IAPPANZ Summit Round-up

Simply Privacy sent a delegation over to the IAPPANZ Summit in Sydney in November – the first such summit since 2019.  It was a fabulous opportunity to connect with over 350 other privacy professionals and get up to speed with some of the topical privacy issues in our region.

Here are some of our key takeaways from the conference:

Māori Data Sovereignty, and tikanga Māori as a framework for privacy

We were lucky this year to have a keynote speaker from Aotearoa, Dan Te Whenua-Walker (Global Co-Chair of Indigenous at Microsoft), speak to how tikanga Māori can provide a values-based framework relevant to privacy, moving the focus from ownership and control of data to the nature of our relationship with it. This concept was illustrated beautifully by referring to data as a river / awa that runs through the digital environment, and which should be given appropriate respect and care.

The relationship between law/lore was also discussed, with the law setting out “what ought to be” while lore describes “what is” – customs and traditions built over millennia to help govern behaviour. Both are equally important, as reflected in a recent Supreme Court decision, which held that tikanga Māori has been, and will continue to be, part of the common law of New Zealand (Ellis v R [2022] NZSC 115).

This keynote was complemented by an eminent panel discussing Māori Data Sovereignty, made up of Dr Karaitiana Taiuru (tikanga practitioner and Māori data expert), Associate-Professor Gehan Gunasekara (University of Auckland), and Dan Te Whenua-Walker, moderated skilfully by Megan Tapsell (Chair AI Forum NZ and Head of Pacific Tech, ANZ).

The panel generously shared their experiences and expertise, defining Māori Data Sovereignty as Māori having access to and a say in the co-governance and co-management of Māori data (which is any data or information about Māori). According to Taiuru, the most important concept is that there must be partnership and consultation with Māori. Others pointed to the collective, rather than individual, interests it embodies.

Those positions are also reflected in international law. Gunasekara referenced the UN Declaration on the Rights of Indigenous Peoples, which provides the right for indigenous people to govern their own assets. He pointed out that both sovereign states and indigenous peoples claim data sovereignty for the same reasons: to protect against harm and exploitation and to enable participation in the economic benefits.

The panel also threw out a challenge for organisations who want to partner with Māori around data issues, that this has to be more than a one-off exchange.  Rather what is required is genuine, authentic engagement over time, to create and maintain an ongoing relationship of partners – the ‘thousand cups of tea’ approach.

Privacy is like a bus…and a building

Angelene Falk, the Australian Information Commissioner and Privacy Commissioner, and Michael Webster, the New Zealand Privacy Commissioner, each used different metaphors to explain the role and value of privacy.

Questioning whether the notice and consent model is still relevant in the digital age, Commissioner Falk is pushing for a focus on accountability instead and a new “baseline standard” where all personal information handling is required to be fair and reasonable. She noted that when you buy a car, you don’t need to be an engineer capable of thoroughly checking the vehicle to trust the car will keep you safe. Commissioner Falk says we need to be able to have the same sense of assurance in the way our personal information is handled by organisations.

Commissioner Webster preferred a building metaphor and an analogy with health and safety laws. He noted that when we stay in a hotel we don’t check things like building permits and the quality of staff health & safety training. Instead, we trust those things will be in place and have been appropriately checked. Commissioner Webster wants to see privacy treated as a key issue that organisations proactively manage, just like they do with health and safety.

Privacy maturity

Commissioner Webster emphasised that privacy should be a core focus running through everything an organisation does. His vision and hope is that all exec teams include a champion for privacy and once a year, they ask themselves:

  • What does a mature privacy protective organisation look like?
  • Are we one?
  • If not, how do we become one?

Commissioner Webster briefly mentioned that the OPC will be providing further guidance and clarity to help organisations transition to privacy maturity through the introduction of a Privacy Risk Management System that sets out the foundations companies should be compliant with and what systems to have in place for when things go wrong. The OPC will be engaging with the “privacy ecosystem” to inform the design and options.

Building a gender inclusive internet 

Spark NZ and OutLine Aotearoa presented on their collaboration ‘Beyond Binary Code’ – an HTML code that helps organisations capture gender data inclusively, and only when they need to. You can find the code and a set of helpful resources here. We think this is amazing work that can help organisations rethink their approach to collecting, retaining and using gender identity information.

And those Aussie privacy law changes…

A clear focus for our Australian colleagues was the changes to their Privacy Act, and in particular the increase of potential fines for ‘repeated or serious’ breaches – up to swingeing levels of either AU$50 million, three times the value of any benefit obtained through the breach, or 30 percent of ‘adjusted turnover’ for the financial year, whichever figure is higher (so could be more than AU$50 million).

Possibly of more interest to those of us from this side of the Tasman was the accompanying expansion of the extraterritorial provisions of the Act (and therefore potential applicability of the fines) from ‘businesses that collect or hold personal information in Australia’ to any foreign entity ‘doing business in Australia’, a broader definition which mirrors the scope of the extraterritorial provisions in our own Privacy Act.  Some serious food for thought for agencies operating across the ditch!