Tag Archives: Privacy

Changing expectations of privacy

Posted on by
Reply

The BBC reports on how the expanding use of online social networking is redefining “reasonable expectations” of privacy for everyone. It cites Dr Kieron O’Hara of the University of Southhampton:

“As more private lives are exported online, reasonable expectations are diminishing. When our reasonable expectations diminish, as they have, by necessity our legal protection diminishes”.

The reason is that the law attempts to balance the “reasonable expectations” of privacy with other considerations, such as freedom of information and free speech. In New Zealand, the Bill of Rights Act 1990, section 14, enshrines this freedom (as best it can, given the unsatisfactory state of that Act):

“14. Freedom of expression: Everyone has the right to freedom of expression, including the freedom to seek, receive, and impart information and opinions of any kind in any form”.

That right remains strong, but there is no doubt that “reasonable expectations” of privacy are rapidly shifting. In the article Dr O’Hara gives the example of an embarrassing photo taken at a party:

“A decade ago, he said, there would have been an assumption that it might be circulated among friends. But now the assumption is that it may well end up on the internet and be viewed by strangers.”

Another prime example is Google’s Street View. A decade or two ago there may have been some expectation of privacy when walking in the street (although as Katrine Evans of the University of Wellington, now Assistant Privacy Commissioner, notes there is a “considerable body of [precedent] which states that innocuous photographs of people in public places will not attract the protection of the common law”).

Today, Street View routinely photographs people in the streets; there is no doubt that this sort of occurrence will be a permanent part of our lives in some shape or form. Street View has various privacy measures in place (e.g. blurring faces) but there have been cases of people caught in compromising situations and a number of court cases have been fought or are pending.

A while ago I blogged (Don’t expect privacy in cyberspace) about a US case where a girl’s public MySpace rant – ostensibly intended only for her friends – was republished in a newspaper. She claimed a breach of privacy. The Court said:

“[The student's] affirmative act [of publishing her post on MySpace] made her article available to any person with a computer and thus opened it to the public eye. Under these circumstances, no reasonable person would have had an expectation of privacy regarding the published material”.

The US Court’s ruling was quite sensible, however it highlights the point that not only are expectations of privacy rapidly changing, but the avenues for disseminating private information (and thereby possibly redefining what constitutes reasonable expectations) are also expanding. This is happening at the same time that the law in many common law jurisdictions (e.g. UK, US, Canada, Australia & New Zealand) is still relatively unsettled and developing. The societal changes of “the Facebook generation” has already been recognised in data loss / information security incidents, and is equally relevant in privacy law.

It is worth noting that in New Zealand’s current leading case on privacy (Hosking v Runting [2005] 1 NZLR 1) the actual existence of a tort of privacy was only accepted by a 3-2 decision. Since that time, other jurisdictions have expanded their privacy laws more liberally than the Hosking case’s relatively narrow scope. Most recently the 2008 Max Mosley case in the UK (argued on the basis of breach of confidence and “unauthorised disclosure of personal information”) has thrown up a number of related issues likely to be explored in a future New Zealand case.

Due to reasons of cost, substantial court cases involving breaches of privacy are rare. It seems likely that, whatever currently a “reasonable expectation” of privacy is, it will have changed again by the time the next case is argued.

Portable storage devices & data loss

Posted on by
Reply

The Privacy Commissioner recently released a Guidance Note on the Use of Portable Storage Devices. PSDs have been the cause of some major data-loss incidents around the world in recent years, although of course people will still drop notepads in the street or lose unencrypted disks in the post. The recommended steps:

  1. Assess the risks associated with using PSDs in your organisation.
  2. Introduce and actively communicate policies that set out how staff may use PSDs.
  3. Minimise the use of personal PSDs in the workplace.
  4. Introduce software or hardware controls (or both) to restrict use of PSDs.
  5. Actively monitor the use of PSDs for compliance with policies.

A relevant item to note following the launch of Windows 7 is the new BitLocker To Go extension for encrypting USB drives. For Windows users this would surely be a key policy to introduce.

In any case, technical measures, as always, will only be part of the picture. In matters of privacy protection, data loss and DRM, technical protections will only ever be playing catch-up. What overarches all of this – which the guidance note does not cover – is the observation from the UK’s 2008 Burton Report into the loss of Ministry of Defence data, that described a “Facebook generation” as having:

“a culture where the rapid and often uninhibited exchange of information is the norm… The younger generation of MoD staff are not inculcated with the same culture of protecting information as their counterparts from previous generations.”

