Transparency Report 2017

Click here to download the Transparency Report as a PDF. We are pleased to have been awarded a Trust Mark by the OPC for our reporting.

Introduction

Our members place a lot of trust in us to protect their personal information, and keeping their information safe is a priority.

Our members’ personal information has continued to be of interest to government agencies over the last 12 months.

As a responsible company we sometimes need to release information to third parties, and we are upfront about how and when we share data because we value our members’ trust.

Our fifth annual Transparency Report details the requests we’ve received, and our responses, over the last 12 months (1 July 2016 through to 30 June 2017).

We’ve also taken the opportunity to set out our thoughts on several privacy-related issues, and what we think about them. Being ‘honest and straight up’ is enshrined in our company values, and we think this report helps our community understand our approach to privacy.

Releasing information – when we have to and when we choose to

In last year’s report, we discussed the fine line between information releases where we’re compelled under law to release information, and where we choose to release it under the Privacy Act.

A compulsory release might occur when the Ministry of Social Development is investigating benefit fraud, and compels us to share everything we have on a member under its statutory powers. In this case, we must comply.

On the other hand, when the Accident Compensation Corporation investigates the same kind of behaviour, they have no such powers and therefore need to request that we voluntarily release information under principle 11(e) of the Privacy Act (the “law enforcement” exception).

In the latter case, we make the call to release information if the requesting agency satisfies us that the exception applies. This is our call to make. Agencies have no powers to force us to release information under the Privacy Act.

We regularly reject requests for voluntary disclosure if we’re not satisfied the requirements in the Privacy Act have been met. We call this ‘pushing back’. We may ask the agency to refine their request so it’s more targeted or relevant, or reject the request altogether.

It’s also common to receive legitimate requests (i.e. where the Privacy Act permits disclosure), where we do not release any information in response to that request. This differs from a push-back and could be in circumstances where no information exists, or the information Trade Me holds falls outside the scope of the request.

Based on the total number of requests we received in the reporting period, we released information for 13% of enquiries pursuant to a compulsion order, 62% under the Privacy Act, and nothing was released in relation to the remaining 25%.

We’ve broken it down into requests from the New Zealand Police and government agencies below.

This is a call for more transparency reporting in New Zealand

As far as we can tell, we’re still the only New Zealand-based company regularly publishing a transparency report. This is despite encouragement and assistance offered by Internet NZ to other businesses, and the results of a transparency reporting trial run in 2016 by the Office of the Privacy Commissioner (OPC).

We get approached relatively regularly by businesses interested in taking the plunge and getting into transparency reporting. Based on this interest, we’re surprised more businesses aren’t following through and starting to report.

Admittedly, it’s a big decision for businesses to make, especially if they have concerns their users will not support the choices they’re making around data releases to government agencies. We had the same concern before we published our first report but having opened up about what we do, we’ve never looked back.

We think there are solid benefits to transparency reporting. We firmly believe that telling our members how their data is used actually gives them confidence we’re doing the right thing by them.

In addition to providing important disclosure to our members, the process of pulling a transparency report together helps to remind us that we’re guardians of our members’ data and is a handy annual check-in on our own culture around privacy. The process of transparency reporting influences our company culture and brand.

But it’s not just businesses and their customers that could benefit from greater transparency.

We believe that government agencies, which request information from businesses and other private organisations (such as NGOs), should also be regularly publishing the number of requests they make.

We think New Zealanders should have a right to know how, how often and for what reasons government agencies are requesting their information from businesses and other private organisations.

With an accurate picture of the extent of requests and releases being made, a healthy debate could take place on whether the existing checks and balances on government agencies, businesses and others adequately protect the privacy of individuals.

We think some sunlight on this issue would be a good thing.

Privacy Act reform

The Privacy Act came into force in 1993. That’s nearly a quarter of a century ago, well before the internet got any real traction in New Zealand and some six years before Trade Me was founded. It goes without saying that the world has changed a bit in the last 24 years, especially in the way New Zealanders manage and use personal information.

We believe it’s time New Zealand’s privacy laws were freshened up.

In February this year the Privacy Commissioner, John Edwards, published six recommended amendments to the Privacy Act for the Government to consider.

If these recommendations are implemented, the OPC will receive further statutory powers

to improve enforcement of the Privacy Act. We’re cautiously supportive of this, but the devil is likely to be in the detail. There are some meaty recommendations which require lawmakers to balance the carrot to encourage compliance and the big stick of enforcement.

