The penalty for a serious or repeated breach of the Privacy Act could be increased to a fine of up to NZ$1 million, if the Privacy Commissioner, John Edwards’, recent recommendations to the Government for changes to the Privacy Act are adopted.
This article summarises six recommendations published by the Privacy Commissioner last week and provides a brief update on anticipated reform of the Privacy Act.
Read the Privacy Commissioner’s full report here.
Status of Privacy Act reform
The Privacy Commissioner’s recommendations have been made in the context of the Privacy Commissioner’s periodic review obligations under the Privacy Act.
Privacy law reform has also been under consideration by the New Zealand Government since 1998. Last year, Minister Amy Adams confirmed that the Privacy Act is being modernised and that a new Privacy Bill is expected to be introduced in 2017, following a period of targeted technical consultation.
Six recommended changes to the Privacy Act
In his review, Mr Edwards proposes six recommendations for changes to the Privacy Act, based on rapid advances in data science and information technology in the five years since the last review.
- Including a civil penalty provision
The Privacy Commissioner recommends that the Commissioner is empowered to apply to the High Court for a civil penalty to be imposed in cases of serious or repeated breaches of the Privacy Act - up to NZ$100,000 in the case of an individual and up to NZ$1 million in the case of a body corporate.
- A right of personal information portability
The Privacy Commissioner recommends that data portability is introduced as a consumer right, to empower individuals to request an agency provide them with their personal information in a suitable electronic format. This would reduce the difficulty in transferring services to another provider, and strengthen customer choice on internet service providers.
- Controls on re-identification
The Privacy Commissioner recommends an update of the Privacy Act to protect against the risk that individuals can be unexpectedly identified from data that had been purportedly anonymised. The New Zealand Data Futures Partnership will provide a report on recommended reform to the Government in 2017. Read more here and here.
- An additional power to require demonstration of compliance
The Privacy Commissioner recommends that each agency is required to demonstrate its ongoing compliance with the Privacy Act by establishing a privacy management programme and reporting to the Commissioner and to the public. This in turn would enable the Privacy Commissioner to proactively identify and respond to systemic issues and ensure compliance with the other new enforcement recommendations.
- Reform of criminal defences for obstructing the Commissioner
The Privacy Commissioner recommends narrowing the defences available to agencies in respect of criminal offences for obstructing the Privacy Commissioner, or failing to comply with a lawful requirement of the Commissioner. The Commissioner suggests that a strict liability standard should apply instead of the current “without reasonable excuse” wording.
- Proceeding with public register reform
The Privacy Commissioner recommends repealing the “public register privacy principles” and replacing them with specific privacy safeguards, such as the suppression of personal information in cases requiring the protection of personal safety. In addition, the Privacy Commissioner recommends that it is empowered to monitor the establishment, operation and use of public registers and to publicly report on the need for or desirability of taking legislative, administrative or other action to give protection or better protection to the privacy of the individual.
What this means for New Zealand
If adopted, the changes proposed by the Privacy Commissioner would bring New Zealand in line with proposed European privacy reform, as well as similar schemes in Australia and the United Kingdom.
Read more on the European privacy reform here and here.
Please contact our team if you would like any advice or assistance on the key changes to the Privacy Act.
This publication is necessarily brief and general in nature. You should seek professional advice before taking any action in relation to the matters dealt with in this publication.