Privacy Commissioner Te Mana Matapono Matatapu
Office of the Privacy Commissioner
PO Box 10094, The Terrace, Wellington 6143
Level 8, 109-111 Featherston Street
Wellington, New Zealand
P +64 4 474 7590 F +64 4 474 7595
0800 803 909 Enquiries
privacy.org.nz
30 November 2016
Hon Amy Adams
Minister of Justice
Parliament Buildings
WELLINGTON
Dear Minister
FOUR MONTHLY REPORT OF THE PRIVACY COMMISSIONER FOR THE PERIOD 1 JULY 2016 TO 31 OCTOBER 2016
Highlights
• The development and launch of an online knowledge base — AskUs. The uptake has been positive and the tool is in active development.
• We have engaged and provided detailed analysis and comment on the draft Privacy Bill. We have also prepared further analysis of other additional matters for further consideration.
Complaints and investigations
In the year to date, we received 2662 enquiries from the public, broadly in line with projected workloads. Use of our online complaints form has increased steadily. As at the end of this reporting period, 40% of complaints received were submitted online. We received 40 data breach notifications during the quarter.
In the year to 31 October we received 316 complaints. We continued in our efforts to progress complaints efficiently and with a focus on early resolution. Our settlement rate was 44% which is better than our KPI of 35%.
Policy
A key focus for our policy work in the year to date has been providing advice to government agencies on initiatives involving information sharing. We have worked with the Ministry of Justice, the State Services Commission and the Government Chief Privacy Officer (GCPO) to progress the Cabinet Directive.
We worked jointly with the GCPO's office to provide direct support to agencies on the initiatives that can be progressed immediately or that can be progressed using an AISA. For example, we have met with the Commissioner of Police to discuss information sharing about dangerous addresses. The Commissioner confirmed that his expectation is that Police will share information about dangerous addresses with other enforcement agencies for the purpose of keeping staff safe.
OPC/0333 /A475434
Examples of other areas on which we provided advice include:
• the development of the information sharing framework for the new Family Violence Bill;
• the information sharing framework for the Ministry of Vulnerable Children Oranga Tamariki.
We made five submissions to Select Committees on the following Bills or other matters, including:
• the Enhancing Verifying Identity and Border Processes Legislation Bill; and
• the New Zealand Intelligence and Security Bill.
We are on track to meet our KPIs for the year.
We have now completed detailed analysis and provided comment to the Ministry of Justice and Parliamentary Counsel Office on all of the current draft Privacy Bill; this included on data breach notifications, compliance notices and appeal provisions in respect of the Commissioner's new powers.
We also began a five yearly review of the operation of the Privacy Act pursuant to s.26 of the Act, and have furnished you with a summary of our findings. I expect to be able to provide you with a formal report for tabling in the House within the coming few weeks.
We accepted a request for an advisory opinion from the New Zealand Fire Service and began work on preparing the opinion.
We released a joint report with the Independent Police Conduct Authority reviewing the Police Vetting Service in October.
Education and communications
A major development during the reporting period was the development and launch of an online knowledge base — called AskUs. It provides users with the opportunity to find out the answer to any privacy question they might have. The AskUs FAQ tool generates a range of possible options and users select the one that provides the best answer.
Although the tool is already very effective, the utility of the resource will increase over time as we monitor the questions that are asked and provide fresh content, or tweak the search functions to ensure subsequent users get the information they need even more efficiently. It has proved to have strong benefits for staff in responding to public enquiries as well as being positively received by the general public.
We have continued to maintain an active programme of regional outreach visits to Gisborne, Queenstown, Invercargill, Christchurch, Hamilton and Dunedin. I always visit "front-line" services including NGOs and DHBs during these visits, as well as holding public events. Not only are these visits appreciated by the people in the region, they provide a very helpful opportunity for me to "reality check" issues arising with information sharing with those actually providing public and social services.
Codes
Two developments of note:
• We have moved to a public submission stage on a review of the operation of the major changes made 5 years ago to the Credit Reporting Privacy Code. A primary focus is to verify whether positive credit reporting has brought demonstrated benefits to New Zealanders to outweigh privacy detriments.
• We have been working with MBIE with a view to proposing a code or code amendment to facilitate the introduction of a system to automatically show the location of mobile callers to the 111 line to speed emergency response. A code amendment is expected to be released for public comment in the next reporting period.
International
I chair the Executive Committee of the International Conference of Data Protection and Privacy Commissioners (ICDPPC) and the Office continues to provide the ICDPPC Secretariat. In this capacity, the Office was involved in preparing for the annual meeting in Marrakesh late in October. In addition to attending the Marrakesh conference and associated meetings, I took the opportunity to accept invitations to attend an International Intelligence Oversight forum in Bucharest, and to deliver a keynote address to the International Telecommunications Union Global Standards Symposium in Hammamet, Tunisia.
In July I participated in the twice yearly meeting of the Asia Pacific Privacy Authorities Forum in Singapore.
Financial Position
Equity continues to remain lower than Oct 2015 but is higher than at 30 June 2016. The latter is mainly due to lower liabilities than reported at June with accounts payable, accruals and employee entitlements being lower. Whilst leave accruals have increased (as would be expected prior to Christmas) the salary accrual at the end of October was considerably lower. Cash balances also remain slightly lower than at the year-end.
Revenue and Expenses
The Office is currently reporting a surplus of $10k for the 4 months to October 2016 against a budgeted deficit of $2k. This slightly improved result is due to expenditure for the 4 months being lower than budget overall.
Yours sincerely
John Edwards
Privacy Commissioner
Encl:
Appendix A: Financials for period ending 31 October 2016
Appendix B: Performance against Statements of Service Performance - Year to Date
Appendix C: Trend Analysis
Appendix A: Financials for period ending 31 October 2016
Statement of Comprehensive Income
For the 4 Months to 31 October 2016

