PRIVACY LAW REFORM
By Anna Guise & Madeleine Masters
New Zealand’s privacy laws are set to change.
Currently, privacy in New Zealand is governed by the Privacy Act 1993. This legislation has struggled to keep up with the rise of extensive technological advances which have transformed the way in which we collect and use personal information in New Zealand. As a result, our privacy laws are in urgent need of an update.
This update comes in the form of the Privacy Bill, which if enacted will strengthen privacy protections and require agencies (which includes any business or organisation, whether in the public or private sector) to actively manage their privacy obligations. It will also provide the Privacy Commissioner with increased powers to address privacy law breaches.
The Bill is currently making its way through Parliament and had its second reading on 7 August 2019. If enacted, some of the changes which agencies could expect to see include:
1. Mandatory notification of a privacy breach
Agencies will be required to notify the Privacy Commissioner, and any affected individuals, of any ‘notifiable privacy breach’ as soon as practicable after becoming aware of the breach. A notifiable privacy breach will occur where it is reasonable to believe that the breach has caused, or is likely to cause, an affected individual serious harm.
When determining whether a breach has or may cause serious harm, agencies must consider the following factors:
- What action has been taken by the agency to reduce the risk of harm following the privacy breach;
- Whether the personal information subject to the breach is of a sensitive nature;
- The nature of the harm that may be caused to the affected individuals
- If known, who has obtained, or may obtain, the personal information subject to the breach;
- Whether the personal information is protected by any security measures; and
- Any other relevant matters.
Failure to notify the Privacy Commissioner of a notifiable breach under the Bill may result in a fine of up to $10,000. The Privacy Commissioner will also have the power to publish the identity of the agency subject to the breach where the Privacy Commissioner believes it is in the public interest to do so.
2. Privacy Commissioner can issue and publish compliance notices
The Privacy Commissioner will have the ability to issue a compliance notice to an agency requiring them to take action, or stop taking a particular action in order to comply with privacy laws.
If the Privacy Commissioner issues a compliance notice to an agency, the Bill requires the Privacy Commissioner to publish the following information in relation to the compliance notice:
- The identity of the agency;
- Other details about the compliance notice or the breach that the Privacy Commissioner considers should be published; and
- A statement or comment about the breach that the Privacy Commissioner considers is appropriate in the circumstances.
The publication of such notice may only be avoided if an agency can satisfy the Privacy Commissioner that it will suffer undue hardship as a result of the publication, and the Privacy Commissioner believes that such hardship outweighs the public interest in the publication.
3. Disclosure of personal information outside New Zealand
A new principle will also be introduced under the current privacy principles, concerning the disclosure of personal information outside of New Zealand. The principle will put more limits on foreign disclosure by requiring an agency to satisfy one of the six requirements contained in the principle before disclosing the personal information outside of New Zealand.
For example, an agency may only disclose the personal information to an overseas person or entity if the overseas person or entity is subject to privacy laws that provide comparable safeguards to those contained in the New Zealand Privacy Act.
4. Identifying information cannot be collected unless required
The Privacy Bill will also amend ‘information privacy principle 1’ under the 1993 Act, which concerns the purpose for the collection of personal information. In particular, the amendment will prohibit an agency from obtaining more identifying information from an individual than is necessary for the purpose for which it is collected.
This addition is likely to have a significant impact on agencies, as it will require agencies to carefully consider what identifying information they are collecting from an individual and ensure that they can justify why that identifying information is required or necessary for their particular purpose.
Where to go from here?
While the Privacy Bill still needs to pass its third reading in Parliament, it is a good time for New Zealand businesses to take a look at their current privacy policies and information collecting processes to ensure that they are up to date. Businesses should also consider what changes they need to make if the new Privacy Bill is passed.
If you have any questions or require any assistance regarding your privacy law requirements, please feel free to contact the Commercial Team at Davenports Harbour to discuss using the details below:
Anna Guise, Commercial Team
Direct dial: 09 915 4380
Madeleine Masters, Commercial & Employment Teams
Direct dial: 09 915 4380
The above article provides a brief overview of some of the changes that agencies might expect to see if the new Privacy Bill is implemented. It is not intended to be a comprehensive outline of the Bill or to be constituted as legal advice. If you require any legal advice or further information about this article, please contact the team at Davenports Harbour to discuss.