Privacy Law and Policy Reporter
Blair Stewart
This is an edited transcript of a panel session held at the Privacy Issues Forum, Christchurch, NZ, 13 June 1996. The session was chaired by Blair Stewart (Manager of Codes and Legislation, NZ Privacy Commissioner's Office) and panel participants included Elizabeth Longworth (Longworth Associates), David Flaherty (British Columbia Privacy Commissioner) and Nigel Waters (Head of Privacy Branch, Australian Privacy Commissioner's Office). Blair Stewart's article on PIAs at 3 PLPR 61 provides an introduction to this topic. (General Editor)
Before going further I should mention the terminology that I and Elizabeth Longworth used in our papers distributed in advance of this session. We've referred to the process as the privacy impact assessment or PIA, to use a three letter acronym (TLA). Others use the term privacy impact statement but, as Kevin O'Connor pointed out, its TLA may lead that term to fall into disfavour.
Following my own brief comments will be Elizabeth Longworth, an Auckland lawyer with a special expertise in technology, telecommunications and related privacy issues. Also on the panel are David Flaherty from British Columbia and Nigel Waters. Nigel is the 'second in command' in the Australian Privacy Commissioner's office while David is the Information and Privacy Commissioner of British Columbia.
To briefly recap on the first half of my paper I suggested that a light-handed privacy law, which I believe the Privacy Act 1993 is, will be enhanced by the use of PIAs in relation to major privacy invasive initiatives. PIAs can provide a degree of accountability to the public. A PIA makes a systematic effort to assess privacy impacts of options and identify ways to ameliorate their privacy impact or mitigate adverse effects. In my paper I suggest that PIAs may be desirable in a variety of circumstances for instance on the introduction of new information technology. In my view the PIA process should be systematic, competent and integrated into decision making processes. I take the view that PIAs should not normally be prepared by the Privacy Commissioner but should be the responsibility of the agency making the running with the new endeavour. We should expect people to take a degree of responsibility for the effects that they are going to have on privacy rather than saying an external oversight agency can just take that problem on board and provide solutions. However, I think that to provide a public and independent element I would see at some stage the Privacy Commissioner having a very suitable function of review or critique of PIAs.
I won't say any more about my paper, or the second half of the paper particularly, but I would like to draw out an analogy with environmental impact assessments, something that was only briefly touched on in my paper. It seems to me that our notions of a desirable environment or desirable level of privacy are manifestations of human emotions and aspirations, they are not simply utilitarian notions or economic notions -- although we can, and should in appropriate cases, sometimes try to reduce environmental and privacy notions to quantifiable and economic things like stock carrying capacity of land, the capacity of a river to absorb pollution or the cost benefit of a data matching exercise. But for the most part I actually think our concerns for the environment, like our concerns for privacy, are not so much an economic matter but have a lot to do with human personal emotions.
Environmental impact assessment, which I hope some of you might be familiar with because they have been going for 15 or 20 years now, seeks to judge harm to the environment in the future if a proposal goes ahead. The objective of a PIA is similar, we try to judge what can happen in the future if a proposed option is taken. In both cases I think we often find the effects are gradual and cumulative. One more sewerage outfall in the Waikato River or a single video camera installed in The Square in Christchurch may seem minor in itself but later generations may well wake up with a very polluted river or perceive they are now living in a surveillance society. Although you don't always know when the line is crossed at the time, PIAs may help to put us on notice as to gradual degradation.
The comparison with environmental impact assessment could usefully be taken further. For now it may suffice to say that there are similarities and environmental impact assessment has turned out to be a highly effective tool in relation to identifying environmental issues and helping to inform decision makers in resource management terms. There are no absolutes in environmental terms, we are certainly willing to trade off some degradation in our natural environment for economic well-being. Privacy too involves trade offs and an assessment technique based upon one effectively used in the environmental field has a promising role to play in the privacy arena.
For some years now I've been carrying out a form of PIA in the context of my practice. One of the reasons why I have been doing that work is because there is nothing else people have been able to fall back on. It might be interesting for you to know the range of areas in which I have been hired to look at a change in activity or a new product or service and to give a view on how it sits in terms of privacy compliance and privacy issues. The list includes health services, changes in health activities, the delivery of new education programs, certain telecommunications products, banking activities, credit risk assessment activities, new marketing techniques and the use of various types of registers. That is quite a range.