| Prev. Year YTD Actual $000 | | Oct 2016 YTD Actual $000 | Oct 2016 YTD Budget $000 | YTD Var $000 | YTD Var % | Year-End Outlook $000 | Year-End SPE Forecast $000 |
|---|---|---|---|---|---|---|---|
| | Revenue | | | | | | |
| 1,657 | Revenue from Crown | 1,657 | 1,657 | | | 4,970 | 4,970 |
| 156 | Other Income | 104 | 107 | (3) | (3) | 170 | 173 |
| 12 | Interest | 10 | 16 | (6) | (38) | 42 | 48 |
| 1,825 | Total revenue | 1,771 | 1,780 | (9) | (1) | 5,182 | 5,191 |
| | Expenditure | | | | | | |
| 15 | Marketing | 9 | 19 | (10) | (53) | 58 | 68 |
| - | Audit Fees | | | | | 29 | 29 |
| 60 | Depreciation | 61 | 74 | (13) | (18) | 209 | 222 |
| 134 | Rental | 135 | 135 | | | 410 | 410 |
| 306 | Operating | 296 | 295 | 1 | | 796 | 794 |
| 1,313 | Staff Costs | 1,246 | 1,259 | (13) | (1) | 3,713 | 3,726 |
| 1,828 | Total expenditure | 1,747 | 1,782 | (35) | (2) | 5,215 | 5,249 |
| (3) | Net surplus / (deficit) | 24 | (2) | 26 | 1,300 | (33) | (58) |
Statement of Financial Position
As at 31 October 2016

