e7d9522d

Regulating AI and protecting privacy

Mon, 06 Jan 2025 22:20:19 GMT

Why AI Regulation Matters: Lessons from the EU AI Act for New Zealand

Artificial Intelligence (AI) is transforming everything, from healthcare to customer service. But what does it mean for privacy in New Zealand? Let’s explore the risks and opportunities AI brings to the table. As New Zealand watches global developments, the EU’s AI Act provides a timely reminder of why regulating AI matters.

The Risks

AI systems often rely on massive amounts of data to function. This can include personal information like browsing habits, location data, or even medical records. If not managed carefully, this data can be misused or leaked. There’s also the risk of bias – if AI systems are trained on incomplete or skewed data, they can make unfair decisions.

It can be really hard to know if what you're creating contributes to an AI model's learning processes. Some businesses allow you to opt out of using you content for AI training, but it's still relatively uncommon and even if the box is ticked, how do we make sure our data isn't being consumed and used?

The Opportunities

On the flip side, AI can enhance privacy protection. For example, AI-powered tools can help organisations identify and secure sensitive data. Machine learning algorithms can also detect unusual activity, such as potential data breaches, and respond quickly.

For New Zealand, the key is ensuring AI is used responsibly. The Privacy Act 2020 and guidelines from the OPC provide a solid foundation, but it’s up to businesses and developers to put privacy first. As of now, we don't have a comprehensive legislative tool for AI so ensuring ethical management of AI comes from existing frameworks. One of the ways that AI ethics are being built in to regulation in other countries is by the EU AI Act.

What is the EU AI Act?

The EU AI Act is one of the most comprehensive attempts to govern AI. It categorises AI systems by risk, from minimal to unacceptable. For example, facial recognition in public spaces faces stricter rules due to its potential for misuse. The Act’s focus is clear: promote innovation while protecting human rights and privacy.

The EU is a recognised world leader in regulating the unregulatable, so I'm sure this Act will have implications for how NZ chooses to manage and regulate AI in future.

What Does This Mean for New Zealand?

While New Zealand doesn’t have specific AI laws yet, we can learn a lot from the EU. The Privacy Act 2020 already offers a strong foundation, emphasising transparency and accountability. But as AI systems become more prevalent, we’ll need to address questions like:

How do we ensure AI systems are fair and unbiased?
Who is responsible if an AI makes a harmful decision?
How can individuals challenge AI-driven outcomes?
H ow do I know how my data is being used in the AI model?

Practical Tips to Stay Safe

While governments work on regulations, here’s how you can protect yourself in the meantime:

Understand AI in Your Life : AI is everywhere, from social media algorithms to job application filters. Knowing where AI is used helps you ask the right questions.
Ask for Transparency : If an organisation uses AI to make decisions about you, like approving a loan or screening a job application, ask how it works and what data it uses.
Be Wary of Bias : AI is only as good as the data it’s trained on. If you feel an AI system treated you unfairly, don’t hesitate to raise concerns.
Stay Informed : Keep an eye on developments in AI and privacy laws. The OPC and other agencies often release guidance to help individuals and businesses navigate these changes.

Do you have AI operating in your business? Do you need a hand understanding the privacy risks?

Get in touch today!

"A fingerprint doesn't lie, but people do" - Se7en

Mon, 06 Jan 2025 22:06:17 GMT

Understanding the New Biometrics Code: How the OPC's Latest Guidance Impacts Businesses and Individuals

Biometric data – think fingerprints, facial recognition, and voice patterns – is becoming a key part of our everyday lives. Whether it's unlocking your phone or speeding through airport security, these technologies are everywhere. But with great tech comes great responsibility, and that’s where New Zealand’s new Biometrics Code comes in.

The Office of the Privacy Commissioner (OPC) introduced this code to address the unique challenges posed by biometrics. Unlike passwords, biometric data is permanent – you can’t change your fingerprints if they’re compromised! The code aims to ensure businesses and agencies handle this sensitive information responsibly and securely.

