NZ privacy commissioner recommends Australia's data re-identification criminalisation lead

The Commissioner wants to see harsher penalties in place for data re-identification, such as a NZ$1 million fine for breaching privacy-related laws.
Written by Asha Barbaschow, Contributor

New Zealand Privacy Commissioner John Edwards has recommended a new privacy principle be introduced that criminalises the re-identification of de-identified datasets.

The criminalisation would be coupled with a penalty of up to NZ$100,000 for individuals and up to NZ$1 million for public and private sector organisations -- similar to what has been proposed in Australia.

"A new privacy principle would reassure people that they have a means of redress if they suffer harm as a result of being re-identified from supposedly anonymous data," Edwards said. "This would act as a necessary incentive to data holders and users to maintain the integrity of the de-identified data set."

In his Report to the Minister of Justice Under Section 26 of The Privacy Act: Six Recommendations for Privacy Act Reform, Edwards said that public trust and confidence is a critical consideration in this context, and that it is vital for all parties to ensure that when personal information is anonymised, anonymity is preserved and maintained.

"I am concerned any significant loss of public trust could jeopardise the ability to sustain social license in the widespread use of personal information along with the various public benefits from that use," he said.

In the report [PDF], the commissioner explained that data sharing is more readily accepted where personal information is anonymised and aggregated, and that an individual's confidence in the use of de-identified information is in part determined by their belief that they will not be able to be re-identified or singled out from the crowd.

In another recommendation, Edwards suggests that the government provide an update to the Privacy Act that protects individuals against the risk that they could be unexpectedly identified from personally identifiable information that was meant to be anonymised.

Additionally, Edwards wants to introduce data portability as a consumer right, with the report stating the right of portability would allow individuals to request an agency to provide their personal information in a suitable electronic format.

"This will reduce the current friction in transferring services to another provider," the report said, noting that the concept would strengthen consumer choice and help to prevent provider lock-in.

Edwards also wants to make it a requirement in New Zealand that an agency must demonstrate its ongoing compliance, while also narrowing the defences available to agencies that obstruct the privacy commissioner, or fail to comply with a lawful requirement of the commissioner.

The sixth and final recommendation made by Edwards is to reform the public register principles in the Privacy Act and provide for the suppression of personal information in public registers where there is a safety risk.

The recommendations were made in response to the government's intention to reform New Zealand's Privacy Act, which has been on the cards since 1998, according to Edwards, who also noted that a lot has changed since the Law Commission's 2011 review of the Act.

"Important developments since 2011 that impact on the operation and adequacy of the privacy legislation include developments in data science and information technology, and new business models built on data-driven enterprise," the commissioner said in a statement.

He said that while the Privacy Act had already been the subject of thorough review, in light of later rapid changes in information technology and data science, and significant developments in international frameworks, his recommendations would help to ensure that New Zealand's privacy framework is "fit for purpose" in the current environment and for foreseeable developments in the future.

In making his recommendations, Edwards referenced the laws introduced to the Australian Senate in October that will see intentionally re-identifying a de-identified dataset punishable by up to two years' imprisonment, with the laws to be retrospectively applied from September 29, 2016.

Those exempt from the laws would include researchers at a university or other state government body, or those who have a contract with the federal government that allows such work to be conducted.

When announcing the proposed legislation in September, Australian Attorney-General George Brandis said open data was a vital part of modern government, and claimed "privacy of citizens is of paramount importance" to the government.

Earlier this week, an Australian Senate committee recommended the legislation be passed through Parliament despite concerns about the scope of the law, its reversal of the burden of proof, exemptions under it, and the retrospective nature of it.

The committee's report outlined several key issues with the Bill: The release of de-identified information; the criminalisation of re-identifying data; the scope of the offences; the scope of the minister's exemption powers; the retrospective application of the laws; and the reversed burden of proof from the prosecution to the defendant.

Editorial standards