| | Oct 2016 Actual $000 | Oct 2016 Budget $000 | YTD Var $000 | Year-End Outlook $000 | Year-End SPE Forecast $000 |
|---|---|---|---|---|---|
| ASSETS | | | | | |
| Current Assets | | | | | |
| Cash & Cash Equivalent | 813 | 1,084 | (271) | 798 | 1,080 |
| Debtors and Other Receivables | 46 | 40 | 6 | 61 | 44 |
| Inventory | 22 | 23 | (1) | 22 | 23 |
| Prepayments | 21 | 12 | 9 | 21 | 12 |
| Total Current Assets | 902 | 1,159 | (257) | 902 | 1,159 |
| Current Liabilities | | | | | |
| Creditors and other payables | 119 | 163 | (44) | 119 | 163 |
| Employee Entitlements | 189 | 225 | (36) | 189 | 225 |
| Total Current Liabilities | 308 | 388 | (80) | 308 | 388 |
| Working Capital | 594 | 771 | (177) | 594 | 771 |
| Non-Current Assets | | | | | |
| Property, Plant and Equipment | 381 | 412 | | | |
| Intangible Assets | 157 | | | | |
| Total Non-Current Assets | 538 | 480 | 58 | 469 | 412 |
| Non-current Liabilities | 65 | 65 | - | 53 | 53 |
| Net Assets | 1,067 | 1,186 | (119) | 1,010 | 1,130 |
| Public Equity | | | | | |
| Opening Balance | 1,043 | 1,188 | (145) | 1,043 | 1,188 |
| Accumulated Surplus | 24 | (2) | 26 | (33) | (58) |
| Total Public Equity | 1,067 | 1,186 | (119) | 1,010 | 1,130 |
Statement of Cash Flows
As at 31 October 2016

| | Oct 2016 Actual $000 | Oct 2016 Budget $000 | Year-End Outlook $000 | Year-End SPE Forecast $000 |
|---|---|---|---|---|
| Cash Flows from Operating Activities | | | | |
| Cash was Provided from: | | | | |
| Government Grant | 1,657 | 1,657 | 4,970 | 4,970 |
| Other Income | 91 | 107 | 157 | 173 |
| Interest | 10 | 16 | 42 | 48 |
| | 1,758 | 1,780 | 5,169 | 5,191 |
| Cash was Applied to: | | | | |
| Payments to Suppliers | 554 | 460 | 1,432 | 1,325 |
| Payments to Employees | 1,270 | 1,260 | 3,737 | 3,726 |
| Payments of GST | (9) | (8) | (5) | (4) |
| | 1,815 | 1,712 | 5,164 | 5,047 |
| Net Cash Flow applied to Operating Activities | (57) | 68 | 5 | 144 |
| Cash Flows from Investment Activities | | | | |
| Cash was applied to Purchase of Fixed Assets | 15 | 65 | 92 | 145 |
| Net Cash flows applied to Investing Activities | (15) | (65) | (92) | (145) |
| Cash was Provided from: Sale of Fixed Assets | 0 | | | |
| Net Cash Flow from Investment Activities | (16) | (65) | (92) | (145) |
| Net Increase/(Decrease) in Cash Held | (72) | 3 | (87) | (1) |
| Cash brought forward | 885 | 1,081 | 885 | 1,081 |
| Closing cash carried forward | 813 | 1,084 | 798 | 1,080 |
| Cash made up of: | | | | |
| Cash on hand | - | - | - | |
| National Bank-Cheque | 213 | 284 | 198 | 80 |
| National Bank - Deposit | 600 | 800 | 600 | 1,000 |
| | 813 | 1,084 | 798 | 1,080 |
Appendix B: Performance against Statements of Service Performance - Year to Date
Output 1 - Guidance, education and awareness
Guidance, education and awareness: Quantity

| Measure | Achieved As at 31 Oct | Expectation As at 31 Oct (as per SPE) |
|---|---|---|
| Number of people completing education modules on the new on-line system | 779. Completion has been assessed as those who have completed the post course quiz in the quarter. | 834 |
| Presentations at conferences / seminars | 40 | 30 |
| Public enquiries received and answered | 2,662 | 2,500 |
| Media enquiries received and answered | 62 | 84 |