The OPC is currently consulting on the Biometrics Code, with submissions open until March 14 2025. You can read more about the Code and make submissions here .

Under the new guidelines, organisations must conduct privacy impact assessments (PIAs) before implementing biometric systems. This means carefully considering whether collecting biometric data is necessary and how it will be stored, used, and shared. The code also emphasises transparency – individuals must know what data is being collected and why.

For individuals, the Biometrics Code offers reassurance. It ensures your biometric data is treated with the utmost care and respect. But it’s still smart to stay vigilant. Ask questions when providing your data and be cautious about who you trust with it.

For businesses, this is a chance to build trust with customers by demonstrating robust privacy practices. It’s also a reminder that cutting-edge tech should never come at the expense of personal privacy.

Biometric technology is exciting, but it’s crucial to strike the right balance between innovation and privacy. The new Biometrics Code helps ensure New Zealand gets it right.

If you need a PIA done on your latest biometric tech, get in touch today !

But she said, that they said that you collected my personal info!

Mon, 06 Jan 2025 21:59:30 GMT

IPP3A in Practice: What You Need to Know About Notifying Individuals When Collecting Their Data Indirectly

Have you ever wondered what happens when an agency collects information about you from someone else? In New Zealand, the Privacy Act 2020 has a new rule for that – it’s called IPP3A, and it’s all about transparency.

IPP3A will come into force in June 2025 and it requires organisations to notify individuals when they indirectly collect personal information. The idea is simple: you have the right to know what’s happening with your personal information, even if you didn’t hand it over yourself.

How Does It Work?

Let’s say you’re applying for a rental property, and the landlord collects a credit report about you from a credit reporting agency. Under IPP3A, they need to notify you about this, explaining that they’ve obtained information from a third party and providing details about how it will be used.

There are some exceptions, such as when notification is impracticable or would undermine the purpose of collecting the information (e.g., during a fraud investigation). However, these exceptions must be carefully justified.

Notification Fatigue: A Growing Concern

While transparency is essential, there’s also the risk of notification fatigue. If individuals receive too many notifications, they might stop paying attention altogether. This can undermine the very purpose of IPP3A. Organisations can address this by ensuring notifications are clear, concise, and meaningful. Providing a summary with a link to more detailed information can help strike the right balance.

Why It Matters

For businesses, IPP3A is more than a compliance requirement – it’s an opportunity to build trust. By being upfront about how they handle personal information, organisations can foster stronger relationships with customers and clients.

For individuals, IPP3A ensures you’re not left in the dark about how your information is being used. If you’re ever unsure or uncomfortable, you have the right to ask questions or raise concerns with the organisation or the Privacy Commissioner.

By planning for indirect notification requirements thoughtfully and addressing potential concerns like notification fatigue, IPP3A helps create a fairer, more transparent approach to privacy in New Zealand.

Does your agency need help figuring out how to implement IPP3A notification processes? Get in touch today!

New year, same privacy obligations

Mon, 06 Jan 2025 21:50:13 GMT

Privacy Law Updates in New Zealand: Key Changes and What They Mean for You

Privacy laws are always evolving, and in New Zealand, there have been some big changes recently. Let’s break down what’s new and why it matters.

The Privacy Act 2020

This Act is hopefully old news to you by now but by it introduced several updates, like mandatory breach notifications and compliance notifications. If a business or organisation experiences a data breach that could cause serious harm, they’re required to let the Privacy Commissioner and the people whose data was breached know. This transparency ensures that individuals can take timely action to protect themselves, such as changing passwords or monitoring accounts for suspicious activity.

IPP3A

From June 2025, a new addition to the Information Privacy Principles, IPP3A ensures agencies notify you when they collect information about you indirectly. It's all about transparency and giving you more control over your data. This change empowers individuals to understand where their information is coming from and how it’s being used, fostering a greater sense of trust.

There is already some very helpful guidance published here .

The Biometrics Code

The OPC has started consultation on a new Biometrics Code. Consultation closes in March so if you have thoughts and feelings, be sure to head to the OPC website and make a submission .

