Privacy Act 1993. The international context of that legislation is generally irrelevant to its domestic operation. However, that context becomes important when offshore ICT services are considered. It is not as simple as saying that any transfer or collection by offshore agencies is bad or inherently risky to the privacy of New Zealanders.
The Privacy Commissioner recommends privacy impact assessments as the best practice tool for examining and documenting privacy risks and mitigations and publishes a free downloadable Privacy Impact Assessment Handbook.
In fact, while privacy legislation dates back to at least the 1970s, the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data on which most modern laws are based, has its origins in concerns that differences in the treatment of personal information could lead to non-tariff trade barriers and impede the free flow of international trade. It is why the Organisation for Economic Co-operation and Development (OECD) and Asia Pacific Economic Cooperation (APEC) work on privacy is part of larger projects to encourage freer trade and electronic commerce internationally. That economic driver adds weight to New Zealand's responsibilities towards personal information as a signatory to the Universal Declaration of Human Rights.
For example, while the Privacy Commissioner has expressed concern about personal information being sent offshore in an address to the 2007 GOVIS Conference, she has also signed a Memorandum of Understanding with the Australian Privacy Commissioner on cross-border cooperation over privacy complaint investigations. The Commissioner's office also participates in a range of activities at APEC, Asia-Pacific Privacy Authorities (APPA), and through the OECD, designed to encourage international cooperation on protection of personal information. The Data Protection Pathfinder, an APEC initiative, is working towards promoting a framework of principles on how cross-border rules should work across economies.
Those international efforts to collaborate on cross-border data privacy complicate our advice by providing a moving target. APPA started as a trans-Tasman initiative and now includes Hong Kong, Korea, and last year Canada. All the international bodies mentioned above have active programmes and other organisations may have useful resources, such as the International Chamber of Commerce model contracts, that can be applied to mitigate privacy risks.
Privacy risks
- Unauthorised release of personal information
- Inability to provide legitimate access by the data subject to personal information
- Inability to cooperate with Privacy Commissioner over complaints of interference with privacy
- Inability of the Privacy Commissioner to investigate or enforce against offshore offenders
- Inability to guarantee the protection of personal information in foreign jurisdictions which do not have privacy/data protection laws
- Foreign laws which conflict with the Privacy Act or offer less
protection for the privacy of personal information
- Some offshore locations may be less problematic than others. Countries whose privacy legislation is considered 'adequate' under the European Union Directive 95/46/EC may provide acceptable protection for personal information but agencies should check on the applicability of that protection to information from New Zealand and on enforceability from outside the potential hosting country
- Conversely, some jurisdictions may have legislation that permits their government access to any source of personal information held in that country. The Privacy Act gives immunity to breaches of the information privacy principles outside New Zealand that result from an agency's compliance with foreign laws (Section 10).
- The Commissioner reported on the implications of that provision in Necessary and Desirable (1998) Chapter 2.18, and in updates to that report in April 2000 and January 2003.
Example mitigations
- Consult with your agency's Privacy Officer (all agencies are required to have a Privacy Officer under s.23 Privacy Act)
- Conduct a Privacy Impact Assessment before putting out a tender.
- Consider not sending personal information offshore and not allowing offshore service providers to collect personal information from New Zealanders.
- Consider whether the information covered by an offshore contract can be restricted to public and static information.
- Know the technological capabilities of proposed offshore locations and their ability to deal effectively with connection loss.
- Develop contracts to cover all eventualities, specifying forum and choice of law and have it reviewed for enforceability under private international law. Contracts can explicitly reference the Privacy Commissioner's guidance on handling data breaches.
- Consider standard contractual frameworks such as those from the International Chamber of Commerce.
- The EU publishes Standard Clauses for the Transfer of Personal Data to Third Countries and has recently issued an opinion that addresses a chain of possible sub-processing operations rather than a single sub-contract..
- OECD covers cross border disputes in Recommendation on Consumer Dispute Resolution and Redress. It says it is not limited to the examples used in the document but might equally apply to other situations.
- In June 2007 the OECD adopted its Recommendation on the Cross-border Enforcement of Laws Protecting Privacy.
- The Privacy Commissioner provides information about international activities and contact information for her international colleagues and their organisations.
- One reasonably up-to-date and inexpensive guide to the state of privacy laws around the world is the annual survey Privacy and Human Rights published by the Electronic Privacy Information Centre, a US-based NGO.
- The European Commission publishes its formal findings on the adequacy of data protection in "third countries" (i.e. non-EU states) online at Commission decisions on the adequacy of the protection of personal data in third countries.
- The EU also has proposed a framework for Binding Corporate Rules that multi-national companies can adopt to ensure their intra-firm transfers of personal information are acceptable under the EU Directive. See the consultation documents and see the Resources section for the Working Documents.
- The EU has an arrangement with the US government about personal information transfers called Safe Harbor. This permits companies to self-certify to the US Federal Trade Commission that they abide by certain principles in the handling of personal information.
- The EU has also published Frequently asked questions relating to transfers of personal data from the EU/EEA to third countries.
