19 Dec 2011
The Law Commission's Report on the Privacy Act – a New Act?
Over the past several years, the New Zealand Law Commission has conducted an extensive review of New Zealand's privacy laws. On 2 August 2011, the Law Commission published its conclusion to stage four of its review, the long-anticipated report on the Review of the Privacy Act 1993 (Report). The overall recommendation in the Report is that the Privacy Act should be replaced by a new Act, implementing the recommendations in the Report and in the Privacy Commissioner's Necessary and Desirable: Privacy Act 1993 Review, initially published in 1998 (New Act).
The Law Commission's recommendations reflect the need to update the law to take into account, among other things, consistency with international privacy laws (particularly those of our trading partners), technological developments and lessons learned from practical experience since the Privacy Act came into force. This article outlines some of the key recommendations that introduce new concepts and potentially greater compliance obligations on businesses if the recommendations are adopted.
Privacy Commissioner 2.0
In an attempt to increase the speed, efficiency and efficacy of the existing privacy complaint procedure, the Report states that the Privacy Commissioner should be given two significant new powers: the power to issue compliance notices, and the power to conduct a privacy audit on an organisation.
Currently, the Privacy Commissioner may only respond to complaints made to it. The Report recommends giving the Privacy Commissioner the power to issue compliance notices, that is, notices requiring an organisation to comply with the Privacy Act. A failure to comply with a notice would be an offence under the Privacy Act. This power gives the Privacy Commissioner the ability to act independently of complaints, for example in situations where there have been significant breaches but no complaint, or where there has been repeated non-compliance despite requests to the organisation to change its activities. It can also be used to prevent future breaches, or as a response to a complaint. However, a compliance notice could only be issued if the Privacy Commissioner already had knowledge of a breach, and the organisation would be able to challenge the notice in the Human Rights Review Tribunal.
The Law Commission also recommends giving the Privacy Commissioner the ability to audit an organisation. This would enable the Privacy Commissioner to be proactive in promoting compliance with the Privacy Act, rather than waiting for a breach to be notified or a complaint to be made. The audit could be comprehensive (all the organisation's personal information handling methods) or specific (just the collection of personal information, or perhaps solely in relation to a specific event). However, again, audits could not be conducted without "good reason", for example where the Privacy Commissioner has reasonable grounds to believe that an organisation's systems are not adequate to protect privacy.
Data Breach Notification
The recommendation with potential to have a significant effect on businesses operating in New Zealand is the introduction of mandatory data breach notification laws. Data breach notification is an international term (it is not used in New Zealand legislation at present), and it refers to situations where personal information is lost or misused (ie used or disclosed for an invalid purpose) by an organisation, and the organisation must then notify the Privacy Commissioner or the relevant individual of the privacy breach.
The Law Commission steers clear of recommending an absolute data notification requirement (ie notification of data breaches every time they occur, regardless of the severity of the breach). Instead, it recommends that there be a reasonably high threshold and that notification only be required in certain (relatively confined) circumstances. Two criteria are suggested. One is where notification may allow the individual to mitigate a significant risk of real harm to the individual. The other is where the breach is serious, with seriousness being assessed having regard to matters such as the importance or sensitivity of the information, the scale of the breach (whether it affects a small group or a large number of people) or where it is reasonably foreseeable that significant harm might result.
In our opinion, the recommendation represents an appropriate balance between the benefits of data breach notification and the potential compliance costs on businesses. Internationally, there has been a trend towards greater regulation of data breaches (with most US states and many European nations enacting some form of mandatory data breach notification laws).
It is recommended that notification be given to both the Privacy Commissioner and the individual(s) concerned. However, it is also recommended that the Privacy Commissioner should not publish the identity of the breaching agency unless the public interest so requires (and, where an agency appropriately mitigates the effects of the breach and otherwise acts responsibly, it may be that there is no public interest in "naming and shaming" the business).
Cross-border Outsourcing Arrangements and Disclosures
The Law Commission recommends that the New Act state that any agency that transfers personal information to another agency for processing or storage (or similar outsourcing) remains fully accountable for the storage, use and disclosure of that personal information by the receiving agency in accordance with the New Act. While this does not necessarily change the underlying approach of the Privacy Act, the recommendation clarifies the position both for overseas and domestic agencies.
The Law Commission does not go so far as to recommend that data protection agreements be made mandatory. However, as the collecting agency remains fully accountable, it is beneficial to businesses to implement data protection agreements (or include data protection clauses in any outsourcing agreements) in order to provide comfort that the collecting agency will continue to comply with its obligations under the Privacy Act. The Law Commission suggests that the Privacy Commissioner should provide guidance as to how outsourcing agencies can protect themselves by using contractual or other means to ensure a comparable level of protection to the Privacy Act for outsourced data. This guidance could include the office of the Privacy Commissioner maintaining a list of jurisdictions that have implemented comparable privacy standards to the Privacy Act.
The Law Commission has also recommended that where a New Zealand agency discloses personal information to an overseas entity for that overseas entity's own use (as opposed to, say, an outsourcing arrangement), the disclosing agency should be required to take reasonable steps to ensure that the information disclosed will be subject to acceptable privacy standards.
The Law Commission also recommends that the New Act should be able to be easily modified, by an Order in Council, to adopt international cross-border privacy rules. This is in response to the rules currently being agreed by APEC, which will allow jurisdictions to have more similar cross-border privacy rules (and thus allow businesses that operate in multiple jurisdictions to more easily implement uniform privacy policies across borders).
General Comments and Conclusion
In addition to the major recommendations above, the Report includes many more minor recommendations that will be relevant to businesses. Some of these are noted below:
- Under the Privacy Act, a business must take reasonable steps to check the accuracy of the personal information it holds before using it. The Law Commission also recommends that a business must take reasonable steps to check the accuracy of any personal information before it discloses that information to other entities.
- Where a business has already provided the personal information it holds to the individual concerned, it may have grounds to refuse similar disclosures (allowing businesses to choose not to respond to any personal information requests where there is no new ground to release the information).
- There is other legislation that it may be appropriate to amend to address requirements for specific types of personal information. For example, the Law Commission recommends that a statutory "do not call" register should be added to the Fair Trading Act 1986 and a new health information statute should be enacted to address sensitive personal health information.
- Under the Privacy Act, a business must appoint one of its officers or employees as that business' privacy officer. The Law Commission recommends that businesses should be able to appoint external parties (eg an outsourcing partner or a parent/subsidiary company) as their privacy officer.
As with all Law Commission reports, these recommendations are not binding. However, the recommendations, in general, are aimed at bringing New Zealand's privacy laws more in line with international privacy regulation, which historically has been a significant driver in amending New Zealand privacy law. In general, the recommendations are positive for businesses, providing additional clarity on contentious issues and a framework for an easier-to-read, more comprehensive approach to privacy law.
However, it is likely that there will be additional obligations imposed on businesses as a result of the review process. These are likely to include firmer obligations around data processing outsourcing and transfers, accuracy checking of personal information and limited mandatory data breach notification. As a result, businesses will need to keep an eye on developments in this area, especially if they are heavily involved with cross-border transfers of personal information.