privacy as a stakeholder interest in new zealand: transparency in corporate governance practices
DESCRIPTION
Privacy as a Stakeholder Interest in New Zealand: Transparency in Corporate Governance Practices. Associate Professor Gehan Gunasekara Asian Privacy Scholars Network Conference Hong Kong 9 July2013. Introduction . Privacy public issue in NZ E.g. ACC, WINZ breaches, IRD - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: Privacy as a Stakeholder Interest in New Zealand: Transparency in Corporate Governance Practices](https://reader035.vdocument.in/reader035/viewer/2022062521/568168af550346895ddf6dc1/html5/thumbnails/1.jpg)
Privacy as a Stakeholder Interest in New Zealand: Transparency in Corporate Governance Practices
Associate Professor Gehan Gunasekara
Asian Privacy Scholars Network ConferenceHong Kong9 July2013
![Page 2: Privacy as a Stakeholder Interest in New Zealand: Transparency in Corporate Governance Practices](https://reader035.vdocument.in/reader035/viewer/2022062521/568168af550346895ddf6dc1/html5/thumbnails/2.jpg)
Introduction • Privacy public issue in NZ
– E.g. ACC, WINZ breaches, IRD• Business vulnerable
– E.g. UMR poll (2012) 82% concerned at misuse of personal information (PI) by business
– 88% thought businesses misusing PI should be “punished”
• KPMG report into ACC recommends public reporting of privacy performance
• Paper argues corporate governance enables same for companies through stakeholder recognition
• Examines value given to privacy versus other interests, performance & best practice
![Page 3: Privacy as a Stakeholder Interest in New Zealand: Transparency in Corporate Governance Practices](https://reader035.vdocument.in/reader035/viewer/2022062521/568168af550346895ddf6dc1/html5/thumbnails/3.jpg)
Paper outline• Methodology• Stakeholder principle and privacy as a right or
interest• Corporate governance guidelines in NZ &
Australia• Analysis of governance documents & privacy
as stakeholder interest• Legal issue raised from content of documents• Overseas companies performance• Conclusions/recommendations on best practice
![Page 4: Privacy as a Stakeholder Interest in New Zealand: Transparency in Corporate Governance Practices](https://reader035.vdocument.in/reader035/viewer/2022062521/568168af550346895ddf6dc1/html5/thumbnails/4.jpg)
Methodology • review of governance documents
– the statistical occurrence of the words “privacy” and “confidential” and related terms such as the Privacy Act
– Context in which occur• Data Set: (1) NZX and, for comparison (2) NYSE
(New York Stock Exchange)• Time frame: November 2012- January 2013• Some exclusions, e.g. non-company issuers such
as income funds & trusts• 130 companies – NZ incorporated (105) +
overseas incorporated (25). Comparisons between subsets
![Page 5: Privacy as a Stakeholder Interest in New Zealand: Transparency in Corporate Governance Practices](https://reader035.vdocument.in/reader035/viewer/2022062521/568168af550346895ddf6dc1/html5/thumbnails/5.jpg)
Methodology cont’d• NYSE comparative
snapshot:– Random selection of
10 securities out of 3258
– Further random selection of 18 from Consumer sector c.f. all 18 companies in equivalent NZ category
![Page 6: Privacy as a Stakeholder Interest in New Zealand: Transparency in Corporate Governance Practices](https://reader035.vdocument.in/reader035/viewer/2022062521/568168af550346895ddf6dc1/html5/thumbnails/6.jpg)
Privacy as stakeholder interest• Stakeholder principle in management theory =
broad principle informing governance• Stakeholder includes any group/individual who
may be affected/harmed• Economic significance of PI• E.g. Facebook, Google• E.g. outsourcing/cloud computing • Potential harms such as identity theft, hacking
![Page 7: Privacy as a Stakeholder Interest in New Zealand: Transparency in Corporate Governance Practices](https://reader035.vdocument.in/reader035/viewer/2022062521/568168af550346895ddf6dc1/html5/thumbnails/7.jpg)
Difficulty with management theory• “interests” versus legal “rights” & “remedies”• For privacy both interests & rights relevant• E.g. consumer trust important• Privacy Act 1993 (OECD model) requirements
