privacy commissioner office of the privacy commissioner te ......in the year to date, we received...

Privacy Commissioner Te Mana Matapono Matatapu

Office of the Privacy Commissioner

PO Box 10094, The Terrace, Wellington 6143

Level 8, 109— 111 Featherston Street

Wellington, New Zealand

P +64 4 474 7590 F +64 4 474 7595

E [email protected]

0800 803 909 Enquiries

privacy.org.nz

30 November 2016

Hon Amy Adams Minister of Justice Parliament Buildings WELLINGTON

Dear Minister

FOUR MONTHLY REPORT OF THE PRIVACY COMMISSIONER FOR THE PERIOD 1 JULY 2016 TO 31 OCTOBER 2016

Highlights

• The development and launch of an online knowledge base — AskUs. The uptake has been positive and the tool is in active development.

• We have engaged and provided detailed analysis and comment on the draft Privacy Bill. We have also prepared further analysis of other additional matters for further consideration.

Complaints and investigations

In the year to date, we received 2662 enquiries from the public, broadly in line with projected workloads. Use of our online complaints form has increased steadily. As at the end of this reporting period, 40% of complaints received were submitted online. We received 40 data breach notifications during the quarter.

In the year to 31 October we received 316 complaints. We continued in our efforts to progress complaints efficiently and with a focus on early resolution. Our settlement rate was 44% which is better than our KPI of 35%.

Policy

A key focus for our policy work in the year to date has been providing advice to government agencies on initiatives involving information sharing. We have worked with the Ministry of Justice, the State Services Commission and the Government Chief Privacy Officer (GCPO) to progress the Cabinet Directive.

We worked jointly with the GCPO's office to provide direct support to agencies on the initiatives that can be progressed immediately or that can be progressed using an AISA. For example, we have met with the Commissioner of Police to discuss information sharing about dangerous addresses. The Commissioner confirmed that his expectation is that Police will

OPC/0333 /A475434

share information about dangerous addresses with other enforcement agencies for the purpose of keeping staff safe.

Examples of other areas on which we provided advice include:

• the development of the information sharing framework for the new Family Violence Bill; • the information sharing framework for the Ministry of Vulnerable Children Oranga

Tamariki.

We made five submissions to Select Committees on the following Bills or other matters, including:

• the Enhancing Verifying Identity and Border Processes Legislation Bill; and • the New Zealand Intelligence and Security Bill.

We are on track to meet our KPIs for the year.

We have now completed detailed analysis and provided comment to the Ministry of Justice and Parliamentary Counsel Office on all of the current draft Privacy Bill; this included on data breach notifications, compliance notices and appeal provisions in respect of the Commissioner's new powers.

We also began a five yearly review of the operation of the Privacy Act pursuant to s.26 of the Act, and have furnished you with a summary of our findings. I expect to be able to provide you with a formal report for tabling in the House within the coming few weeks.

We accepted a request for an advisory opinion from the New Zealand Fire Service and began work on preparing the opinion.

We released a joint report with the Independent Police Conduct Authority reviewing the Police Vetting Service in October.

Education and communications

A major development during the reporting period was the development and launch of an online knowledge base — called AskUs. It provides users with the opportunity to find out the answer to any privacy question they might have. The AskUs FAQ tool generates a range of possible options and users select the one that provides the best answer.

Although the tool is already very effective, the utility of the resource will increase over time as we monitor the questions that are asked and provide fresh content, or tweak the search functions to ensure subsequent users get the information they need even more efficiently. It has proved to have strong benefits for staff in responding to public enquiries as well as being positively received by the general public.

We have continued to maintain an active programme of regional outreach visits to Gisborne, Queenstown, Invercargill, Christchurch, Hamilton and Dunedin. I always visit "front-line" services including NGOs and DHBs during these visits, as well as holding public events. Not only are these visits appreciated by the people in the region, they provide a very helpful opportunity for me to "reality check" issues arising with information sharing with those actually providing public and social services.

2

Codes

Two developments of note:

• We have moved to a public submission stage on a review of the operation of the major changes made 5 years ago to the Credit Reporting Privacy Code. A primary focus is to verify whether positive credit reporting has brought demonstrated benefits to New Zealanders to outweigh privacy detriments.

• We have been working with MBIE with a view to proposing a code or code amendment to facilitate the introduction of a system to automatically show the location of mobile callers to the 111 line to speed emergency response. A code amendment is expected to be released for public comment in the next reporting period.