As biometric technology becomes more common, this code provides guidelines for its use. It’s designed to protect sensitive data like fingerprints and facial scans. Businesses using biometric systems are now required to conduct Privacy Impact Assessments and demonstrate their handling data securely and ethically. For consumers, it means greater confidence in how their sensitive data is managed.

What These Changes Mean for You

For individuals, these updates mean better protection and more rights. If you’ve ever felt unsure about how your data is being used, these updates give you more clarity and avenues to seek answers. For example, if you learn your data was collected without proper notification, you can raise the issue with the organisation or even the Privacy Commissioner.

For businesses, it’s a chance to step up and show they take privacy seriously. Demonstrating compliance with these new laws isn’t just about avoiding penalties – it’s about building trust with customers and showing you’re committed to ethical data practices.

Privacy might seem like a complex topic, but these updates make it easier for everyone to stay informed and protected. Whether you’re an individual looking to safeguard your data or a business aiming to enhance your practices, New Zealand’s evolving privacy laws are here to guide the way forward. By staying informed, we can all contribute to a culture of respect and transparency when it comes to personal information.

Migration 5 through a privacy lens

Mon, 06 Jan 2025 20:31:12 GMT

Migration 5 and privacy

Caitlin's career in privacy started somewhat quizzically in the New Zealand Intelligence Community. Since then she's been working with the New Zealand Privacy Foundation as a regular contributor on the Surveillance Working Group. As part of her work, she was interviewed by Radio New Zealand about the Migration 5 initiative from a privacy perspective.

You can read more by clicking on the picture below

Managing Metadata for Privacy

Fri, 16 Jun 2023 03:30:08 GMT

So your organisation creates, holds, manages and disseminates data. Did you know that all of those actions also generate metadata, which can hide personal information?

At a basic level, metadata is data that describes other data. In the context of digital files, metadata can include information such as the date and time a file was created, the location where it was created, and details about the device or software used to create it. Metadata is important for privacy because it can reveal information about the content and context of a file, even if the file itself does not contain any identifiable information. For example, metadata associated with a photo taken on a smartphone may reveal the location where the photo was taken, even if the photo itself does not show any identifiable landmarks. To protect privacy, it's important to be aware of what metadata is being generated by different types of files, and to take steps to limit or remove metadata as needed.

While metadata might not directly reveal the content of the data, it can still contain valuable information that impacts privacy.

Here's how metadata is relevant to privacy management:

Identifying Personal Information: Metadata can help determine whether certain data falls under the definition of personal information. Metadata can reveal details about the data's source, creation, and intended use, aiding in the identification of personal information.
Assessing Data Sensitivity: Metadata provides insights into the sensitivity or potential risks associated with the data. Understanding the metadata helps assess the privacy implications of different datasets and implement appropriate safeguards, controls, or consent mechanisms.
Consent and Purpose Limitation: Metadata assists in ensuring compliance with the principles of consent and purpose limitation. It helps clarify the intended purposes for which personal information was collected and the scope of consent obtained from individuals. Metadata can also help track and monitor data usage to ensure it remains within the defined purpose limits.
Data Retention and Disposal: Metadata aids in effective data management, including retention and disposal practices. It helps track data lifecycle information, such as creation dates, access logs, and retention periods, enabling organisations to adhere to obligations under the Privacy Act regarding data retention and secure disposal of personal information.
Data Access and Security: Metadata provides insights into who accessed the data, when, and under what circumstances. It assists in monitoring data access, detecting unauthorised access attempts, and ensuring appropriate security measures are in place to protect personal information.
Data Breach Management: Metadata is valuable in managing data breaches and complying with breach notification requirements. It helps in identifying the scope and impact of a breach, understanding which personal information was compromised, and evaluating the potential harm to individuals. This information is crucial for determining the appropriate actions to be taken under the Privacy Act, such as notifying affected individuals and the Privacy Commissioner.

