Law and the regulatory authority

Legislative framework

Summarise the legislative framework for the protection of personally identifiable information (PII). Does your jurisdiction have a dedicated data protection law? Is the data protection law in your jurisdiction based on any international instruments on privacy or data protection?

The protection of personally identifiable information (PII) is primarily governed by the Privacy Act 1993. The Privacy Act regulates the collection, storage, security, access, correction and other handling of personal information by both public and private agencies. The Privacy Act adopts a principle-based framework centred on 12 information privacy principles (IPPs). These IPPs are derived from the Organisation for Economic Co-operation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, adopted in 1980.

The Privacy Act is currently under legislative review. The Privacy Bill is currently passing through its second reading in Parliament. If enacted, the Privacy Bill will repeal and replace the Privacy Act. The Privacy Bill aims to promote public confidence that personal information is kept secure and treated properly, while also attempting to align New Zealand’s privacy and data protection regulation with international developments.

Data protection authority

Which authority is responsible for overseeing the data protection law? Describe the investigative powers of the authority.

The Office of the Privacy Commissioner is responsible for overseeing data protection law in New Zealand and gains its authority through the Privacy Act.

The privacy commissioner can instigate an investigation of an agency’s dealings with personal information on their own initiative. In addition, the commissioner may (but is not obliged to) instigate an investigation of an agency’s dealings with personal information as a result of a submitted complaint.

When conducting an investigation of an agency’s dealings with personal information, the commissioner can regulate their own procedure as they see fit (subject to the Privacy Act and its regulations).

When requested to do so by any agency (being any person or legal entity excluding certain government authorities), the commissioner can conduct an audit of personal information maintained by that agency for the purpose of ascertaining whether the information is maintained according to the IPPs.

Legal obligations of data protection authority

Are there legal obligations on the data protection authority to cooperate with other data protection authorities, or is there a mechanism to resolve different approaches?

There is no express legal obligation under the Privacy Act for the commissioner to cooperate with international data protection authorities. Further, New Zealand is not party to any binding cross-border privacy schemes, such as the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules System.

Under the Privacy Act, the commissioner may refer matters to an overseas privacy enforcement authority where the complaint relates to a matter that is more properly within its jurisdiction.

The commissioner, as a matter of good practice, continues to engage with the premier global network of privacy commissioners as a founding member of the Global Privacy Enforcement Network and a participant in the APEC Cooperation Arrangement for Cross-Border Privacy Enforcement. The privacy commissioners of New Zealand and Australia signed a memorandum of understanding (MOU) in 2008 to facilitate cooperation between their offices on privacy-related issues (including information sharing). However, the MOU is not intended to be legally binding; rather, it provides a practical means of meeting the cooperation targets set out in the APEC Privacy Framework.

Breaches of data protection

Can breaches of data protection law lead to administrative sanctions or orders, or criminal penalties? How would such breaches be handled?

Under the Privacy Act, the Human Rights Review Tribunal can award damages for interference with an individual’s privacy.

Following an investigation of any privacy complaint by the commissioner, if the alleged interference cannot be settled between the relevant parties, proceedings can be brought in the tribunal and remedies that are sought can include damages. The tribunal may award damages in respect of the interference with the privacy of an individual to appropriately compensate them for the humiliation, loss of dignity and injury to feelings caused by serious breaches, as well as the loss of any benefit (monetary or other) that the individual might reasonably have expected to obtain if the interference had not occurred.

Criminal penalties are not available in respect of any breach of the Privacy Act. However, under the Crimes Act 1961, criminal penalties are available in respect of the unlawful interception of private communications, as well as certain unlawful monitoring and surveillance activities.

Scope

Exempt sectors and institutions

Does the data protection law cover all sectors and types of organisation or are some areas of activity outside its scope?

The Privacy Act 1993 does not apply to the collection and reporting of news and current affairs. However, this exclusion does not extend to include ‘citizen journalists’, such as bloggers.

The Privacy Act also does not apply to:

  • the House of Representatives;
  • members of Parliament in their official capacity;
  • the New Zealand courts or tribunals; and
  • other government judicial review functions.

