Privacy Law and Policy Reporter
Robert Stevens, Auckland Manager, Office of the NZ Privacy Commissioner, presented this paper at the Privacy Issues Forum 1995, in Wellington. In the first part of the paper, published in the previous issue, he analysed our reactions to data matching, and concluded that from this 'we should be able to map out a set of criteria for the selection of information which would be suitable for matching, and an outline for the operation of the selected information matching programs'. In this part, he compares the rules he derives with those in the NZ Act.
These rules might be developed solely from the government's self-interest, and from a reasonable forecast of how the voting public would react to certain putative procedures. I wanted to see how far one could go in developing such constraints without having to import any directive statements about what is good or bad. I came up with the following.1. The likely benefit to the government from carrying out the information match must outweigh the likely cost
As long as benefits and costs are seen in terms of the government's desire to be thought both efficient and fair, this is the overall criterion. Any other rules flow from this one.
Neither the benefit nor the cost has to be limited to monetary terms. The benefits might well include an increased perception that the government is doing an efficient and fair job, that the welfare dollar is being targeted at the most needy and not being hijacked by those prepared to cheat.
The costs, as we have seen, include a sense of outrage among the customers. The costs also include the loss of quality in data, where the quality is useful for its primary purpose. Census data is the classic example of this.
Where costs and benefits are measurable, we should take sufficient care to measure them and remeasure them on a regular basis with a degree of accuracy reflecting their importance in the decision (and reviews of the decision) as to whether this particular information- matching program is worthwhile.2. The process must minimise the risk of severe adverse action being taken erroneously
The reason for this limitation is that any severe adverse action which is taken erroneously will cause a quite extreme outrage, not only in the individual victim of that action but also among others in society who become aware of it. This is a significant cost which would tend to outweigh all the potential benefit. When I say that this cost arises from the taking of 'severe' adverse action, I mean that form of action which would be seen as harmful by a significant number of customers, and thus engender that sense of outrage which spreads beyond the individual victim. Thus the issue of a letter which advises the individual of the apparent discrepancy between two items of information, and which allows opportunity for the individual to investigate and explain it before the axe falls, may not be seen by most people as unacceptable and outrageous if it is worded appropriately, if it allows adequate time in the circumstances for a response, and if it is not made too hard for the innocent individual to correct a mistake which has been made.
On the other hand, even the issue of letters advising of an apparent discrepancy will cause some degree of 'cost' in public opinion of the government if the discrepancies are based upon avoidable mistakes and if they occur with a frequency suggesting that the agency has little or no respect for its customers. This impression, which will engender some outrage, would result from a perception that the government disregards the cost of customers having to take action (within time limits) to correct mistakes which the government could have avoided by itself taking extra care.
The operation of this rule also militates against those forms of information matching known as 'profiling.' Such matching programs might be used, say, to identify individuals who fit an established or perceived pattern of attributes associated with certain offences. One might imagine some pattern of age, gender, race and travel history which is statistically significant among those convicted of drug trafficking. That pattern could be used to select certain persons for surveillance, intensive searches at borders, etc. There is a feeling in our society that this form of profiling is as yet so imprecise and unproved that unacceptable numbers of innocent people will be subjected to surveillance, search and other intrusive harms. Thus the use of profiling could generate a cost in the form of outraging the customers.3. The operation of the information-matching program must not come as a surprise except to the degree that surprise is necessary to achieve its benefits
Again, the purpose of this rule is to minimise outrage, which is a cost of operating the program. I cannot think of any information-matching programs in the area of fraud and abuse which have to maintain an element of surprise in order to achieve their objectives. Certainly you are going to catch more cheats if they haven't had advance warning of the existence of the program, but the benefit to be gained from the program is not the catching of cheats but the reduction of cheating, and this will surely come from the deterrent effect of foreknowledge. Obviously, though, one does not announce that surnames beginning A to D will have their records checked in August; the timing and frequency of checks or the basis for selection can remain a surprise because this will have the greatest deterrent effect.
To say that the information-matching program is to come as little or no surprise is to say that the people affected, and those other people who are not directly affected but who may become aware of the program, do understand that this program will be operated. It is not sufficient to mention it obliquely in the fine print of a leaflet which few people actually read, or to embed it in an impenetrable boilerplate clause on an application form. The whole point, as with Information Privacy Principle 3, is to take steps which are in the circumstances reasonable to ensure that the individual concerned is aware of the existence and scope of the information program.
Surprise is a significant determinant of outrage, and outrage is a cost of operating an information-matching program. By the same token, foreknowledge of the fact that information matching will be done is likely to have a deterrent effect, which must be seen as a benefit of the program. Visibility of information matching programs allows the government to show itself as being both efficient (by making use of the various items of information it collects about individuals, but without having to collate them into a central database) and fair (both in the sense of being open, and in the sense of minimising the cases of benefit fraud which would otherwise abuse scarce public resources).