By recognising the significance of metadata in privacy management, organisations can proactively consider metadata-related implications when handling personal information, ensuring compliance with the New Zealand Privacy Act. It reinforces the need to implement privacy-aware practices across data lifecycle, including metadata handling, to protect individuals' privacy rights effectively.

Cookie time - not the delicious kind

Fri, 16 Jun 2023 03:15:40 GMT

I'm sure everyone that has used the internet in the last few years has had one of those pop-ups asking what kind of cookies you want enabled. These pop-ups can be confusing and in my experience, seem keen to ensure you enable all cookies rather than actually enabling only the necessary ones.

So what are you agreeing to exactly when you enable all the cookies?

Cookies are small text files that are stored on your computer or mobile device when you visit a website. They can be used to remember your preferences and login information, track your activity on the site, and deliver personalised advertising.

While cookies can be useful for improving the user experience, they can also raise privacy concerns. For example, cookies can be used to track your browsing activity across multiple sites, which can be used to build a profile of your interests and behavior. It's important to understand how cookies are being used on the sites you visit, and to make informed choices about what information you are willing to share. Most web browsers allow you to control which cookies are stored on your device, and you can also use tools like browser extensions and privacy-focused search engines to limit tracking and protect your privacy online.

Some cookies are creepier than others. Take a look at some common types of cookies:

Session Cookies: These cookies are temporary and are stored only during a user's browsing session. They are deleted as soon as the session ends or the browser is closed. Session cookies help maintain user session information and enable essential website functionalities.
Persistent Cookies: Unlike session cookies, persistent cookies remain on a user's device even after the browsing session ends. They have an expiration date set by the website, and they are used to remember user preferences and settings for future visits.
First-party Cookies: First-party cookies are set by the website domain the user is visiting. They enable the website to remember information about the user, such as language preferences, shopping cart contents, or login credentials. First-party cookies are generally considered less invasive to privacy.
Third-party Cookies: These cookies are set by domains other than the website the user is visiting. They are typically used for advertising, tracking user behavior across different websites, and delivering targeted ads. Third-party cookies can raise privacy concerns as they allow third-party entities to collect and track user information across multiple websites.
Strictly Necessary Cookies: These cookies are essential for the functioning of a website. They enable basic features like page navigation, access to secure areas, and form submission. Strictly necessary cookies do not require user consent as they are necessary for the website to provide requested services.
Analytical or Performance Cookies: Analytical cookies collect data about how users interact with a website, including pages visited, time spent, and error messages. The information gathered helps website owners understand and improve the performance and user experience.
Advertising Cookies: Advertising cookies are used to track user behavior and interests to deliver targeted ads. They collect information about browsing habits, visited websites, and clicked ads. Advertisers use this data to personalise advertisements and measure their effectiveness.

One cookie example you might be familiar with is the google analytics. Google has a specific cookie called "DV" that is used by Google to collect information about user behavior on websites that use Google services, such as Google Analytics. This is a bit creepy when you consider that so many websites (maybe up to 86% of them) use Google analytics! This means your behaviour across hundreds, thousands maybe millions of websites can be tracked all by Google (and then probably sold off to other companies)!

If you're not already creeped out, check out this article by the Electronic Frontier Foundation .

Destruction by de-identifying

Fri, 16 Jun 2023 03:02:04 GMT

So this is interesting! Did you know that personal information that can no longer be connected to a person is effectively "disposed of"?

According to the New Zealand Privacy Act 2020, personal information can be considered disposed of if it is effectively de-identified. De-identification is a process that removes or modifies identifiable elements from personal information to ensure that the remaining data no longer relates to an identifiable individual.

When personal information is de-identified, it means that the data has been altered or transformed in a way that makes it practically impossible to identify the individuals to whom it belongs. The Privacy Act recognises de-identified information as no longer falling under the scope of "personal information" because the risk of identifying individuals is significantly reduced. Isn't that cool?

