Privacy and remediating the technology debt

Dunedin Railway Station mid-evening. PHOTO: STEPHEN JAQUIERY
Dunedin Railway Station mid-evening. PHOTO: STEPHEN JAQUIERY
Privacy was on my mind when I was plunged into darkness in the Dunedin Railway Station women’s toilet this week.

Should I sit tight and wait who knows how long for another person to come through the door to activate the light at the restroom entrance, or make a partially clad dash for the light switch?

Nah, falling over and crashing to the floor with my pants around my ankles would be the likely result.

I had a hmmmm, in fine ACC style, and scrabbled around in my handbag for the burner phone and its trusty torch. The offspring have mocked said torch, assaulting the night sky with their smartphones’ glare to highlight its feebleness.

But in the Dunedin Railway Station toilet gloom, it came into its own, allowing me to find my way out.

Crisis averted with dignity intact. But I wonder why the station needs the loo light timer and whether I am the only person who has encountered this embarrassment.

Have parents dealing with children’s toileting requirements been caught short?

Around the time of this almost-ignominy, I had been thinking about how our attitudes to privacy can seem contradictory.

People wandering around the supermarket bellowing into their mobile phones seem happy for us to learn about their personal lives.

Similarly, in cafes, we can be bombarded with conversations unsuitable for a public setting. Once, I witnessed a hapless employee undergo their annual work performance review. Seated tables away, I could hear every word.

But when it comes to sharing our information with health service providers or government agencies, we are not so blase.

We expect our information to be kept securely, used only for the purpose for which it was gathered and not shared with anyone not entitled to it.

The results from the Privacy Commissioner’s latest biennial privacy survey bear that out.

The survey, involving nearly 1200 participants, showed the percentage of people saying they had become more concerned about privacy over the last few years was 55%, up from 41%, two years ago.

What’s more, the survey showed that Māori (who made up around 320 of the total participants) had higher levels of concern about privacy.

This should matter to government agencies. One in three Māori participants (33%) said in the past year they had avoided contacting a government department due to privacy concerns. For non-Māori the figure was one in seven (14%).

The commissioner says the number and size of privacy breaches, combined with the increasing reach of technology into people’s daily lives, are two reasons people are more concerned now about privacy issues.

None of this seems good news for the government’s enthusiasm for social investment which presumably, if we ever get to find out exactly what it means, involves the use of big data.

There will be considerable interest in the various investigations into the allegations made by a group of Manurewa Marae ex-workers about Te Pāti Māori’s alleged use of private data from census forms during last year’s election and other concerns about the management of immunisation and Covid-19 data and Oranga Tamariki information. Te Pāti Māori has denied the claims.

Whatever the investigations reveal, I wonder if government agencies could be more upfront about their privacy practices.

Last December, after a Te Whatu Ora/Health New Zealand data breach, allegedly involving a person with authorised access to the information, I asked whether there were regular privacy audits of access to databases where sensitive information was held.

But I was told it could not be answered then because an investigation was under way to identify "any learnings from this incident" and the matter was before the courts.

I pointed out this was nonsensical. My question was not related to the alleged breach or the internal investigation.

Either there was a process or there wasn’t.

I complained to the Ombudsman, and last month I got an apology from HNZ using the excuse it had treated the question as a media inquiry rather than an Official Information Act inquiry (despite me pointing out in December I regarded their response as a refusal under the Act).

It told me there are a variety of audit processes in place including automated monitoring, monthly audits, and reviewing of platform event logs to see who viewed what and when, and where data was accessed and exported.

It pointed out the bringing together of district health boards meant HNZ took on responsibility for an extremely large number of IT systems and data bases. These were in varying states of capability or maturity, with some lacking robust access controls.

"Remediating this tech debt will be a multi-year journey" and part of that would involve strengthening oversight and access controls as appropriate.

Just between us, I hope HNZ is better at managing private information than it is with the official stuff.

 - Elspeth McLean is a Dunedin writer.