The privacy statements on many New Zealand websites fail to adequately inform users about how personal information is collected, stored and used, says the Office of the Privacy Commissioner.
The commissioner surveyed a sample of New Zealand websites for its contribution to an annual survey carried out by the Global Privacy Enforcement Network (GPEN), which for its 2017 edition focused on website privacy notices.
The Office of the Privacy Commissioner surveyed eight New Zealand websites. It said six of the eight websites failed to explain how personal information was stored; four websites failed to adequately explain whether they shared data with third parties; and three of the websites failed to provide users with a clear means for deleting personal information collected by the website.
“One clear observation which emerged from the survey of New Zealand website privacy notices was there seemed to be a general trend in retail sector websites of not advising consumers about how their information would be stored,” the Office of the Privacy Commissioner said.
“There were also a significant number of observations of residual discretion by the website owners to share information with third parties.”
Privacy Commissioner John Edwards said online retailers and other organisations that interact with the public through their websites had no excuse for not having a clear privacy statement explaining what happens with personal information.
To help websites create adequate notices, the Office of the Privacy Commissioner’s website has a free online tool, the Priv-o-matic privacy statement generator.
For the 2017 GPEN report, 24 data protection and privacy regulators from around the world examined the privacy notices, communications and practices of 455 websites and apps in sectors including retail, finance and banking, travel, social media, gaming/gambling, education and health.
Overall, GPEN concluded that:
- Privacy communications across the various sectors tended to be vague, lacked specific detail and often contained generic clauses
- The majority of organisations failed to inform the user what would happen to their information once it had been provided
- Organisations generally failed to specify with whom data would be shared
- Many organisations failed to refer to the security of the data collected and held - it was often unclear in which country data was stored or whether any safeguards were in place
- Just over half the organisations examined made reference to how users could access the personal data held about them.