To ensure that personal information is properly de-identified, the Privacy Act provides guidance on key principles that need to be followed. These principles include:

Irreversibility: The de-identification process should be irreversible. Once the personal information is de-identified, it should not be possible to re-identify individuals using the remaining data alone or in combination with other information.
Reasonable means: De-identification should be carried out using reasonable means and methods appropriate to the nature of the personal information and the purpose for which it will be used.
Reasonable likelihood of re-identification: The likelihood of re-identifying individuals from the de-identified information, considering the available or reasonably likely resources and techniques, should be low.

By effectively de-identifying personal information, organisations can reduce the privacy risks associated with data handling. De-identified information can be used for research, statistical analysis, or other purposes without violating privacy laws, as long as the de-identification process is conducted in accordance with the principles outlined in the Privacy Act.

Remember, if you are handling personal information and considering de-identification, it's important to refer to the specific provisions and guidance provided by the New Zealand Privacy Act and seek legal advice if needed to ensure compliance with the law.

There is a spectrum of de-identification from pseudonymisation to anonymisation. Pseudonymisation is the process of replacing identifying information with a pseudonym or alias. For example, replacing someone's name with a unique ID number. Pseudonymisation can help protect personal information by making it more difficult to identify individuals. Replacing identifying information with pseudonyms may be considered de-identification *if* there is no longer any record of the original identity. In that way it would be similar to anonymisation, which is the process of removing all identifying information from data so that it cannot be linked back to an individual, even with additional information. For example, removing all identifying details from a medical study dataset. Anonymisation can help protect personal information while still allowing the data to be used for research or other purposes.

What on earth is data mapping?

Fri, 16 Jun 2023 02:41:04 GMT

Data mapping is one of those new buzzwords that's been rattling around the information community for a while now. At its most basic level, data mapping is figuring out where your information is and where it goes.

In order to map your data, you'll have to take a close look at all the personal information that your organisation collects, processes, and stores. This might include things like customer names and addresses, employee contact details, financial information, and more. The idea is to create a comprehensive picture of how personal information flows through your organisation, from the moment it's collected to the moment it's deleted or destroyed.

During the data mapping process, it might be useful to create a visual map or diagram that shows all the different systems, applications, and databases that handle personal information. You might also look at things like who has access to personal information, how long it's kept for, and what security measures are in place to protect it.

Why is this important?

Well, understanding how personal information is handled is essential for ensuring that it's being protected properly. It can also help identify any potential risks or vulnerabilities, such as systems that might be more prone to security breaches, or areas where personal information might be accidentally disclosed.

Overall, data mapping is a valuable tool for any organisation that handles personal information. By taking the time to map out all the data you collect and process, you can better understand privacy risks and take steps to ensure that personal information is being handled in a responsible and secure way.

We're experts at finding out where data is hiding in your organisation, but if you just need some quick guidance you can check out the guidance here at data.govt.nz .

How do I know if I'm dealing with a breach?

Fri, 16 Jun 2023 01:56:02 GMT

Privacy breaches happen all the time to organisations all over the world. We've had some notable ones here in NZ which provide some good 'what not to do' examples, but chances are, your organisation will experience at least a few in its lifetime! They key thing is how you manage them.

Before we jump into managing a breach, it's useful to explain the difference between an incident and a breach. A privacy incident refers to any situation where there is a potential unauthorised access, use, or disclosure of personal information. This might be an unsecured system or an HR file left on a copier.

On the other hand, a privacy breach occurs when there is an actual unauthorised access, use, or disclosure of personal information. This can happen if a hacker breaks into a database, if an employee accidentally sends an email to the wrong person, or if a physical document goes missing. Basically, any time personal information is exposed in a way that wasn't supposed to happen, it's considered a privacy breach. This is a big deal because personal information is sensitive and can be used for things like identity theft. If you think there's been a privacy breach, it's important to take action right away to protect people's privacy.

