Privacy Bill

14 June 2018

Such a review is inevitable given the vastly different information environment we live in now versus when the Privacy Act came into effect in 1993.  During the course of this 25 year period, the digital space has transformed business, government, economies and personal communications to a significant degree.  The Privacy Act was at a time where internet was still new, and “smartphone” were still over 10 years away from introduction.

Whilst technology has added considerable ease and flexibility to our lives, the recent examples of Facebooks’ management of personal information, highlights the added risks to personal information in modern times.

The proposed changes to the Bill aim to strengthen privacy protections, through early intervention and risk management by agencies (the name used for any organisation or person that handles personal information), rather than relying on people making complaints following a privacy breach. The Bill’s reforms will also enhance the role of the Privacy Commissioner.

The key areas of reform of the Bill are:

  • Data Breaches - Agencies are mandated to report data breaches;
  • Compliance Notices - The Commissioner will be able to issue compliance notices to require an agency to do something, or stop doing something;
  • Commissioner’s Powers – The Commissioner will make binding decisions on complaints about access to information, rather than the Human Rights Review Tribunal.  These decisions can be appealed to the Tribunal;
  • Greater cross-border protections – New Zealand agencies will have to take reasonable steps to ensure that personal information sent overseas is protected by acceptable privacy standards.   The Bill goes further to provide that New Zealand agencies that engage an overseas service provider, will have to comply with New Zealand privacy laws rather than those of the overseas agency;
  • Criminal Offences - criminal offences will be introduced for misleading an agency in a way that affects someone else’s information, and destroying documents containing personal information if a request has been made for it. The proposed penalty is a fine up to $10,000.

The Select Committee is due to report back on 11 October 2018.