Rejig of Privacy Law

9 Apr 18

Privacy has been in the news lately with Cambridge Analytica use of Facebook data. Facebook was not imagined when the current Privacy Act was enacted in 1993. Despite the technological changes the Privacy Commissioner held that the current Privacy Act has been breached by Facebook because that Act contains principles that can be applied to a wide range of technologies. However the Privacy Commissioner lacks clout and the Act does need to be updated to better address changing technologies. In 2011 the Law Commission reviewed the Act and recommended a replacement act. A replacement Bill, worked on by the past National-Led Government and continued by the current Labour-Led Government, has been introduced to Parliament and the Bill is now at select committee stage with public submissions due by 24 May.

How the current Act works

The 1993 Act established the Privacy Commissioner and associated office that can develop codes of practice and investigate complaints. If the parties to a complaint do not settle then a proceeding can be taken to the Human Rights Review Tribunal. The Tribunal has the authority to order damages1Sections 85 and 88.

Any complaint would be based on a breach of one of the 12 Privacy Principles2Set out in section 6 unless a specified exception applies. The Principles include using information only for the purpose for which it was collected; enabling a person to correct their personal information; limiting disclosure; and keeping information secure.
In 2013 the Act was amended to provide for information sharing between agencies, where approved after a public process.

The Bill

Rather than amending the existing Act the 2011 Law Commission Review recommended a replacement act and this approach has been followed with the Privacy Bill. Almost all of the structural elements of the current Act remain. There are still Privacy Principles (and exceptions), the Privacy Commissioner, codes of practice, and recourse to the Human Rights Review Tribunal.

The changes include:

  • Many clarifications and a reordering of the provisions;
  • An amendment to Information Privacy Principle 11 so that there are additional obligations on agencies when disclosing personal information to an overseas person. Before disclosing the agency must be satisfied that: the individual consents; or the overseas person is in a prescribed country with similar privacy laws to New Zealand; or the overseas person is required to protect the information in a similar way to New Zealand3Clause 19;
  •  The Commissioner (rather than just the Tribunal) can direct an agency to make information available where it has refused to make the information available but the agency can appeal to the Tribunal4New Part 5, clause 96, clause 110;
  •  A new concept of a ‘notifiable privacy breach’ where a breach results in the risk of harm. Agencies must notify the Commissioner and affected individuals, and potentially the public of a ‘notifiable privacy breach’. Failure to notify can result in a fine up to $10,0005New Part 6, subpart 1;
  •  A new ‘compliance notice’ regime whereby the Commissioner can, after consultation with the agency, issue a compliance notice for a privacy breach. A compliance notice can require an agency to stop or start doing something to comply with privacy law. These compliance notices can be appealed to and enforced by the Tribunal6New Part 6, subpart 2;
  •  Increasing the range of organisations that can engage in approved information sharing agreements beyond Government Departments to include listed Crown Entities including district health boards7Clause 141;
  •  Removing the ability to create new information matching programmes (existing programmes will remain)8Part 7, subpart 4;
  •  Enabling the Commissioner to share information with overseas equivalents9Clause 207;
  •  Two new offences are added relating to impersonating an individual requesting information, and the destruction of requested documents10Clauses 212(2)(c) and (d); and
  •  Increasing the maximum penalty for offences from $2,000 to $10,00011Clause 212 .

The Privacy Commissioner, John Edwards, has welcomed the Bill but would like a stronger compliance regime with even higher penalties. John Edwards has already signalled that he will be submitting on the Bill to call for changes to incentivise compliance. The submission process is an opportunity to make privacy law more workable. We are able to assist in making submissions to the select committee and have experience in successfully convincing select committees to recommend amendments to bills.

The Bill can be viewed here


Want to know more?

If you have any questions about the Privacy Bill, please contact our specialist Local government team.

PDF Version: Rejig of Privacy Law – Amended

1 Sections 85 and 88
2 Set out in section 6
3 Clause 19
4 New Part 5, clause 96, clause 110
5 New Part 6, subpart 1
6 New Part 6, subpart 2
7 Clause 141
8 Part 7, subpart 4
9 Clause 207
10 Clauses 212(2)(c) and (d
11 Clause 212