The Office of the Privacy Commissioner has released the Privacy Commissioner's submission on the Privacy Bill.
This update provides a summary of the Privacy Commissioner's key proposals.
Overall, the Privacy Commissioner's submission seeks to align the Privacy Bill more closely with the GDPR by introducing core GDPR concepts such as rights to data portability, algorithmic transparency and further protections for anonymised information. The Privacy Commissioner also supports further detail on the new notifiable privacy breach scheme, as well as penalties of up to NZ$1 million.
A copy of the Privacy Commissioner's submission is available here and the Privacy Bill is available
Privacy Commissioner's key submissions
Mandatory reporting of privacy breaches
The Privacy Bill introduces a new obligation to notify the Privacy Commissioner and affected individuals if a notifiable privacy breach occurs.
The notifiable privacy breach scheme should include:
more guidance and certainty surrounding the definition of "notifiable privacy breach," e.g., by including factors to be taken into account and providing examples of privacy breaches that would, or would not, be notifiable;
an express obligation on an agency processing or providing safe custody of personal information on behalf of another agency to notify that other agency when it becomes aware of a privacy breach;
an obligation on agencies to take appropriate measures to minimise the potential harm to individuals affected by a notifiable breach;
a discretion for the Privacy Commissioner to require a notifying agency to also submit a follow up notice recording steps taken in response to the breach; and
a civil penalty provision (to replace clause 122 (Offence to fail to notify Commissioner)) where an agency fails to notify the Privacy Commissioner.
Anonymised information
The Privacy Bill carries over provisions from the Privacy Act 1993 that allow for the publication and use of personal information in an anonymised form.
More robust de-identification measures should be required. In particular, the Privacy Bill should:
strengthen protections for individuals from the privacy risks of inadequate de-identification of personal information for statistical and research purposes; and
provide safeguards against the privacy risks resulting from re-identification events (i.e. where individuals are unexpectedly identified from data that has purportedly been anonymised).
Data portability
The Privacy Bill does not include data portability rights.
Data portability should be included in the Privacy Bill. In particular, the Privacy Bill should include a right for an individual to require that their personal information be:
made available to them electronically and in machine readable format; and
transferred, where technically feasible, to another agency.
This recommendation mirrors the GDPR data portability provision.
Right to erasure
The Privacy Bill does not include a right to erasure (commonly referred to as a "right to be forgotten"), but does:
entitle individuals to require an agency to correct (with the definition of "correct" including deletion) their personal information (IPP 7);
require an agency to take reasonable steps to ensure that an individual's information is accurate, up to date, complete, relevant and not misleading (IPP 8); and
require an agency to not hold personal information for longer than is required (IPP 9).
Note that these IPPs are largely the same as the IPPs under the current Privacy Act.
The Privacy Bill should include a right to erasure of personal information (that is comparable with GDPR standards).
Algorithmic transparency and automated decision making
The Privacy Bill does not expressly address the emerging privacy issues relating to automated decision-making (i.e. decisions based on automated tools and algorithms).
The Privacy Bill should include additional provisions, including a new Information Privacy Principle (IPP), to address automated decision-making and require algorithmic transparency in appropriate cases.
Application of the Privacy Act to overseas activities and agencies
The Privacy Bill provides limited scope for the IPPs to apply to the activities of overseas entities in particular circumstances.
The Privacy Bill should clarify the application of the Privacy Act to the activities of overseas agencies that collect, hold, use or disclose personal information about New Zealand individuals, and to the overseas activities of New Zealand-based agencies, including by setting out different situations establishing a "sufficient link" for the Privacy Act to apply.
Relevance of age of the individual concerned
Under the Privacy Bill (IPP 4) an agency must have particular regard to the age of the individual concerned to ensure the means by which personal information is collected is fair and does not intrude to an unreasonable extent upon the affairs of that individual.
The Privacy Commissioner submits that IPP 4 should not be amended as proposed and that an alternative drafting option should be considered to address the collection practices of agencies when collecting personal information from children and young people.
Privacy Commissioner's submissions relating to enforcement
Civil penalty for serious or repeated breaches
While the Privacy Bill includes specific criminal offences, these are limited to particular instances of non-compliance, and do not provide a power to enforce serious breaches of privacy, including repeat offending.
A civil penalty provision and ancillary provisions should be included in the Privacy Bill. The Privacy Commissioner should be empowered to apply to the High Court for a civil penalty to be imposed in cases of serious or repeated breaches of the Privacy Act - up to NZ$100,000 for an individual and up to NZ$1 million for a body corporate.
Agency accountability for ongoing compliance
The Privacy Bill requires an agency to appoint a privacy officer to encourage the agency to comply with the IPPs, ensure compliance with the Privacy Act, deal with requests made under the Privacy Act, and to work with the Commissioner in relation to investigations.
The Privacy Bill should go further by requiring an agency to:
take other reasonable steps to ensure its ongoing compliance with the Privacy Act; and
if requested by the Privacy Commissioner, report to the Privacy Commissioner in writing on the steps the agency has taken, or proposes to take, to ensure its ongoing compliance with the Privacy Act.
Discontinuing the role of the Director of Human Rights Proceedings
The Privacy Bill continues the current model which splits functions between the Privacy Commissioner and the Director of Human Rights Proceedings in relation to privacy complaints. This means that under the Privacy Bill, if the Commissioner considers proceedings should be brought before the Human Rights Tribunal, the complaint must first be referred to the Director of Human Rights Proceedings for his or her consideration.
The Privacy Commissioner should have a discretion to consider whether proceedings should be instituted in the Human Rights Tribunal.
The Privacy Commissioner's submissions, although more detailed, remain largely consistent with the recommendations signalled in the Privacy Commissioner's report to the Minister of Justice on 3 February 2017, available
Please contact our privacy team if you would like any advice or assistance in relation to the matters addressed in this client update.
Our privacy team is closely monitoring the Privacy Bill and will continue to provide updates. Please refer to our previous update available here. Bell Gully's submission on the Privacy Bill is available
This publication is necessarily brief and general in nature. You should seek professional advice before taking any action in relation to the matters dealt with in this publication.