Introduction
Given that it’s Privacy Week 2021, I thought I’d jot down my thoughts on 40 common privacy potholes. I’ve described them as potholes because it’s not uncommon for agencies to think they’re doing the right thing or to be going about their business as usual, only to find themselves stumbling due to a pothole they didn’t see or were not aware of. It’s rare for agencies to deliberately do things that breach people’s privacy, but it’s not that uncommon for agencies to fall foul of the Privacy Act unwittingly. Sometimes that’s because they haven’t taken enough care, but other times it’s because they were not aware of a particular legal requirement, or had simply misunderstood what the law requires, or had relied on someone else who has made a mistake.
All of the potholes listed below are capable of resulting in some or all of the following:
- an agency breaching the Privacy Act or acting unethically or, for public sector agencies, acting contrary to government guidance
- increased risk of an agency doing these things
- some kind of harm to affected individuals
- investigation and potentially adverse findings by the Privacy Commissioner
- damage to an agency’s reputation.
In the interests of:
- supporting Privacy Week’s theme of making privacy a priority, and
- ensuring one’s house is in order,
agencies that handle personal information may wish to ask themselves whether there’s any risk that they too may stumble on any of these potholes.
References below to “IPPs” are to information privacy principles in section 22 of the Privacy Act 2020.
The 40 potholes
Collection of personal information, purpose, and transparency
1. Insufficient clarity or understanding of an agency’s purpose for collecting personal information
2. Insufficient consideration of whether an agency needs to collect all the information it collects
3. Collecting identifying information (such as name and address) when the lawful purpose for collecting personal information does not require the collection of individuals’ identifying information
4. Over-collection of other kinds of personal information
5. Insufficient care with evolving purposes of collection during project design and implementation
6. Taking a kitchen sink – “just in case” – approach to collections of personal information
7. Poor transparency with individuals as to why their personal information is being collected and what will be done with it
8. Insufficient clarity in privacy statements / privacy disclosures as to who will see an individual’s sensitive information
9. Forgetting to tell people about their rights to access and request correction of the personal information your agency holds
10. Collecting information from another agency without being clear with them about all your agency’s purposes of collection
11. Obscure, cookie-cutter-copied, or otherwise inadequate privacy statements
Statutory operating environments
12. For agencies in the public sector and regulated sectors, not understanding the range of specific statutory provisions in other legislation under which personal information may be collected, used or disclosed
13. Misunderstanding the interaction between specific statutory provisions and the Privacy Act, including not appreciating that usually a specific statutory provision will only override some but not all IPPs (for example, it is extremely rare for any such law to override IPP3, which sets out transparency requirements where agencies collect personal information from individuals)
Security
14. Insufficient physical or electronic security safeguards to protect the personal information an agency holds against loss and against unauthorised access, use, modification or disclosure
15. Collecting personal information from people, orally or in writing, when other people could hear or see the personal information being collected
16. Insufficient care when sending personal information by email, resulting in personal information being sent to the wrong people (for example, address autocomplete selecting the wrong recipient, or a group of recipients being placed in ‘cc’ rather than ‘bcc’ so that each can see the others’ addresses)
Access and correction
17. Ignoring or otherwise responding inappropriately to requests by people for access to or correction of their personal information
Retention and disposal
18. Holding on to personal information for longer than your agency needs it
19. Disposing of personal information in an insecure way, such as throwing hard copy documents into the trash, or insecurely ‘deleting’ electronic files (for example, moving them to a recycle bin or removing only the directory entry, which leaves the underlying data recoverable)
20. Destroying documents containing personal information to avoid having to comply with a request for access to personal information (this is now an offence under the Privacy Act 2020)
Using personal information
21. Using personal information for a purpose it was not collected for, when this isn’t permitted by IPP10 (Limits on use of personal information) or another law
22. As an example of the above, using personal information for a purpose it was not collected for in the belief that a consent somewhere covers the use when it doesn’t (for example, a consent in a consent form may be too narrow to permit the use, or the consent may not have been informed, or a consent clause may have been submerged in the small print of a privacy statement that ordinary humans can’t and won’t read and/or were not asked to read and accept)
23. Using personal information without taking steps that, in the circumstances, might be important to ensure the information is accurate and up to date
Sharing of personal information
24. Disclosing personal information to another agency or person for a purpose it was not collected for, when this isn’t permitted by IPP11 (Limits on disclosure of personal information) or another law
25. Assuming that a voluntary information-sharing MOU or agreement between agencies can, by itself, be the source of legal authority to share personal information, when that is not the case
26. When an agency shares personal information with a service provider for processing, not putting contractual controls in place that limit use or disclosure for any other purpose
27. Not including privacy breach notification obligations in contracts with service providers under which an agency discloses personal information to the service providers for processing
28. Sending personal information to a foreign person or entity (i.e., overseas) in reliance on exceptions in IPP11 (Limits on disclosure of personal information), without considering whether IPP12 (Disclosure of personal information outside New Zealand) permits the offshore disclosure, or where IPP12 does not permit it
29. Disclosing personal information to another agency without taking steps that, in the circumstances, might be important to ensure the information is accurate and up to date
30. Publishing data that an agency considers to be de-identified when it has not been fully de-identified or when there is a material risk of re-identification through a combination of the published data with other data
31. Disclosing sensitive information to another agency without putting any controls in place as to how that information can be used
32. Disclosing sensitive personal information about people (e.g., health-related information, victim-related information, or information about their religious or political beliefs or sexual life or orientation) to others without those people’s knowledge (to be clear, there are circumstances where this is lawful but where it may still be unethical and/or contrary to government guidance and/or contrary to a profession’s ethical guidelines or code of ethics)
33. Allowing personal information to be accessed for research purposes when that is undesirable (there are cases where this is permitted by law but clearly unethical or inappropriate)
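Pothole 30 is easy to underestimate because a table with the names stripped out looks harmless on its own. The following is an added example, not part of the original post, showing how the check is done in practice: the release and the auxiliary dataset are both constructed, the names are placeholders, and the columns treated as quasi-identifiers (postcode, birth year, sex) are an assumption for the illustration. It measures k-anonymity over the quasi-identifiers, runs the linkage join an outsider would run against any other list pairing names with those same fields, and then shows the effect of generalising the quasi-identifiers before publication.

```python
"""
Re-identification risk check for a 'de-identified' release (constructed example).

Direct identifiers are gone, but the quasi-identifiers that remain (postcode,
birth year, sex) can be joined against any other dataset that carries them
alongside names. Every equivalence class of size 1 in the release is a record
such a join can pin to one person.
"""
from collections import Counter, defaultdict

# Assumed quasi-identifier columns for this illustration.
QUASI_IDENTIFIERS = ("postcode", "birth_year", "sex")

# Constructed "de-identified" release: names removed, a sensitive column kept.
RELEASE = [
    {"postcode": "6011", "birth_year": 1984, "sex": "F", "diagnosis": "asthma"},
    {"postcode": "6011", "birth_year": 1984, "sex": "F", "diagnosis": "diabetes"},
    {"postcode": "6012", "birth_year": 1989, "sex": "M", "diagnosis": "hypertension"},
    {"postcode": "6021", "birth_year": 1990, "sex": "F", "diagnosis": "depression"},
    {"postcode": "6021", "birth_year": 1991, "sex": "M", "diagnosis": "asthma"},
]

# Constructed auxiliary dataset (hypothetical names; stands in for any list that
# pairs names with the same quasi-identifiers, e.g. a membership or mailing list).
AUXILIARY = [
    {"name": "A. Example", "postcode": "6012", "birth_year": 1989, "sex": "M"},
    {"name": "B. Example", "postcode": "6021", "birth_year": 1990, "sex": "F"},
    {"name": "C. Example", "postcode": "6011", "birth_year": 1984, "sex": "F"},
    {"name": "D. Example", "postcode": "6011", "birth_year": 1984, "sex": "F"},
]


def qi_key(row, qis=QUASI_IDENTIFIERS):
    """The tuple of quasi-identifier values a record can be joined on."""
    return tuple(row[q] for q in qis)


def equivalence_classes(rows, qis=QUASI_IDENTIFIERS):
    """Map each quasi-identifier combination to the number of rows sharing it."""
    return Counter(qi_key(r, qis) for r in rows)


def k_anonymity(rows, qis=QUASI_IDENTIFIERS):
    """The k in k-anonymity: size of the smallest equivalence class (0 if empty)."""
    classes = equivalence_classes(rows, qis)
    return min(classes.values()) if classes else 0


def unique_records(rows, qis=QUASI_IDENTIFIERS):
    """Quasi-identifier combinations that occur exactly once: the records at risk."""
    return sorted(k for k, n in equivalence_classes(rows, qis).items() if n == 1)


def linkage_attack(release, auxiliary, sensitive="diagnosis", qis=QUASI_IDENTIFIERS):
    """
    Join the release to the auxiliary data on the quasi-identifiers and return
    {name: sensitive value} for every unambiguous match (exactly one release row
    and exactly one auxiliary row share the key). Ambiguous keys are skipped.
    """
    release_by_key, aux_by_key = defaultdict(list), defaultdict(list)
    for r in release:
        release_by_key[qi_key(r, qis)].append(r)
    for a in auxiliary:
        aux_by_key[qi_key(a, qis)].append(a)
    identified = {}
    for key, aux_rows in aux_by_key.items():
        rel_rows = release_by_key.get(key, [])
        if len(rel_rows) == 1 and len(aux_rows) == 1:
            identified[aux_rows[0]["name"]] = rel_rows[0][sensitive]
    return identified


def generalise(rows, postcode_digits=2, year_band=10):
    """
    Coarsen the quasi-identifiers before release: truncate the postcode, band
    the birth year, and suppress sex. Other columns are passed through untouched.
    """
    return [
        {
            **r,
            "postcode": r["postcode"][:postcode_digits],
            "birth_year": (r["birth_year"] // year_band) * year_band,
            "sex": "*",
        }
        for r in rows
    ]


if __name__ == "__main__":
    print("k before generalisation:", k_anonymity(RELEASE))
    print("unique records:", unique_records(RELEASE))
    print("linked by auxiliary data:", linkage_attack(RELEASE, AUXILIARY))
    coarse = generalise(RELEASE)
    print("k after generalisation:", k_anonymity(coarse))
    print("linked after generalisation:", linkage_attack(coarse, generalise(AUXILIARY)))
```

On the constructed data, three of the five released rows are unique on their quasi-identifiers (k = 1), and the join recovers a diagnosis for two named people without any direct identifier ever being published. After truncating postcodes and banding birth years, every class holds at least two rows (k = 2) and the same join recovers nothing. Two caveats a practitioner should keep in mind: an agency cannot know which auxiliary datasets an outsider holds, so the generalisation level has to be chosen against a pessimistic assumption rather than the one list it happens to know about; and k-anonymity alone does not stop attribute disclosure, since a class whose members all share the same diagnosis still reveals it to anyone who can place a person in that class.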
Privacy Act codes of practice
34. Considering a proposed collection, use or sharing of, say, health information or telecommunications information, under the Privacy Act’s IPPs, in circumstances where the Health Information Privacy Code or the Telecommunications Information Privacy Code applies in place of the IPPs
Threshold privacy assessments and privacy impact assessments
35. Not undertaking a threshold privacy assessment or a privacy impact assessment when it’s desirable to do so in the circumstances (the law does not require either of these assessments, but it’s good practice to do them in a range of contexts, and not doing them may result in privacy risks being missed)
36. Having such an assessment done by someone who doesn’t have a sufficiently good understanding of privacy law and practice (this is not to say a lawyer needs to do it, but having this understanding can be particularly important in some contexts, such as certain public sector contexts where there is a range of specific statutory provisions that interact with or override the Privacy Act in various ways; sometimes assessors are not aware of these or do not understand how they apply)
Privacy breach
37. Having no process in place to respond to privacy breaches and, when required, to notify the Privacy Commissioner and affected individuals of notifiable privacy breaches
38. Failing to notify notifiable privacy breaches when required to do so
Training and governance
39. For agencies that handle significant amounts of personal information, having no privacy-related training for staff
40. Senior management having insufficient knowledge or oversight of privacy-related issues and risks
(The image for this post is a modified version of a Privacy Week 2021 image released by the Office of the Privacy Commissioner, and licensed under a Creative Commons Attribution 3.0 New Zealand licence.)