 February 20, 2014  Posted by  Breaches, Non-U.S.

3News reports that NZ’s new privacy commissioner, John Edwards, is concerned – and disturbed – by how people respond to privacy breaches involving others’ information, such as misaddressed mail that they receive.

“No right minded member of the community would think when they stumbled across a wallet containing identifying details and $1000 that they had a right to keep that,” Mr Edwards said.

“We are instilled as children with the moral obligation that we must return this to its rightful owner and not take advantage of that accident.”

However, Mr Edwards said there seems to be an increasing trend that when somebody receives information mistakenly that they are “entitled to give some publicity to it or use it as a mechanism for obtaining some advantage or creating some stress or drama for the organisation with which they may be in conflict”.

“I’m as disturbed by that I think as I am by the weakness at the other end,” he said.

That’s an interesting observation about a shift in behavior, but could there be other explanations or motivations? Yes, some people may be in conflict with an entity and want to exact revenge by embarrassing them publicly, but in other cases, could running to the media to report the breach just be the public’s way of saying that they don’t want privacy breaches swept under a rug or covered up? Certainly we’ve seen cases here and elsewhere where people initially refuse to return documents or files they should not have received. Often it seems their motivation is to simply ensure that the breach will not be ignored.

So… are more New Zealand residents going public in a “naming and shaming” strategy to try to effect more responsible data protection? And is their behavior an almost predictable response to a culture or society in which there’s no law requiring data breach disclosures?

I don’t have any answers, but it’s an intriguing question and it will be interesting to see how Privacy Commissioner Edwards attempts to address his observations.

Update: Fairfax NZ has additional reporting on the Commissioner’s concerns that provides important context. As seen on Stuff:

The privacy breaches were often used by people who were frustrated and locked into a struggle with a big organisation, such as ACC or the Earthquake Commission. “They [the organisations] tend to put a lot of effort into getting their business through and maybe need to think about how do we deal with people who feel they are mistreated. How do we give them a fair go?”

In 2011, ACC claimant Bronwyn Pullar received the personal details of 6000 sensitive ACC clients by accident via email.

ACC later accused her of attempting to use the information as leverage in her battle for ACC cover, a claim she denied and was later proven untrue.

Last year, EQC accidentally sent one of its biggest critics, Christchurch independent assessor Bryan Staples, the details of 83,000 of its clients.

Marc Krieger, a blogger and former EQC employee who also got hold of the information, published it online. EQC eventually went to court, spending $150,000 to prevent the further release of the information.

Okay, posting personal info of private individuals to score points or embarrass an organization would not be acceptable behavior according to my own ethics code. But does that mean you need to remain quiet when you have evidence of a breach? I don’t think so, although I do believe in responsible disclosure.
