Trust & Safety Blog

Trade Me 2016 Transparency Report

Click here to download the Transparency Report as a PDF.

Introduction

We’re serious about keeping members’ personal information safe and using it responsibly (see our value around being trusted and straight up), and we know actions speak louder than words. 

Kevin -nest -trademeTrade Me’s annual transparency report sets out information about requests for personal information we have received, and our response.

This is our fourth transparency report, and sets out statistics for the year from 1 July 2015 through to 30 June 2016.

We sense a growing buzz around the importance of privacy and the appropriate protection and use of personal information, so we’ve also taken the opportunity to outline some broader thoughts on Trade Me’s approach to privacy.

Transparency reporting forces us to think hard about our own privacy processes.

We believe all New Zealand companies being asked to share member and customer personal information should be explaining what they do and why via some form of transparency reporting

What’s new this year?

Before getting into the stats, we’ve outlined a few new and interesting privacy things from the past year.

We now have a dedicated Privacy Operations Officer

We already have three Privacy Officers (who also cover legal roles), and in January we created a new role, dedicated to championing privacy.

This includes looking at ways to improve our handling of member data, and growing a company-wide culture promoting privacy best practice.

Easily download your personal information

We’re currently developing a tool to allow members to easily download their key personal information. This should be released towards the end of 2016.

The Office of the Privacy Commissioner (OPC) transparency trial

Kudos to the OPC, who actively promoted transparency reporting this year by running a three-month trial involving 10 businesses. We didn’t take part as we already do these reports, but take a read of the Commissioner’s report.

We support the continuation of the OPC’s work in this area.

Review of the Privacy Act

In May this year, Hon. Amy Adams confirmed progress on the Ministry of Justice’s review of the Privacy Act, and how it will be fit for purpose in the digital age.

We are looking forward to providing feedback on a draft Bill at the end of this year before it’s introduced to Parliament in 2017.

How and when does Trade Me disclose personal information to government agencies?

 A government agency can request that we disclose member information via:

> our Privacy Act powers to disclose information

> a compulsion order (e.g. a warrant or production order).

We may disclose information if we think the exceptions in Principle 11 of the Privacy Act apply to the request, or if a release is permitted under our terms and conditions.

Usually we rely on a “law enforcement” exception in Principle 11.

To chin this bar, the requesting agency must clearly demonstrate the law under which they are operating and provide us information on the subject matter of the investigation. Trade Me then makes the call whether a release of information is appropriate and legal.

In many ways, it’s better for our members when we work under the Privacy Act as it gives us the ability to better control the amount and relevance of information released. T

his ensures irrelevant member data isn’t caught up in the release and the requester only gets what’s really useful.1 Put another way, this approach allows us to use a scalpel rather than a chainsaw.

Compulsion orders, on the other hand, can be wide in scope and will often require the release of information that may not be directly relevant to the matter under investigation.

We’re legally required to comply with compulsion orders, regardless of scope. 2

In other cases, we may release information proactively when we become aware of offending on the site, or where we believe public safety is at risk. This is also done under the Privacy Act.

By agreeing to our terms and conditions, our members consent to us releasing data where it is legal and appropriate to do so. Our privacy policy provides more detail and is worth a read.

We notified our members of a few privacy policy changes during the past 12 months – these are set out at the end of this report.

Do we notify members when we release their information?

Trade Me doesn’t have a blanket policy of notifying individuals when their information is released. While the Privacy Act doesn’t require us to disclose, we want to do the right thing.

We have re-examined our existing policy, and considered whether we should change our approach.

There are different scenarios to consider. In some cases, we do notify members when their information is released. This includes when it is released to other members for Disputes Tribunal proceedings, or to insurance investigators with members’ consent.

However, when it comes to law enforcement and there is no legal obligation to notify, we consider whether the risk of compromising legitimate investigations outweighs the desire to notify.

Trade Me regularly receives requests from law enforcement which could involve investigations into stolen goods, fraud, drugs, firearms, animal welfare and child exploitation, to name a few.

In light of the obvious sensitivities and the impossibility of knowing when notification could jeopardise the outcome of an investigation, a notification policy here is impractical.

We are maintaining our existing policy of not proactively advising members that their information has been released to a government agency

What stats are covered in this report?

This report covers requests for, or releases of, members’ personal information to government agencies between 1 July 2015 and 30 June 2016.

It also outlines the requests made to Trade Me in the reporting period by other members, and requests made by third parties where members have provided consent for their information to be released.

The following graph outlines the total number of requests we’ve received for members’ information from government agencies. The data is split into police and all other government agencies to provide more detail.

Government Requests Year On Year

New Zealand Police enquiries

We work productively with police to keep the site trusted and safe. Police often help us ensure fraudsters (e.g. sellers that intentionally don’t deliver their items) are held to account. Beyond the keyboards and smartphones, our relationship also helps keep local communities safe.

We have a formal Letter of Agreement with NZ Police in place. 3

Police Enquiry By Type Break Down Trade Me

Police Request By Geographic Region

Government agency enquiries

During the reporting period, we liaised with 26 government agencies, across more than 30 different pieces of legislation.

Enquiries may be a request for member information, advice that a listing be withdrawn from the site, or a request for us to pass on educational information to a member.

Transparency Report Trade Me Govt Request

Full List - Government Requests Transparency Report Trade Me

Push-backs

We work hard to ensure member information is released only when it’s legal and we are satisfied it is appropriate.

Sometimes we don’t release information, even though we may have been entitled to under the Privacy Act.

Following a request, we carefully examine whether the information is required for the purpose stated by the requesting agency.

