Privacy as a Stakeholder
Interest in New Zealand:
Transparency in Corporate
Governance Practices
Associate Professor
Gehan Gunasekara
Asian Privacy Scholars
Network Conference
Hong Kong
9 July 2013
Introduction
• Privacy public issue in NZ
– E.g. ACC, WINZ breaches, IRD
• Business vulnerable
– E.g. UMR poll (2012) 82% concerned at misuse of
personal information (PI) by business
– 88% thought businesses misusing PI should be
“punished”
• KPMG report into ACC recommends public
reporting of privacy performance
• Paper argues corporate governance enables same
for companies through stakeholder recognition
• Examines value given to privacy versus other
interests, performance & best practice
Paper outline
• Methodology
• Stakeholder principle and privacy as a right or
interest
• Corporate governance guidelines in NZ &
Australia
• Analysis of governance documents & privacy
as stakeholder interest
• Legal issue raised from content of documents
• Overseas companies performance
• Conclusions/recommendations on best practice
Methodology
• Review of governance documents
– Statistical occurrence of the words “privacy” and
“confidential” and related terms such as the Privacy Act
– Context in which they occur
• Data Set: (1) NZX and, for comparison (2) NYSE
(New York Stock Exchange)
• Time frame: November 2012- January 2013
• Some exclusions, e.g. non-company issuers
such as income funds & trusts
• 130 companies – NZ incorporated (105) +
overseas incorporated (25). Comparisons
between subsets
Methodology cont’d
• NYSE comparative snapshot:
– Random selection of 10 securities out of 3258
– Further random selection of 18 from Consumer sector c.f.
all 18 companies in equivalent NZ category
Privacy as stakeholder interest
• Stakeholder principle in management theory =
broad principle informing governance
• Stakeholder includes any group/individual who
may be affected/harmed
• Economic significance of PI
• E.g. Facebook, Google
• E.g. outsourcing/cloud computing
• Potential harms such as identity theft, hacking
Difficulty with management theory
• “Interests” versus legal “rights” & “remedies”
• For privacy both interests & rights relevant
• E.g. consumer trust important
• Privacy Act 1993 (OECD model) requirements
– Transparency and accountability requirements
– Complaints and remedies
• Section 14(a) Commissioner to balance
competing interests
• Principles-based approach enables bridge
between legal/management theories
The Information Life Cycle
Collection → Storage/Use → Disclosure/Disposal
Information privacy principles (IPPs) cover the entire
spectrum
Management theory cont’d
• Motivation: brand image & reputation c.f. legal
sanction
• Two converge with privacy: transparency is a
requirement and accountability as legal
consequence
• Law Commission Review (NZ):
– Audit power to Commissioner
– Compliance orders for systemic breaches
Corporate Governance Guidelines
• NZX Listing Rules: Corporate Governance Best Practice Code:
– Non-prescriptive re ethics code requirements
– No specific mention of privacy, but receipt of corporate
information and conflicts of interest mentioned
– Catch-all “compliance with applicable laws, regulations
and rules”
Corporate Governance Guidelines
• ASX Corporate Governance Code:
• More prescriptive e.g. recommendation 3.1:
– Measure to protect company’s integrity
– Measures to comply legally
– Accountability measure for reporting and
investigating breaches
– Specific mention of privacy policy as example of
responsibility to individual
• Suggests measures followed to promote
compliance with legislation & whether local or
Australian standards followed
Analysis of governance documents
• Annual reports
• Codes of ethics (or codes of conduct)
• Board charters
• Corporate governance codes or guidelines
• Corporate social responsibility reports (CSR)
(also sometimes labelled sustainability reports)
Privacy as stakeholder interest: (all categories)

Group                   Total number   Companies recognising     Companies recognising
                        of companies   “Privacy” interests       “Confidentiality” interests
                                       Number       %            Number       %
Overall                 140            30           21           87           62
NZX NZ Companies        105            16           15           63           60
NZX Overseas Companies  25             6            24           14           56
NYSE Companies          10             8            80           10           100
Analysis
• Relative importance given to privacy and
confidentiality
• Overseas NZX & NYSE did better across board
Types of governance documents
• Annual reports: shareholder constituency
• Corporate social responsibility reports (CSR):
aimed at community
• Codes of ethics/conduct: aimed at consumers,
employees and community and most useful
– 54% of NZ listed entities had publicly accessible
codes
Codes of ethics and privacy
[Chart: Percentage of companies with Codes of Ethics that mention
privacy or confidentiality. Series: percentage mentioned / percentage
not mentioned. Categories: New Zealand NZX Companies - Privacy;
Overseas-Incorporated Companies - Privacy; New Zealand NZX Companies -
Confidentiality; Overseas-Incorporated Companies - Confidentiality.
