Privacy as a Stakeholder Interest in New Zealand: Transparency in Corporate Governance Practices Associate Professor Gehan Gunasekara Asian Privacy Scholars Network Conference Hong Kong 9 July2013
Feb 24, 2016
Privacy as a Stakeholder Interest in New Zealand: Transparency in Corporate Governance Practices
Associate Professor Gehan Gunasekara
Asian Privacy Scholars Network ConferenceHong Kong9 July2013
Introduction • Privacy public issue in NZ
– E.g. ACC, WINZ breaches, IRD• Business vulnerable
– E.g. UMR poll (2012) 82% concerned at misuse of personal information (PI) by business
– 88% thought businesses misusing PI should be “punished”
• KPMG report into ACC recommends public reporting of privacy performance
• Paper argues corporate governance enables same for companies through stakeholder recognition
• Examines value given to privacy versus other interests, performance & best practice
Paper outline• Methodology• Stakeholder principle and privacy as a right or
interest• Corporate governance guidelines in NZ &
Australia• Analysis of governance documents & privacy
as stakeholder interest• Legal issue raised from content of documents• Overseas companies performance• Conclusions/recommendations on best practice
Methodology • review of governance documents
– the statistical occurrence of the words “privacy” and “confidential” and related terms such as the Privacy Act
– Context in which occur• Data Set: (1) NZX and, for comparison (2) NYSE
(New York Stock Exchange)• Time frame: November 2012- January 2013• Some exclusions, e.g. non-company issuers such
as income funds & trusts• 130 companies – NZ incorporated (105) +
overseas incorporated (25). Comparisons between subsets
Methodology cont’d• NYSE comparative
snapshot:– Random selection of
10 securities out of 3258
– Further random selection of 18 from Consumer sector c.f. all 18 companies in equivalent NZ category
Privacy as stakeholder interest• Stakeholder principle in management theory =
broad principle informing governance• Stakeholder includes any group/individual who
may be affected/harmed• Economic significance of PI• E.g. Facebook, Google• E.g. outsourcing/cloud computing • Potential harms such as identity theft, hacking
Difficulty with management theory• “interests” versus legal “rights” & “remedies”• For privacy both interests & rights relevant• E.g. consumer trust important• Privacy Act 1993 (OECD model) requirements
– Transparency and accountability requirements– Complaints and remedies
• Section 14(a) Commissioner to balance competing interests
• Principles-based approach enables bridge between legal/management theories
Collection Storage/ Disclosure/Use Disposal
Information privacy principles (IPPs) cover entire spectrum
The Information Life Cycle
Management theory cont’d• Motivation: brand image & reputation c.f. legal
sanction• Two converge with privacy: transparency is a
requirement and accountability as legal consequence
• Law Commission Review (NZ):– Audit power to Commissioner– Compliance orders for systemic breaches
Corporate Governance Guidelines• NZX Listing Rules:
Corporate Governance Best Practice Code:– Non-prescriptive re ethics
code requirements– No specific mention of
privacy but receipt of corporate information and conflicts of interest mentioned
– Catch-all “compliance with applicable laws, regulations and rules”
Corporate Governance Guidelines• ASX Corporate Governance Code:• More prescriptive e.g. recommendation 3.1:
– Measure to protect company’s integrity– Measures to comply legally– Accountability measure for reporting and
investigating breaches– Specific mention of privacy policy as example of
responsibility to individual• Suggests measures followed to promote
compliance with legislation & whether local or Australian standards followed
Analysis of governance documents • Annual reports• Codes of ethics (or codes of conduct)• Board charters• Corporate governance codes or guidelines• Corporate social responsibility reports (CSR)
(also sometimes labelled sustainability reports)
Privacy as stakeholder interest: (all categories)
Total number of Companies
Companies recognising “Privacy” interests
Companies recognising “Confidentiality” interests
Number % Number %
Overall 140 30 21 87 62
NZX NZ Companies 105 16 15 63 60
NZX Overseas Companies 25 6 24 14 56
NYSE Companies 10 8 80 10 100
Analysis • Relative importance given to privacy and
confidentiality• Overseas NZX & NYSE did better across board
Types of governance documents• Annual reports: shareholder constituency• Corporate social responsibility reports (CSR):
aimed at community• Codes of ethics/conduct: aimed at consumers,
employees and community and most useful – 54% of NZ listed entities had publicly accessible
codes
Codes of ethics and privacy
1955
84 9181
4516 9
Percentage of companies with Codes of Ethics that mention privacy or confidentiality
Percentage mentioned Percentage not mentioned
Annual reports• Both privacy & confidentiality minority interests• A few referred to specific policies for protecting
privacy/Privacy Act compliance– Link between ideals and achievement by
employees/management– Future privacy audits can focus on employee training– Accountability (KPIs) for non-compliance
• Privacy policies largely omitted from all governance documents
• Kircaldie & Stains Ltd was standout as referred to Global Reporting Initiative (GRI) and number of complaints regarding privacy and data loss
Corporate Social Responsibility Reports (CSR)• Only 4% of NZX had publicly accessible CSR• C.f. 24% overseas NZX and 50% for the NYSE• Tended to give equal prominence to privacy and
confidentiality:– NZX 25% for both– NYSE 60% for both
NZ Codes of Ethics• Ranged from cryptic to detailed• E.g. Kathmandu Holdings Ltd’s Principle 7:
“Privacy, Intellectual Property and Advantage”• PI and business information treated alongside
one another• Link to employee fiduciary duties useful but
danger of information overload• Several vague on applicable privacy laws
NZ Codes of Ethics cont’d • Skycity Entertainment Group Ltd
– referred to Privacy Act compliance programme – Clearly differentiated privacy and confidentiality
• Others less impressive:– An aged care business referred to confidential
information and PI being protected by Privacy Act and requests for PI by third parties
– Privacy principles cover information life-cycle and give access to individuals of own PI hence reference to requests by third parties confusing
– Note: one of the reasons access to PI can be denied is information supplied by third parties in confidence
Privacy/confidentiality distinction• Confidentiality protects wider range of
interests than privacy• Can be protected in multiple ways:
– Contract– Equitable action for breach of confidence
• PI definition: "information about an identifiable individual” wider than confidential information
• Aimed at mischiefs such as aggregation, accessibility of everyday information and harms such as vulnerability, spill over risks etc
Privacy/confidentiality distinction cont’d• Two concepts intermingled. E.g.:
– Nuplex Industries Ltd: “It is vital that we protect the privacy of Nuplex’s confidential information.”
– Pumpkin Patch Ltd’s similar but then states:“Employees must not use confidential information for unauthorised purposes. They must also take reasonable care to protect confidential information against loss, theft, unauthorised access, alteration, or misuse.”
– These are essentially requirements of the IPPs– Telecom Corporation of New Zealand Ltd also mixed
concepts
Privacy/confidentiality distinction cont’d• A simple example to demonstrate distinction in
everyday application• Best practice:
– treat privacy and confidentiality as distinct concepts– Aspects can be duplicated but under separate
headings
Overseas Companies on NZX• Examples of best practice:
– Annual reports linking/referencing governance documents
– Elaboration of how compliance achieved: e.g. Downer EDI Ltd’s Standards of Business Conduct refers to privacy policy, information life-cycle and examples of good/bad practice
– Confidentiality and privacy treated separately, e.g. Downer EDI Ltd
– Pacific Brand’s refers to privacy policy on intranet and advises contact with legal team when necessary
Overseas Companies cont’d• Telstra Corporation’s CSR: Telstra Clear Bigger
Picture 2012: Sustainability Report 2012– section on “Privacy protection”– Clear goal plus statement of how achieved AND how
breaches dealt with– Link to privacy policy– Incidents in 2012, systemic changes as result– Voluntary notification to privacy authorities listed
Sector comparisons: Consumer Sector (NZ) c.f. Consumer Durables/Non-durables (USA)
Annual Reports Board Charter Code of Ethics Corp Gov Code CSR
3
0
3
0 0
2
0
8
0
4
Total number of companies that mention privacy in publicly available documents
NZX NZ Companies NYSE Companies
Sector comparisons cont’d
Annual Reports
Board Charter
Code of Ethics
Corp Gov Code
CSR
7
2
64
0
54
17
12
Total number of companies that mention confidentiality in publicly available docu-
mentsNZX NZ Companies NYSE Companies
Conclusions….• Privacy protection afforded lesser status to
confidential information (except CSR)• Approximately half of the NZX companies had
accessible codes of ethics but only a fifth of these dealt with privacy
• Content often vague/confusing• Australian companies on NZX generally
exemplary• NYSE companies also superior in privacy
coverage• Privacy protection as management discipline