Cookie time - not the delicious kind

Why AI Regulation Matters: Lessons from the EU AI Act for New Zealand

Understanding the New Biometrics Code: How the OPC's Latest Guidance Impacts Businesses and Individuals

IPP3A in Practice: What You Need to Know About Notifying Individuals When Collecting Their Data Indirectly

Privacy Law Updates in New Zealand: Key Changes and What They Mean for You

Migration 5 and privacy

So your organisation creates, holds, manages and disseminates data. Did you know that all of those actions also generate metadata, which can hide personal information? At a basic level, metadata is data that describes other data. In the context of digital files, metadata can include information such as the date and time a file was created, the location where it was created, and details about the device or software used to create it. Metadata is important for privacy because it can reveal information about the content and context of a file, even if the file itself does not contain any identifiable information. For example, metadata associated with a photo taken on a smartphone may reveal the location where the photo was taken, even if the photo itself does not show any identifiable landmarks. To protect privacy, it's important to be aware of what metadata is being generated by different types of files, and to take steps to limit or remove metadata as needed. While metadata might not directly reveal the content of the data, it can still contain valuable information that impacts privacy. Here's how metadata is relevant to privacy management: Identifying Personal Information: Metadata can help determine whether certain data falls under the definition of personal information. Metadata can reveal details about the data's source, creation, and intended use, aiding in the identification of personal information. Assessing Data Sensitivity: Metadata provides insights into the sensitivity or potential risks associated with the data. Understanding the metadata helps assess the privacy implications of different datasets and implement appropriate safeguards, controls, or consent mechanisms. Consent and Purpose Limitation: Metadata assists in ensuring compliance with the principles of consent and purpose limitation. It helps clarify the intended purposes for which personal information was collected and the scope of consent obtained from individuals. Metadata can also help track and monitor data usage to ensure it remains within the defined purpose limits. Data Retention and Disposal: Metadata aids in effective data management, including retention and disposal practices. It helps track data lifecycle information, such as creation dates, access logs, and retention periods, enabling organisations to adhere to obligations under the Privacy Act regarding data retention and secure disposal of personal information. Data Access and Security: Metadata provides insights into who accessed the data, when, and under what circumstances. It assists in monitoring data access, detecting unauthorised access attempts, and ensuring appropriate security measures are in place to protect personal information. Data Breach Management: Metadata is valuable in managing data breaches and complying with breach notification requirements. It helps in identifying the scope and impact of a breach, understanding which personal information was compromised, and evaluating the potential harm to individuals. This information is crucial for determining the appropriate actions to be taken under the Privacy Act, such as notifying affected individuals and the Privacy Commissioner. By recognising the significance of metadata in privacy management, organisations can proactively consider metadata-related implications when handling personal information, ensuring compliance with the New Zealand Privacy Act. It reinforces the need to implement privacy-aware practices across data lifecycle, including metadata handling, to protect individuals' privacy rights effectively.

So this is interesting! Did you know that personal information that can no longer be connected to a person is effectively "disposed of"? According to the New Zealand Privacy Act 2020, personal information can be considered disposed of if it is effectively de-identified. De-identification is a process that removes or modifies identifiable elements from personal information to ensure that the remaining data no longer relates to an identifiable individual. When personal information is de-identified, it means that the data has been altered or transformed in a way that makes it practically impossible to identify the individuals to whom it belongs. The Privacy Act recognises de-identified information as no longer falling under the scope of "personal information" because the risk of identifying individuals is significantly reduced. Isn't that cool? To ensure that personal information is properly de-identified, the Privacy Act provides guidance on key principles that need to be followed. These principles include: Irreversibility: The de-identification process should be irreversible. Once the personal information is de-identified, it should not be possible to re-identify individuals using the remaining data alone or in combination with other information. Reasonable means: De-identification should be carried out using reasonable means and methods appropriate to the nature of the personal information and the purpose for which it will be used. Reasonable likelihood of re-identification: The likelihood of re-identifying individuals from the de-identified information, considering the available or reasonably likely resources and techniques, should be low. By effectively de-identifying personal information, organisations can reduce the privacy risks associated with data handling. De-identified information can be used for research, statistical analysis, or other purposes without violating privacy laws, as long as the de-identification process is conducted in accordance with the principles outlined in the Privacy Act. Remember, if you are handling personal information and considering de-identification, it's important to refer to the specific provisions and guidance provided by the New Zealand Privacy Act and seek legal advice if needed to ensure compliance with the law. There is a spectrum of de-identification from pseudonymisation to anonymisation. Pseudonymisation is the process of replacing identifying information with a pseudonym or alias. For example, replacing someone's name with a unique ID number. Pseudonymisation can help protect personal information by making it more difficult to identify individuals. Replacing identifying information with pseudonyms may be considered de-identification *if* there is no longer any record of the original identity. In that way it would be similar to anonymisation, which is the process of removing all identifying information from data so that it cannot be linked back to an individual, even with additional information. For example, removing all identifying details from a medical study dataset. Anonymisation can help protect personal information while still allowing the data to be used for research or other purposes. 

