Privacy law reform introduced – An overhaul at last
Purpose of the Bill
In March 2018, the Government introduced the Privacy Bill, the long awaited reform to the Privacy Act 1993. The Bill is intended to repeal and replace the Privacy Act as recommended in the Law Commission’s 2011 review of the Privacy Act. Submissions on the Bill closed on 24 May 2018 with the Justice and Electoral Select Committee due to report back to Parliament in October 2018.
Similar to the drivers that led to Europe’s General Data Protection Regulation, the reforms are a nod to the significant technological changes in the last 25 years that have changed the way that individuals, businesses, and government control and process personal information. These changes concern not only the volume of data that agencies collect about each one of us through the digitisation of our society, but also the free, cross-border flow of our personal information.
The aim of the Bill is to restore individuals’ confidence that agencies will keep their personal information secure and treat it properly, and to provide the Privacy Commissioner with greater powers to address failures by business and government to handle personal information appropriately. While the Bill retains the Privacy Act’s 12 information privacy principles (which are sufficiently broad to continue to govern the use, access and collection of personal information in the digital environment), it proposes some much needed changes to ensure that the law is equipped to react to, and enforce, individuals’ privacy rights in the current environment.
The key changes proposed by the Bill include:
Mandatory reporting of privacy breaches
The Bill proposes that agencies will be required to notify the Privacy Commissioner and the affected individuals of a notifiable privacy breach as soon as practicable after becoming aware of the breach.
A notifiable privacy breach includes unauthorised or accidental access to, or disclosure of, personal information that poses a risk of harm to an individual. This will require agencies to consider whether their systems are sufficiently secure to prevent unauthorised or inadvertent disclosure of personal information, to be more aware of how the information they hold is being used, and to ensure that it is being accessed or used only for legitimate reasons.
The penalty for failing to report a notifiable privacy breach will be a fine of up to $10,000. In addition, the Privacy Commissioner will be able to publish the identity of the agency that has made the notification if it is in the public interest to do so.
The Bill proposes two new criminal offences. One is an impersonation offence for fraudulently accessing another individual’s personal information, or having that information used, altered, or destroyed. The other relates to destroying documents while knowing that a request has been made for the information they contain.
These new offences are in addition to existing offences for:
- obstructing, hindering, or resisting the Privacy Commissioner in the exercise of the Commissioner’s powers;
- refusing to comply with any lawful requirement under the Privacy Act;
- making any statement, or giving any information, knowing it is false and misleading; and
- knowingly misrepresenting having any authority under the Privacy Act.
The penalties for all of these offences will be a fine of up to $10,000, which is an increase from the current maximum fine of $2,000 for the existing offences.
The Bill will enable the Privacy Commissioner to issue compliance notices requiring an agency to either do something or stop doing something to comply with privacy laws.
Before a compliance notice can be issued, the Privacy Commissioner must issue a written notice to the agency. The notice will need to set out the identified breach, cite the relevant statutory provision, and state that the Privacy Commissioner requires the agency to remedy that breach. In addition, a compliance notice may also identify particular remedial steps, conditions for remedying the breach, and a timeframe for compliance. The agency would have the opportunity to comment on the notice before it is issued.
Once a compliance notice is issued, the Human Rights Review Tribunal will have authority to enforce the notice or to hear any appeal by an agency against the notice. The Human Rights Review Tribunal will be able to order an agency to comply with a compliance notice, or to undertake a specific course of action to remedy a breach. A failure to comply with an order attracts a fine of up to $10,000.
Strengthening cross-border data flow protections
New Zealand agencies will be required to take reasonable steps to ensure that personal information disclosed to an overseas person is subject to acceptable privacy standards. This is similar to the regimes other jurisdictions have put in place to ensure the protection of their citizens’ personal information once it is sent offshore.
The Bill proposes that disclosure to an overseas person will only be permissible if the individual consents to the disclosure, if the overseas person is subject to privacy laws comparable to New Zealand’s, or if the agency believes the overseas person is required to protect the individual’s information in a way that is comparable to New Zealand’s privacy laws.
Strengthening information-gathering power
Individuals have the right to gain access to their personal information that is held by an agency, but this has typically been an area where agencies have been somewhat relaxed in their approach to compliance.
The Bill proposes that the Privacy Commissioner will be able to make binding decisions on information access requests on the application of an individual. This includes giving the Privacy Commissioner the ability to direct an agency to make information available to an individual. In addition, the Privacy Commissioner will be able to set the timeframe within which an agency will need to comply with an information request, which may be shorter than the current default period of 20 working days.
This will put pressure on agencies to respond swiftly as the penalty for non-compliance with access requests will be a fine of up to $10,000.
Information Privacy Principles
In addition, work has been done to update the information privacy principles to ensure that they are fit for purpose in the environment in which personal information is used and agencies operate. One example is the expansion of the definition of “collect” to include attempts to collect personal information. However, the fundamental protections in the existing principles have been retained.
Privacy reform is needed not only to ensure the rights of individuals are protected in a time of such rapid technological advances, but also to ensure that New Zealand’s laws are consistent with global data protection standards, such as the OECD’s Privacy Guidelines and Europe’s General Data Protection Regulation. New Zealand is currently recognised by Europe as having “adequacy status”, which enables the free flow of information between European states and New Zealand – and the Bill, if passed, should serve to reinforce that status.
However, many of the submissions received by the Justice and Electoral Select Committee, including those from the Privacy Commissioner, consider that the reforms need to go further to address current issues of concern, particularly around increasing the penalties for non-compliance and bolstering the rights of individuals to access and control their personal information by introducing a right to data portability and erasure.
In light of the large volume and range of submissions received by the Justice and Electoral Select Committee, it will be interesting to see how the Bill evolves through the next stages in the House and the impact this will have on New Zealand businesses.
If you have any queries in relation to the proposed reforms or privacy matters generally, please feel free to get in touch with us and we would be happy to assist.
This article was first published in March 2018 and last updated in July 2018.