I suggest that these three rules would dictate the constraints to which a reasonable government would want to subject its information-matching activities. Would the existing law need to be changed to enforce these rules? No, if only because we are only talking about information-matching programs which are run by public sector agencies, and it doesn't take statute power for the government to constrain them.
Do the present information-matching programs comply with these rules? Not wholly, I think, but I believe that we are moving in the right direction.
To what extent does the Privacy Act 1993 (NZ) already embody the rules outlined above? I should explain here that the Privacy Act deals with information matching essentially by the assumption that any such program would involve a collection or use or disclosure of personal information which would breach the information privacy principles. Section 7 of the Act provides that the ordinary operation of those principles is displaced by any other statute which authorises or requires personal information to be dealt with in some other way. Certain of those other statutory authorisations or requirements are referred to as Ôinformation-matching provisions' and listed in the Third Schedule of the Privacy Act. The operation of the 'authorised information-matching programs' which are conducted under those 'information matching provisions' is subjected to the additional controls and reporting requirements set out in Pt X of the Privacy Act.
Section 98 of the Privacy Act contains guidelines which the Privacy Commissioner has to consider when reporting to the government on any proposed legislation which provides for collection or disclosure by public sector agencies of personal information which might be used for an information-matching program. The guidelines are:
(a) whether or not the objective of the program relates to a matter of significant public importance;
(b) whether or not the use of the program to achieve that objective will result in monetary savings that are both significant and quantifiable, or in other comparable benefits to society;
(c) whether or not the use of an alternative means of achieving that objective would give either of the results referred to in paragraph (b) of this section;
(d) whether or not the public interest in allowing the program to proceed outweighs the public interest in adhering to the information privacy principles that the program would otherwise contravene;
(e) whether or not the program involves information matching on a scale that is excessive, having regard to:
(i) the number of agencies that will be involved in the program; and
(ii) the amount of detail about an individual that will be matched under the program;
(f) whether or not the program will comply with the information-matching rules.
I cannot say that these guidelines really embody my first rule or that they help significantly with the calculation of the broadly categorised costs and benefits as I postulated them. I note that these guidelines are set not only for considering proposals for information-matching programs as such, but also for considering legislation providing for the collection of personal information which might be used for an information program. My own starting point was somewhat further down the track, for I have dealt with the situation of matching information which the government, through one or more of its agencies, already held. However, when the Privacy Commissioner considers 'monetary savings' and 'other comparable benefits to society' which can be achieved from the proposed information-matching program, and when he considers the public interest in the program and whether or not its scale is excessive, he would be thinking along the same sort of lines as my broad costs and benefits to the Government would require.
Section 103 of the Act provides (with limited exceptions that I believe have never been used in practice) that no adverse action is to be taken against an individual on the basis of a discrepancy produced by information matching unless the agency has first given the individual five working days' notice in writing, during which the individual can show reason why the action should not be taken. The notice must give particulars of the discrepancy and of the adverse action which the agency proposes to take.
Section 103 can be seen as a procedural application of the rule that an information-matching process must minimise the risk of severe adverse action being taken erroneously.
I think that my third rule is reasonably applied by Rule 1 of the Information-Matching Rules (which are contained in the Fourth Schedule of the Act). It provides that agencies involved in information-matching programs 'shall take all reasonable steps (which may consist of or include public notification) to ensure that the individuals who will be affected by the program are notified of the program.' There is an exemption from this obligation to give notification where it would be likely to frustrate the objective of the program.' My rule said that the operation of the program must not come as a surprise except to the degree that surprise is necessary to achieve the program's benefits.
So I think that all three of my rules are reflected in the provisions of the Privacy Act somehow. The overall rule is approximated by some of the criteria by which new program proposals are to be judged, and the second and third rules are largely embodied in constraints which must be applied to any information matching program unless there is a specific statutory exemption.
This analysis has not assumed any moral precepts. It proceeded from the government's interest in being seen as both efficient and fair, and from that it developed some rules by which the government could evaluate potential information matching programs and the constraints under which such a program should operate. It did so largely by recognising as a 'cost' the potential to outrage significant numbers of people by the way in which information matching is conducted, and by recognising as a 'benefit' any enhancement of the public perception of the government as being efficient.
I must conclude with some caveats and a disclaimer. First, my analysis proceeds from a very informally surveyed impression of public opinions and sensitivities in this area, and from my own subjective reactions to examples I have conjured. I could be wrong about the generality of these reactions. Second, even if I am right about these triggers of relative degrees of outrage, that would probably be a situation specific to one society at one time. Third, this is the first occasion on which I have set out these ideas on paper, or in any ordered way exposed them to an audience, and they might turn out to be logically, factually or even politically flawed! Finally, they are my own thoughts, and are neither the policy nor the stance of the Privacy Commissioner.
Robert Stevens, Auckland Manger, Office of the NZ Privacy Commissioner.