Preparing for the Privacy Act 2020

The Privacy Bill 2020 is currently making its way through the NZ Parliament. As it sits at the Committee of the Whole House stage (with a third reading and the royal assent expected in the coming months), it's a good time to get abreast of the changes.

As you know, the current Privacy Act is dated 1993 and (given its age) has been largely outpaced by advances in technology. When the 1993 Act was passed, it was anticipated that it would be reviewed after three years (1996) and then every 5 years after that. In fact it was only reviewed once, in 1998, and despite some recommendations batted around for changes, nothing was done. It wasn’t until a Law Commission Report in 2011 recommended a modern Act, and the recommendations were subsequently taken up in 2014, that drafting of the new legislation commenced.

Modernised drafting and greater responsiveness to the technological age were key considerations in drafting the Bill, as was the desire for greater powers for the Privacy Commissioner to deal with access and breach issues. Of course, it remains to be seen whether the changes will result in effective change.

The 5 key changes to note from the Bill are outlined below: 

1. Mandatory Breach Notification

The new Act will introduce mandatory breach notifications.

A notifiable privacy breach means a privacy breach that it is reasonable to believe has caused serious harm to an affected individual or is likely to do so (s117).

In assessing the likelihood of serious harm being caused by a privacy breach (and therefore, whether it is notifiable), the following should be considered:

  • Any action taken by the agency to reduce the harm following the breach
  • Whether the personal information is sensitive in nature
  • The nature of the harm caused to the affected individual
  • Who may obtain the information as a result of the breach
  • Whether the personal information is protected by a security measure (i.e. if you’ve lost your work laptop, full of client files, is the laptop password protected?) (s117A).

The obligation is to notify both the Privacy Commissioner and the individual(s) involved (s118 and 119). Failure to do so could attract a fine of up to $10,000.00 (s122).

Interestingly, there are no strict timelines in place for notification. Timing is judged against what is reasonably practicable.

2. Commissioner’s power to issue Compliance Notices

Under the current Act, the Commissioner’s power to enforce compliance notices where an agency has interfered with an individual’s privacy is constrained by a threshold test that requires harm to result. In short, if no one is harmed by the breach, the Commissioner can’t really do anything about it.

In the new Act, the power to enforce compliance notices will not be dependent on establishing harm. It will instead rest on non-compliance with the Act (s124).

The Commissioner may bring proceedings for breach of a compliance order to the Human Rights (HR) Tribunal. Where failure to comply is proven, an offence is committed and a fine of up to $10,000.00 may be imposed.

3. Binding Decisions on Access Requests

The current Act does not give the Commissioner any power to enforce access to personal information for an individual. The burden to pursue and enforce their right to access is essentially placed on the individual seeking the information.

The new Act gives the Commissioner the power to issue Access Directions (s96A), which require the agency to release the information to the individual. The agency can appeal to the HR Tribunal where it believes the Commissioner has got his decision to release wrong (s110).

4. New criminal offences

The new Act provides two new offences (although, correct me if I'm wrong, by my reading one was an offence already!):

  1. It is an offence to mislead an agency by impersonating an individual, or falsely pretending to be an individual or to be acting under the authority of an individual, in order to obtain access to an individual’s personal information or to have that person’s information used, altered or destroyed, and
  2. It is an offence to respond to a request for personal information by destroying information that is the subject of the request (s212).

5. Extraterritorial reach

The new Act will apply to a business whether or not it has a legal or physical presence in New Zealand. The test will be whether it is carrying on business in New Zealand (s3A). (This was a conscious attempt to align the NZ legislation with the gold standard GDPR provisions.)

There will also be restrictions on agencies transferring data outside their jurisdiction without the explicit consent of the individual concerned, or without the agency being satisfied that comparable privacy measures exist in the country to which the information is being transferred (s193).

Helpfully, the Commissioner has indicated that his office will be creating a white list of countries that they consider will meet the comparable measures test and will also be providing model clauses for firms / companies to use in their T&Cs regarding transfers.

Need a little more direction?

The Privacy Commission has an e-learning site for privacy matters. It can be accessed through the Privacy Commission landing page. Some of the courses are fairly basic, but the site may provide a quick ready-reckoner and is likely to be updated when the Bill comes into law to help brush up on the changes.

Happy learning!

Enjel Phoon

Deputy General Counsel | AI & Tech | Ex Virgin, B Corp and high tech startups

5 years ago

Superstar! Thank you for capturing and sharing the key takeaways from that session.

Susan .

Change Management | Connecting the boardroom to the break-room | Facilitating change that lasts

5 years ago

Great summary! Thanks Sarah Alderson
