The Citizen and the Automated State: Exploring the Implications of Algorithmic Decision-making in the New Zealand Public Sector

<p>Algorithms increasingly influence how the state treats its citizens. This thesis examines how the New Zealand public sector’s use of algorithms in decision-making brings benefits, but also invites risks of discrimination, bias, intrusion into privacy and unfair decision-making. This thesis’s central conclusion is that these risks require a new response. New Zealand currently has a patchwork of existing protections which provide some deterrent against poor algorithmic decision-making. The Privacy Act 1993, Official Information Act 1982, New Zealand Bill of Rights Act 1990, Human Rights Act 1993 and applicable administrative law principles can provide remedies and correct agencies’ poor behaviour in certain cases. But important gaps remain. This thesis examines these protections to show that they do not adequately stem cumulative and systemic harms, and suffer from important practical drawbacks. They do not provide the sound preventative framework that is needed; that is, one which ensures good public sector practice. This thesis proposes a new regulatory model for public sector use of algorithms. It argues that a key element of any effective regulatory response is the use of “algorithmic impact assessments”. These assessments would mitigate potential risks, and legitimise proportionate public sector use, of algorithms. It is also proposed that an independent regulator complements these assessments by issuing guidance, undertaking algorithm audits, and ensuring political accountability through annual reporting to Parliament. Agencies would have new obligations to disclose how and when algorithms are used in decision-making. Meanwhile, citizens would gain an enhanced right to reasons for algorithmic decisions affecting them and a right to human review. Together these measures would establish a model which would safeguard responsible and effective use of algorithms in New Zealand’s public sector.</p>

The Citizen and the Automated State: Exploring the Implications of Algorithmic Decision-making in the New Zealand Public Sector

<p>Algorithms increasingly influence how the state treats its citizens. This thesis examines how the New Zealand public sector’s use of algorithms in decision-making brings benefits, but also invites risks of discrimination, bias, intrusion into privacy and unfair decision-making. This thesis’s central conclusion is that these risks require a new response. New Zealand currently has a patchwork of existing protections which provide some deterrent against poor algorithmic decision-making. The Privacy Act 1993, Official Information Act 1982, New Zealand Bill of Rights Act 1990, Human Rights Act 1993 and applicable administrative law principles can provide remedies and correct agencies’ poor behaviour in certain cases. But important gaps remain. This thesis examines these protections to show that they do not adequately stem cumulative and systemic harms, and suffer from important practical drawbacks. They do not provide the sound preventative framework that is needed; that is, one which ensures good public sector practice. This thesis proposes a new regulatory model for public sector use of algorithms. It argues that a key element of any effective regulatory response is the use of “algorithmic impact assessments”. These assessments would mitigate potential risks, and legitimise proportionate public sector use, of algorithms. It is also proposed that an independent regulator complements these assessments by issuing guidance, undertaking algorithm audits, and ensuring political accountability through annual reporting to Parliament. Agencies would have new obligations to disclose how and when algorithms are used in decision-making. Meanwhile, citizens would gain an enhanced right to reasons for algorithmic decisions affecting them and a right to human review. Together these measures would establish a model which would safeguard responsible and effective use of algorithms in New Zealand’s public sector.</p>

Setting the Bar Low: Are Websites Complying With the Minimum Requirements of the CCPA?

On June 28, 2018, the California State Legislature passed the California Consumer Privacy Act (CCPA), arguably the most comprehensive piece of online privacy legislation in the United States. Online services covered by the CCPA are required to provide a hyperlink on their homepage with the text “Do Not Sell My Personal Information” (DNSMPI). The CCPA went into effect on January 1, 2020, a date that was chosen to give data collectors time to study the new law and bring themselves into compliance. In this study, we begin the process of investigating whether websites are complying with the CCPA by focusing on DNSMPI links. Using longitudinal data crawled from the top 1M websites in the Tranco ranking, we examine which websites are including DNSMPI links, whether the websites without DNSMPI links are out of compliance with the law, whether websites are using geofences to dynamically hide DNSMPI links from non-Californians, how DNSMPI adoption has changed over time, and how websites are choosing to present DNSMPI links (e.g., in terms of font size, color, and placement). We argue that the answers to these questions are critical for spurring enforcement actions under the law, and helping to shape future privacy laws and regulations, e.g., rule making that will soon commence around the successor to the CCPA, known as the CPRA.

