Protecting privacy is everyone's responsibility - Privacy Week 2019
The Office of the Privacy Commissioner has once again rolled out a week of events to help educate businesses, organisations and agencies about their rights and responsibilities in New Zealand.
With proposed changes to New Zealand’s existing Privacy Act 1993 expected to take effect next year, we asked our Executive Legal Counsel, Deborah Malaghan, for the lowdown on what to expect.
1. Why is the Privacy Act 1993 being amended?
Since the Privacy Act 1993 came into force, there have been vast changes to the way we use personal information: the rise of the Internet, the creation of a digital economy and the utilisation of Big Data. There have also been significant changes in international privacy law, including the adoption of the EU General Data Protection Regulation in Europe.
The existing legislation needs an overhaul to ensure we’re regulating the use of data and privacy in this new environment.
2. How will the new bill change the existing Privacy Act?
The new Privacy Bill retains the existing Act's privacy principles, but if enacted would introduce some significant changes. These include:
Mandatory reporting of privacy breaches: agencies would be required to notify the Privacy Commissioner, and those affected, of privacy breaches that caused or are likely to cause serious harm. The initial threshold was “harm”, but this was amended to “serious harm” at the select committee stage. Failing to notify the Privacy Commissioner could see an agency fined up to $10,000.
Compliance notices: the Privacy Commissioner could issue compliance notices that require an agency to do, or stop doing, something in order to remedy a breach. For example, a person may complain to the Privacy Commissioner that their information is being used in a way they did not give consent to. The Privacy Commissioner could then issue a compliance notice to the agency in relation to this use of information.
It is an effective name-and-shame tool, as the Privacy Commissioner is required to publish this notice unless it would cause undue hardship to the agency.
Strengthening cross-border protections: changes to Information Privacy Principle 11 (limits on disclosure of personal information) impose additional obligations on agencies that disclose personal information to overseas persons (new Privacy Principle 12). Disclosure will now generally only be permissible in the following instances:
- The individual consents;
- The overseas person is conducting business in New Zealand and is subject to the Privacy Act;
- The overseas person is required to protect the information in a way comparable to New Zealand legislation; or
- The overseas person is in a country with comparable privacy legislation to New Zealand legislation.
Access requests: the Privacy Commissioner will have the authority to request agencies make information requested by an individual available, rather than the individual needing to take the matter to the Human Rights Review Tribunal as is currently the case.
New criminal offences: the Bill introduces new offences for persons misleading an agency by impersonating an individual, or falsely pretending to be an individual for the purpose of obtaining access to that individual’s personal information, and for knowingly destroying documents that contain personal information that is subject to an information request (with the penalty for these new offences being a fine not exceeding $10,000).
3. What does the bill not include?
Changes do not reflect the introduction of the EU General Data Protection Regulation, such as a right to data portability (the ability for an individual to move information easily between agencies).
Financial penalties for a serious breach are also not included in the changes, despite the Privacy Commissioner advocating for fines of up to $1 million for organisations, and $100,000 for individuals.
The Privacy Bill will now progress to its second reading and is scheduled to take effect from March 1st, 2020.