Communicating the risks and liabilities (and documenting them in policies and contracts) is a step often overlooked.

Privacy for company director addresses

Posted on by
Reply

From October, the UK will be restricting access to the residential addresses of company directors on new registrations (and optionally for existing registrations).

At present – as in NZ – directors must disclose their residential addresses, although – unlike in NZ – a director may apply to have that information restricted on the grounds of possible attack. Soon, residential addresses will become “protected information” by default – only disclosable to credit reference agencies and certified authorities. There will also be an option to hide the residential address from even those authorities.

The change is apparently in response to increased privacy concerns and threats of violence against directors.

In New Zealand, the law requires that company directors disclose their residential address (e.g. section 215 of the Companies Act 1993 among other sections). There is no provision for withholding an address. Interestingly, our Companies Act also requires that founding shareholders provide a residential address (section 12(2)(c)), but not subsequent shareholders (section 87 only refers to “the latest known address” which, in the case of a person, could be a non-residential postal or even electronic address. Many companies I have dealt with and managed use a non-residential person-shareholder address).

It is probable that New Zealand will eventually go the way of the UK, although there has not been any call for it yet. Australia has a provision for suppressing directors’ residential addresses which would also be a possible model to adopt.

Is this a good idea? It depends on the purpose of showing a director’s residential address. Why do we really need to know that information? If the answer is to serve documents on a director, that can be easily achieved by allowing directors to be served:

  1. At an alternative “address for service” specified by the director (the new UK model); or
  2. At the company’s “address for service” which all companies must have anyway.

Provided we have one of the above options, the residential address isn’t really needed and should be able to be suppressed. This would be consistent with the UK and Australia, and also the approach under the Electoral Act 1993. The electoral roll is open for public inspection (though not electronically) and can be used to find a residential address, but with the ability for individuals to request suppression under section 115.

The Privacy Commissioner has guidelines suggesting a model similar to Australia’s, allowing suppression on request, although for some reason its report does not mention the Companies Act at all.

In the meantime, all company records including director addresses are open to full public inspection. Is there some other reason why it should stay? Openness and transparency are always good things, but if it is not necessary to disclose this personal information, should we?

Data loss & disclosure

Posted on by
Reply

Yet another survey, this time of New Zealand firms, confirms that data loss will be the number one most important issue in IT for the near future. As reported by Computerworld, “58% of Australian and New Zealand companies suffered a data loss or breach that affected business performance”.

Interestingly, the Australia/New Zealand rate is above the US and global rates. This is despite New Zealand having very few reported incidents, while reported incidents in the UK and US seem to have reached near-epidemic levels. As the article reports, maybe this is because they are kept out of the press.

It is true that other countries have (or are implementing) mandatory data loss notification laws. Locally, the idea has been proposed by the Privacy Commissioner, which says there is a “good case” for such a law. However, this could be many years away. The issue is not currently on the Law Commission’s project list, which would probably be the first step to introducing such a law, and it is fair to say the Government has more important things to worry about at present.

It is inevitable, however, that we will implement such a law, and when we do we are likely to look to the UK as a model. The UK and EU have been particularly active in the area of data protection (for good reason). Last year, the UK passed a “reckless data loss law“, allowing their Data Protection Commissioner to impose fines on people or companies who:

“knew or ought to have known that there was a risk that [data loss] would occur, and that such a contravention would be of a kind likely to cause substantial damage or substantial distress, but failed to take reasonable steps to prevent the [data loss].”

This could even extend to personal liablity for a reckless sysadmin. Whether or not this is a good idea remains to be seen, as the law has been passed but is not yet in force. And unfortunately for victims, the UK Government gets to pocket the fine.

In the meantime, in this country the Privacy Commission should be the first stop for personal data loss issues. Beyond that, it is very much a matter of being careful with who you entrust your personal information to – bearing in mind that whoever you give it to will almost certainly involve third party contractor access at some level.

Don’t expect privacy in cyberspace

Posted on by
Reply

A recent US case is a timely reminder that when you post information to a public website, you are likely to lost any expectation of privacy regarding the contents of the information. The principles of the case are broadly equivalent to the situation in New Zealand. But it also serves a wider warning that when you entrust your information to another person (or company), you may be parting with any real control you have over that information.

Continue reading