Video transcript: Data in the public sector – Part 1: Privacy by design
Title: Data in the public sector – An interview with the Government Chief Privacy Officer – Part 1: Privacy by design
Karen Smith (Director, Research and Development, Office of the Auditor-General)
Thank you, Russell, for coming today.
Russell Cooke (Government Chief Privacy Officer)
That’s okay, great.
Karen
It’s really nice to have you here to talk about using data in the public sector and to get a bit more information about privacy and how we use that in the public sector.
Russell
Sure.
Karen
So Chief Government Privacy Officer. It’s quite a long…
Russell
Long title, yeah.
Karen
So what is your role; what sort of things do you do?
Russell
Well, the fastest way and the easiest way to describe our role is a coach for the system for privacy. When you think about all the things a coach does in terms of individual performance, collective performance, expectations and standards, working together as a team, learning the trade, learning the craft, not falling foul of the referee, understanding the rules of the game, having a good game for spectators – which is an equivalent of the public we serve – our role as a coach to help the system to do privacy stuff better. Our primary role is working alongside Privacy Officers in the system but not exclusively. We work with chief executives and ELTs; we’ll work with everybody across the system.
Karen
So when you say system, what does that mean?
Russell
So our mandate extends over the core public service, seven Crown entities and the 20 DHBs. Our role is to have direct support for those agencies, but our advice and guidance is available for everybody.
Karen
How would I know to contact you? How would I know what to do?
Russell
How do you know? So a couple of things: first of all, if you worked in an agency, I’d ask you to seek out your Privacy Officer. Every entity must have a Privacy Officer; it’s in the legislation. And so you will have one. So my suggestion: if you can’t find them, go look up your directory and go find your Privacy Officer and go talk to them. They should always be your first port of call. And then the Privacy Officers know about us; we have really good contact with them, and there’s no problem getting hold of us through them or us directly if you’ve spoken to them, if that’s appropriate. Again, our first port of call, say, is that we’re there to help coach the system, but there are others in the organisations that will be able to help you.
Karen
Because I may not even know about what the Privacy Officer does.
Russell
Does, yeah.
Karen
So, if I was going to be looking at using some… or collaborate with another agency to improve services in some way to perform, I would think, ‘I need to consider privacy.’ Do people consider that? How do they know it’s important?
Russell
Well, obviously we try and do that. We really want agencies to consider privacy by design and by default. So it’s really important that, when you say, “I want to share some information or collect some information,” one of your first questions has to be, “Well, what am I trying to achieve with that?” And, “Does it need to be personal information; does it need to be Karen’s details, need to be name, address, etcetera. Does it need to be that to do the job, or can I get away with using information that I already have that’s not personal?” That’s the very, very question you should have. If you say, “No, I don’t think I can use that information,” then your next stage as well, “Then how do I go about collecting it? Do I have it, or do I have permission to use it?” And then that’s obviously where your Privacy Officers would start to come in.
Karen
So they would help me understand this?
Russell
They would help you.
Karen
When you said “privacy by design”, I’m not sure what that…
Russell
What that really means? Yeah. So they’ll guide you through the necessary steps to ask questions about what you’re trying to do. And they will help elicit what sort of information you actually need, the sensitivity of that information, the grounds on which it’s being collected, the ability for it to be shared. Because actually, that’s the other thing as well, that, even if others have that information, you may not be able to get access to it. Even if you’re in the same organisation, you can be covered by different legislation. So a number of agencies that we know of have personal information collected under one legislative code, but it’s not able to be shared because it’s not actually able to be utilised under another legislative lever.
Karen
You mean like for different purposes?
Russell
Yeah, different purposes.
Karen
So I might collect it to help get this person some particular service but…
Russell
Some service, yeah. But a service that’s governed by another law, the fact that you’ve got information over here, and some information is required, unless you’ve got an information sharing agreement between those entities, or even inside, you can’t really share it. So it’s pretty important that you understand, I guess, both the legislative framework – not just the Privacy Act but your own legislation as well – and some of the mechanisms for collection and sharing. And that’s where the Privacy Officer comes in.
Karen
They would help me to…
Russell
They’d guide you through that. So they might need to do a Privacy Threshold Assessment, which looks at, “Do I need to go to the next stage, which is a Privacy Impact Assessment?” And they start to look at things such as, “Why am I collecting this level of specific information? How long do I intend to keep it for?” And they look at things against the 12 principles of the Privacy Act. And it’s really important those Privacy Act principles are well understood by the Privacy Officers, but they’ll guide you through from principles to practice. They’ll help you with the questions you need to ask yourself to get that assurance that you’re going to do this lawfully, but also with respect. I think the other thing is it’s not just about the law; it’s actually about what’s doing right here. So a lot of it is around, “Do I have the public confidence and understanding to go do this? Do I need to have a licence conversation?” You need to go and say, “Actually, can I, should I, do this? Is this going to jeopardise my relationship with them, even if it’s lawful? How does it look in the public eye? How do I deal with disclosure and modification?” And those things which are really, really important in terms of the law, but also in terms of people’s perceptions of what the Government should be doing with my information.
Karen
Because my next question was, I’m giving my information to an agency; how do I know that it’s going to be protected? You see on the media that sometimes there’s things that go on; how can I trust agencies to be handling privacy?
Russell
Well, quite simply, the role of the Privacy Commissioner is probably a good thing to bring in here. So the Privacy Commissioner’s role is to ensure that agencies, public and private sector, are actually doing the right thing. So, if you have concerns about anything, you have a right to go to the Privacy Commissioner and complain, and say, “Agency X is doing something odd. I can’t get access to my information. I can’t amend it; I don’t know what they’re doing with it.” And the Privacy Commissioner can go ask further questions of the agency and ask more about why can’t they get it. Because there are certain rights that people have enshrined in there. The important thing is that what we’re trying to do is get agencies to be more proactive and more transparent about what they’re doing with information.
Because one of the things we think’s also really, really important is, the more that you can tell people you serve about what you’re doing with that information – how it’s being used, how it’s being cared for, how it’s being disposed of, about how I’ve got a right to see it, amend it, all those sorts of things, and we can public that information upfront and it should be in your Privacy Statement – the stronger the level of trust should be in your organisation. And it’s really important that you have well-defined and very, very easily accessible Privacy Statements from your homepage.
But I think, when you’re starting to get into more about the detailed use of information, then I think disclosing a how we use that, how we assess it, how we store it and that, is really, really important. What I really emphasise, along with the privacy by design thing, is, if you’re building new services, be prepared and do it upfront. Disclose all the information you need about how we collect that information, how we use it, how we store it, how we share it. Put that upfront. That’s an adjunct to the Privacy Statement; it’s not a replacement for it, but it should go with every service, so you’re building that trust.
Karen
And my Privacy Officer would help me to understand that and do that?
Russell
Absolutely, yeah. For sure.
Karen
That’s great. So that makes that more transparent, what I’ll be doing and saying with that information.
Russell
Exactly. Because the worst thing that I think agencies can do is not be transparent about that. It’s really, really imperative that, if we want trust and confidence of the people we serve, you’ve got to tell them what we’re doing. It’s got to be open to scrutiny; it’s got to be open for critique; it’s got to be open for complaints. So you’re far better off to do that upfront. Before you’re intending to do something, have a conversation. Before you go and do something, put it on the public domain. Before you’re going to do something, put it up on the site. Actually, even if you’ve done it, put it up there. Get the information out there; show people that you have actually taken the time to understand and ask yourself these questions and that you’re wanting to be transparent about that; it’s really, really vital. So we think that’s really, really important.
Title: Visit oag.govt.nz to read more about the Office's work.