While New Zealand’s intelligence and security agencies are not excluded wholesale from the application of the Privacy Act, non-compliance with certain information privacy principles is permitted under the act to the extent the non-compliance is necessary to enable an intelligence and security agency to perform any of its functions.

Communications, marketing and surveillance laws

Does the data protection law cover interception of communications, electronic marketing or monitoring and surveillance of individuals? If not, list other relevant laws in this regard.

The Privacy Act does not expressly cover interception of communications, electronic marketing or monitoring and surveillance of individuals. The relevant law in this regard is as follows.

Interception of communications

Under the Crimes Act 1961, a person is liable to up to two years’ imprisonment if they intentionally intercept any private communications by means of an interception device (eg, recording device), other than when they are authorised to do so under other legislation (eg, the Search and Surveillance Act 2012, the Intelligence and Security Act 2017 or the International Terrorism (Emergency Powers) Act 1987). Any intentional disclosure of a private communication, the substance or meaning of that communication or an intentional disclosure of the existence of the private communication could result in up to two years’ imprisonment.

Electronic marketing

The Unsolicited Electronic Messages Act 2007 prohibits:

  • the sending of unsolicited commercial electronic messages; and
  • the use of address-harvesting software or harvested-address lists in connection with unsolicited commercial electronic messages.

Monitoring and surveillance

The Crimes Act imposes criminal penalties for certain restricted monitoring and surveillance activities, including intimate visual recordings. Under the Crimes Act, any individual who intentionally or recklessly makes, possesses (in certain circumstances), publishes, imports or sells an intimate visual recording of another person is liable to imprisonment. The Search and Surveillance Act 2012 regulates the powers of the police to monitor compliance with the law, to carry out investigations and to prosecute offences.

Other laws

Identify any further laws or regulations that provide specific data protection rules for related areas.

Under the Privacy Act, the privacy commissioner can issue specific codes of practice which have the effect of modifying the practical operation of the provisions of the act in particular industries. Codes of practice regulating credit reporting, health information, information sharing by civil defence during national emergencies, telecoms information and unique identifiers have been issued in New Zealand to date.

PII formats

What forms of PII are covered by the law?

All forms of PII are covered by the Privacy Act. Any information that falls within the definition of ‘personal information’ under the Privacy Act (ie, information about an identifiable individual) is protected.

Extraterritoriality

Is the reach of the law limited to PII owners and processors of PII established or operating in the jurisdiction?

The Privacy Act’s reach is presently limited to New Zealand agencies. It aims to regulate:

  • such agencies’ dealings with PII that is located or collected in New Zealand; and
  • information held by such agencies outside New Zealand.

The Privacy Bill seeks to clarify what is intended by a ‘New Zealand agency’, defining the term to include:

  • an individual ordinarily resident in New Zealand;
  • a New Zealand public sector agency; or
  • a private sector agency which is established in New Zealand or has its central management or control in New Zealand.

The Privacy Bill also seeks to extend the application of the Privacy Act to:

  • the actions of any overseas agency in the course of carrying on business in New Zealand; and
  • all personal information collected or held by overseas agencies in the course of carrying on business in New Zealand (regardless of where the PII is collected and where the relevant individual concerned is located).

Covered uses of PII

Is all processing or use of PII covered? Is a distinction made between those who control or own PII and those who provide PII processing services to owners? Do owners’, controllers’ and processors’ duties differ?

The Privacy Act presently provides that a person remains accountable for PII that is held by another person as its agent (ie, a person who provides PII processing services). Accordingly, in some instances under the current legislation, PII processing service providers are deemed not to hold the relevant PII and are arguably not subject to those provisions of the Privacy Act that apply only to agencies holding PII.

The Privacy Bill proposes to clarify this position to state that persons who provide services to the original owner of the PII as its agent (ie, cloud providers and other service providers which process information on behalf of others) will be held accountable for the PII that they hold, store and process to the extent that the agent uses or discloses the information for its own purposes.

Legitimate processing of PII

Legitimate processing – grounds

Does the law require that the holding of PII be legitimised on specific grounds, for example to meet the owner’s legal obligations or if the individual has provided consent?