Values as extracted: mentioned 16, 9, 45, 81; not mentioned 84, 91,
55, 19.]
Annual reports
• Both privacy & confidentiality minority interests
• A few referred to specific policies for protecting
privacy/Privacy Act compliance
– Link between ideals and achievement by
employees/management
– Future privacy audits can focus on employee training
– Accountability (KPIs) for non-compliance
• Privacy policies largely omitted from all
governance documents
• Kirkcaldie & Stains Ltd was the standout: it referred
to the Global Reporting Initiative (GRI) and reported the
number of complaints regarding privacy and data loss
Corporate Social Responsibility
Reports (CSR)
• Only 4% of NZX had publicly accessible CSR
• C.f. 24% overseas NZX and 50% for the NYSE
• Tended to give equal prominence to privacy
and confidentiality:
– NZX 25% for both
– NYSE 60% for both
NZ Codes of Ethics
• Ranged from cryptic to detailed
• E.g. Kathmandu Holdings Ltd’s Principle 7:
“Privacy, Intellectual Property and Advantage”
• PI and business information treated alongside
one another
• Link to employee fiduciary duties useful but
danger of information overload
• Several vague on applicable privacy laws
NZ Codes of Ethics cont’d
• Skycity Entertainment Group Ltd
– referred to Privacy Act compliance programme
– Clearly differentiated privacy and confidentiality
• Others less impressive:
– An aged care business referred to confidential
information and PI being protected by the Privacy Act and
to requests for PI by third parties
– Privacy principles cover the information life-cycle and
give individuals access to their own PI, hence the reference
to requests by third parties is confusing
– Note: one of the grounds on which access to PI can be
refused is that the information was supplied by a third
party in confidence
Privacy/confidentiality distinction
• Confidentiality protects wider range of
interests than privacy
• Can be protected in multiple ways:
– Contract
– Equitable action for breach of confidence
• PI definition: "information about an
identifiable individual” wider than confidential
information
• Aimed at mischiefs such as aggregation,
accessibility of everyday information and
harms such as vulnerability, spill over risks etc
Privacy/confidentiality distinction
cont’d
• Two concepts intermingled. E.g.:
– Nuplex Industries Ltd: “It is vital that we protect the
privacy of Nuplex’s confidential information.”
– Pumpkin Patch Ltd’s similar but then
states:“Employees must not use confidential
information for unauthorised purposes. They must
also take reasonable care to protect confidential
information against loss, theft, unauthorised access,
alteration, or misuse.”
– These are essentially requirements of the IPPs
– Telecom Corporation of New Zealand Ltd also mixed
concepts
Privacy/confidentiality distinction
cont’d
• A simple example to demonstrate distinction
in everyday application
• Best practice:
– treat privacy and confidentiality as distinct concepts
– Aspects can be duplicated but under separate
headings
Overseas Companies on NZX
• Examples of best practice:
– Annual reports linking/referencing governance
documents
– Elaboration of how compliance achieved: e.g. Downer
EDI Ltd’s Standards of Business Conduct refers to
privacy policy, information life-cycle and examples of
good/bad practice
– Confidentiality and privacy treated separately, e.g.
Downer EDI Ltd
– Pacific Brands refers to its privacy policy on the intranet
and advises contacting the legal team when necessary
Overseas Companies cont’d
• Telstra Corporation’s CSR: Telstra Clear Bigger
Picture 2012: Sustainability Report 2012
– section on “Privacy protection”
– Clear goal plus statement of how achieved AND how
breaches dealt with
– Link to privacy policy
– Incidents in 2012, systemic changes as result
– Voluntary notification to privacy authorities listed
Sector comparisons: Consumer
Sector (NZ) c.f. Consumer
Durables/Non-durables (USA)
[Chart: Total number of companies that mention privacy in
publicly available documents. Series: NZX NZ Companies / NYSE
Companies. Categories: Annual Reports; Board Charter; Code of
Ethics; Corp Gov Code; CSR. Values as extracted: 8, 4, 3, 3, 2,
0, 0, 0, 0, 0.]
Sector comparisons cont’d
[Chart: Total number of companies that mention confidentiality
in publicly available documents. Series: NZX NZ Companies / NYSE
Companies. Categories: Annual Reports; Board Charter; Code of
Ethics; Corp Gov Code; CSR. Values as extracted: 17, 7, 6, 5, 4,
4, 2, 1, 2, 0.]
Conclusions
• Privacy protection afforded lesser status than
confidential information (except in CSR reports)
• Approximately half of the NZX companies had
accessible codes of ethics but only a fifth of these
dealt with privacy
• Content often vague/confusing
• Australian companies on NZX generally
exemplary
• NYSE companies also superior in privacy
coverage
• Privacy protection as management discipline