1 / 28

Privacy as a Stakeholder Interest in New Zealand: Transparency in Corporate Governance Practices

Privacy as a Stakeholder Interest in New Zealand: Transparency in Corporate Governance Practices. Associate Professor Gehan Gunasekara Asian Privacy Scholars Network Conference Hong Kong 9 July2013. Introduction . Privacy public issue in NZ E.g. ACC, WINZ breaches, IRD

chogan
Download Presentation

Privacy as a Stakeholder Interest in New Zealand: Transparency in Corporate Governance Practices

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Privacy as a Stakeholder Interest in New Zealand: Transparency in Corporate Governance Practices Associate Professor Gehan Gunasekara Asian Privacy Scholars Network Conference Hong Kong 9 July2013

  2. Introduction • Privacy public issue in NZ • E.g. ACC, WINZ breaches, IRD • Business vulnerable • E.g. UMR poll (2012) 82% concerned at misuse of personal information (PI) by business • 88% thought businesses misusing PI should be “punished” • KPMG report into ACC recommends public reporting of privacy performance • Paper argues corporate governance enables same for companies through stakeholder recognition • Examines value given to privacy versus other interests, performance & best practice

  3. Paper outline • Methodology • Stakeholder principle and privacy as a right or interest • Corporate governance guidelines in NZ & Australia • Analysis of governance documents & privacy as stakeholder interest • Legal issue raised from content of documents • Overseas companies performance • Conclusions/recommendations on best practice

  4. Methodology • review of governance documents • the statistical occurrence of the words “privacy” and “confidential” and related terms such as the Privacy Act • Context in which occur • Data Set: (1) NZX and, for comparison (2) NYSE (New York Stock Exchange) • Time frame: November 2012- January 2013 • Some exclusions, e.g. non-company issuers such as income funds & trusts • 130 companies – NZ incorporated (105) + overseas incorporated (25). Comparisons between subsets

  5. Methodology cont’d • NYSE comparative snapshot: • Random selection of 10 securities out of 3258 • Further random selection of 18 from Consumer sector c.f. all 18 companies in equivalent NZ category

  6. Privacy as stakeholder interest • Stakeholder principle in management theory = broad principle informing governance • Stakeholder includes any group/individual who may be affected/harmed • Economic significance of PI • E.g. Facebook, Google • E.g. outsourcing/cloud computing • Potential harms such as identity theft, hacking

  7. Difficulty with management theory • “interests” versus legal “rights” & “remedies” • For privacy both interests & rights relevant • E.g. consumer trust important • Privacy Act 1993 (OECD model) requirements • Transparency and accountability requirements • Complaints and remedies • Section 14(a) Commissioner to balance competing interests • Principles-based approach enables bridge between legal/management theories

  8. The Information Life Cycle Collection Storage/ Disclosure/ Use Disposal Information privacy principles (IPPs) cover entire spectrum

  9. Management theory cont’d • Motivation: brand image & reputation c.f. legal sanction • Two converge with privacy: transparency is a requirement and accountability as legal consequence • Law Commission Review (NZ): • Audit power to Commissioner • Compliance orders for systemic breaches

  10. Corporate Governance Guidelines • NZX Listing Rules: Corporate Governance Best Practice Code: • Non-prescriptive re ethics code requirements • No specific mention of privacy but receipt of corporate information and conflicts of interest mentioned • Catch-all “compliance with applicable laws, regulations and rules”

  11. Corporate Governance Guidelines • ASX Corporate Governance Code: • More prescriptive e.g. recommendation 3.1: • Measure to protect company’s integrity • Measures to comply legally • Accountability measure for reporting and investigating breaches • Specific mention of privacy policy as example of responsibility to individual • Suggests measures followed to promote compliance with legislation & whether local or Australian standards followed

  12. Analysis of governance documents • Annual reports • Codes of ethics (or codes of conduct) • Board charters • Corporate governance codes or guidelines • Corporate social responsibility reports (CSR) (also sometimes labelled sustainability reports)