Under the Privacy Act, personally identifiable information (PII) must not be collected unless the collection is for a lawful purpose connected with a function or activity of the agency and the collection is necessary for that purpose.

Where PII is collected directly from an individual, the agency collecting the PII must ensure that the individual is made aware of, among other things, the purpose of the collection of the information. If the collection is required by law, the individual must be made aware of the specific law that requires it. There are limits on how PII can be used once it has been collected. PII that was obtained in connection with one purpose cannot be used for any other purpose unless:

  • consent is obtained;
  • the information is already in the public domain; or
  • non-compliance is required in the circumstances (eg, to enforce the law, to protect public revenue, for the conduct of proceedings before a court or tribunal or to prevent or lessen a serious threat).

There are exceptions for intelligence and security agencies. An intelligence and security agency that holds personal information that was obtained in connection with one purpose may use the information for any other purpose (a secondary purpose) if that agency believes on reasonable grounds that the use of the information for the secondary purpose is necessary to enable the agency to perform any of its functions.

Legitimate processing – types of PII

Does the law impose more stringent rules for specific types of PII?

Codes of practice issued under the Privacy Act 1993 may modify the application of the information privacy principles to specific classes of PII. To date, codes of practice regulating information held for credit reporting purposes, health information and telecoms information have been issued in New Zealand.

The Privacy Bill aims to impose additional obligations in respect of the collection of PII when collecting PII from children and young persons.

Data handling responsibilities of owners of PII

Notification

Does the law require owners of PII to notify individuals whose PII they hold? What must the notice contain and when must it be provided?

The Privacy Act 1993 requires agencies collecting personally identifiable information (PII) directly from an individual to ensure that the individual is aware of:

  • the fact that the information is being collected;
  • the purpose for which the information is being collected;
  • the intended recipients of the information;
  • the consequences for them if they do not provide all or part of the requested information; and
  • how they may request access to and correction of personal information.

Where the collection of PII is authorised or required by law, the individual must be informed of the particular law by which the collection of the information is authorised or required, as well as whether the supply of the information is voluntary or mandatory.

Exemption from notification

When is notice not required?

Notice is not required in relation to the collection of PII from an individual where the collecting agency has taken the steps outlined under ‘Notification’ above in relation to the collection of the same or similar information from that individual on a recent previous occasion, or where the agency believes, on reasonable grounds, that:

  • non-compliance would not prejudice the interests of the individual concerned;
  • non-compliance is necessary to avoid prejudice to the maintenance or enforcement of the law (including the conduct of proceedings before any court or tribunal);
  • non-compliance is necessary for the protection of public revenue;
  • compliance is not reasonably practicable in the circumstances of the particular case; or
  • the PII collected will not be used in a form in which the individual concerned can be identified.

Control of use

Must owners of PII offer individuals any degree of choice or control over the use of their information? In which circumstances?

The Privacy Act contains no specific provisions to this effect. However, any agency that collects PII directly from an individual must inform that individual of the purposes for which the information is being collected, so that the individual can make an informed choice at the time of disclosure as to whether to disclose their PII.

Data accuracy

Does the law impose standards in relation to the quality, currency and accuracy of PII?

Yes - under the Privacy Act no agency may use or disclose PII without taking reasonable steps to ensure that, having regard to the purpose for which the PII is proposed to be used, the PII is accurate, up to date, complete, relevant and not misleading.

Amount and duration of data holding

Does the law restrict the amount of PII that may be held or the length of time it may be held?

The Privacy Act prohibits agencies from keeping PII for longer than is required for the purposes for which the information may lawfully be used (ie, the purpose for which the information was originally collected or any other purpose permitted or required by law).

Finality principle

Are the purposes for which PII can be used by owners restricted? Has the ‘finality principle’ been adopted?

Yes - any agency which holds PII must use that PII only for the purposes in respect of which it was obtained. Any collection of PII by an agency must be for a lawful purpose connected with a function or activity of the relevant agency.

The Privacy Bill seeks to expand the above principles by providing that, if the lawful purpose for which PII is collected does not require the collection of an individual’s identifying information, the agency may not require the individual to provide that identifying information.

