Privacy as a Stakeholder Interest in New Zealand: Transparency in Corporate Governance Practices
Associate Professor Gehan Gunasekara, Asian Privacy Scholars Network Conference, Hong Kong, 9 July 2013
Introduction
• Privacy a public issue in NZ
  • E.g. ACC, WINZ breaches, IRD
• Business vulnerable
  • E.g. UMR poll (2012): 82% concerned at misuse of personal information (PI) by business
  • 88% thought businesses misusing PI should be “punished”
• KPMG report into ACC recommends public reporting of privacy performance
• Paper argues corporate governance enables the same for companies through stakeholder recognition
• Examines value given to privacy versus other interests, performance & best practice
Paper outline
• Methodology
• Stakeholder principle and privacy as a right or interest
• Corporate governance guidelines in NZ & Australia
• Analysis of governance documents & privacy as stakeholder interest
• Legal issue raised from content of documents
• Overseas companies’ performance
• Conclusions/recommendations on best practice
Methodology
• Review of governance documents
• The statistical occurrence of the words “privacy” and “confidential” and related terms such as the Privacy Act
• Context in which they occur
• Data set: (1) NZX and, for comparison, (2) NYSE (New York Stock Exchange)
• Time frame: November 2012 to January 2013
• Some exclusions, e.g. non-company issuers such as income funds & trusts
• 130 companies: NZ incorporated (105) + overseas incorporated (25); comparisons between subsets
Methodology cont’d
• NYSE comparative snapshot:
  • Random selection of 10 securities out of 3258
  • Further random selection of 18 from Consumer sector c.f. all 18 companies in equivalent NZ category
Privacy as stakeholder interest
• Stakeholder principle in management theory = broad principle informing governance
• Stakeholder includes any group/individual who may be affected/harmed
• Economic significance of PI
  • E.g. Facebook, Google
  • E.g. outsourcing/cloud computing
• Potential harms such as identity theft, hacking
Difficulty with management theory
• “Interests” versus legal “rights” & “remedies”
• For privacy both interests & rights relevant
  • E.g. consumer trust important
• Privacy Act 1993 (OECD model) requirements:
  • Transparency and accountability requirements
  • Complaints and remedies
  • Section 14(a): Commissioner to balance competing interests
• Principles-based approach enables bridge between legal/management theories
The Information Life Cycle
Collection → Storage/Use → Disclosure/Disposal
• Information privacy principles (IPPs) cover the entire spectrum
Management theory cont’d
• Motivation: brand image & reputation c.f. legal sanction
• Two converge with privacy: transparency is a requirement and accountability a legal consequence
• Law Commission Review (NZ):
  • Audit power to Commissioner
  • Compliance orders for systemic breaches
Corporate Governance Guidelines
• NZX Listing Rules: Corporate Governance Best Practice Code:
  • Non-prescriptive re ethics code requirements
  • No specific mention of privacy, but receipt of corporate information and conflicts of interest mentioned
  • Catch-all “compliance with applicable laws, regulations and rules”
Corporate Governance Guidelines
• ASX Corporate Governance Code:
  • More prescriptive, e.g. recommendation 3.1:
    • Measures to protect company’s integrity
    • Measures to comply legally
    • Accountability measures for reporting and investigating breaches
  • Specific mention of privacy policy as example of responsibility to individuals
  • Suggests measures followed to promote compliance with legislation & whether local or Australian standards followed
Analysis of governance documents
• Annual reports
• Codes of ethics (or codes of conduct)
• Board charters
• Corporate governance codes or guidelines
• Corporate social responsibility (CSR) reports (also sometimes labelled sustainability reports)
Analysis
• Relative importance given to privacy and confidentiality
• Overseas NZX & NYSE did better across the board
Types of governance documents
• Annual reports: shareholder constituency
• Corporate social responsibility (CSR) reports: aimed at community
• Codes of ethics/conduct: aimed at consumers, employees and community, and most useful
• 54% of NZ listed entities had publicly accessible codes
