ACC won't be the last mass privacy violator

21:24, May 06 2012
DON'T GET TOO COMFORTABLE: ACC's privacy breaches are unlikely to be the last.

For an online guy, my mate Jimmy has a fabulous ability to injure himself in the offline world. All too aware that he's bearing down on the age of 40 at a rapid rate, he's thrown himself passionately into social football.

Unfortunately, he recently also threw his face passionately into the head of another player, breaking a number of facial bones in the process.

As a result of this, Jimmy found himself a client of ACC. As if the original whack wasn't unfortunate enough, Jimmy recently had a second sock in the face, this one from ACC. Jimmy was one of the 6500 ACC clients whose details were sent to fellow claimant and former National Party stalwart Bronwyn Pullar.

Jimmy showed me the letter ACC sent him in the wake of the abysmal privacy bungle. The first thing that surprised me was that it was sent more than a week after the first wave of media coverage. I would have thought good practice would be to alert all victims of the privacy breach in writing as soon as possible. The second thing that surprised me was that nowhere in the letter was there anything approaching an apology. Not even a statement of mild concern.

For an organisation whose stated purpose is to make New Zealand safer, and support people who have been hurt, ACC's recent work has got a few people scratching their heads. And, if Jimmy's letter is anything to go by, the lack of humility in their client communications won't win them friends.

The ACC privacy blunder is tiny in comparison to the likes of Google's infamous sampling of personal wifi networks, Facebook's censure by the Federal Trade Commission, or Sony's loss of data for 77 million PlayStation clients, but by New Zealand standards it's right up there.


It's not surprising then that ACC was a popular subject of conversation at the Office of the Privacy Commissioner's annual Privacy Awareness Week. One of the key themes at the event last week was privacy in the age of big data, and how to mitigate the risks.

"Big Data" has already become one of the buzzwords of 2012. In simple terms, it's the trend towards truly vast collections of data (typically relating to human behaviour), the meaningful analysis of that data (often with artificial or augmented intelligence), and using that data for predictive purposes.

That could be a bank adding together three pieces of data to decide if a credit card transaction is fraudulent or genuine, Facebook deciding the most effective advertisement to serve up to you, or the exact point at which you would be most susceptible to buying a new car. It can also have more altruistic benefits, such as working out when people are most at risk of health ills, or intervening when children are at risk.

Technology, and specifically the web, continues to be a game-changer for privacy. Never before has so much data been so concentrated in its storage, so broad in its capture and so instantly transmittable. Two years ago, Facebook founder Mark Zuckerberg tried to suggest the age of privacy was over, that privacy was no longer a social norm.

The backlash to that statement, together with highly publicised data breaches, and the chilling effect of overzealous application of prescriptive data sampling, have made clear he was wrong.

As search engine algorithms improve, social network data becomes bigger and more rigorously analysed, and our online lives increasingly blend seamlessly into offline lives, privacy will only become more important. Indeed, as we head into the 21st century, privacy (and the components of individual identity) is what everyone is after, whether it's to serve you, sell to you or seduce you.

Ten months ago, the Law Commission delivered the final part of its substantial review of the Privacy Act. After a public submission process, Justice Minister Judith Collins recently announced the old Privacy Act will be replaced by one along the lines recommended by the Law Commission review, with further announcements due from the Justice Ministry in August.

I sincerely hope the new act will incorporate the clear and strong direction on data-breach notifications suggested by the review. This should require direct notification to every person whose privacy rights have been violated, as well as minimum standards around speed of advisory and the detail of what has been shared.

It is essential that individuals who have had their data compromised be given the opportunity to mitigate the risks of identity theft and worse.

ACC is the latest, but sadly will not be the last, bulk violator of New Zealanders' privacy rights. Let's hope the new Privacy Act ensures victims are communicated with promptly. To not do so would be another kick in the head to good folks like Jimmy.

Mike "MOD" O'Donnell is an eCommerce manager, author and professional director. His Twitter tag is @modsta. Disclosure of interest - MOD was independent chair of the new media session of the Privacy Awareness Week conference in Wellington last week.

The Dominion Post