– Transparency and accountability requirements– Complaints and remedies
• Section 14(a) Commissioner to balance competing interests
• Principles-based approach enables bridge between legal/management theories
![Page 8: Privacy as a Stakeholder Interest in New Zealand: Transparency in Corporate Governance Practices](https://reader035.vdocument.in/reader035/viewer/2022062521/568168af550346895ddf6dc1/html5/thumbnails/8.jpg)
Collection Storage/ Disclosure/Use Disposal
Information privacy principles (IPPs) cover entire spectrum
The Information Life Cycle
![Page 9: Privacy as a Stakeholder Interest in New Zealand: Transparency in Corporate Governance Practices](https://reader035.vdocument.in/reader035/viewer/2022062521/568168af550346895ddf6dc1/html5/thumbnails/9.jpg)
Management theory cont’d• Motivation: brand image & reputation c.f. legal
sanction• Two converge with privacy: transparency is a
requirement and accountability as legal consequence
• Law Commission Review (NZ):– Audit power to Commissioner– Compliance orders for systemic breaches
![Page 10: Privacy as a Stakeholder Interest in New Zealand: Transparency in Corporate Governance Practices](https://reader035.vdocument.in/reader035/viewer/2022062521/568168af550346895ddf6dc1/html5/thumbnails/10.jpg)
Corporate Governance Guidelines• NZX Listing Rules:
Corporate Governance Best Practice Code:– Non-prescriptive re ethics
code requirements– No specific mention of
privacy but receipt of corporate information and conflicts of interest mentioned
– Catch-all “compliance with applicable laws, regulations and rules”
![Page 11: Privacy as a Stakeholder Interest in New Zealand: Transparency in Corporate Governance Practices](https://reader035.vdocument.in/reader035/viewer/2022062521/568168af550346895ddf6dc1/html5/thumbnails/11.jpg)
Corporate Governance Guidelines• ASX Corporate Governance Code:• More prescriptive e.g. recommendation 3.1:
– Measure to protect company’s integrity– Measures to comply legally– Accountability measure for reporting and
investigating breaches– Specific mention of privacy policy as example of
responsibility to individual• Suggests measures followed to promote
compliance with legislation & whether local or Australian standards followed
![Page 12: Privacy as a Stakeholder Interest in New Zealand: Transparency in Corporate Governance Practices](https://reader035.vdocument.in/reader035/viewer/2022062521/568168af550346895ddf6dc1/html5/thumbnails/12.jpg)
Analysis of governance documents • Annual reports• Codes of ethics (or codes of conduct)• Board charters• Corporate governance codes or guidelines• Corporate social responsibility reports (CSR)
(also sometimes labelled sustainability reports)
![Page 13: Privacy as a Stakeholder Interest in New Zealand: Transparency in Corporate Governance Practices](https://reader035.vdocument.in/reader035/viewer/2022062521/568168af550346895ddf6dc1/html5/thumbnails/13.jpg)
Privacy as stakeholder interest: (all categories)
Total number of Companies
Companies recognising “Privacy” interests
Companies recognising “Confidentiality” interests
Number % Number %
Overall 140 30 21 87 62
NZX NZ Companies 105 16 15 63 60
NZX Overseas Companies 25 6 24 14 56
NYSE Companies 10 8 80 10 100
![Page 14: Privacy as a Stakeholder Interest in New Zealand: Transparency in Corporate Governance Practices](https://reader035.vdocument.in/reader035/viewer/2022062521/568168af550346895ddf6dc1/html5/thumbnails/14.jpg)
Analysis • Relative importance given to privacy and
confidentiality• Overseas NZX & NYSE did better across board
![Page 15: Privacy as a Stakeholder Interest in New Zealand: Transparency in Corporate Governance Practices](https://reader035.vdocument.in/reader035/viewer/2022062521/568168af550346895ddf6dc1/html5/thumbnails/15.jpg)
Types of governance documents• Annual reports: shareholder constituency• Corporate social responsibility reports (CSR):
aimed at community• Codes of ethics/conduct: aimed at consumers,
employees and community and most useful – 54% of NZ listed entities had publicly accessible
codes
![Page 16: Privacy as a Stakeholder Interest in New Zealand: Transparency in Corporate Governance Practices](https://reader035.vdocument.in/reader035/viewer/2022062521/568168af550346895ddf6dc1/html5/thumbnails/16.jpg)
Codes of ethics and privacy
1955
84 9181
4516 9
Percentage of companies with Codes of Ethics that mention privacy or confidentiality
Percentage mentioned Percentage not mentioned
![Page 17: Privacy as a Stakeholder Interest in New Zealand: Transparency in Corporate Governance Practices](https://reader035.vdocument.in/reader035/viewer/2022062521/568168af550346895ddf6dc1/html5/thumbnails/17.jpg)
Annual reports• Both privacy & confidentiality minority interests• A few referred to specific policies for protecting
privacy/Privacy Act compliance– Link between ideals and achievement by
employees/management– Future privacy audits can focus on employee training– Accountability (KPIs) for non-compliance
• Privacy policies largely omitted from all governance documents
• Kircaldie & Stains Ltd was standout as referred to Global Reporting Initiative (GRI) and number of complaints regarding privacy and data loss
![Page 18: Privacy as a Stakeholder Interest in New Zealand: Transparency in Corporate Governance Practices](https://reader035.vdocument.in/reader035/viewer/2022062521/568168af550346895ddf6dc1/html5/thumbnails/18.jpg)
Corporate Social Responsibility Reports (CSR)• Only 4% of NZX had publicly accessible CSR• C.f. 24% overseas NZX and 50% for the NYSE• Tended to give equal prominence to privacy and
confidentiality:– NZX 25% for both– NYSE 60% for both
![Page 19: Privacy as a Stakeholder Interest in New Zealand: Transparency in Corporate Governance Practices](https://reader035.vdocument.in/reader035/viewer/2022062521/568168af550346895ddf6dc1/html5/thumbnails/19.jpg)
NZ Codes of Ethics• Ranged from cryptic to detailed• E.g. Kathmandu Holdings Ltd’s Principle 7:
“Privacy, Intellectual Property and Advantage”• PI and business information treated alongside
one another• Link to employee fiduciary duties useful but
danger of information overload• Several vague on applicable privacy laws
![Page 20: Privacy as a Stakeholder Interest in New Zealand: Transparency in Corporate Governance Practices](https://reader035.vdocument.in/reader035/viewer/2022062521/568168af550346895ddf6dc1/html5/thumbnails/20.jpg)
NZ Codes of Ethics cont’d • Skycity Entertainment Group Ltd
– referred to Privacy Act compliance programme – Clearly differentiated privacy and confidentiality
• Others less impressive:– An aged care business referred to confidential
information and PI being protected by Privacy Act and requests for PI by third parties
– Privacy principles cover information life-cycle and give access to individuals of own PI hence reference to requests by third parties confusing
– Note: one of the reasons access to PI can be denied is information supplied by third parties in confidence
![Page 21: Privacy as a Stakeholder Interest in New Zealand: Transparency in Corporate Governance Practices](https://reader035.vdocument.in/reader035/viewer/2022062521/568168af550346895ddf6dc1/html5/thumbnails/21.jpg)
Privacy/confidentiality distinction• Confidentiality protects wider range of
interests than privacy• Can be protected in multiple ways:
– Contract– Equitable action for breach of confidence
• PI definition: "information about an identifiable individual” wider than confidential information
• Aimed at mischiefs such as aggregation, accessibility of everyday information and harms such as vulnerability, spill over risks etc
![Page 22: Privacy as a Stakeholder Interest in New Zealand: Transparency in Corporate Governance Practices](https://reader035.vdocument.in/reader035/viewer/2022062521/568168af550346895ddf6dc1/html5/thumbnails/22.jpg)
Privacy/confidentiality distinction cont’d• Two concepts intermingled. E.g.:
– Nuplex Industries Ltd: “It is vital that we protect the privacy of Nuplex’s confidential information.”