A good example is Law Commission’s recommendation to make it mandatory to report privacy breaches. Currently there is no statutory requirement for businesses, other types of private organisations, or government agencies to report a privacy breach (either to OPC or their customers).

Is this a good thing? We think reasonable arguments could be made both ways.

One of our core privacy values is to be straight up. This includes when privacy breaches occur. We reckon being transparent about breaches actually builds trust. But, while we would typically notify a member if their personal information was involved in a privacy breach, is it fair to impose a statutory requirement on us to also report this to the regulator?

On one hand, such a requirement could promote social responsibility, increase awareness that breaches happen, and assist in resolving issues that may not have otherwise been identified.

On the other, it could encourage businesses to withhold information they might normally have reported to the affected customer for fear of being pinged by the regulator. It’s important to remember that while breaches are not good, not all breaches are equal.

We’re looking forward to participating in the debate on whether the recommendations should become law. We understand the Government is still developing an exposure draft of a new Privacy Bill.

What stats are covered in this report?

This report covers requests for, or releases of, members’ personal information

to government agencies between 1 July 2016 and 30 June 2017.

It also outlines the requests made to us in the reporting period by other members, and requests made by third parties where members have provided consent for their information to be released.

The following graph outlines the total number of requests we’ve received for members’ information from government agencies. The data is split between the NZ Police and all other government agencies to provide more detail.

New Zealand Police enquiries

We work productively with the police to keep our site trusted and safe.

Police often help us ensure fraudsters (e.g. sellers that intentionally don’t deliver items) are held to account.

Beyond the keyboards and smartphones, our relationship also helps keep local communities safe.

Breaking down the police enquiries during the reporting period:

• 8% of releases were made under a production order.
• 65% were made under the Privacy Act.
• 27% resulted in no release.

Government agency enquiries

Enquiries may be a request for member information, advice that a listing be withdrawn from the site without the need for the release of information, or a request for us to pass on educational information to a member.

During the reporting period, we liaised with 36 government agencies on 541 occasions:

• 28% of those enquiries were compulsory information requests.

• 51% of enquiries resulted in information releases under the Privacy Act.

• The remainder resulted in no release of information.

Push-backs

We work hard to ensure member information is released only when it’s legal and we’re satisfied it’s appropriate. Sometimes we don’t release information, even though we may have been permitted to under the Privacy Act.

Following a request, we examine whether the information is required for the purpose stated by the requesting agency. If the scope of the request is too broad, we might ‘push back’ to ensure the information released is as sharply focussed as possible.

On the following page we compare our push-backs in the current period, against our prior reporting.

We have regular discussions with the police and government agencies to maintain a focus on quality requests. This increased focus results in the increased scrutiny of requests by our staff.

Police push-backs have decreased from 4.0% to 3.4% year-on-year in the 2017 reporting period, and government push-backs increased from 1.8% to 2.6%.

Consented releases & Disputes Tribunal

Consented releases

While we can make authorised disclosures under Principle 11(d) of the Privacy Act, we insist that the member’s consent be in writing and signed.

To ensure the scope of the consent an individual is providing is always fully explained to them by the requesting agency, we introduced our own privacy waiver template this year as a mandatory step in the consented release process.

Since we’ve introduced the waiver, requests for member information from the insurance industry have dropped from 72 to 20 – a rather drastic 260% decrease since 2015!

The introduction of a more informative and precise waiver has raised consumer awareness and caused insurance companies to be more circumspect with their requests, which is a great result.

Disputes Tribunal

Under the Privacy Act, we release information relating to a trade if a member can demonstrate that tribunal (or court) proceedings are being reasonably contemplated and the information is necessary for those proceedings.

Members must provide us with a completed statutory declaration witnessed by a Court Registrar before we release any information.

The establishment of a dedicated Disputes team within Trade Me’s Trust & Safety team in January 2017 has helped members resolve disputes before they even make it to a hearing.

Because of this, and the introduction of our Buyer Protection policy, we’ve seen a 12% reduction in information releases required for Disputes Tribunal proceedings.

Members requesting their own information

As our members become more aware of privacy, they continue to request their personal information in reasonable numbers. The graph below shows the level of requests by Trade Me members for their personal information under Principle 6 of the Privacy Act.