My Grandfather’s Axe of InfoSec – Privacy Commissioner

Tim Henwood, Senior Policy Adviser (Technology), Office of the Privacy Commissioner

Privacy is about control. It’s about exercising and preserving control in the face of rapid technological change. We’re surrounded by an ever-increasing number of sensors and generating a digital exhaust like never before. We’ve got computing capacity coming out our ears, and bottomless lakes to keep data in.

45 years ago – when Newsweek ran its “Privacy is Dead” cover story – technology was different.

22 years ago – when the Privacy Act was enacted in New Zealand – technology was different, and so were the conversations people were having about privacy.

Today technology and privacy conversations are still changing, and faster than ever. One thing has stayed constant over the decades – privacy’s link to security. That’s always been clear and unwavering; you need to protect the information you hold.

The Privacy Act requires you to take steps that are “reasonable in the circumstances” to ensure that information is protected against loss, unauthorised access or misuse.

The realities of changing technology mean the definition of “reasonable” is going to evolve – but the need to protect the information you hold isn’t. Like the old apocryphal ‘my grandfather’s axe’ (or, more classically, the ship of Theseus), even if we swap out the head and the handle, it’s still the same axe.

Padlocked briefcases became encrypted disks delivered in person, a couple of filing cabinets became gigabytes of data, physical delivery became PGP/GnuPG – but the need to protect the information didn’t change.

While privacy is generally about control, this part of privacy is about trust. If someone chooses to give you their personal information, they are trusting your ability to keep it safe.

We want to help you do that.

Our Office understands that privacy isn’t always number one on the agenda. For a lot of businesses it would be lucky to make the top ten. For the businesses that consider privacy regularly, there’s a good chance that it’s because something went wrong or you had a near miss – or you’ve seen a competitor get it wrong (if you’re motivated instead by a drive to ‘get privacy right’, that’s fantastic and we’d love to hear about it).

Privacy can be one of those invisible things until it’s not. One data breach and suddenly everybody is talking about it.

We want to make it easier to do the talking early. We spent some time last year talking with the technology sector to work out how we might best help. We’ve been working this year to put tools together to help:

The Priv-o-matic generates privacy statements for businesses

Privacy 101 e-learning module

And for those who want to dive a little deeper, we’ve got our privacy impact assessment toolkit.

If there’s some privacy help you need specifically, or if you’ve got an idea for guidance that would help a range of businesses, let us know: