New Zealand’s Privacy Bill is about to begin its first reading in Parliament with Andrew Little as the MP in charge.
The Bill aims to replace the Privacy Act 1993 as recommended by a 2011 review by the Law Commission. It aims to ensure proper security and use of personal information.
There are several main tenets to the new Privacy Bill. They are:
- Mandatory reporting of privacy breaches: privacy breaches (unauthorised or accidental access to, or disclosure of, personal information) that pose a risk of harm to people must be notified to the Privacy Commissioner and to affected individuals
- Compliance notices: the Commissioner will be able to issue compliance notices that require an agency to do something, or stop doing something, in order to comply with privacy law. The Human Rights Review Tribunal will be able to enforce compliance notices and hear appeals
- Strengthening cross-border data flow protections: New Zealand agencies will be required to take reasonable steps to ensure that personal information disclosed overseas will be subject to acceptable privacy standards. The Bill also clarifies the application of our law when a New Zealand agency engages an overseas service provider
- New criminal offences: it will be an offence to mislead an agency in a way that affects someone else’s information and to knowingly destroy documents containing personal information where a request has been made for it. The penalty is a fine not exceeding $10,000.
- Commissioner making binding decisions on access requests: this reform will enable the Commissioner to make decisions on complaints relating to access to information, rather than the Human Rights Review Tribunal. The Commissioner’s decisions will be able to be appealed to the Tribunal
- Strengthening the Privacy Commissioner’s information gathering power: the Commissioner’s existing investigation power is strengthened by allowing him or her to shorten the time frame within which an agency must comply, and increasing the penalty for non-compliance.
Privacy Commissioner John Edwards welcomes the Bill’s introduction and believes it will both maintain and progress New Zealand’s track record of protecting New Zealanders’ privacy interests.
Edwards, who is lobbying for penalties of up to $1 million for organisations who suffer a serious data breach, also believes that a revamp of the act is long overdue.
The current Privacy Act is now 25 years old. While the 2011 review helped to modernise the Act, Edwards notes that much has changed since then.
“I’m pleased the Government has moved so promptly in its term to address the immediate need for stronger privacy protections and enforcement powers. Better privacy and data protection regulation is a growing trend in OECD countries like New Zealand,” Edwards says.
Edwards notes that Australia and the European Union have already made moves to improve their privacy laws. Now it is New Zealand’s turn.
“That the Government has made privacy law reform a significant priority in its busy work programme reflects the privacy concerns of a majority of New Zealanders - something which has been borne out in regular opinion surveys undertaken by my office.”
Edwards also believes that there is more civil enforcement needed to ensure New Zealand has a robust policy comparable to its trading partners.
“Without real and meaningful consequences for non-compliance, rogue agencies will continue to thumb their nose at the regulation, meaning responsible organisations will disproportionately bear the cost of compliance, while cowboys will ignore their obligations,” Edwards states in an additional blog.
“My aim is to keep compliance costs for industry down, to reward good behaviour, punish the cavalier, and provide New Zealanders with easy access to remedies when their rights are breached.”
Privacy Commissioner Edwards proposed six recommendations to the Bill in 2016.
- Empowering the Privacy Commissioner to apply to the High Court for a civil penalty to be imposed in cases of serious breaches (up to $100,000 in the case of an individual and up to $1 million in the case of a body corporate)
- An update to protect against the risk that individuals can be unexpectedly identified from data that had been purportedly anonymised
- Introducing data portability as a consumer right
- An additional power to require an agency to demonstrate its ongoing compliance with the Act which would enable the Privacy Commissioner to proactively identify and respond to systemic issues
- Narrowing the defences available to agencies that obstruct the Privacy Commissioner or fail to comply with a lawful requirement of the Commissioner; and
- Reforming the public register principles in the Act and providing for the suppression of personal information in public registers where there is a safety risk.
"We will also argue for the Law Commission’s recommendation to shift the privacy functions of the Director of Human Rights Proceedings into the Privacy Commissioner’s office in order to streamline the handling of privacy complaints," he adds.
Edwards says his office is committed to providing independent assistance as the Bill progresses through parliament. The office will also continue to advocate for New Zealanders’ privacy rights.
Techday will continue to cover news of the Privacy Bill’s progress as it unfolds.
You can read the Proposed Privacy Bill on the Parliamentary Counsel Office website here.