We’re serious about keeping members’ personal information safe and using it responsibly (see our value around being trusted and straight up), and we know actions speak louder than words.
Trade Me’s annual transparency report sets out information about requests for personal information we have received, and our response.
This is our fourth transparency report, and sets out statistics for the year from 1 July 2015 through to 30 June 2016.
We sense a growing buzz around the importance of privacy and the appropriate protection and use of personal information, so we’ve also taken the opportunity to outline some broader thoughts on Trade Me’s approach to privacy.
Transparency reporting forces us to think hard about our own privacy processes.
We believe all New Zealand companies being asked to share member and customer personal information should be explaining what they do and why via some form of transparency reporting.
What’s new this year?
Before getting into the stats, we’ve outlined a few new and interesting privacy things from the past year.
We now have a dedicated Privacy Operations Officer
We already have three Privacy Officers (who also cover legal roles), and in January we created a new role, dedicated to championing privacy.
This includes looking at ways to improve our handling of member data, and growing a company-wide culture promoting privacy best practice.
Easily download your personal information
We’re currently developing a tool to allow members to easily download their key personal information. This should be released towards the end of 2016.
The Office of the Privacy Commissioner (OPC) transparency trial
Kudos to the OPC, who actively promoted transparency reporting this year by running a three-month trial involving 10 businesses. We didn’t take part as we already do these reports, but take a read of the Commissioner’s report.
We support the continuation of the OPC’s work in this area.
Review of the Privacy Act
In May this year, Hon. Amy Adams confirmed progress on the Ministry of Justice’s review of the Privacy Act, and how it will be fit for purpose in the digital age.
We are looking forward to providing feedback on a draft Bill at the end of this year before it’s introduced to Parliament in 2017.
How and when does Trade Me disclose personal information to government agencies?
A government agency can request that we disclose member information via:
> our Privacy Act powers to disclose information
> a compulsion order (e.g. a warrant or production order).
We may disclose information if we think the exceptions in Principle 11 of the Privacy Act apply to the request, or if a release is permitted under our terms and conditions.
Usually we rely on a “law enforcement” exception in Principle 11.
To chin this bar, the requesting agency must clearly demonstrate the law under which they are operating and provide us information on the subject matter of the investigation. Trade Me then makes the call whether a release of information is appropriate and legal.
In many ways, it’s better for our members when we work under the Privacy Act as it gives us the ability to better control the amount and relevance of information released. This ensures irrelevant member data isn’t caught up in the release and the requester only gets what’s really useful. [1] Put another way, this approach allows us to use a scalpel rather than a chainsaw.
Compulsion orders, on the other hand, can be wide in scope and will often require the release of information that may not be directly relevant to the matter under investigation.
We’re legally required to comply with compulsion orders, regardless of scope. [2]
In other cases, we may release information proactively when we become aware of offending on the site, or where we believe public safety is at risk. This is also done under the Privacy Act.
Do we notify members when we release their information?
Trade Me doesn’t have a blanket policy of notifying individuals when their information is released. While the Privacy Act doesn’t require us to disclose, we want to do the right thing.
We have re-examined our existing policy, and considered whether we should change our approach.
There are different scenarios to consider. In some cases, we do notify members when their information is released. This includes when it is released to other members for Disputes Tribunal proceedings, or to insurance investigators with members’ consent.
However, when it comes to law enforcement and there is no legal obligation to notify, we consider whether the risk of compromising legitimate investigations outweighs the desire to notify.
Trade Me regularly receives requests from law enforcement which could involve investigations into stolen goods, fraud, drugs, firearms, animal welfare and child exploitation, to name a few.
In light of the obvious sensitivities and the impossibility of knowing when notification could jeopardise the outcome of an investigation, a notification policy here is impractical.
We are maintaining our existing policy of not proactively advising members that their information has been released to a government agency.
What stats are covered in this report?
This report covers requests for, or releases of, members’ personal information to government agencies between 1 July 2015 and 30 June 2016.
It also outlines the requests made to Trade Me in the reporting period by other members, and requests made by third parties where members have provided consent for their information to be released.
The following graph outlines the total number of requests we’ve received for members’ information from government agencies. The data is split into police and all other government agencies to provide more detail.
New Zealand Police enquiries
We work productively with police to keep the site trusted and safe. Police often help us ensure fraudsters (e.g. sellers that intentionally don’t deliver their items) are held to account. Beyond the keyboards and smartphones, our relationship also helps keep local communities safe.
We have a formal Letter of Agreement with NZ Police in place. [3]
Government agency enquiries
During the reporting period, we liaised with 26 government agencies, across more than 30 different pieces of legislation.
Enquiries may be a request for member information, advice that a listing be withdrawn from the site, or a request for us to pass on educational information to a member.
