Select Committee reports back on the Privacy Bill
The Justice Select Committee (Committee) has reported back on the Privacy Bill, recommending that the current Privacy Act should be repealed and replaced with the Privacy Bill, as amended by the Committee.
As we mentioned in a previous edition of InfoRM (available here), the original Privacy Bill retained the Privacy Act's privacy principles and complaints system, but introduced some significant changes. The Committee has considered those changes, making a number of recommendations. Some of the key changes to the original Privacy Bill are set out below.
Mandatory reporting of privacy breaches
The Committee has recommended raising the threshold for what constitutes a notifiable privacy breach, a change many submitters sought. Agencies will now be required to notify the Privacy Commissioner and affected individuals of privacy breaches where it is reasonable to believe the breach has caused or is likely to cause serious harm. When considering whether the breach is notifiable, agencies must take into account the following factors:
- whether the information is sensitive in nature;
- the nature of the harm that may be caused;
- the person or body that has obtained or may obtain the information as a result of the breach;
- any action taken by the agency to reduce the risk of harm;
- whether the information is protected by security measures; and
- any other relevant matters.
In addition, the Committee recommended allowing agencies to delay notifying affected individuals of a notifiable privacy breach where the information security risks of notification outweigh the benefits of notifying affected individuals. This is intended to cover situations where, for example, a vulnerability in an agency's security systems was the cause of the privacy breach and the vulnerability has not yet been remedied.
Cross-border protections
The Committee has recommended a new Information Privacy Principle (IPP) to cover limits on disclosure of personal information outside New Zealand. Under the Privacy Bill, this had been included in IPP 11. The circumstances in which disclosure may occur have also changed:
- The ability to disclose with consent remains. However, the individual must also have been expressly informed by the disclosing agency (A) that the overseas person or entity (B) may not be required to protect their information in a way that provides comparable safeguards with the Privacy Act.
- The Committee has recommended a new ground, where A can disclose if it believes on reasonable grounds that B is carrying on business in New Zealand and is subject to the Privacy Act.
- The Committee has recommended the concepts of "prescribed binding schemes" and "prescribed countries", which are (respectively) schemes and countries identified by regulations providing comparable safeguards to those in the Privacy Act. A can disclose to B if A believes on reasonable grounds that B is either a participant in a prescribed binding scheme or subject to the laws of a prescribed country (or state, territory, province etc).
- The ability to disclose information overseas remains where the information will be subject to safeguards comparable to the Privacy Act. The comparable safeguards might arise through agreement between the two agencies.
Publication of compliance notices
Under the original Privacy Bill, the Privacy Commissioner would be able to issue compliance notices that require an agency to do, or stop doing, something in order to remedy a breach. Under the revised version, the Privacy Commissioner must publish details of any compliance notice issued, including the identity of the agency and details about the notice, unless the publication would cause undue harm to the agency that outweighs the public interest in publication.
News media
The Privacy Bill will not apply to news media carrying out news activities. The Committee has recommended widening the definition of "news activity" to include non-traditional journalistic works, such as books and blogs, provided that the author of those works is subject to an appropriate regulatory body. This is to ensure news media have the freedom to publish news in different formats, including on the internet. It would also extend to Radio NZ and TVNZ.
Application of the Privacy Act
The Committee has recommended new provisions specifying that the Privacy Bill will apply to:
- any actions taken by an overseas agency in the course of carrying on business in New Zealand; and
- all personal information collected or held by New Zealand agencies, regardless of where the information was collected or held, or the location of the person to whom the information relates.
Information stored or processed by one agency on behalf of another
The Committee has recommended a new provision to clarify that information transferred by one agency to another, where it will only be stored or processed for the first agency, is not "disclosure" for the purposes of the Privacy Act. The first agency remains responsible for the information.
What hasn't been included?
Equally interesting is what has not been included in the Privacy Bill. The Committee has not recommended changes to align with the EU's General Data Protection Regulation (such as data portability or the "right to be forgotten"). Nor did it recommend substantial fines for individuals and organisations who seriously breach their obligations under the Privacy Act. The Privacy Commissioner has been a strong proponent of civil penalties, which the European and Australian regimes have.
What's next?
The Privacy Bill will now progress to its second reading. It is currently scheduled to take effect from 1 March 2020 (with regulations relating to prescribed binding schemes and prescribed countries able to be introduced earlier).
If you would like any advice regarding what the changes might mean for you, please do not hesitate to contact us.
This article is intended only to provide a summary of the subject covered. It does not purport to be comprehensive or to provide legal advice. No person should act in reliance on any statement contained in this publication without first obtaining specific professional advice. If you require any advice or further information on the subject matter of this newsletter, please contact the partner/solicitor in the firm who normally advises you, or alternatively contact one of the partners listed below.
This publication is intended only to provide a summary of the subject covered. It does not purport to be comprehensive or to provide legal advice. No person should act in reliance on any statement contained in this publication without first obtaining specific professional advice. If you require any advice or further information on the subject matter of this newsletter, please contact the partner/solicitor in the firm who normally advises you, or alternatively contact one of the partners listed below.