Some of the questions that I ask are listed in my paper. They are very generic questions that start off at that higher level and then you bring it down to the more specific. In an area of consumer protection laws it is absolutely foolhardy if an agency fails to address what impact the product or the change in activity will have on personal privacy. Agencies need to try to pin down exactly who will be affected and the nature of the personal information involved, how does the product or activity sit in terms of the privacy principles. What distinguishes it from a privacy compliance program is that kind of program looks at the 'here and now', whereas we are trying to look into the future. Very importantly, we are trying to second guess what will be the consumer or public perceptions. The point at which I get involved is prior to the new activity going public. So there is a bit of second guessing and there is a lot of use of research analysis, and the last two questions are 'are there any broader privacy implications other than just compatibility with the Privacy Act?' or rephrasing that 'does the product or the service or the change in activity push the current privacy boundaries whether or not those boundaries are defined by statute?' Two points I think are extremely important because they are the drivers why people are looking at PIAs and the need for them because they realise that some of the things they are wanting to do may be pushing the boundaries in terms of what our expectations are of privacy protection.
Why do clients come and ask for this type of work? There is no formal structure out there at the moment for PIAs, if they get this kind of assessment at an early stage they can keep it confidential. That's important because it allows the planners to change the design or the method of implementation before it has to satisfy the 'front page test', and that is incredibly important because it allows the agency to change directions. But of course that is a very interesting motivation because one of the factors that Blair is talking about is the need for some kind of public scrutiny in the process.
It is also cost efficient to have a PIA because it is a hell of a lot cheaper, believe me it's a lot cheaper, to react pro-actively in terms of privacy compliance than retro-actively. It is a lot cheaper to try and second guess where you are going to have to anticipate compliance than have to turn around and re-do your forms for collecting personal information, or the way in which you are delivering a service, because the costs have already been sunk. It is a great risk management tool, the actual process that goes on in terms of building it into the critical path of the development, it pulls out all sorts of issues along the way and I believe there are many advantages to anticipating difficult privacy issues.
There are a lot of adverse consequences of getting it wrong which is why I kicked off the paper with a make-believe scenario. By the way, I apologise to any poor company that has the name Technology Incorporated because it's not meant to relate to any real company. But I threw in a scenario there so that you could see what happens if the planners of a new project fail to address the wider privacy implications. In that particular case the new product, the very sexy new product, was dead in the ground for failing to have a PIA.
I can't imagine that anybody wouldn't be enthusiastic about the concept of PIA, although I am beginning to be worried that our two previous speakers are more worried about developing a suitable acronym, I didn't realise New Zealanders were so preoccupied with that particular activity.
It is inconceivable that a PIA is anything other than in the best interest of your organisation. I've looked through the list of participants and I think it is fairly common for all our organisations today, whether in the public or private sector, to be designing new information systems or new products of one sort or another. A fairly regular experience for me is to be told, as I was in the Ministry of Education of British Columbia a couple of weeks ago over lunch, 'oh by the way we are designing a new central information system on primary and secondary school children in the province'. I can usually anticipate that nobody in the planning group with another new scheme will have thought about personal privacy in the equation. As a result of a casual lunch I simply invited these people in and started talking about the privacy implications.
Whether an organisation is a private company or a health agency or something in the public sector, it is so easy for your executive committee or senior executives or the product managers being pressured to generate new business or to work more effectively not to think about personal privacy. One of my ongoing efforts is to try to get public servants or employees of corporations to remember that they are also human beings and that they ought to reflect in the course of their work on what impact their activities are going to have on the lives of other individuals.
I think that what you do with a PIA is customise the information privacy principles, such as you call them in NZ, to the particular activity that you've got in mind. Take the next workshop on electronic surveillance, concerning closed circuit television in Christchurch and other parts of NZ, that again is a question of customising and applying the fair information practices that were developed in the early 1970s and on which we now have 35 years of experience. And most privacy issues are simply addressed quite satisfactorily by taking these kinds of fair information practices or information privacy principles into effect.
I would urge you to take back to your organisations the kind of consideration on PIAs based on the environmental model, that these two excellent papers have been addressing today. I am astonished that Elizabeth Longworth who is a private consultant has been giving away so much free information here, you can simply take it and go to work with it.
