The New Zealand Privacy Commissioner (Commissioner), John Edwards, recently released a report reviewing the Privacy Act 1993 (Act). The report recommends amendments to the Act as part of the overhaul of New Zealand privacy law announced by the Ministry of Justice in 2014.
Information technology and data science developments are progressing with enormous speed, and regulators are playing catch-up with the capabilities of the technology. Revisions to the Act need to anticipate the future needs of privacy protection. The Commissioner's recommendations focus on modernising the Act by strengthening enforcement powers and aligning our laws with international frameworks, including the European Union General Data Protection Regulation (GDPR), which will come into force in May 2018.
A right to personal information portability: This recommendation would allow individuals to request that an agency provide them with their personal information in an electronic format. This would enable easy transfer of services between providers, such as from one bank to another or between social media providers such as Facebook. Data portability is increasingly a basic consumer right, so it is fundamental that it be provided for in our privacy laws. The aim is also to reduce consumer/provider lock-in by strengthening an individual's autonomy in choosing who holds and uses their information.
Controls on re-identification: An emerging privacy risk is that publicly available anonymised information can be manipulated to re-identify individuals. This has occurred overseas where individuals have been identified from anonymised datasets that have been publicly released for research purposes. The social and economic benefits of public datasets are huge and, therefore, public trust and confidence in the anonymity of their information is vital. By implementing controls through additional provisions around re-identification, it would be made clear that New Zealand's expectation is to adequately de-identify information before releasing it and that there is an explicit prohibition on re-identification.
A new power to require demonstrations of agency compliance: The Commissioner would have a new power to require agencies to set up a privacy management programme or plan, and to report on their compliance with it. The reports could be made public. The aim is to reduce systemic breaches of the Act, many of which currently go undetected. This power would usually be triggered by a suspected risk to privacy, either generally or in response to a specific agency's practices. The ability to hold agencies accountable would fill a notable gap in our privacy framework by allowing the Commissioner to inquire into the adequacy of agencies' privacy processes and identify weaknesses or non-compliance. The Commissioner would also be able to impose requirements to achieve compliance.
An agency could be ordered to provide a publicly available report on its privacy management.
New civil penalty provision: A civil penalty provision would allow the Commissioner to apply to the High Court for a civil penalty to be imposed for serious breaches. This would be up to $100,000 in the case of an individual and $1 million in the case of a body corporate. This would bring New Zealand into line with penalties provided for in Australia, and other comparable jurisdictions, for intentional and reckless breaches of privacy.
Adjustments to criminal offences: The Commissioner recommends the narrowing of the defences currently available in respect of the criminal offences under the Act. Presently, there is a 'reasonable excuse' defence available for the obstruction of the Commissioner or failing to comply with a lawful requirement of the Commissioner. It is proposed this is replaced with one of the following:
a) lawful justification or excuse;
b) 'strict liability'; or
c) an option for a pecuniary penalty order as an alternative to prosecution.
Narrowing these defences would align the Act with other comparable offences and reinforce the importance of complying with privacy law.
Public register reform: It is recommended that the public register privacy principles, which form part of the Act, are repealed. Public registers now have the necessary relevant privacy safeguards provided for in the individual statute which sets up each register. The Office of the Commissioner is consulted on any proposed amendments to public register statutes and, therefore, there is little utility for the public register privacy principles in the Act. In their place, the Commissioner proposes provision for:
a) specific privacy safeguards, such as the suppression of personal information in cases requiring the protection of personal safety (eg those protected by the Domestic Violence Act 1995); and
b) complaints to the Commissioner in relation to breaches of access conditions as provided in each public register enactment.
Get Your Data Protection/Privacy House in Order
These changes are increasingly necessary for New Zealand, particularly following the adoption of the European GDPR, which provides for a stringent strengthening of privacy rights. Mandatory reporting of privacy breaches has also been recommended by Government, something already provided for in other jurisdictions. The regulatory approach is placing increasingly heavy pressure on data-holding and data-processing agencies to proactively ensure that personal data is protected. A casual approach will not cut it in future.