  13. Privacy as stakeholder interest: (all categories)

  14. Analysis • Relative importance given to privacy and confidentiality • Overseas NZX & NYSE did better across board

  15. Types of governance documents • Annual reports: shareholder constituency • Corporate social responsibility reports (CSR): aimed at community • Codes of ethics/conduct: aimed at consumers, employees and community and most useful • 54% of NZ listed entities had publicly accessible codes

  16. Codes of ethics and privacy

  17. Annual reports • Both privacy & confidentiality minority interests • A few referred to specific policies for protecting privacy/Privacy Act compliance • Link between ideals and achievement by employees/management • Future privacy audits can focus on employee training • Accountability (KPIs) for non-compliance • Privacy policies largely omitted from all governance documents • Kircaldie & Stains Ltd was standout as referred to Global Reporting Initiative (GRI) and number of complaints regarding privacy and data loss

  18. Corporate Social Responsibility Reports (CSR) • Only 4% of NZX had publicly accessible CSR • C.f. 24% overseas NZX and 50% for the NYSE • Tended to give equal prominence to privacy and confidentiality: • NZX 25% for both • NYSE  60% for both

  19. NZ Codes of Ethics • Ranged from cryptic to detailed • E.g. Kathmandu Holdings Ltd’s Principle 7: “Privacy, Intellectual Property and Advantage” • PI and business information treated alongside one another • Link to employee fiduciary duties useful but danger of information overload • Several vague on applicable privacy laws

  20. NZ Codes of Ethics cont’d • Skycity Entertainment Group Ltd • referred to Privacy Act compliance programme • Clearly differentiated privacy and confidentiality • Others less impressive: • An aged care business referred to confidential information and PI being protected by Privacy Act and requests for PI by third parties • Privacy principles cover information life-cycle and give access to individuals of own PI hence reference to requests by third parties confusing • Note: one of the reasons access to PI can be denied is information supplied by third parties in confidence

  21. Privacy/confidentiality distinction • Confidentiality protects wider range of interests than privacy • Can be protected in multiple ways: • Contract • Equitable action for breach of confidence • PI definition: "information about an identifiable individual” wider than confidential information • Aimed at mischiefs such as aggregation, accessibility of everyday information and harms such as vulnerability, spill over risks etc

  22. Privacy/confidentiality distinction cont’d • Two concepts intermingled. E.g.: • Nuplex Industries Ltd: “It is vital that we protect the privacy of Nuplex’s confidential information.” • Pumpkin Patch Ltd’s similar but then states:“Employees must not use confidential information for unauthorised purposes. They must also take reasonable care to protect confidential information against loss, theft, unauthorised access, alteration, or misuse.” • These are essentially requirements of the IPPs • Telecom Corporation of New Zealand Ltd also mixed concepts

  23. Privacy/confidentiality distinction cont’d • A simple example to demonstrate distinction in everyday application • Best practice: • treat privacy and confidentiality as distinct concepts • Aspects can be duplicated but under separate headings

  24. Overseas Companies on NZX • Examples of best practice: • Annual reports linking/referencing governance documents • Elaboration of how compliance achieved: e.g. Downer EDI Ltd’s Standards of Business Conduct refers to privacy policy, information life-cycle and examples of good/bad practice • Confidentiality and privacy treated separately, e.g. Downer EDI Ltd • Pacific Brand’s refers to privacy policy on intranet and advises contact with legal team when necessary

  25. Overseas Companies cont’d • Telstra Corporation’s CSR: Telstra Clear Bigger Picture 2012: Sustainability Report 2012 • section on “Privacy protection” • Clear goal plus statement of how achieved AND how breaches dealt with • Link to privacy policy • Incidents in 2012, systemic changes as result • Voluntary notification to privacy authorities listed

  26. Sector comparisons: Consumer Sector (NZ) c.f. Consumer Durables/Non-durables (USA)

  27. Sector comparisons cont’d

  28. Conclusions…. • Privacy protection afforded lesser status to confidential information (except CSR) • Approximately half of the NZX companies had accessible codes of ethics but only a fifth of these dealt with privacy • Content often vague/confusing • Australian companies on NZX generally exemplary • NYSE companies also superior in privacy coverage • Privacy protection as management discipline

More Related