Knowing what data you have, understanding its purpose and having strong privacy practices in place to manage and protect its use will go a long way to helping you ensure you can use data to its full potential, writes Privacy Commissioner, Michael Webster.
“Data is like garbage. You’d better know what you are going to do with it before you collect it.” Mark Twain’s analogy may have preceded our current times of mass collection and collation of data, but it does serve as a cautionary reminder that collecting data without a clear purpose, or not having a retrieval and deletion strategy, can lead to clutter and confusion and heightened risk of misuse or missed opportunities.
The Office of the Privacy Commissioner recently provided an update on Police’s progress on a Compliance Notice, requiring them to stop unlawfully collecting photographs and biometric prints from members of the public, particularly young people, and to delete unlawfully collected material stored on their systems, including mobile phones.
We noted that Police have completed all but one of the original requirements of the Compliance Notice and that they’ve made good progress around how they collect information. However, deleting unlawfully collected material is proving problematic.
Police face a very different operating environment to most organisations, but there are some widely applicable privacy principles involved.
“Many images have historically been stored on their systems without the labels that would allow them to be searched automatically…”
A key problem Police face is that many images have historically been stored on their systems without the labels that would allow them to be searched automatically.
In these cases, Police can’t tell what an image is of without opening each image file manually, and unless key information has been recorded with the photo it may be difficult know the purpose and rationale for collecting and retaining it.
It’s like going to the pantry and realising that all the labels and use-by dates have been taken off the cans of food. You can’t tell what something is until you open it and even then, you may not be able to tell if it is safe to use.
The development and implementation of a digital evidence management system was presented to us as a potential solution to these issues.
Had they had that, Police could have stored and identified photos and linked them to specific cases, which would have also meant staff would have documented the lawful purpose for taking the photo.
One of the first steps any organisation can take in preparing to plan and implement a privacy programme is to understand what personal information you collect, use, store and disclose.
Knowing your personal information, and assessing your organisation’s privacy risks, will help you work out how best to apply the guidance in our Poupou Matatapu framework of how to do privacy well, which is found on our website.
Key objectives of knowing your personal information include:
- Your organisation having a data inventory and using this to assess its risk profile.
- Staff understand what personal information is and how they can use it in their role.
- There is a central log or record of current data/information sharing agreements.
- Policies for data classification, including handling and retention, are documented and compliance with these policies is assessed.
Knowing what data you have, understanding its purpose and having strong privacy practices in place to manage and protect its use will go a long way to helping you ensure you can use data to its full potential.
Michael Webster is New Zealand’s Privacy Commissioner.
