Another step closer to New Zealand’s new privacy landscape
Changes to the Privacy Bill (Bill) introduced by Justice Minister Andrew Little via Supplementary Order Paper (SOP) on Tuesday 17 March 2020 mean we are one step closer to firming up New Zealand’s new privacy and data management regime. This new regime is set to apply from 1 November 2020.
The recent amendments to the Bill as proposed by the SOP clarify a number of the key conceptual changes proposed under the original version of the Bill, specifically:
Notifiable privacy breaches
To the extent an agency is required to notify an affected individual of a privacy breach, that notice may include reference to the person or persons who have obtained (or may obtain) that affected individual’s personal information, if the agency believes on reasonable grounds that identification is necessary to prevent or lessen a serious threat to the life or health of the affected individual or another individual.
The SOP further clarifies that where an employee’s actions result in their employer failing to comply with their notification obligations or committing a privacy breach, the individual employee will not be held personally liable – the liability sits with the employer.
The Privacy Commissioner may now also issue (and publish) compliance notices for failure to comply with codes of practice issued under the Privacy Act.
Overseas agencies and extra-territorial impacts
The provisions of the Bill relating to the application of the Privacy Act to overseas agencies have been refined. These amendments aim to align the Bill’s application to extra-territorial agencies with the position under the GDPR, with the effect that some overseas entities may be deemed to be agencies carrying on business in New Zealand regardless of whether or not they (a) do so as a commercial operation or with an intent to make a profit, (b) have a physical presence in New Zealand, or (c) receive any payment for the supply of goods or services. The proposed provision could greatly expand the scope of application of New Zealand privacy law.
Representatives for aggrieved individuals
The revised Bill clarifies that any person can make a complaint in respect of a privacy breach on behalf of one or more aggrieved individuals, even where they themselves have not been impacted.
It also further clarifies the ability to bring class actions, by permitting proceedings in the Human Rights Review Tribunal to be commenced by a representative of a class of aggrieved individuals, as well as an aggrieved individual themselves or their representative.
Information sharing agreements
As introduced by the Bill, any agency that enters into an information sharing agreement must be named as a party to that agreement. Only specified agencies (i.e., public sector agencies / departments and specified Crown entities) can be named as the lead entities to these types of agreements. Further, the SOP provides that the Privacy Commissioner may review information sharing agreements upon receiving permission from the Minister to do so.
Want to know more?
It is important that persons doing business in New Zealand familiarise themselves with the proposed legislation. We anticipate that many businesses will need to adapt their existing data management and privacy policies and procedures in order to ensure that they continue to comply with the revised Privacy Act requirements.
If you have any questions about how the proposed privacy reform may affect your business, please contact our specialist data privacy team at any time.