I think the issue here is how much more formal should we make it, how systematic can you be in setting down some guidelines and some processes to go through? I think one of the reasons why governments find it difficult to adopt a more formalised and open privacy impact process is that it doesn't fit easily into the decision-making processes of government. There is in the absence of a statutory requirement such as you get in the environmental area. The whole process of government decision-making policy formulation leading through to a Cabinet submission and Cabinet approval doesn't really lend itself to an open public document assessing the pros and cons from any perspective, let alone just the privacy ones, to be exposed before the decision is made by government by which time it is usually too late to revisit some of the fundamental assumptions. I think if we are serious about the more formalised and public privacy impact process then there may have to be some adjustment to the underlying decision-making processes of government to accommodate it, otherwise you are only going to get at best a rather messy partial assessment of the implications.
The other point I will make is in relation to who should do the assessment. I think essentially it has got to be a collaborative process. While the organisation that's developing the initiative is the only one that really knows what they've got in mind and therefore it is difficult for somebody like the Privacy Commissioner's office to come in from outside to try to do the assessment without understanding where they are coming from. However, equally if you just leave it to the organisation, they don't usually understand all of the privacy angles. We've asked a number of agencies to do what we call compliance statements with the information privacy principles and bring that to us and you usually find that they've covered some of the principles quite well but they have just totally missed some very important privacy angles. So I think with whatever degree of formality we are talking about the organisations concerned are going to need some help whether it be from the Privacy Commissioner's office or from an outside consultant who understands the privacy principles well in order to make sure that they cover all the angles.
I also think that agencies are only just coming to grips with the need for privacy compliance programs. They have had to come up to speed with the various consumer protection compliance programs and now there is another one, privacy, and oh no we don't just have to do a privacy compliance program we've got to start looking to the future? So it's just a slow upwards haul. I believe that the smart agencies -- there are a number of them around -- are taking PIAs as far as they can within the existing structures. I find that their responses depend a lot on the awareness levels of the key executives who call for the PIAs are sufficiently smart and aware and alert to see the need for it, because they can see the downside for their organisation if they ignore this issue. And it also relies on a level of privacy awareness among the public and the media and I like to think that is an informed awareness rather than a knee-jerk awareness. That is because of the front page test again, because if you have a very aware public then of course the front page test has a bit of bite to it and that becomes one of the drivers to do something about anticipating difficult privacy issues in the planning stages.
The second thing that the questioner said he did was to get a lawyer's opinion. Again the lawyer is going to give an opinion primarily going back to this idea of compliance. What I'm suggesting is that while lawyers have a role, so also others have a role, such as privacy officers and those who work with the Privacy Act. Sometimes you might go to someone for help or you might have the expertise in-house to prepare a PIA. The lawyer may have to do at least the compliance exercise but there are going to be other things: what are the technical options? What value do we put on school children's records? Is this something that the parents and children are going to be expecting is going to happen? Is there another way of achieving the same objective?
I'm also discouraged by the notion that you need legal advice. Common sense is at the heart of privacy protection and if you are doing what makes common sense to you and what is ethical and moral the likelihood is you are in compliance with every Act in the western world on privacy. So I think that going to lawyers is an invitation, with all due respect to lawyers in the world, to big legal bills, more than anything else and most of them don't know anything more than you do about it. You have to generate your own in-house expertise rather than paying several hundred dollars an hour for some lawyer consultant (including me in my previous incarnation) to learn about your system when they knew nothing about it when they started.
I am well aware that in NZ you did not have prior to 1990 substantial privacy expertise. Liz Longworth and Tim McBride were two of the few people that I knew here who had some knowledge on information privacy. There are only 3.5 million people here, you don't have 25 experts. There aren't 25 privacy experts in the entire US -- with negative consequences for that society. You are left with a dozen or so in Canada except for the people who work for privacy commissions. You can do an awful lot of this work yourself using common sense and then when you've got your own assessment done, it doesn't have to be any fancier than a couple of pages of notes or descriptive information, then you talk to the Privacy Commissioner's office, then you can talk to your local consultants and you'll be well ahead of the game in my view.
Edited by Blair Stewart.