International

I chair the Executive Committee of the International Conference of Data Protection and Privacy Commissioners (ICDPPC) and the Office continues to provide the ICDPPC Secretariat. In this capacity, the Office was involved in preparing for the annual meeting in Marrakesh late in October. In addition to attending the Marrakesh conference and associated meetings, I took the opportunity to accept invitations to attend an International Intelligence Oversight forum in Bucharest, and to deliver a keynote address to the International Telecommunications Union Global Standards Symposium in Hamnnamet, Tunisia.

In July I participated in the twice yearly meeting of the Asia Pacific Privacy Authorities Forum in Singapore.

Financial Position

Equity continues to remain lower than Oct 2015 but is higher than at 30 June 2016. The latter is mainly due to lower liabilities than reported at June with accounts payable, accruals and employee entitlements being lower. Whilst leave accruals have increased (as would be expected prior to Christmas) the salary accrual at the end of October was considerably lower. Cash balances also remain slightly lower than at the year-end.

Revenue and Expenses

The Office is currently reporting a surplus of $10k for the 4 months to October 2016 against a budgeted deficit of $2k. This slightly improved result is due to expenditure for the 4 months being lower than budget overall.

Yours sincerely

John Edwards Privacy Commissioner

End: Appendix A: Financials for period ending 31 October 2016 Appendix B: Performance against Statements of Service Performance - Year to Date Appendix C: Trend Analysis

3

Appendix A: Financials for period ending 31 October 2016

Statement of Comprehensive Income For the 4 Months to 31 October 2016

Prey. Year YTD

Actual $000

Revenue

Oct 2016 YTD

Actual $000

Oct 2016 YTD

Budget $000

Year-End

Outlook $000

Year-End SPE

Forecast $000

YTD Var $000

YTD Var

ok

1,657 Revenue from Crown 1,657 1,657 4,970 4970 156 Other Income 104 107 (3) (3) 170 173

12 Interest 10 16 (6) (38) 42 48 1,825 Total revenue 1,771 1,780 (9) (1) 5,182 5,191

Expenditure 15 Marketing 9 19 (10) (53) 58 68

- Audit Fees 29 29 60 Depreciation 61 74 (13) (18) 209 222

134 Rental 135 135 410 410 306 Operating 296 295 1 796 794

1,313 Staff Costs 1,246 1,259 (13) (1) 3,713 3,726 1,828 Total expenditure 1,747 1,782 (35) (2) 5,215 5,249

(3) Net surplus / (deficit) 24 (2) 26 1,300 (33) (58)

Statement of Financial Position As at 31 October 2016

Oct 2016

Oct 2016

Year-End Year-End

Actual $000

Budget $000

YTD Var

$000 Outlook

$000

SPE Forecast

$000

813 1,084 (271) 798 1,080 46 40 6 61 44 22 23 (1) 22 23 21 12 9 21 12

902 1,159 (257) 902 1,159

119 163 (44) 119 163 189 225 (36) 189 225 308 388 (80) 308 388

594 771 (177) 594 771

381 412 157 538 480 58 469 412

53 65 65 - 53 1,067 1,186 (119) 1,010 1,130

1,043 1,188 (145) 1,043 1,188 24 (2) 26 (33) (58)

1,067 1,186 (119) 1,010 1,130

ASSETS

Current Assets Cash & Cash Equivalent Debtors and Other Receivables Inventory Prepayments

Total Current Assets

Current Liabilities Creditors and other payables Employee Entitlements

Total Current Liabilities

Working Capital

Non-Current Assets Property, Plant and Equipment Intangible Assets

Total Non-Current Assets

Non-current Liabilities Net Assets

Public Equity Opening Balance Accumulated Surplus

Total Public Equity

Statement of Cash Flows As at 31 October 2016

Oct 2016

Actual $000

Oct 2016

Budget $000

Year-End

Outlook $000

Year-End SPE

Forecast $000

Cash Flows from Operating Activities Cash was Provided from: Government Grant 1,657 1,657 4,970 4,970 Other Income 91 107 157 173 Interest 10 16 42 48

1,758 1,780 5,169 5,191 Cash was Applied to: Payments to Suppliers 554 460 1,432 1,325 Payments to Employees 1,270 1,260 3,737 3,726 Payments of GST (9) (8) (5) (4)

1,815 1,712 5,164 5,047 Net Cash Flow applied to Operating Activities (57) 68 5 144

Cash Flows from Investment Activities Cash was applied to Purchase of Fixed Assets 15 65 92 145 Net Cash flows applied to Investing Activities (15) (65) (92) (145)

Cash was Provided from: Sale of Fixed Assets 0

Net Cash Flow from Investment Activities (16) (65) (92) (145)

Net Increase/(Decrease) in Cash Held (72) 3 (87) (1) Cash brought forward 885 1,081 885 1,081 Closing cash carried forward 813 1,084 798 1,080

Cash made up of: Cash on hand - - - National Bank-Cheque 213 284 198 80 National Bank - Deposit 600 800 600 1,000

813 1,084 798 1,080

2

Achieved As at 31 Oct

Expectation As at 31 Oct (as per SPE)

Measure

Evaluations following on-line training indicate increased understanding by the participant in 80% of evaluations.