To determine if a privacy incident is a breach under the New Zealand Privacy Act, you should consider the following factors:

Nature of the information: Personal information includes details like names, contact information, financial data, or any other data that identifies an individual. If the incident involves unauthorised access to this kind of information, it raises concerns for a potential breach.
Unauthorised access or disclosure: A privacy breach occurs when there is an unauthorised access or disclosure of personal information. If someone gains access to or shares personal information without proper authorization, it could be considered a breach.
Likelihood of harm: The Privacy Act considers the potential harm or adverse effects that could result from a privacy breach. If there is a risk of harm to individuals, such as identity theft, financial loss, or reputational damage, it strengthens the case for a breach.
Steps taken to mitigate harm: If an organisation takes prompt action to minimise the impact of the incident and protect individuals affected by the privacy incident, it demonstrates commitment to handling the situation responsibly.
Reporting obligations: Organisations are required by law to notify the Privacy Commissioner and affected individuals in the event of a privacy breach that could cause serious harm. Compliance with these reporting obligations is an important factor in determining if an incident qualifies as a breach.

Breaches can be a really scary time for the victims of the breach and the people who (hopefully unwittingly) caused the breach. This can be magnified if the breach reaches the threshold of being notifiable under the Privacy Act. We can help figure out your threshold and identify whether you need to get the Privacy Commission involved.

We're experts at dealing with breaches (we love a little drama in our lives!) and have a strong belief in a no-blame culture, unless the breach is caused by malicious activity of course. If you need some help figuring out whether you're dealing with an incident or a breach or maybe you just need a calming pat on the head, we're here to help! We also recommend checking out the OPC guidance on managing breaches .

What’s the GDPR and why should I care?

Sun, 11 Jun 2023 22:34:13 GMT

The GDPR, or the General Data Protection Regulation, is a data protection law that was introduced in the European Union in 2018. It sets out strict rules for how organisations should collect, use, and protect personal information, and includes provisions for things like obtaining consent, data subject rights, and breach notifications.

While GDPR is a European law, it can be relevant in a New Zealand context for a few reasons. First, if your organisation handles personal information from people in the EU, you may need to comply with GDPR regardless of where you're located. Second, GDPR has set a new standard for data protection globally, and many countries, including New Zealand, are taking inspiration from it as they develop their own privacy laws. Finally, even if you don't have any direct connection to the EU, complying with GDPR can be a good way to demonstrate to your customers or users that you take their privacy seriously, and that you're committed to protecting their personal information.

We're experts in figuring out whether the GDPR applies to your organisation so if you're worried about it, get in touch with us!

What is personal information?

Sun, 11 Jun 2023 22:24:50 GMT

Basically, personal information is any information that can be linked to a specific individual, whether directly or indirectly.

Under the Privacy Act 2020 in New Zealand, personal information is defined as any information about an identifiable individual. This might sound straightforward but in practice it is a lot murkier.

Personal information can include the obvious stuff like a person's name, address, phone number, email address, date of birth, financial information or medical history. But it also includes opinions or evaluative comments (like about their performance at work or why someone was or wasn't chosen to do something)a bout an individual, as well as any information that relates to an individual's race, ethnicity, religion, political views, sexual orientation, or other personal characteristics. You can see how this starts to get complicated.

Because personal information can be so tricky to pin down, we can often fall into the trap of assuming that personal information only includes things like names and contact information. In reality, personal information can include a wide range of details, including opinions, preferences, and even some forms of anonymous data.

Another thing to keep in mind is that just because information has been made public, doesn't remove the fact that it still counts as personal information. While some information may become less sensitive if it's been made public, it can still be considered personal information if it can be linked to an identifiable individual. This means organisations and businesses still need to think carefully before collecting, holding and sharing publicly available personal information.

The other key thing to remember is that information that has been anonymised or pseudonymised, may still count as personal information.

Overall, it's important to take a comprehensive and thoughtful approach to figuring out what is and isn't personal information. That's where pros like Wrybill come in!

Swiping Left on Privacy - the Cost of Finding Love in the Digital age

Sun, 11 Jun 2023 22:06:45 GMT

Watch Caitlin talk about dating apps and privacy during Privacy Week

What is a privacy policy?