Guidance, education and awareness: Quality

| Measure | Achieved As at 31 Oct | Expectation As at 31 Oct (as per SPE) |
|---|---|---|
| Evaluations following on-line training indicate increased understanding by the participant in 80% of evaluations. | Currently 47% have increased their understanding in the Health 101, Privacy 101 and PIA modules. A further 22% scored 100% in the tests both | 80% |
| Website contains up-to-date copies of all current guidance from the Privacy Commissioner, and additional resources to support compliance with the Act. | Achieved | Achieved |
| The office engages with a wide range of stakeholders both nationally and internationally through our policy, dispute resolution and public affairs work. | Achieved. The Office runs a programme of regional outreach visits; is readily accessible to media; is active on social media; runs a well-used public enquiry line and online help; leads and engages in a number of international privacy organisations and forums. | Achieved |
| The percentage of respondents to the annual stakeholder survey who indicate, where applicable, that the guidance materials reviewed on the website were useful and met their needs. | Measured at year end. | 85% |
| Provide advice and training to key stakeholders regarding information sharing to provide an understanding across the public sector of how information can be shared to achieve results and minimise risks, including the use of technology. | Achieved | Achieved |

Guidance, education and awareness: Timeliness

| Measure | Achieved As at 31 Oct | Expectation As at 31 Oct (as per SPE) |
|---|---|---|
| Respond to all enquiries within 1 working day. | 93% | 100% |
| Guidance materials are produced within agreed timelines as set out in the work plan. | Achieved | Achieved |
Output 2 - Policy and Research
Policy and Research: Quantity

| Measure | Achieved As at 31 Oct | Expectation As at 31 Oct (as per SPE) |
|---|---|---|
| The number of the following pieces of work completed during the year: | | |
| Proposals involving the use of personal information or other privacy issues, received for consultation or advice from the public and private sectors; | 51 | 33 |
| Submissions and other formal reports, including submissions to select committees; and | 7 | 5 |
| Office projects, including research projects. | 4 | 3 |
| Identifiable progress in international efforts in which we are actively engaged to work towards more sustainable platforms for cross border co-operation. | Achieved. In October a resolution on International Enforcement Co-operation was adopted at the ICDPPC annual conference. | Achieved |

Policy and Research: Quality

| Measure | Achieved As at 31 Oct | Expectation As at 31 Oct (as per SPE) |
|---|---|---|
| The percentage of recipients of policy advice who are satisfied with the service they received from the Privacy Commissioner. | Measured at year end. | 85% |
| Our participation in the law reform process is valued by the Ministry of Justice. | Measured at year end. | Achieved |
| The percentage of externally reviewed policy files that are rated 3.5 out of 5 or better for quality. | Measured at year end. | 85% |

Policy and Research: Timeliness

| Measure | Achieved As at 31 Oct | Expectation As at 31 Oct (as per SPE) |
|---|---|---|
| The percentage of policy files where advice was delivered within agreed timeframes | 97% | 100% |
| Requests for input into the law reform are made available within agreed timeframes. | Measured at year end. | 90% |
Output 3 - Information sharing/matching
Information sharing/matching: Quantity

| Measure | Achieved As at 31 Oct | Expectation As at 31 Oct (as per SPE) |
|---|---|---|
| The number of information matching programmes monitored under Part 10 of the Privacy Act | 54 | 56 |
| The number of new Approved Information Sharing Agreements received for consultation under s96(O) of the Privacy Act | 0. There are a number of AISAs in the pipeline that are coming to the Office for consultation under s96(O), but as the consultation process is not yet complete, "0" is being reported. | 1 |
| The number of formal reports produced that relate to information sharing or information matching programmes, under sections 96O, 96P, 96X or 106 of the Privacy Act | 3 | 1 |
| The number of proposals consulted on involving information sharing or matching between government agencies, completed during the year | 14 | 3 |

