Privacy as a Stakeholder Interest in New Zealand: Transparency in Corporate Governance Practices Associate Professor Gehan Gunasekara Asian Privacy Scholars.

Presentation transcript:

Privacy as a Stakeholder Interest in New Zealand: Transparency in Corporate Governance Practices Associate Professor Gehan Gunasekara Asian Privacy Scholars Network Conference Hong Kong 9 July 2013

Introduction Privacy public issue in NZ –E.g. ACC, WINZ breaches, IRD Business vulnerable –E.g. UMR poll (2012) 82% concerned at misuse of personal information (PI) by business –88% thought businesses misusing PI should be “punished” KPMG report into ACC recommends public reporting of privacy performance Paper argues corporate governance enables same for companies through stakeholder recognition Examines value given to privacy versus other interests, performance & best practice

Paper outline Methodology Stakeholder principle and privacy as a right or interest Corporate governance guidelines in NZ & Australia Analysis of governance documents & privacy as stakeholder interest Legal issue raised from content of documents Overseas companies performance Conclusions/recommendations on best practice

Methodology review of governance documents –the statistical occurrence of the words “privacy” and “confidential” and related terms such as the Privacy Act –Context in which occur Data Set: (1) NZX and, for comparison (2) NYSE (New York Stock Exchange) Time frame: November January 2013 Some exclusions, e.g. non-company issuers such as income funds & trusts 130 companies – NZ incorporated (105) + overseas incorporated (25). Comparisons between subsets

Methodology cont’d NYSE comparative snapshot: –Random selection of 10 securities out of 3258 –Further random selection of 18 from Consumer sector c.f. all 18 companies in equivalent NZ category

Privacy as stakeholder interest Stakeholder principle in management theory = broad principle informing governance Stakeholder includes any group/individual who may be affected/harmed Economic significance of PI E.g. Facebook, Google E.g. outsourcing/cloud computing Potential harms such as identity theft, hacking

Difficulty with management theory “interests” versus legal “rights” & “remedies” For privacy both interests & rights relevant E.g. consumer trust important Privacy Act 1993 (OECD model) requirements –Transparency and accountability requirements –Complaints and remedies Section 14(a) Commissioner to balance competing interests Principles-based approach enables bridge between legal/management theories

The Information Life Cycle (diagram): Collection, Storage/Disclosure/Use, Disposal. Information privacy principles (IPPs) cover entire spectrum

Management theory cont’d Motivation: brand image & reputation c.f. legal sanction Two converge with privacy: transparency is a requirement and accountability as legal consequence Law Commission Review (NZ): –Audit power to Commissioner –Compliance orders for systemic breaches

Corporate Governance Guidelines NZX Listing Rules: Corporate Governance Best Practice Code: –Non-prescriptive re ethics code requirements –No specific mention of privacy but receipt of corporate information and conflicts of interest mentioned –Catch-all “compliance with applicable laws, regulations and rules”

Corporate Governance Guidelines ASX Corporate Governance Code: More prescriptive e.g. recommendation 3.1: –Measure to protect company’s integrity –Measures to comply legally –Accountability measure for reporting and investigating breaches –Specific mention of privacy policy as example of responsibility to individual Suggests measures followed to promote compliance with legislation & whether local or Australian standards followed

Analysis of governance documents Annual reports Codes of ethics (or codes of conduct) Board charters Corporate governance codes or guidelines Corporate social responsibility reports (CSR) (also sometimes labelled sustainability reports)

Privacy as stakeholder interest (all categories). Table columns: Total number of Companies; Companies recognising “Privacy” interests (Number, %); Companies recognising “Confidentiality” interests (Number, %). Table rows: Overall; NZX NZ Companies; NZX Overseas Companies; NYSE Companies

Analysis Relative importance given to privacy and confidentiality Overseas NZX & NYSE did better across board

Types of governance documents Annual reports: shareholder constituency Corporate social responsibility reports (CSR): aimed at community Codes of ethics/conduct: aimed at consumers, employees and community and most useful –54% of NZ listed entities had publicly accessible codes

Codes of ethics and privacy

Annual reports Both privacy & confidentiality minority interests A few referred to specific policies for protecting privacy/Privacy Act compliance –Link between ideals and achievement by employees/management –Future privacy audits can focus on employee training –Accountability (KPIs) for non-compliance Privacy policies largely omitted from all governance documents Kirkcaldie & Stains Ltd was standout as referred to Global Reporting Initiative (GRI) and number of complaints regarding privacy and data loss

Corporate Social Responsibility Reports (CSR) Only 4% of NZX had publicly accessible CSR C.f. 24% overseas NZX and 50% for the NYSE Tended to give equal prominence to privacy and confidentiality: –NZX: 25% for both –NYSE: 60% for both

NZ Codes of Ethics Ranged from cryptic to detailed E.g. Kathmandu Holdings Ltd’s Principle 7: “Privacy, Intellectual Property and Advantage” PI and business information treated alongside one another Link to employee fiduciary duties useful but danger of information overload Several vague on applicable privacy laws

NZ Codes of Ethics cont’d Skycity Entertainment Group Ltd –referred to Privacy Act compliance programme –Clearly differentiated privacy and confidentiality Others less impressive: –An aged care business referred to confidential information and PI being protected by Privacy Act and requests for PI by third parties –Privacy principles cover information life-cycle and give access to individuals of own PI hence reference to requests by third parties confusing –Note: one of the reasons access to PI can be denied is information supplied by third parties in confidence

Privacy/confidentiality distinction Confidentiality protects wider range of interests than privacy Can be protected in multiple ways: –Contract –Equitable action for breach of confidence PI definition: “information about an identifiable individual” wider than confidential information Aimed at mischiefs such as aggregation, accessibility of everyday information and harms such as vulnerability, spill over risks etc

Privacy/confidentiality distinction cont’d Two concepts intermingled. E.g.: –Nuplex Industries Ltd: “It is vital that we protect the privacy of Nuplex’s confidential information.” –Pumpkin Patch Ltd’s similar but then states: “Employees must not use confidential information for unauthorised purposes. They must also take reasonable care to protect confidential information against loss, theft, unauthorised access, alteration, or misuse.” –These are essentially requirements of the IPPs –Telecom Corporation of New Zealand Ltd also mixed concepts

Privacy/confidentiality distinction cont’d A simple example to demonstrate distinction in everyday application Best practice: –treat privacy and confidentiality as distinct concepts –Aspects can be duplicated but under separate headings

Overseas Companies on NZX Examples of best practice: –Annual reports linking/referencing governance documents –Elaboration of how compliance achieved: e.g. Downer EDI Ltd’s Standards of Business Conduct refers to privacy policy, information life-cycle and examples of good/bad practice –Confidentiality and privacy treated separately, e.g. Downer EDI Ltd –Pacific Brands’ refers to privacy policy on intranet and advises contact with legal team when necessary

Overseas Companies cont’d Telstra Corporation’s CSR: Telstra Clear Bigger Picture 2012: Sustainability Report 2012 –section on “Privacy protection” –Clear goal plus statement of how achieved AND how breaches dealt with –Link to privacy policy –Incidents in 2012, systemic changes as result –Voluntary notification to privacy authorities listed

Sector comparisons: Consumer Sector (NZ) c.f. Consumer Durables/Non-durables (USA)

Sector comparisons cont’d

Conclusions…. Privacy protection afforded lesser status than confidential information (except CSR) Approximately half of the NZX companies had accessible codes of ethics but only a fifth of these dealt with privacy Content often vague/confusing Australian companies on NZX generally exemplary NYSE companies also superior in privacy coverage Privacy protection as management discipline