TMT Update - Harmful Digital Communications Bill recommended, Privacy law changes, new records standard, and more...
There have been a number of developments in the TMT area since our last update, in this issue we provide updates on:
- The report by the Justice and Electoral Committee on the Harmful Digital Communications Bill.
- The Government’s intention to repeal and re-enact the Privacy Act 1993.
- The New Records Management Standard issued in May 2014.
- The passing of the Electronic Transactions (Contract Formation) Amendment Bill.
- The Government’s Connect Smart initiative.
If you have any questions, please contact a member of our TMT team.
Harmful Digital Communications Bill recommended
On 27 May 2014 the Justice and Electoral Committee released its report, available here, on the Harmful Digital Communications Bill, recommending that it be passed (with some amendments).
The Bill is intended to address the growing risks of digital technology being used to cause harm, by creating offences and providing for an ‘Approved Agency’ (most likely NetSafe) to monitor and investigate complaints. You can find our earlier summary of the Bill here.
The Justice and Electoral Committee have proposed a number of changes. Key ones include:
- widening the class of educators who can take action on behalf of an affected student, which is intended to help schools have an additional tool to fight cyber-bullying;
- making the Approved Agency subject to the Ombudsmen Act, the Official Information Act and the Public Records Act;
- permitting the Approved Agency the ability to delegate any of its functions;
- allowing District Court proceedings where there is only a threat of a breach of the Bill’s communication principles;
- permitting the District Court to order an IPAP (Internet Protocol Address Provider) to release to the court the identity of an anonymous communicator;
- increasing the maximum sentence for causing harm by posting digital communications from 3 months to 2 years imprisonment.
The safe-harbour provisions, which were hurriedly introduced at a late stage, have also been modified slightly. Those provisions protect online content hosts that comply with the provisions from civil and criminal proceedings (aside from copyright liability). The changes introduce an ability for the author of the content complained about to disagree.
This means that if online content hosts wish to seek the protection of the safe-harbour provisions, they must contact the author of the harmful communication within 48 hours of a complaint and then wait a further 48 hours. Unless the author disagrees with the complaint by providing a valid counter-notice in that time period the host must take down the material as soon as practicable.
The Bill does not define what “valid” means. This could potentially require online content hosts to look beyond the three things that must be stated in a counter-notice (which are only name and address for service, whether the author consents to the author’s identity being released to the complainant and whether the author consents to the removal of the specific content).
The Bill is now waiting on its second reading and we will provide updates as it progresses.
Privacy law changes to strengthen protection
The Government has now confirmed that it will repeal and re-enact the Privacy Act 1993. The Privacy Act regulates how personal information must be stored and used. It applies to all agencies (public and private), that collect personal information from individuals. However, the Government considers that the current Act is out-of-date and ill-equipped to deal with advances in technology and the new ways that information is collected, stored and used.
The Government proposes to make a number of changes to the Privacy Act, which are in line with the Law Commission’s recommendations set out in its review of the Privacy Act (completed in 2011). The key changes include:
- Mandatory reporting;
- New offences;
- Enhanced enforcement powers for the Privacy Commissioner;
- New obligations when disclosing information overseas; and
- Extra guidance.
The proposed mandatory reporting scheme will have two tiers. The first tier would require all agencies (public and private) to notify the Privacy Commissioner of any material breaches of privacy as soon as reasonably practicable. For the more serious breaches, where there is a real risk of harm (including loss, injury or humiliation), the second tier will require agencies to notify both the Privacy Commissioner and the affected individuals. New offences for failing to report such breaches are proposed with fines (for a private sector agency) to a maximum of $10,000. Public sector agencies would not be fined, but will be subject to being named and shamed.
The enhanced powers proposed for the Privacy Commissioner include enabling the Privacy Commissioner to issue compliance notices that require an agency (public and private) to do (or to stop doing) something.
It is proposed that when disclosing information to an overseas entity the agency (public and private) will have to ensure that acceptable privacy standards are in place. If they are not, disclosure will not be permitted. Guidance will be provided on what is acceptable and the Privacy Commissioner will also publish a list of countries with acceptable privacy laws. The proposals also include making the disclosing agency responsible for what happens to the information provided to the overseas entity if the agency does not take reasonable steps to protect the personal information before it leaves the agency’s control.
There will also be increased guidance from the Privacy Commissioner to help agencies comply with the proposed requirements.
It is currently proposed that an exposure draft be released for consultation before a Bill is introduced to Parliament.
New Records Management Standard produced
On 16 May 2014 the Chief Archivist issued the Records Management Standard for the New Zealand Public Sector. This standard simplifies and consolidates the previous four recordkeeping standards, without making many substantive changes.
The Standard is mandatory for local authorities and public offices (except schools) from 1 July 2014. The Standard helps agencies ensure they create and maintain reliable, authentic records that have integrity and are usable.
The Standard sets out 7 principles covering 37 requirements which must be met. The principles are:
- Create and maintain records
- Classify and organise records
- Assign metadata to records and aggregations
- Provide access to records
- Appraise records and dispose of them appropriately
- Maintain the integrity of records
- Manage records systematically.
The Standard recognises that records under the Public Records Act include records of lower-value. Accordingly, agencies do not have to comply with all requirements for every record held. The Standard states that an agency will comply if it implements the requirements of the Standard “with regard to a reasonable and defensible subset of the records they hold”. Assessing that subset is a key activity in defining its record management obligations. However, the Standard does impose some key requirements on agencies in relation to those lower-value records.
The new Standard should make the guidelines clearer and easier to apply for public offices. The Standard can be accessed here.
Electronic Transactions (Contract Formation) Amendment bill passes
In our last newsletter, click here for a link, we provided an update on the progress of the Electronic Transactions (Contract Formation) Amendment Bill 2014. The Bill has now passed its third reading and came into force as an Amendment Act on 10 May 2014.
The Amendment Act clarifies when the acceptance of an offer occurs by email. Previously there was some confusion in the legal community over whether acceptance occurs on the sending, or on the receiving, of the email. Now, acceptance of an offer by electronic communication will be effective from when it is received, unless the parties agree otherwise (or another Act provides differently).
This Amendment Act tidies up the law and provides more certainty to contracting parties, especially given the prevalence of email in commercial contracting.
On 16 June 2014 the Government launched Connect Smart Week. As part of this the Government’s website, www.connectsmart.govt.nz, provides information and resources to help people and businesses protect themselves from cyber security threats.
One key resource for SME businesses is the Connect Smart Toolkit. The toolkit sets out four steps for businesses to follow to assist with cyber security: assess cyber security, develop a policy, establish an incident management plan and review and update systems. To help develop the policy the toolkit outlines some basic considerations and controls that should be put in place.
The toolkit can be accessed here.