Story image

New Zealand's Privacy Bill to get first reading in Parliament

21 Mar 2018

New Zealand’s Privacy Bill is about to begin its first reading in Parliament with Andrew Little as the MP in charge.

The Bill aims to replace the Privacy Act 1993 as recommended by a 2011 review by the Law Commission. It aims to ensure proper security and use of personal information.

There are several main tenets to the new Privacy Bill. They are:

  • Mandatory reporting of privacy breaches: privacy breaches (unauthorised or accidental access to, or disclosure of, personal information) that pose a risk of harm to people must be notified to the Privacy Commissioner and to affected individuals
  • Compliance notices: the Commissioner will be able to issue compliance notices that require an agency to do something, or stop doing something, in order to comply with privacy law. The Human Rights Review Tribunal will be able to enforce compliance notices and hear appeals
  • Strengthening cross-border data flow protections: New Zealand agencies will be required to take reasonable steps to ensure that personal information disclosed overseas will be subject to acceptable privacy standards. The Bill also clarifies the application of our law when a New Zealand agency engages an overseas service provider
  • New criminal offences: it will be an offence to mislead an agency in a way that affects someone else’s information and to knowingly destroy documents containing personal information where a request has been made for it. The penalty is a fine not exceeding $10,000.
  • Commissioner making binding decisions on access requests: this reform will enable the Commissioner to make decisions on complaints relating to access to information, rather than the Human Rights Review Tribunal. The Commissioner’s decisions will be able to be appealed to the Tribunal
  • Strengthening the Privacy Commissioner’s information gathering power: the Commissioner’s existing investigation power is strengthened by allowing him or her to shorten the time frame within which an agency must comply, and increasing the penalty for non-compliance.

Privacy Commissioner John Edwards welcomes the Bill’s introduction and believes it will both maintain and progress New Zealand’s track record of protecting New Zealanders’ privacy interests.

Edwards, who is lobbying for penalties of up to $1 million for organisations who suffer a serious data breach, also believes that a revamp of the act is long overdue.

The current Privacy Act is now 25 years old. While the 2011 review helped to modernise the Act, Edwards notes that much has changed since then.

“I’m pleased the Government has moved so promptly in its term to address the immediate need for stronger privacy protections and enforcement powers. Better privacy and data protection regulation is a growing trend in OECD countries like New Zealand,” Edwards says.

Edwards notes that Australia and the European Union have already made moves to improve their privacy laws. Now it is New Zealand’s turn.

“That the Government has made privacy law reform a significant priority in its busy work programme reflects the privacy concerns of a majority of New Zealanders - something which has been borne out in regular opinion surveys undertaken by my office.”

Edwards also believes that there is more civil enforcement needed to ensure New Zealand has a robust policy comparable to its trading partners.

“Without real and meaningful consequences for non-compliance, rogue agencies will continue to thumb their nose at the regulation, meaning responsible organisations will disproportionately bear the cost of compliance, while cowboys will ignore their obligations,” Edwards states in an additional blog.

“My aim is to keep compliance costs for industry down, to reward good behaviour, punish the cavalier, and provide New Zealanders with easy access to remedies when their rights are breached.”

Privacy Commissioner Edwards proposed six recommendations to the Bill in 2016.

  • Empowering the Privacy Commissioner to apply to the High Court for a civil penalty to be imposed in cases of serious breaches (up to $100,000 in the case of an individual and up to $1 million in the case of a body corporate)
  • An update to protect against the risk that individuals can be unexpectedly identified from data that had been purportedly anonymised
  • Introducing data portability as a consumer right
  • An additional power to require an agency to demonstrate its ongoing compliance with the Act which would enable the Privacy Commissioner to proactively identify and respond to systemic issues
  • Narrowing the defences available to agencies that obstruct the Privacy Commissioner or fail to comply with a lawful requirement of the Commissioner; and
  • Reforming the public register principles in the Act and providing for the suppression of personal information in public registers where there is a safety risk.

"We will also argue for the Law Commission’s recommendation to shift the privacy functions of the Director of Human Rights Proceedings into the Privacy Commissioner’s office in order to streamline the handling of privacy complaints," he adds.

Edwards says his office is committed to providing independent assistance as the Bill progresses through parliament. The office will also continue to advocate for New Zealanders’ privacy rights.

Techday will continue to cover news of the Privacy Bill’s progress as it unfolds.

You can read the Proposed Privacy Bill on the Parliamentary Counsel Office website here.

Interview: Culture and cloud - the battle for cybersecurity
ESET CTO Juraj Malcho talks about the importance of culture in a cybersecurity strategy and the challenges and benefits of a world in the cloud.
Enterprise cloud deployments being exploited by cybercriminals
A new report has revealed a concerning number of enterprises still believe security is the responsibility of the cloud service provider.
Ping Identity Platform updated with new CX and IT automation
The new versions improve the user and administrative experience, while also aiming to meet enterprise needs to operate quickly and purposefully.
Venafi and nCipher Security partner on machine identity protection
Cryptographic keys serve as machine identities and are the foundation of enterprise information technology systems.
Machine learning is a tool and the bad guys are using it
KPMG NZ’s CIO and ESET’s CTO spoke at a recent cybersecurity conference about how machine learning and data analytics are not to be feared, but used.
Seagate: Data trends, opportunities, and challenges at the edge
The development of edge technology and the rise of big data have brought many opportunities for data infrastructure companies to the fore.
Popular Android apps track users and violate Google's policies
Google has reportedly taken action against some of the violators.
How blockchain could help stop video piracy in its tracks
An Australian video tech firm has successfully tested a blockchain trial that could end up being a welcome relief for video creators and the fight against video piracy.