Currently 47% have increased their

understanding in the Health 101, Privacy 101

and PIA modules. A further 22% scored 100% in the tests both

80%

Website contains up-to-date copies of all current guidance from the Privacy Commissioner, and additional resources to support compliance with the Act.

The office engages with a wide range of stakeholders both nationally and internationally through our policy, dispute resolution and public affairs work.

The percentage of respondents to the annual stakeholder survey who indicate, where applicable, that the guidance materials reviewed on the website were useful and met their needs.

Provide advice and training to key stakeholders regarding information sharing to provide an understanding across the public sector of how information can be shared to achieve results and minimise risks, including the use of technology.

Achieved

Achieved. The Office runs a programme of

regional outreach visits; is readily accessible to

media; is active on social media; runs a

well-used public enquiry line and online help;

leads and engages in a number of international privacy organisations

and forums.

Measured at year end.

Achieved

Achieved

Achieved

85%

Achieved

Appendix B: Performance against Statements of Service Performance - Year to Date

Output I - Guidance, education and awareness

Guidance, education and awareness: Quantity

Number of people completing education modules on the new on-line system

Presentations at conferences / seminars

Public enquiries received and answered

Media enquiries received and answered

779 Completion has been

assessed as those who have completed the post

course quiz in the quarter.

40

2,662

62

834

30

2,500

84

Guidance, education and awareness: Quality

Guidance, education and awareness: Timeliness

Respond to all enquiries within 1 working day. 93%

100%

Guidance materials are produced within agreed timelines as Achieved Achieved

3

Measure Achieved As at 31 Oct




set out in the work plan.

Output 2 - Policy and Research

Policy and Research: Quantity

The number of the following pieces of work completed during the year:

Proposals involving the use of personal information or 51

33 other privacy issues, received for consultation or advice from the public and private sectors; Submissions and other formal reports, including 7

5

submissions to select committees; and Office projects, including research projects. 4

3

Identifiable progress in international efforts in which we are actively engaged to work towards more sustainable platforms for cross border co-operation.

Achieved In October a resolution

on International Enforcement Co-

operation was adopted at the ICDPPC annual

conference.

Achieved

Policy and Research: Quality

The percentage of recipients of policy advice who are satisfied with the service they received from the Privacy Commissioner.

Our participation in the law reform process is valued by the Ministry of Justice.

The percentage of externally reviewed policy files that are rated 3.5 out of 5 or better for quality.




85%

Achieved

85%

Policy and Research: Timeliness

The percentage of policy files where advice was delivered

97%

100% within agreed timeframes

Requests for input into the law reform are made available Measured at year end. 90% within agreed timeframes.

Output 3— Information sharing/matching



Information sharing/matching: Quantity

The number of information matching programmes 54

56

4


Achieved As at 31 Oct Measure

1

3 1

14 3

0 There are a number of AISAs in the pipeline that are coming to the Office for consultation

under s96(0), but as the consultation process is not yet complete, "0" is

being reported.

The number of new Approved Information Sharing Agreements received for consultation under 596(0) of the Privacy Act

The number of formal reports produced that relate to information sharing or information matching programmes, under sections 960, 96P, 96X or 106 of the Privacy Act

The number of proposals consulted on involving information sharing or matching between government agencies, completed during the year

monitored under Part 10 of the Privacy Act

Better Public Services: Quality

The percentage of recipients of information sharing and matching advice that are satisfied with the service they received from the Privacy Commissioner

The percentage of externally reviewed information sharing and matching files that are rated as 3.5 out of 5 or better for quality



85%

85%

Better Public Services: Timeliness

The percentage of information sharing and matching files 87%

100% where advice was delivered within agreed timeframes

Output 4 - Compliance

Measure

Compliance: Quantity

Number of complaints received

Number of data breach notifications received

Compliance: Quality

The percentage of complainants' and respondents' who rate their satisfaction with the complaints handling process as "satisfactory" or better

The percentage of complaints files closed by settlement between the parties

Achieved As at 31 Oct


316

40

300

34


44%

65%

40%

5



Amendments to Codes of Practice meet all statutory Not applicable during 100% requirements this 4 month period.