Use for new purposes

If the finality principle has been adopted, how far does the law allow for PII to be used for new purposes? Are there exceptions or exclusions from the finality principle?

Under the Privacy Act, an agency holding PII may use that PII for a purpose other than the purpose in connection with which it was originally obtained where the agency believes, on reasonable grounds, that:

  • the individual concerned has authorised the new use;
  • the source of the information is publicly available and it would not be unfair or unreasonable to use the information;
  • non-compliance is necessary to avoid prejudice to the maintenance or enforcement of the law (including the conduct of proceedings before any court or tribunal);
  • non-compliance is necessary to prevent or lessen a serious threat to public health or public safety, or to the life or health of the individual concerned or another individual;
  • the PII will not be used in a form in which the individual concerned can be identified;
  • the use is necessary to enable a New Zealand intelligence and security agency to perform any of its functions; or
  • the disclosure is necessary to facilitate the sale of a business as a going concern.

Security

Security obligations

What security obligations are imposed on PII owners and service providers that process PII on their behalf?

Under the Privacy Act 1993, any agency holding personally identifiable information (PII) must ensure that the PII is protected by such security safeguards as are reasonable in the circumstances against:

  • loss;
  • access, use, modification or disclosure, except with the authority of the agency; and
  • other misuse.

Further, if an agency discloses any PII to a service provider in connection with the provision of a service to that agency, the agency must ensure that it does all things reasonably within its power to prevent the unauthorised use or disclosure of the relevant PII.

Notification of data breach

Does the law include (general or sector-specific) obligations to notify the supervisory authority or individuals of data breaches? If breach notification is not required by law, is it recommended by the supervisory authority?

The Privacy Act does not contain any mandatory obligation on agencies that hold PII to notify the privacy commissioner or affected individuals of data breaches. The Privacy Bill proposes to introduce such obligations.

The Privacy Bill would introduce the concept of a ‘notifiable privacy breach’ - that is, a privacy breach that has caused, or is likely to cause, serious harm to an affected individual. The Privacy Bill also proposes to require agencies to notify the commissioner as soon as practicable after becoming aware that a notifiable privacy breach has occurred. An agency would also be required to notify each affected individual as soon as practicable after becoming aware of the breach, unless it is not reasonably practicable to do so (in which case public notice must be given) or an exception or a permitted delay applies.

Internal controls

Data protection officer

Is the appointment of a data protection officer mandatory? What are the data protection officer’s legal responsibilities?

The Privacy Act 1993 does not contain a mandatory obligation for agencies to appoint a data protection officer; the Privacy Bill proposes to mandate this.

The Privacy Bill proposes to require each agency to appoint a privacy officer (who may be external to the agency). The role of the privacy officer will be to:

  • encourage the agency’s adherence to the Privacy Act’s information privacy principles (IPPs);
  • deal with requests in respect of personally identifiable information (PII) made to the agency; and
  • liaise with the privacy commissioner as required.

Record keeping

Are owners or processors of PII required to maintain any internal records or establish internal processes or documentation?

The Privacy Act does not expressly require agencies holding or processing PII to maintain specific internal records or establish internal processes. The Privacy Act does impose a high-level obligation on agencies to:

  • ensure that any PII held by that agency is protected; and
  • take such security safeguards as are reasonable in the circumstances to protect the PII against:
    • loss;
    • access, use, modification or disclosure, except with the authority of the agency; and
    • other misuse.

This obligation may naturally drive agencies to develop such internal processes.

New processing regulations

Are there any obligations in relation to new processing operations?

The Privacy Act does not impose any specific legal obligations in relation to new processing operations, such as a requirement to integrate data protection measures into an agency’s processing activities and operations at the design stage.

In order to comply with many of the IPPs set out in the Privacy Act (including the restrictions on using and disclosing any PII other than for the purpose in connection with which the PII was obtained), most new PII processing operations will integrate data protection measures to ensure compliance with the Privacy Act into their business practices from launch and throughout the operation’s lifecycle.

