Story image

New Zealand's Privacy Bill to get first reading in Parliament

21 Mar 18

New Zealand’s Privacy Bill is about to begin its first reading in Parliament with Andrew Little as the MP in charge.

The Bill aims to replace the Privacy Act 1993 as recommended by a 2011 review by the Law Commission. It aims to ensure proper security and use of personal information.

There are several main tenets to the new Privacy Bill. They are:

  • Mandatory reporting of privacy breaches: privacy breaches (unauthorised or accidental access to, or disclosure of, personal information) that pose a risk of harm to people must be notified to the Privacy Commissioner and to affected individuals
  • Compliance notices: the Commissioner will be able to issue compliance notices that require an agency to do something, or stop doing something, in order to comply with privacy law. The Human Rights Review Tribunal will be able to enforce compliance notices and hear appeals
  • Strengthening cross-border data flow protections: New Zealand agencies will be required to take reasonable steps to ensure that personal information disclosed overseas will be subject to acceptable privacy standards. The Bill also clarifies the application of our law when a New Zealand agency engages an overseas service provider
  • New criminal offences: it will be an offence to mislead an agency in a way that affects someone else’s information and to knowingly destroy documents containing personal information where a request has been made for it. The penalty is a fine not exceeding $10,000.
  • Commissioner making binding decisions on access requests: this reform will enable the Commissioner to make decisions on complaints relating to access to information, rather than the Human Rights Review Tribunal. The Commissioner’s decisions will be able to be appealed to the Tribunal
  • Strengthening the Privacy Commissioner’s information gathering power: the Commissioner’s existing investigation power is strengthened by allowing him or her to shorten the time frame within which an agency must comply, and increasing the penalty for non-compliance.

Privacy Commissioner John Edwards welcomes the Bill’s introduction and believes it will both maintain and progress New Zealand’s track record of protecting New Zealanders’ privacy interests.

Edwards, who is lobbying for penalties of up to $1 million for organisations who suffer a serious data breach, also believes that a revamp of the act is long overdue.

The current Privacy Act is now 25 years old. While the 2011 review helped to modernise the Act, Edwards notes that much has changed since then.

“I’m pleased the Government has moved so promptly in its term to address the immediate need for stronger privacy protections and enforcement powers. Better privacy and data protection regulation is a growing trend in OECD countries like New Zealand,” Edwards says.

Edwards notes that Australia and the European Union have already made moves to improve their privacy laws. Now it is New Zealand’s turn.

“That the Government has made privacy law reform a significant priority in its busy work programme reflects the privacy concerns of a majority of New Zealanders - something which has been borne out in regular opinion surveys undertaken by my office.”

Edwards also believes that there is more civil enforcement needed to ensure New Zealand has a robust policy comparable to its trading partners.

“Without real and meaningful consequences for non-compliance, rogue agencies will continue to thumb their nose at the regulation, meaning responsible organisations will disproportionately bear the cost of compliance, while cowboys will ignore their obligations,” Edwards states in an additional blog.

“My aim is to keep compliance costs for industry down, to reward good behaviour, punish the cavalier, and provide New Zealanders with easy access to remedies when their rights are breached.”

Privacy Commissioner Edwards proposed six recommendations to the Bill in 2016.

  • Empowering the Privacy Commissioner to apply to the High Court for a civil penalty to be imposed in cases of serious breaches (up to $100,000 in the case of an individual and up to $1 million in the case of a body corporate)
  • An update to protect against the risk that individuals can be unexpectedly identified from data that had been purportedly anonymised
  • Introducing data portability as a consumer right
  • An additional power to require an agency to demonstrate its ongoing compliance with the Act which would enable the Privacy Commissioner to proactively identify and respond to systemic issues
  • Narrowing the defences available to agencies that obstruct the Privacy Commissioner or fail to comply with a lawful requirement of the Commissioner; and
  • Reforming the public register principles in the Act and providing for the suppression of personal information in public registers where there is a safety risk.

"We will also argue for the Law Commission’s recommendation to shift the privacy functions of the Director of Human Rights Proceedings into the Privacy Commissioner’s office in order to streamline the handling of privacy complaints," he adds.

Edwards says his office is committed to providing independent assistance as the Bill progresses through parliament. The office will also continue to advocate for New Zealanders’ privacy rights.

Techday will continue to cover news of the Privacy Bill’s progress as it unfolds.

You can read the Proposed Privacy Bill on the Parliamentary Counsel Office website here.

2019 threat landscape predictions - Proofpoint
Proofpoint researchers have looked ahead at the trends and events likely to shape the threat landscape in the year to come.
InternetNZ welcomes Govt's 99.8% broadband coverage plan
The additional coverage will roll out over the next four years as part of the Rural Broadband Initiative phase two/Mobile Black Spots Fund (RBI2/MBSF) programme expansion.
Commerce Commission report shows fibre is hot on the heels of copper
The report shows that as of 30 September 2018 there were 668,850 households and businesses connected to fibre, an increase of 45% from 2017.
Dr Ryan Ko steps down as head of Cybersecurity Researchers of Waikato
Dr Ko is off to Australia to become the University of Queensland’s UQ Cyber Security chair and director.
Businesses in APAC are ahead of the global digital transformation game
“And it’s more about people and culture - about change management - along with investing in the technology.”
HubSpot announces fund for 'customer first' startups
HubSpot is pouring US$30 million (NZ$40 million) into a new fund to support startups that demonstrate ‘customer first’ approach of not only growing bigger, but growing better.
Mac malware on WatchGuard’s top ten list for first time
The report is based on data from active WatchGuard Firebox unified threat management appliances and covers the major malware campaigns.
LearnCoach closes $1.5m seed round
The tutorials are designed for students who want to learn NCEA subjects but can’t make it to a physical classroom.