Better Public Services: Quality

| Measure | Achieved As at 31 Oct | Expectation As at 31 Oct (as per SPE) |
|---|---|---|
| The percentage of recipients of information sharing and matching advice that are satisfied with the service they received from the Privacy Commissioner | Measured at year end. | 85% |
| The percentage of externally reviewed information sharing and matching files that are rated as 3.5 out of 5 or better for quality | Measured at year end. | 85% |

Better Public Services: Timeliness

| Measure | Achieved As at 31 Oct | Expectation As at 31 Oct (as per SPE) |
|---|---|---|
| The percentage of information sharing and matching files where advice was delivered within agreed timeframes | 87% | 100% |
Output 4 - Compliance
Compliance: Quantity

| Measure | Achieved As at 31 Oct | Expectation As at 31 Oct (as per SPE) |
|---|---|---|
| Number of complaints received | 316 | 300 |
| Number of data breach notifications received | 40 | 34 |

Compliance: Quality

| Measure | Achieved As at 31 Oct | Expectation As at 31 Oct (as per SPE) |
|---|---|---|
| The percentage of complainants and respondents who rate their satisfaction with the complaints handling process as "satisfactory" or better | Measured at year end. | 65% |
| The percentage of complaints files closed by settlement between the parties | 44% | 40% |
| Amendments to Codes of Practice meet all statutory requirements | Not applicable during this 4 month period. | 100% |
| The percentage of externally reviewed complaints investigations that are rated as 3.5 out of 5 or better for quality | External review of first quarter of the year currently on-going. | 85% |

Compliance: Timeliness

| Measure | Achieved As at 31 Oct | Expectation As at 31 Oct (as per SPE) |
|---|---|---|
| The percentage of open files greater than 6 months old at the year end. | Measured at year end. | 10% |
| Review of the operation of Credit Reporting Code substantially progressed. | Ongoing - the public submission progress began. | Achieved |
SPOTLIGHT REPORTING
OFFICE OF THE PRIVACY COMMISSIONER - TREND ANALYSIS - OCTOBER 2016
Prepared 14 November 2016

NON-FINANCIAL KPIS - INVESTIGATIONS AND ENQUIRIES

[Chart: Complaints received. Series: complaints received, complaints received monthly target; Oct 15 to Oct 16.] To show the trend in complaints received on a monthly basis across the year.
[Chart: % complaints greater than 6 mths old. Series: % complaints files, target.] To show the % of complaints work in progress greater than 6 months old against target and the previous year.
[Chart: Closure through settlement. Series: % closed by settlement, % closed by settlement target, total complaints closed; Oct 15 to Oct 16.] To show the number and % of files closed through settlement between the parties.
[Chart: Media enquiries received. Series: media enquiries received; Oct 15 to Oct 16.] To show the number of media enquiries by month.

NON-FINANCIAL KPIS - POLICY, COMMUNICATIONS AND BREACHES

[Chart: Policy files closed by category; Jul to Jun.] To show the number of policy files that have been completed during the month. The categorisation of these is as per the SPE.
[Chart: Policy files completed within timeframes; Jul to Jun.] To highlight the timeliness of completion of the Office's policy work. The target (as set in the SPE) is 100%.
[Chart: Number of on-line module completions. Series: AISA, PIA, Privacy 101, Health 101; Jul to Jun.] To identify the numbers of users on a monthly basis who have completed the on-line modules. For the AISA on-line module the figure just represents numbers registering as it is not possible to ascertain
[Chart: % completion of on-line modules. Series: Health 101, PIA, Privacy 101; Jul to Jun.] To give an indication of the % of users completing the on-line modules after registering.
[Chart: Visits to the website; Oct 15 to Oct 16.] To show the number of visitors to the website on a monthly basis over the past 12 months.
[Chart: Breach notifications. Series: public, private; Oct 15 to Oct 16.] This shows the trend in breach notifications relating to public and private entities. This result will be shown on a cumulative basis over the course of the year

The figures above have been compiled from information provided to us. The compilation of figures has not involved the verification of the information. This report and the contents herein are the property of Office of the Privacy Commissioner and cannot be used or copied without express permission