Registration and notification

Registration

Are PII owners or processors of PII required to register with the supervisory authority? Are there any exemptions?

No.

Formalities

What are the formalities for registration?

Not applicable.

Penalties

What are the penalties for a PII owner or processor of PII for failure to make or maintain an entry on the register?

Not applicable.

Refusal of registration

On what grounds may the supervisory authority refuse to allow an entry on the register?

Not applicable.

Public access

Is the register publicly available? How can it be accessed?

Not applicable.

Effect of registration

Does an entry on the register have any specific legal effect?

Not applicable.

Other transparency duties

Are there any other public transparency duties?

No.

Transfer and disclosure of PII

Transfer of PII

How does the law regulate the transfer of PII to entities that provide outsourced processing services?

The Privacy Act 1993 does not expressly regulate the transfer of personally identifiable information (PII) to entities that provide outsourced processing services, other than to state that an agency remains accountable for PII held by another person as its agent (ie, a person who provides PII processing services).

The Privacy Bill seeks to provide that the transfer of PII by an agency to cloud service providers or other overseas processors (pursuant to a services or agency arrangement) would not be treated as a use or disclosure of the relevant PII by the agency for the purposes of the Privacy Act.

Restrictions on disclosure

Describe any specific restrictions on the disclosure of PII to other recipients.

The Privacy Act does not specifically restrict an agency’s ability to disclose PII beyond the general restriction against disclosure for any purpose which is not one of the purposes in connection with which the information was obtained.

The Privacy Bill seeks to introduce a further restriction on the disclosure of PII to overseas persons. Under the Privacy Bill, an agency would only be able to disclose PII to an overseas person if:

  • the individual concerned authorised the disclosure;
  • the overseas person is in a prescribed country; or
  • the agency believed, on reasonable grounds, that the overseas person was required to protect the PII in a manner comparable to that required of the agency under New Zealand law.

The Privacy Bill would also provide that the proposed restriction against the disclosure of PII to overseas persons should not apply to transfers to cloud storage providers or other overseas processors.

Cross-border transfer

Is the transfer of PII outside the jurisdiction restricted?

The Privacy Act does not specifically restrict an agency’s ability to transfer PII outside New Zealand.

As mentioned above, the Privacy Bill seeks to introduce a restriction on the disclosure of PII to overseas persons, subject to the same exceptions (authorisation by the individual concerned, disclosure to a person in a prescribed country, or a reasonable belief that the recipient is required to protect the PII in a manner comparable to New Zealand law). The Privacy Bill would also provide that this restriction does not apply to transfers to cloud storage providers or other overseas processors.

Notification of cross-border transfer

Does cross-border transfer of PII require notification to or authorisation from a supervisory authority?

No, and no such requirement is proposed under the Privacy Bill.

Further transfer

If transfers outside the jurisdiction are subject to restriction or authorisation, do these apply equally to transfers to service providers and onwards transfers?

The Privacy Act does not specifically restrict an agency’s ability to transfer PII outside New Zealand.

The Privacy Bill’s proposed restriction on the disclosure of PII to overseas persons will not apply to transfers to cloud storage providers or other overseas processors (to the extent that the entity is engaged by the original agency pursuant to a services or agency arrangement and does not otherwise use the PII for its own purposes).

Rights of individuals

Access

Do individuals have the right to access their personal information held by PII owners? Describe how this right can be exercised as well as any limitations to this right.

Yes, under the Privacy Act 1993 an individual in respect of whom an agency holds personally identifiable information (PII) is entitled to request from the relevant agency and be granted access to their PII. Only the relevant individual can request access. The agency may require payment in respect of the access request in specified circumstances.

If an agency receives a request for access to an individual’s PII, it has 20 working days to respond to the request (including stipulating any charge that may apply to the handling of the request). This time limit may be extended if the request is for a large quantity of information or if consultation with third parties is required in respect of the request.

Other rights

Do individuals have other substantive rights?

Where an agency holds PII about an individual, that individual can request the correction of their PII and request that a statement of correction be attached to it as appropriate. The agency must also inform the individual of the steps taken as a result of their request.

