A new Privacy Bill has been introduced to Parliament which will impact all New Zealand businesses that collect, use or hold information about individuals.
The Privacy Bill represents a long-awaited update to New Zealand's privacy laws, following recommendations from the Law Commission in 2011. It follows a global trend towards more robust regulation of personal information, including Australia's recent amendment to its Privacy Act, and the upcoming implementation of the European Union's General Data Protection Regulation (GDPR) in May this year.
You can read the new Privacy Bill here.
Key changes under the Privacy Bill are consistent with those signalled by the Law Commission and the Privacy Commissioner, although not all of the Privacy Commissioner's recommendations have been included (see our previous article here).
Key changes include:
Mandatory reporting of privacy
The Privacy Commissioner must be notified
where there is a risk of harm as a result of unauthorised or accidental
disclosure of personal information.
The Privacy Commissioner will be able to issue
notices to require agencies or take (or prevent) particular action(s).
These notices will be enforced by the Human Rights Tribunal.
Stronger cross-border data flow protection
Reasonable steps must be taken by New Zealand
agencies to ensure that any personal information disclosed in other
jurisdictions is subject to adequate privacy standards. Further, the Bill aims
to clarify the law applicable to overseas service providers engaged by New
New criminal offences
The introduction of a fine not exceeding
$10,000 to penalise anyone who misleads an agency in a manner which affects
another person’s personal information or where a person destroys documents
containing personal information following a request for access.
Powers of the Commissioner
The Commissioner will be able to make binding
decisions on access requests. Additionally, the Commissioner will have
increased investigatory powers, including increasing penalties for
The Privacy Bill states that the new requirements will come into force on 1 July 2019. However, this reflects a proposed transitional period of 6 months. The effective date will ultimately depend on the speed of the Privacy Bill's progress through the parliamentary process - after the long lead-up to the release of the Bill.
We will be closely monitoring the proposed reform and will keep you updated when further information is announced.
If you need any further information on matters covered in this update, please contact your usual Bell Gully adviser.
This publication is necessarily brief and general in nature. You should seek professional advice before taking any action in relation to the matters dealt with in this publication.