Sun, 11 Jun 2023 21:40:29 GMT

A privacy policy is a document that outlines an organisation's practices and procedures for handling personal information.

It's basically a set of rules that tells people what information you're collecting from them, how you're using that information, who you're sharing it with (if anyone), and how you're protecting it. Privacy policies are really important because they help build trust between organisations and their customers or users.

By being transparent about your data practices, you can show people that you take their privacy seriously and that you're committed to keeping their information safe. Plus, in many countries, having a privacy policy is required by law, so it's always a good idea to make sure you have one in place if you're collecting any kind of personal information from people.

What is a Privacy Impact Assessment and how do I do one?

Sun, 11 Jun 2023 21:38:20 GMT

A Privacy Impact Assessment (PIA) is an evaluation of the potential impact that a new project, program, or policy may have on individuals' privacy. Essentially, it's a way to identify and address any privacy risks or concerns before they become a problem.

By conducting a PIA, you can ensure that you're being transparent and accountable to the people whose data you're handling, while also avoiding costly data breaches or regulatory penalties. It's kind of like a check-up for your privacy practices, and just like with any other check-up, it's better to catch any potential issues early on rather than waiting until they become serious problems.

So I know what they are now, how do I start?

Define the scope: Start by identifying the specific project, system, or process that you will be assessing. This will help you to focus your efforts and ensure that you are addressing the right issues.
Map data flows: Identify all of the personal information that will be collected, used, or shared as part of the project. This includes data that will be collected directly from individuals, as well as data that may be obtained from other sources.
Identify privacy risks: Consider how the personal information that you have identified could be misused, disclosed, or otherwise compromised. Think about the potential impact on individuals and the organization.
Evaluate privacy controls: Review the existing controls that are in place to protect personal information. This includes technical controls, administrative controls, and physical controls.
Identify additional controls: Determine whether additional controls are needed to address the privacy risks that you have identified. This may include changes to processes, policies, or technology.
Develop a mitigation plan: Create a plan to address any privacy risks that you have identified. This should include specific steps that will be taken to reduce the risk and protect personal information.
Monitor and review: Once the project is implemented, continue to monitor and review its impact on privacy. This will help you to identify any new risks that may arise and ensure that your privacy controls remain effective.

Obviously, we'd love to help you out with a PIA but if you're looking for general information, the Privacy Commissioner has a useful toolkit to get you started.

Giving Good People Bad News

Sat, 04 Mar 2023 00:23:23 GMT

How to tell someone you breached their privacy

Throughout your career, if you deal with personal information at all, you will probably breach someone’s privacy or be involved in responding to a breach. It’s not fun to think about but it’s worth being prepared so when the inevitable happens, you know what to do!

Often a breach will go undetected and you might not even know it’s happened and if it’s low-level enough, you won’t need to the tell the victim that their privacy was breached.

A breach may be alerted to you by the staff member who made the error and accidentally sent a sensitive email containing someone’s mental health information to thirteen random people or it may be the recipients of the email or a member of the public if someone was lucky enough to leave a bunch of documents with personal information in it on the top of their car while they went for a surf! Either way, it’s action stations for everyone involved.

There are countless guides on how to respond to a breach - prepare, contain, eradicate, recover, evaluate etc etc - the point of this blog isn’t to rehash that but instead to give you some really practical, real world suggestions for how to tell the victim(s) of the breach.

Saying sorry is scary but it doesn’t have to be.

The Privacy Commissioner is a big advocate of saying sorry and having it come from the heart . If your privacy has been breached, you don’t really want to hear a “sorry this happened to you” from an organisation, you want your hurt, worry and embarrassment to be heard and understood and most importantly, you want to know what the agency will do to fix it.

Do

Say sorry

Keep it simple

Acknowledge hurt and distress

Have an action plan

Don't

Justify your actions

Overexplain

Gaslight

Make empty promises

Here’s an example of how to tell someone the bad news in a good way. In this case, an unlucky staff member has accidentally left sensitive documents containing personal information on a train.