Protection of privacy in Malaysia: A law for the future

<p>In Malaysia, the rights and liberties of the individual are recognised in the Federal Constitution of Malaysia. However, the right to privacy does not have the express constitutional recognition enjoyed by other rights such as the right to life and liberty and freedom of expression. This thesis identifies gaps in the protection of privacy interests in the current legal framework. There is no self-standing law on privacy in Malaysia, though there are several laws which provide limited rights to privacy such as the laws on data protection and criminal law. The existing laws are inadequate to protect private information and to protect against the intrusion of privacy. The importation of foreign principles through the reception of English Common Law offers only limited protection. Malaysia should, therefore, have a specific law to protect privacy. With a view to attaining that goal for Malaysia, this thesis undertakes a comparative analysis of two different experiences of the development of the law of privacy. They are the privacy law in England, which is largely based on the law of breach of confidence, and the privacy law in New Zealand, which has a distinct privacy tort recognised in its case law. The conclusion is that those countries’ experience can inform developments in Malaysia, and that the best way for Malaysia to develop its law now is by the enactment of a specific Privacy Act.</p>

Protection of privacy in Malaysia: A law for the future

<p>In Malaysia, the rights and liberties of the individual are recognised in the Federal Constitution of Malaysia. However, the right to privacy does not have the express constitutional recognition enjoyed by other rights such as the right to life and liberty and freedom of expression. This thesis identifies gaps in the protection of privacy interests in the current legal framework. There is no self-standing law on privacy in Malaysia, though there are several laws which provide limited rights to privacy such as the laws on data protection and criminal law. The existing laws are inadequate to protect private information and to protect against the intrusion of privacy. The importation of foreign principles through the reception of English Common Law offers only limited protection. Malaysia should, therefore, have a specific law to protect privacy. With a view to attaining that goal for Malaysia, this thesis undertakes a comparative analysis of two different experiences of the development of the law of privacy. They are the privacy law in England, which is largely based on the law of breach of confidence, and the privacy law in New Zealand, which has a distinct privacy tort recognised in its case law. The conclusion is that those countries’ experience can inform developments in Malaysia, and that the best way for Malaysia to develop its law now is by the enactment of a specific Privacy Act.</p>

Dude, Where’s My Data? The Effectiveness of Laws Governing Data Breaches in Australia

The increasing prevalence of large-scale data breaches prompted Australia to strengthen the Privacy Act by enacting the Privacy Amendment (Notifiable Data Breaches) Act to regulate the behaviour of entities entrusted with personal data. However, this paper argues that these legislative instruments are ineffective when dealing with data breaches and their associated problems. In supporting this conclusion, this paper first develops a criterion for effective data breach law, and then evaluates the Australian framework against this criterion to determine its operational effectiveness. In addition, this paper analyses practical developments in the area of data-breach law to garner insights as to how the Australian framework can be made more effective. Ultimately, this paper concludes that the Australian framework is ineffective when dealing with large-scale data breaches, and recommends future legislative amendment as a means of bolstering its effectiveness.

Privacy Laws and Privacy by Design Schemes for the Internet of Things

Internet of Things applications have the potential to derive sensitive information about individuals. Therefore, developers must exercise due diligence to make sure that data are managed according to the privacy regulations and data protection laws. However, doing so can be a difficult and challenging task. Recent research has revealed that developers typically face difficulties when complying with regulations. One key reason is that, at times, regulations are vague and could be challenging to extract and enact such legal requirements. In this article, we have conducted a systematic analysis of the privacy and data protection laws that are used across different continents, namely (i) General Data Protection Regulations, (ii) the Personal Information Protection and Electronic Documents Act, (iii) the California Consumer Privacy Act, (iv) Australian Privacy Principles, and (v) New Zealand’s Privacy Act 1993. Then, we used framework analysis method to attain a comprehensive view of different privacy and data protection laws and highlighted the disparities to assist developers in adhering to the regulations across different regions, along with creating a Combined Privacy Law Framework (CPLF). After that, the key principles and individuals’ rights of the CPLF were mapped with Privacy by Design (PbD) schemes (e.g., privacy principles, strategies, guidelines, and patterns) developed previously by different researchers to investigate the gaps in existing schemes. Subsequently, we have demonstrated how to apply and map privacy patterns into IoT architectures at the design stage and have also highlighted the complexity of doing such mapping. Finally, we have identified the major challenges that should be addressed and potential research directions to take the burden off software developers when applying privacy-preserving techniques that comply with privacy and data protection laws. We have released a companion technical report [3] that comprises all definitions, detailed steps on how we developed the CPLF, and detailed mappings between CPLF and PbD schemes.

Counseling Preparation

All counselors have to start somewhere, so Chapter 3 opens by describing the broader ethical and legal considerations an effective school-based practitioner must understand before initiating cognitive behavioral therapy (CBT). Special attention is paid to the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act (HIPAA), in addition to the careful attention practitioners must pay to these laws when serving students with medical needs. Chapter 3 highlights important ethical principles that school psychologists often abide by, including confidentiality and mandated reporting. Next, Chapter 3 introduces basic counseling skills that all practitioners can benefit from. These micro skills, like how to build a strong therapeutic alliance and how to listen, observe, and ask questions, are essential to maximizing CBT’s effectiveness.