June 16, 2023
So your organisation creates, holds, manages and disseminates data. Did you know that all of those actions also generate metadata, which can hide personal information? At a basic level, metadata is data that describes other data. In the context of digital files, metadata can include information such as the date and time a file was created, the location where it was created, and details about the device or software used to create it. Metadata is important for privacy because it can reveal information about the content and context of a file, even if the file itself does not contain any identifiable information. For example, metadata associated with a photo taken on a smartphone may reveal the location where the photo was taken, even if the photo itself does not show any identifiable landmarks. To protect privacy, it's important to be aware of what metadata is being generated by different types of files, and to take steps to limit or remove metadata as needed. While metadata might not directly reveal the content of the data, it can still contain valuable information that impacts privacy. Here's how metadata is relevant to privacy management: Identifying Personal Information: Metadata can help determine whether certain data falls under the definition of personal information. Metadata can reveal details about the data's source, creation, and intended use, aiding in the identification of personal information. Assessing Data Sensitivity: Metadata provides insights into the sensitivity or potential risks associated with the data. Understanding the metadata helps assess the privacy implications of different datasets and implement appropriate safeguards, controls, or consent mechanisms. Consent and Purpose Limitation: Metadata assists in ensuring compliance with the principles of consent and purpose limitation. It helps clarify the intended purposes for which personal information was collected and the scope of consent obtained from individuals. Metadata can also help track and monitor data usage to ensure it remains within the defined purpose limits. Data Retention and Disposal: Metadata aids in effective data management, including retention and disposal practices. It helps track data lifecycle information, such as creation dates, access logs, and retention periods, enabling organisations to adhere to obligations under the Privacy Act regarding data retention and secure disposal of personal information. Data Access and Security: Metadata provides insights into who accessed the data, when, and under what circumstances. It assists in monitoring data access, detecting unauthorised access attempts, and ensuring appropriate security measures are in place to protect personal information. Data Breach Management: Metadata is valuable in managing data breaches and complying with breach notification requirements. It helps in identifying the scope and impact of a breach, understanding which personal information was compromised, and evaluating the potential harm to individuals. This information is crucial for determining the appropriate actions to be taken under the Privacy Act, such as notifying affected individuals and the Privacy Commissioner. By recognising the significance of metadata in privacy management, organisations can proactively consider metadata-related implications when handling personal information, ensuring compliance with the New Zealand Privacy Act. It reinforces the need to implement privacy-aware practices across data lifecycle, including metadata handling, to protect individuals' privacy rights effectively.