Data mapping is one of those new buzzwords that's been rattling around the information community for a while now. At its most basic level, data mapping is figuring out where your information is and where it goes. In order to map your data, you'll have to take a close look at all the personal information that your organisation collects, processes, and stores. This might include things like customer names and addresses, employee contact details, financial information, and more. The idea is to create a comprehensive picture of how personal information flows through your organisation, from the moment it's collected to the moment it's deleted or destroyed. During the data mapping process, it might be useful to create a visual map or diagram that shows all the different systems, applications, and databases that handle personal information. You might also look at things like who has access to personal information, how long it's kept for, and what security measures are in place to protect it. Why is this important? Well, understanding how personal information is handled is essential for ensuring that it's being protected properly. It can also help identify any potential risks or vulnerabilities, such as systems that might be more prone to security breaches, or areas where personal information might be accidentally disclosed. Overall, data mapping is a valuable tool for any organisation that handles personal information. By taking the time to map out all the data you collect and process, you can better understand privacy risks and take steps to ensure that personal information is being handled in a responsible and secure way. We're experts at finding out where data is hiding in your organisation, but if you just need some quick guidance you can check out the guidance here at data.govt.nz .

Privacy breaches happen all the time to organisations all over the world. We've had some notable ones here in NZ which provide some good 'what not to do' examples, but chances are, your organisation will experience at least a few in its lifetime! They key thing is how you manage them. Before we jump into managing a breach, it's useful to explain the difference between an incident and a breach. A privacy incident refers to any situation where there is a potential unauthorised access, use, or disclosure of personal information. This might be an unsecured system or an HR file left on a copier. On the other hand, a privacy breach occurs when there is an actual unauthorised access, use, or disclosure of personal information. This can happen if a hacker breaks into a database, if an employee accidentally sends an email to the wrong person, or if a physical document goes missing. Basically, any time personal information is exposed in a way that wasn't supposed to happen, it's considered a privacy breach. This is a big deal because personal information is sensitive and can be used for things like identity theft. If you think there's been a privacy breach, it's important to take action right away to protect people's privacy. To determine if a privacy incident is a breach under the New Zealand Privacy Act, you should consider the following factors: Nature of the information: Personal information includes details like names, contact information, financial data, or any other data that identifies an individual. If the incident involves unauthorised access to this kind of information, it raises concerns for a potential breach. Unauthorised access or disclosure: A privacy breach occurs when there is an unauthorised access or disclosure of personal information. If someone gains access to or shares personal information without proper authorization, it could be considered a breach. Likelihood of harm: The Privacy Act considers the potential harm or adverse effects that could result from a privacy breach. If there is a risk of harm to individuals, such as identity theft, financial loss, or reputational damage, it strengthens the case for a breach. Steps taken to mitigate harm: If an organisation takes prompt action to minimise the impact of the incident and protect individuals affected by the privacy incident, it demonstrates commitment to handling the situation responsibly. Reporting obligations: Organisations are required by law to notify the Privacy Commissioner and affected individuals in the event of a privacy breach that could cause serious harm. Compliance with these reporting obligations is an important factor in determining if an incident qualifies as a breach. Breaches can be a really scary time for the victims of the breach and the people who (hopefully unwittingly) caused the breach. This can be magnified if the breach reaches the threshold of being notifiable under the Privacy Act. We can help figure out your threshold and identify whether you need to get the Privacy Commission involved. We're experts at dealing with breaches (we love a little drama in our lives!) and have a strong belief in a no-blame culture, unless the breach is caused by malicious activity of course. If you need some help figuring out whether you're dealing with an incident or a breach or maybe you just need a calming pat on the head, we're here to help! We also recommend checking out the OPC guidance on managing breaches .