Recently published proposals see New Zealand joining the worldwide trend towards more stringent data protection and privacy safeguards. This article gives details on the proposed reforms and next steps.

By: Simon Lapthorne, Scott Worthy

Firm: Kiely Thompson Caisley

On 11 April 2018 the New Zealand Parliament gave a first reading to a new Privacy Bill. The Bill has now been referred to the Justice Select Committee and is currently open for public submissions. If passed into law, the Bill would repeal and replace the current Privacy Act 1993, which has been in force for nearly 25 years. The Bill leaves many of the principles and provisions of the current Act untouched; however there are some important changes proposed.

Changes Proposed by the Privacy Bill

There are four key changes in the Bill. Overall, these changes strengthen the standard of protection for personal information and increase the enforcement powers of the Privacy Commissioner.

Firstly, the Bill contains a breach-reporting requirement. If a person’s privacy rights are breached and there is a possibility of serious harm or serious harm results from this breach, the agency holding the information will be required to notify both the Privacy Commissioner and the individual or individuals whose privacy has been breached as soon as practicable. There will be a fine of up to NZD10,000 associated with failure to report under this requirement.

Secondly, the Privacy Commissioner’s power to enforce privacy standards will be enhanced. The Commissioner will have two important new abilities; the ability to issue compliance notices requiring agencies to take specific steps to comply with privacy law, as well as the ability to issue binding decisions on requests for access to personal information.

Thirdly, the Bill places obligations on agencies to ensure the protection of information sent overseas. Personal information will only be allowed to be sent overseas if the jurisdiction to which the information is being sent has comparable privacy laws to New Zealand, or if the person concerned authorises the disclosure of their personal information overseas.

Finally, the Bill makes it an offence for a person to falsely represent that he or she has authority under the Privacy Act. It will also be an offence to knowingly destroy documents that are subject to a personal information request. A maximum fine of NZD 10,000 has been proposed for these offences.

Public Submissions

The Bill is now open for public comment until 24 May 2018. We expect that the Bill will engender significant debate and many submissions will be made given the community’s interest in privacy rights. As almost all employers are agencies subject to the regulation of the Privacy Act and will hold personal information about both employees and customers, employers have a particular interest in having their say.