– Pumpkin Patch Ltd’s similar but then states:“Employees must not use confidential information for unauthorised purposes. They must also take reasonable care to protect confidential information against loss, theft, unauthorised access, alteration, or misuse.”
– These are essentially requirements of the IPPs– Telecom Corporation of New Zealand Ltd also mixed
concepts
![Page 23: Privacy as a Stakeholder Interest in New Zealand: Transparency in Corporate Governance Practices](https://reader035.vdocument.in/reader035/viewer/2022062521/568168af550346895ddf6dc1/html5/thumbnails/23.jpg)
Privacy/confidentiality distinction cont’d• A simple example to demonstrate distinction in
everyday application• Best practice:
– treat privacy and confidentiality as distinct concepts– Aspects can be duplicated but under separate
headings
![Page 24: Privacy as a Stakeholder Interest in New Zealand: Transparency in Corporate Governance Practices](https://reader035.vdocument.in/reader035/viewer/2022062521/568168af550346895ddf6dc1/html5/thumbnails/24.jpg)
Overseas Companies on NZX• Examples of best practice:
– Annual reports linking/referencing governance documents
– Elaboration of how compliance achieved: e.g. Downer EDI Ltd’s Standards of Business Conduct refers to privacy policy, information life-cycle and examples of good/bad practice
– Confidentiality and privacy treated separately, e.g. Downer EDI Ltd
– Pacific Brand’s refers to privacy policy on intranet and advises contact with legal team when necessary
![Page 25: Privacy as a Stakeholder Interest in New Zealand: Transparency in Corporate Governance Practices](https://reader035.vdocument.in/reader035/viewer/2022062521/568168af550346895ddf6dc1/html5/thumbnails/25.jpg)
Overseas Companies cont’d• Telstra Corporation’s CSR: Telstra Clear Bigger
Picture 2012: Sustainability Report 2012– section on “Privacy protection”– Clear goal plus statement of how achieved AND how
breaches dealt with– Link to privacy policy– Incidents in 2012, systemic changes as result– Voluntary notification to privacy authorities listed
![Page 26: Privacy as a Stakeholder Interest in New Zealand: Transparency in Corporate Governance Practices](https://reader035.vdocument.in/reader035/viewer/2022062521/568168af550346895ddf6dc1/html5/thumbnails/26.jpg)
Sector comparisons: Consumer Sector (NZ) c.f. Consumer Durables/Non-durables (USA)
Annual Reports Board Charter Code of Ethics Corp Gov Code CSR
3
0
3
0 0
2
0
8
0
4
Total number of companies that mention privacy in publicly available documents
NZX NZ Companies NYSE Companies
![Page 27: Privacy as a Stakeholder Interest in New Zealand: Transparency in Corporate Governance Practices](https://reader035.vdocument.in/reader035/viewer/2022062521/568168af550346895ddf6dc1/html5/thumbnails/27.jpg)
Sector comparisons cont’d
Annual Reports
Board Charter
Code of Ethics
Corp Gov Code
CSR
7
2
64
0
54
17
12
Total number of companies that mention confidentiality in publicly available docu-
mentsNZX NZ Companies NYSE Companies
![Page 28: Privacy as a Stakeholder Interest in New Zealand: Transparency in Corporate Governance Practices](https://reader035.vdocument.in/reader035/viewer/2022062521/568168af550346895ddf6dc1/html5/thumbnails/28.jpg)
Conclusions….• Privacy protection afforded lesser status to
confidential information (except CSR)• Approximately half of the NZX companies had
accessible codes of ethics but only a fifth of these dealt with privacy
• Content often vague/confusing• Australian companies on NZX generally
exemplary• NYSE companies also superior in privacy
coverage• Privacy protection as management discipline