We work hard to ensure member information is released only when it’s legal and we are satisfied it is appropriate.
Sometimes we don’t release information, even though we may have been entitled to under the Privacy Act.
Following a request, we carefully examine whether the information is required for the purpose stated by the requesting agency.
If the scope of request is too broad, we might ‘push-back’ to ensure the information released is as sharply focussed as possible.
On the following page we compare our push-backs in the current period, against our 2015 report.
We have regular discussions with the police and government agencies to foster a continued focus on the quality of requests. This increased focus naturally results in the increased scrutiny of requests by Trade Me staff and, in the last reporting period, we have seen this result in an increased number of push-backs.
Police push-backs have increased from 1.6% to 4% in the 2016 reporting period.
Consented releases & Disputes Tribunal
Sometimes organisations contact us seeking information on a member’s behalf (with the member’s permission).
Usually these requests come from insurers investigating insurance claims.
While we can make authorised disclosures under Principle 11(d) of the Privacy Act, we insist that the member’s consent be in writing and signed.
To ensure the scope of consent is always clear, we introduced our own privacy waiver template this year.
This is now mandatory for all insurance investigators to complete before requesting information on behalf of a member.
We routinely notify members when their data is released as part of this process. Since we’ve introduced the waiver, requests for member information from the insurance industry have reduced significantly.
Members occasionally choose to resolve trade disputes through the Disputes Tribunal.
Under the Privacy Act, we release information relating to a trade if a member can prove that tribunal (or court) proceedings are reasonably contemplated and the information is necessary for those proceedings.
Members must complete and provide us with a statutory declaration witnessed by a Court Registrar before we release any information.
This year we increased our engagement with members to help resolve disputes. Because of this, and other marketplace trends, we’ve seen a 26% reduction in information releases for the Disputes Tribunal.
Members requesting their own information
As Kiwis become more privacy-aware, we’ve noticed an increase in members asking for a record of the information we hold about them.
We expect this trend to continue, and we’re building tools to help members access their personal information more efficiently. The graph to the right shows the level of requests by Trade Me members for their personal information under the Privacy Act 1993.
We noticed a high level of information requests received during OPC’s promotion of Privacy Awareness Week in early May, which focussed heavily on an individual’s right to access personal information from agencies.
We put any new products and services through a rigorous process to ensure we’re always looking out for our members’ interests, while still allowing us to be innovative and deliver awesome online experiences.
Here are the changes we’ve made during the reporting period:
We updated our policy on 7 July 2015 to let members know we were using a new remarketing provider, called DoubleClick.
We updated our policy on 15 September 2015, emailed all members and notified them via a Trade Me homepage banner, that rather than showing the same advertising to all members, we were going to start using their personal information to show members customised advertising that should be more relevant to them.
If members didn't want us using their information for this purpose, they could opt out.
New services for members
We updated our policy on 2 November 2015 to tell members about some new services we were offering.
We began working with a shipping aggregator to offer members the ability to book a courier on Trade Me.
We also started using an email marketing tool to deliver more efficient, relevant and timely emails.
Protecting consumers, and more customised advertising
Most recently, we updated our policy on 31 May 2016 to let members know our Trust & Safety team could now access vehicle ownership information on the Motor Vehicle Register for fraud prevention purposes.
We also let members know we’d be taking more action to investigate suspicious credit card transactions, such as sharing information about those transactions with the card holder and their bank.
Finally, we updated members on our work in the customised advertising space, including now working with Google.
Frequently asked questions
What is meant by ‘enquiry’?
Enquiries cover a range of activity, such as:
> an information request where an agency has sought information about a membership (e.g. contact information or sales data)
> information that a listing may be in breach of the law (or our terms and conditions)
> highlighting an issue with a member which is then taken care of by us
> a request to pass on a message directly to members.
Does Trade Me need members’ permission to release information?
How safe is member data?
Very safe! We follow industry best practice methods to keep data safe. However, we are paranoid and are constantly working on ways to make it safer.
How often will this report be released?
We aim to publish this data annually.
How do I access my own data?
Our dedicated help page provides members with a list of the type of information we might hold about them, and who they need to contact in order to access this information. Once our personal information download tool is up and running, members will be able to access some of this information automatically.
Until the tool is released, members can email us at email@example.com and one of our Privacy Officers will respond.
1. As an example, if MBIE was investigating a car seller to determine if they should be registered under the Motor Vehicle Sales Act, a Privacy Act release would allow us to only release sales data that covered motor vehicle sales, not the seller’s full sales history which could be legally required under a compulsion order.
2. Note that we would work with an agency to tighten the focus of a wide-ranging compulsion order. We have done this in the past, including with Inland Revenue in 2014.
3. The Letter of Agreement between Trade Me and New Zealand Police is set to be renewed in August 2016.