The percentage of externally reviewed complaints External review of first

85% investigations that are rated as 3.5 out of 5 or better for quarter of the year quality currently on-going.

Compliance: Timeliness

The percentage of open files greater than 6 months old at the year end.

Review of the operation of Credit Reporting Code substantially progressed.


Ongoing - the public submission progress

began.

10%

Achieved

6

SP OTLIGHT REPORTING

OFFICE OF THE PRIVACY COMMISSIONER TREND ANALYSIS - OCTOBER 2016

Prepared 14 November 2016

• 120 Numbed% % closed by settlement El % closed by settlement target Total complaints closed • Clos etgement

48

24

OCT 15 DEC 15 FEB 16 APR 16 JUN 16 AUG 16 OCT 16 OCT 15 DEC 15 FEB 16 APR 16 JUN 16 AUG 16 OCT 16

120 Number II Complaints received • Complaints received mthly target 20

OCT 15 DEC 15 FEB 16 APR 16 JUN 16 AUG 16

16

12

4

OCT 16

96

R % complaints files • Target

OFFICE OF THE PRIVACY COMMISSIONER -TREND ANALYSIS - OCTOBER 2016

NON - FINANCIAL KPIS - INVESTIGATIONS AND ENQUIRIES

Complaints received % complaints greater than 6 mths old Closure through settlement

To show the trend in complaints received on a monthly basis across the To show the % of complaints work in progress greater than 6 months old To show the number and % of files closed through settlement between the year. against target and the previous year. parties.

Media Enquiries received

30 Number

24

18

12

6

0

• Media enquiries received

OCT 15 DEC 15 FEB 16 APR 16

JUN 16 AUG 16 OCT 16

To show the number of media enquiries by month.

The figures above have been compiled from information provided to us. The compilation of figures has not involved the venficat Page 2 of 3 This report and the contents herein are the property of Office of the Privacy Commissioner and cannot be used or copied with:

Policy files closed by category Policy files completed within timeframes Number of on-line module completions

AISA • PIA 300 Numbers of users • Privacy 101 • Health 10 25 Numberrolftwsals • Submissions to ISM files • Office projects Ii'fliiiittwork delivered on time • Target at IM/IS advice delivered on time

20 80

15 60

111 JUL AUG SEP OCT NOV DEC JAN FEB MAR APR MAY JUN JUL AUG SEP OCT NOV DEC JAN FEB MAR APR MAY JUN JUL AUG SEP OCT NOV DEC JAN FEB MAR APR MAY JUN

10

240

180

120

60

40_

20

OFFICE OF THE PRIVACY COMMISSIONER - TREND ANALYSIS - OCTOBER 2016 NON-FINANCIAL KPIS - POLICY, COMMUNICATIONS AND BREACHES

To show the number of policy files that have been completed during the month. The categorisation of these is as per the SPE.

% completion of on-line modules

To highlight the timeliness of completion of the Offices policy work. The target (as set in the SPE) is 100%.

Visits to the website

To identify the numbers of users on a monthly basis who have completed the on-line modules. For the AISA on-line module the figure just represents numbers registering as it is not possible to ascertain

Breach notifications

100 % EX Health 101 % completions It PIA % completions -Macy 101 % completed

80

60

40

Ii 1i1 JUL AUG SEP III NOV DEC JAN FEB MAR APR MAY UN

25 Numbers of visa a3e6 number of visitors I Number of unique visitors 10 Number of files • Public • Private

20 8

15 6

4

2

0 OCT 15 DEC 15 FEB 16 APR 16 JUN 16 AUG 16 OCT 16 OCT 15 DEC 15 FEB 16 APR 16 JUN 16 AUG 16 OCT 16

To give an indication of the % of users completing the on-line modules To show the number of visitors to the website on a monthly basis over the This shows the trend in breach notifications relating to public and private after registering. past 12 months. entities. This result will be shown on a cumulative basis over the course of the year

The figures above nave been compiled from information provided to us. The compilation of figures has not involved the venfication of the information. Page 3 of 3 This report and the contents herein are the property of Office of the Privacy Commissioner and cannot be used or copied without express permission

privacy commissioner office of the privacy commissioner te ......in the year to date, we received...

Documents