Annual reports
• Both privacy & confidentiality minority interests
• A few referred to specific policies for protecting privacy/Privacy Act compliance
• Link between ideals and achievement by employees/management
• Future privacy audits can focus on employee training
• Accountability (KPIs) for non-compliance
• Privacy policies largely omitted from all governance documents
• Kirkcaldie & Stains Ltd was a standout as it referred to the Global Reporting Initiative (GRI) and the number of complaints regarding privacy and data loss
Corporate Social Responsibility (CSR) Reports
• Only 4% of NZX had publicly accessible CSR
• C.f. 24% overseas NZX and 50% for the NYSE
• Tended to give equal prominence to privacy and confidentiality:
  • NZX 25% for both
  • NYSE 60% for both
NZ Codes of Ethics
• Ranged from cryptic to detailed
• E.g. Kathmandu Holdings Ltd’s Principle 7: “Privacy, Intellectual Property and Advantage”
  • PI and business information treated alongside one another
  • Link to employee fiduciary duties useful, but danger of information overload
• Several vague on applicable privacy laws
NZ Codes of Ethics cont’d
• Skycity Entertainment Group Ltd
  • Referred to Privacy Act compliance programme
  • Clearly differentiated privacy and confidentiality
• Others less impressive:
  • An aged care business referred to confidential information and PI being protected by the Privacy Act, and to requests for PI by third parties
  • Privacy principles cover the information life-cycle and give individuals access to their own PI, hence the reference to requests by third parties is confusing
  • Note: one of the reasons access to PI can be denied is information supplied by third parties in confidence
Privacy/confidentiality distinction
• Confidentiality protects a wider range of interests than privacy
• Can be protected in multiple ways:
  • Contract
  • Equitable action for breach of confidence
• PI definition: “information about an identifiable individual”, wider than confidential information
• Aimed at mischiefs such as aggregation, accessibility of everyday information, and harms such as vulnerability, spill-over risks etc.
Privacy/confidentiality distinction cont’d
• Two concepts intermingled. E.g.:
  • Nuplex Industries Ltd: “It is vital that we protect the privacy of Nuplex’s confidential information.”
  • Pumpkin Patch Ltd’s is similar but then states: “Employees must not use confidential information for unauthorised purposes. They must also take reasonable care to protect confidential information against loss, theft, unauthorised access, alteration, or misuse.”
  • These are essentially requirements of the IPPs
• Telecom Corporation of New Zealand Ltd also mixed the concepts
Privacy/confidentiality distinction cont’d
• A simple example to demonstrate the distinction in everyday application
• Best practice:
  • Treat privacy and confidentiality as distinct concepts
  • Aspects can be duplicated, but under separate headings
Overseas Companies on NZX
• Examples of best practice:
  • Annual reports linking/referencing governance documents
  • Elaboration of how compliance is achieved: e.g. Downer EDI Ltd’s Standards of Business Conduct refers to privacy policy, information life-cycle and examples of good/bad practice
  • Confidentiality and privacy treated separately, e.g. Downer EDI Ltd
  • Pacific Brands refers to privacy policy on intranet and advises contact with legal team when necessary
Overseas Companies cont’d
• Telstra Corporation’s CSR: Telstra Clear Bigger Picture 2012: Sustainability Report 2012
  • Section on “Privacy protection”
  • Clear goal plus statement of how achieved AND how breaches dealt with
  • Link to privacy policy
  • Incidents in 2012, systemic changes as a result
  • Voluntary notification to privacy authorities listed
Sector comparisons: Consumer Sector (NZ) c.f. Consumer Durables/Non-durables (USA)
Conclusions
• Privacy protection afforded lesser status than confidential information (except in CSR)
• Approximately half of the NZX companies had accessible codes of ethics, but only a fifth of these dealt with privacy
• Content often vague/confusing
• Australian companies on NZX generally exemplary
• NYSE companies also superior in privacy coverage
• Privacy protection as a management discipline