The Law Commission recently released the 4th and final stage in its Review of the Privacy Act 1993 (Act).  The report brings to a close the Law Commission's five-year review of privacy laws and contains over 100 recommendations, which are diverse and often technical in nature.

One of the key issues addressed by the Law Commission was whether the current Act is flexible enough to address privacy issues associated with new technologies and the fast pace of technological change.  While the report concludes that the Act has responded well to new technologies, crediting the "remarkable success" of its technology-neutral and principles-based approach to the protection of personal information, the Law Commission did flag a number of technology-related areas for potential reform.  These include:

  • Inserting clearer provisions in the Act about personal information that is sent overseas (for example to ensure that where personal information is processed offshore on behalf of a New Zealand agency, the agency remains responsible for that information, or where information is otherwise disclosed overseas, the agency should take steps to ensure that the information remains subject to reasonable privacy protections).  Changes here may be particularly important for multinational organisations or any organisation using cloud computing.
  • Continuing to review the Privacy Principles on a five-yearly basis to ensure that they keep pace with technological change.  The Law Commission also noted that the definition of "personal information" may need to be widened in the future, as the category of information that is not about an "identifiable individual", but for which people still expect privacy protection (such as history or location data that can be linked to an IP address), continues to grow.
  • Raising the awareness of privacy enhancing technologies (such as tracking protection lists and other applications offering "do not track" functionality).
  • Issuing further guidance to public sector agencies about privacy impact assessments.
  • Including provision in the Act for New Zealand to be able to adopt a cross-border privacy rules system at some point in the future, for example those currently being developed under the APEC Privacy Framework.
  • Introducing a mandatory data breach notification requirement into the Act.  This would require agencies that hold personal information to notify individuals whose information becomes subject to unauthorised access, if the notification will enable those individuals to take steps to mitigate a real risk of significant harm, or otherwise if the breach is a serious one.  For agencies in the business of information storage, or for agencies holding large amounts of personal information electronically, this could have significant implications.

Time will tell whether any of these recommendations are implemented, but we will continue to watch the area with interest.