Story image

New Zealand's Privacy Bill to get first reading in Parliament

21 Mar 18

New Zealand’s Privacy Bill is about to begin its first reading in Parliament with Andrew Little as the MP in charge.

The Bill aims to replace the Privacy Act 1993 as recommended by a 2011 review by the Law Commission. It aims to ensure proper security and use of personal information.

There are several main tenets to the new Privacy Bill. They are:

  • Mandatory reporting of privacy breaches: privacy breaches (unauthorised or accidental access to, or disclosure of, personal information) that pose a risk of harm to people must be notified to the Privacy Commissioner and to affected individuals
  • Compliance notices: the Commissioner will be able to issue compliance notices that require an agency to do something, or stop doing something, in order to comply with privacy law. The Human Rights Review Tribunal will be able to enforce compliance notices and hear appeals
  • Strengthening cross-border data flow protections: New Zealand agencies will be required to take reasonable steps to ensure that personal information disclosed overseas will be subject to acceptable privacy standards. The Bill also clarifies the application of our law when a New Zealand agency engages an overseas service provider
  • New criminal offences: it will be an offence to mislead an agency in a way that affects someone else’s information and to knowingly destroy documents containing personal information where a request has been made for it. The penalty is a fine not exceeding $10,000.
  • Commissioner making binding decisions on access requests: this reform will enable the Commissioner to make decisions on complaints relating to access to information, rather than the Human Rights Review Tribunal. The Commissioner’s decisions will be able to be appealed to the Tribunal
  • Strengthening the Privacy Commissioner’s information gathering power: the Commissioner’s existing investigation power is strengthened by allowing him or her to shorten the time frame within which an agency must comply, and increasing the penalty for non-compliance.

Privacy Commissioner John Edwards welcomes the Bill’s introduction and believes it will both maintain and progress New Zealand’s track record of protecting New Zealanders’ privacy interests.

Edwards, who is lobbying for penalties of up to $1 million for organisations who suffer a serious data breach, also believes that a revamp of the act is long overdue.

The current Privacy Act is now 25 years old. While the 2011 review helped to modernise the Act, Edwards notes that much has changed since then.

“I’m pleased the Government has moved so promptly in its term to address the immediate need for stronger privacy protections and enforcement powers. Better privacy and data protection regulation is a growing trend in OECD countries like New Zealand,” Edwards says.

Edwards notes that Australia and the European Union have already made moves to improve their privacy laws. Now it is New Zealand’s turn.

“That the Government has made privacy law reform a significant priority in its busy work programme reflects the privacy concerns of a majority of New Zealanders - something which has been borne out in regular opinion surveys undertaken by my office.”

Edwards also believes that there is more civil enforcement needed to ensure New Zealand has a robust policy comparable to its trading partners.

“Without real and meaningful consequences for non-compliance, rogue agencies will continue to thumb their nose at the regulation, meaning responsible organisations will disproportionately bear the cost of compliance, while cowboys will ignore their obligations,” Edwards states in an additional blog.

“My aim is to keep compliance costs for industry down, to reward good behaviour, punish the cavalier, and provide New Zealanders with easy access to remedies when their rights are breached.”

Privacy Commissioner Edwards proposed six recommendations to the Bill in 2016.

  • Empowering the Privacy Commissioner to apply to the High Court for a civil penalty to be imposed in cases of serious breaches (up to $100,000 in the case of an individual and up to $1 million in the case of a body corporate)
  • An update to protect against the risk that individuals can be unexpectedly identified from data that had been purportedly anonymised
  • Introducing data portability as a consumer right
  • An additional power to require an agency to demonstrate its ongoing compliance with the Act which would enable the Privacy Commissioner to proactively identify and respond to systemic issues
  • Narrowing the defences available to agencies that obstruct the Privacy Commissioner or fail to comply with a lawful requirement of the Commissioner; and
  • Reforming the public register principles in the Act and providing for the suppression of personal information in public registers where there is a safety risk.

"We will also argue for the Law Commission’s recommendation to shift the privacy functions of the Director of Human Rights Proceedings into the Privacy Commissioner’s office in order to streamline the handling of privacy complaints," he adds.

Edwards says his office is committed to providing independent assistance as the Bill progresses through parliament. The office will also continue to advocate for New Zealanders’ privacy rights.

Techday will continue to cover news of the Privacy Bill’s progress as it unfolds.

You can read the Proposed Privacy Bill on the Parliamentary Counsel Office website here.

CERT NZ highlights rise of unauthorised access incidents
“In one case, the attacker gained access and tracked the business’s emails for at least six months. They gathered extensive knowledge of the business’s billing cycles."
Report finds GCSB in compliance with NZ rights
The Inspector-General has given the GCSB its compliance tick of approval for the fourth year in a row.
Game review: Just Cause 4 on PC
Rico Rodriguez returns to wreak over-the-top havoc for a fourth time. This time the island nation of Solís is our hero’s sandbox, ripe for destruction.
Hands-on review: Logitech G502 HERO gaming mouse
My favourite feature of the G502s is the ‘Sniper’ button, which is found on the left hand side of the device. When held, this lowers the DPI and allows you to achieve maximum accuracy whilst honing in on a kill on your favourite FPS title.
Interview: ZeniMax Online's game director talks Elder Scrolls Online
FutureFive’s Darren Price sat down with Matt Firor, ESO’s designer and now president and game director at ZeniMax Online.
IDC: Tablets stay dead, notebooks keep head above water
An IDC report predicts a soft personal PC market, slipping into further decline with the exception of notebooks, gaming PCs, and business PC upgrades.
A hands-on guide to Christmas shopping by Santa’s IT elf
Ho, ho, ho! So you’re back again for more inspiration for that hard-to-buy-for person in your life?
Govt commits $15.5m to digital identity research
“With more and more aspects of our lives taking place online it’s critical the government takes a lead to ensure New Zealanders have control of how and who uses their identity information,” says Minister Woods.