Where an agency that holds personal information is not willing to correct that information in accordance with a request by the individual concerned, the agency will, if so requested by the individual, take reasonable steps to attach a statement that a correction of the relevant PII has been sought.

Compensation

Are individuals entitled to monetary damages or compensation if they are affected by breaches of the law? Is actual damage required or is injury to feelings sufficient?

Following an investigation of any privacy complaint by the privacy commissioner, if the alleged interference cannot be settled between the relevant parties, proceedings can be brought in the Human Rights Review Tribunal and remedies sought can include damages. The tribunal may award damages in respect of the interference with the privacy of an individual to appropriately compensate them for the humiliation, loss of dignity and injury to feelings caused by serious breaches, as well as the loss of any benefit (monetary or other) that the individual might reasonably have expected to obtain if the interference had not occurred.

Enforcement

Are these rights exercisable through the judicial system or enforced by the supervisory authority or both?

Enforcement of the Privacy Act (including an agency’s compliance with any request for access) is primarily the responsibility of the commissioner, or of any person to whom the commissioner delegates investigations. If, following the commissioner’s investigation, the complaint cannot be settled between the relevant parties, proceedings can be brought in the tribunal, and the tribunal’s decision may in turn be appealed to the High Court. The judiciary therefore also plays a role in enforcing the Privacy Act.

Exemptions, derogations and restrictions

Further exemptions and restrictions

Does the law include any derogations, exclusions or limitations other than those already described? Describe the relevant provisions.

Information privacy principles are not intended to apply to the collection of personally identifiable information (PII) by an agency that is an individual where that PII is collected or held by that individual solely or principally for the purposes of, or in connection with, that individual’s personal, family or household affairs. However, this exclusion will not apply once the relevant PII is collected, disclosed or used, if such collection, disclosure or use would reasonably be considered highly offensive.

Supervision

Judicial review

Can PII owners appeal against orders of the supervisory authority to the courts?

Following an investigation of any privacy complaint by the privacy commissioner, if the alleged interference cannot be settled between the relevant parties, proceedings can be brought in the Human Rights Review Tribunal. If the aggrieved individual does not agree with the tribunal’s decision, the decision may be appealed to the High Court.

Specific data processing

Internet use

Describe any rules on the use of ‘cookies’ or equivalent technology.

The Privacy Act 1993 does not contain any express regulation regarding the use of ‘cookies’ or equivalent technology.

Electronic communications marketing

Describe any rules on marketing by email, fax or telephone.

The Unsolicited Electronic Messages Act 2007 prohibits the sending of unsolicited commercial electronic messages or spam. The act covers email, instant messages, texts and fax messages but not telemarketing phone calls.

The act applies to electronic messages which are commercial in nature (ie, for the promotion or sale of goods and services) and are unsolicited. Certain commercial emails (ie, messages that provide factual information about the goods acquired, a subscription, membership, account, loan or similar ongoing relationship) will not be deemed unsolicited under the Unsolicited Electronic Messages Act and therefore will not be subject to the restrictions under that act.

Cloud services

Describe any rules or regulator guidance on the use of cloud computing services.

Cloud computing services are not specifically regulated under the Privacy Act. The privacy commissioner released a guide entitled “Cloud Computing: A guide to making the right choices” in February 2013 outlining some high-level guidance for businesses looking to move into cloud computing. This guidance includes a 10-step checklist for small businesses which asks small businesses to, among other things:

  • ensure adequate research is carried out on the relevant provider;
  • understand what business information and personally identifiable information will be stored by the provider; and
  • understand whether and how the provider will be able to see the business’s information, and how the information can be accessed, managed and deleted as necessary once it has been stored in the cloud.

Update and trends

Key developments of the past year

Are there any emerging trends or hot topics in international data protection in your jurisdiction?

New Zealand businesses are focused on the practical implications of the key changes introduced by the Privacy Bill, in particular the mandatory requirement to notify a privacy breach to the privacy commissioner and the affected individuals. This proposed process reflects the reporting process required under the EU General Data Protection Regulation, and many businesses are therefore looking to update their current business practices, policies and existing third-party data processor service agreements.