My research list

Loading My Research List ...

Save my research

Don't lose any of your research. Fill out the form below and have your research list emailed to you.

Register to receive our latest publications

The lost art of keeping a secret - new Privacy Bill released

March 21, 2018

Contacts

Partners Jania Baigent, Sally McKechnie, Karen Ngan, John Rooney

Data protection (inc Privacy Bill and GDPR) Government reform and public policy

The long awaited Privacy Bill was introduced to the House by the Minister of Justice yesterday. The Bill intends to replace the 25 year old Privacy Act and bring New Zealand’s Privacy laws in line with recent international developments and reforms.

Key changes

Fundamental aspects of the Privacy Act, such as the information privacy principles which regulate the collection, use and disclosure of personal information, are retained, but the Bill introduces new ways to enforce those principles, including more substantive fines and greater powers for the Privacy Commissioner.

The key changes include:

Mandatory Reporting of Privacy Breaches

An agency must notify the Privacy Commissioner as soon as practicable after becoming aware of a notifiable privacy breach (a privacy breach that has caused any type of harm to an affected individual, or there is a risk it will do so). Notice will also need to be given to affected individuals (or public notice given).

Failure to comply with these notification requirements is an offence and could result in a fine of up to $10,000.

Compliance Notices

The Privacy Commissioner will have the ability to issue compliance notices that require an agency to do something, or stop doing something, in order to comply with privacy laws.

The compliance notice may be enforced by the Privacy Commissioner by way of proceedings in the Human Rights Review Tribunal (Tribunal). Equally, an agency may appeal to the Tribunal against all or part of the compliance notice or against the Privacy Commissioner’s decision to vary or cancel the compliance notice.

Strengthening Cross-Border Data Flow Protection

New Zealand agencies will need to take reasonable steps to ensure that personal information sent/disclosed overseas will be subject to acceptable privacy standards. Generally, personal information will not be able to be disclosed to an overseas person unless:

  • the individual concerned consents to the disclosure of his or her information to the overseas person; or
  • the overseas person is in a country that is prescribed in regulations as having privacy laws comparable to New Zealand; or
  • the agency believes that the overseas person is required to protect the information in a way that, overall, is comparable to the protections afforded by our New Zealand legislation (eg there is an agreement where the overseas person will provide such comparable safeguards).

New Criminal Offences

New criminal offences have been introduced under the Privacy Bill.It will be an offence for a person to:

  • make or give any false or misleading statements or information to the Privacy Commissioner or other persons exercising powers under the Privacy Act;
  • falsely represent that he or she has authority under the Privacy Act;
  • impersonate or falsely pretend to be an individual for the purposes of obtaining access to that individual’s personal information or having that individual’s personal information used, altered or destroyed; and
  • knowingly destroy documents containing personal information that is the subject of a request.

Any person that commits any of the above offences will be liable to a fine of up to $10,000.

The Privacy Commissioner can Make Binding Decisions on Access Requests

The Privacy Commissioner will have the power to make binding decisions on complaints relating to access to personal information (instead of the current process where the Privacy Commissioner refers such complaints to the Tribunal). In particular, if an agency refuses an individual’s request to access their personal information, the Privacy Commissioner will be able to direct that agency to make that information available.

Agencies will have the ability to appeal to the Tribunal against a decision by Privacy Commissioner to make the information available.

Strengthening of the Privacy Commissioner’s Information Gathering Power

The Privacy Bill will strengthen the Privacy Commissioner’s existing investigation powers by allowing the Privacy Commissioner to shorten the time frame within which an agency must comply and increasing the penalty for non-compliance.

Other recommendations not included

Many of the changes introduced in the Privacy Bill are based on recommendations from the Law Commission’s 2011 review of the Privacy Act, and reports made by the first Privacy Commissioner dating back to 1998. The changes are also consistent with the reforms flagged in Cabinet Social Policy Committee paper “Reforming the Privacy Act”, dated 13 March 2014.

These are all important and make significant strides in modernising our privacy laws, but some of the recommendations are now seven years old and the Bill does not go as far as reforms that have been adopted overseas (particularly under GDPR and recent Australian reforms).

In particular, the Minister of Justice's Bill does not take into account the key recommendations in the Privacy Commissioner’s February 2017 report on the Privacy Act. These included:

  • fines of up to $1 million;
  • data portability;
  • compliance monitoring;
  • controls on the re-identification of data;
  • adjustments to existing criminal offences; and
  • reforming the public register privacy principles.

(See our article on that review here). So we expect to see the Privacy Commissioner push in Select Committee for even more significant reforms, including greater fines and consequences for non-compliance.

What next?

From here, the Privacy Bill will have its first reading in Parliament (likely to be this week). It will then be referred to the Select Committee, where submissions can be made by the public.

We encourage businesses collecting and holding significant amounts of personal information to engage with the law reform process. Potential privacy liability is increasingly pervasive, and reform will undoubtedly impact on your business.

We will be providing more insights into the proposed reforms in the Bill, but in the meantime, contact us if you have any questions or want guidance on what the reforms might mean for you.

Contributors melody.zhou@simpsongrierson.com, catey.boyce@simpsongrierson.com