If the scope of request is too broad, we might ‘push-back’ to ensure the information released is as sharply focussed as possible.

On the following page we compare our push-backs in the current period, against our 2015 report.

We have regular discussions with the police and government agencies to foster a continued focus on the quality of requests. This increased focus naturally results in the increased scrutiny of requests by Trade Me staff and, in the last reporting period, we have seen this result in an increased number of push-backs.

Police push-backs have increased from 1.6% to 4% in the 2016 reporting period.

Pushbacks - Trade Me Transparency Report

Consented releases & Disputes Tribunal

Consented releases

Sometimes organisations contact us seeking information on a member’s behalf (with the member’s permission).

Usually these requests come from insurers investigating insurance claims.

While we can make authorised disclosures under Principle 11(d) of the Privacy Act, we insist that the member’s consent be in writing and signed.

To ensure the scope of consent is always clear, we introduced our own privacy waiver template this year.

This is now mandatory for all insurance investigators to complete before requesting information on behalf of a member.

Consented Releases Trade Me

We routinely notify members when their data is released as part of this process. Since we’ve introduced the waiver, requests for member information from the insurance industry have reduced significantly.

Members must complete and provide us with a statutory declaration witnessed by a Court Registrar before we release any information

Disputes Tribunal

Members occasionally choose to resolve trade disputes through the Disputes Tribunal.

Under the Privacy Act, we release information relating to a trade if a member can prove that tribunal (or court) proceedings are reasonably contemplated and the information is necessary for those proceedings.

Members must complete and provide us with a statutory declaration witnessed by a Court Registrar before we release any information.

This year we increased our engagement with members to help resolve disputes. Because of this, and other marketplace trends, we’ve seen a 26% reduction in information releases for the Disputes Tribunal.

Disputes Tribunal Releases Trade Me

Members requesting their own information

As Kiwis become more privacyaware, we’ve noticed an increase in members asking for a record of the information we hold about them.

We expect this trend to continue, and we’re building tools to help members access their personal information more efficiently. The graph to the right shows the level of requests by Trade Me members for their personal information under the Privacy Act 1993.

We noticed a high level of information requests received during OPC’s promotion of Privacy Awareness Week in early May, which focussed heavily on an individual’s right to access personal information from agencies.

Personal Information Requests Trade Me

Changes to our privacy policy

Our privacy policy is how we get members’ consent to collect their personal information, and sets out how we use, hold and disclose any personal information.

Sometimes new products or services require a privacy policy change if we’re using members’ personal information in a different way.

We put any new products and services through a rigorous process to ensure we’re always looking out for our members’ interests, while still allowing us to be innovative and deliver awesome online experiences.

Here are the changes we’ve made during the reporting period:

Cookie remarketing

We updated our policy on 7 July 2015 to let members know we were using a new remarketing provider, called DoubleClick.

Customised advertising

We updated our policy on 15 September 2015, emailed all members and notified them via a Trade Me homepage banner, that rather than showing the same advertising to all members, we were going to start using their personal information to show members customised advertising that should be more relevant to them.

If members didn't want us using their information for this purpose, they could opt out.

New services for members

We updated our policy on 2 November 2015 to tell members about some new services we were offering.

We began working with a shipping aggregator to offer members the ability to book a courier on Trade Me.

We also started using an email marketing tool to deliver more efficient, relevant and timely emails.

Protecting consumers, and more customised advertising

Most recently, we updated our policy on 31 May 2016 to let members know our Trust & Safety team could now access vehicle ownership information on the Motor Vehicle Register for fraud prevention purposes.

We also let members know we’d be taking more action to investigate suspicious credit card transactions, such as sharing information about those transactions with the card holder and their bank.

Finally, we updated members on our work in the customised advertising space, including now working with Google.

Members can still opt out in the same way as before. You can find a record of any other privacy policy changes on our site announcements page.

Frequently asked questions

What is meant by ‘enquiry’?

 Enquiries cover a range of activity, such as:

> an information request where an agency has sought information about a membership (e.g. contact information or sales data)

> information that a listing may be in breach of the law (or our terms and conditions)

> highlighting an issue with a member which is then taken care of by us

> a request to pass on a message directly to members.

Does Trade Me need members’ permission to release information?

When joining Trade Me, we advise members via our terms and conditions that we release account and other personal information when we believe release is appropriate to comply with the law, facilitate court proceedings, enforce or apply our terms and conditions, or protect the rights, property, or safety of Trade Me Limited, our users, or others. Our privacy policy provides more detail on this.

How safe is member data?

Very safe! We follow industry best practice methods to keep data safe. However, we are paranoid and are constantly working on ways to make it safer.

How often will this report be released?

We aim to publish this data annually.

How do I access my own data?

Our dedicated help page provides members with a list of the type of information we might hold about them, and who they need to contact in order to access this information. Once our personal information download tool is up and running, members will be able to access some of this information automatically.

Until the tool is released, members can email us at privacy@trademe.co.nz and one of our Privacy Officers will respond.

Foot notes

1. As an example, if MBIE was investigating a car seller to determine if they should be registered under the Motor Vehicle Sales Act, a Privacy Act release would allow us to
only release sales data that covered motor vehicle sales, not the seller’s full sales history which could be legally required under a compulsion order.

2. Note that we would work with an agency to tighten the focus of a wide-ranging compulsion order. We have done this in the past, including with Inland Revenue in 2014.

3. The Letter of Agreement between Trade Me and New Zealand Police is set to be renewed in August 2016.

Further reading

Archives

RSS