The Privacy Bill, currently being considered at Select Committee, is a long-awaited piece of legislation, which will repeal and replace the outdated Privacy Act 1993.
All going to plan, New Zealand will have a new standard of privacy rules by the middle of 2019.
The current Act regulates how personal information is collected, used, disclosed and stored in New Zealand. It sets out 12 information privacy principles covering, among other things, how, why and from whom personal information may be collected, how it must be stored and when it may be disclosed, and the rights individuals have to access and correct information held about them.
However, the technology we are using today has come a long way since 1993, and the way we are collecting, storing and disclosing personal information (such as on platforms like social media and cloud storage) continues to change at a rapid rate.
The new Bill promises to improve the overall privacy standard in New Zealand and ensure compliance with that new standard – providing consumers and individuals with heightened protection and a more robust complaints process.
But the changes will likewise place increased burdens and expectations of transparency on those companies and entities which gather and use personal information as part of their business operations.
Some of the key changes we can expect to see when the new Bill comes into force in mid-2019 include the following:
- A mandatory requirement to notify the Privacy Commissioner (and the affected individuals, whether they are inside or outside New Zealand) of any privacy breach that has caused, or poses a risk of, harm to those individuals. The definition of a breach is broad: it includes any unauthorised or accidental access to, or disclosure, alteration, loss or destruction of, personal information. This is a wide set of criteria, and it may result in over-notification to customers. But fines of up to $10,000 apply if a notifiable breach is not reported, so businesses will need to understand their obligations and respond to any possible breach quickly and appropriately.
- Perhaps most significantly, the Privacy Commissioner will be able to publish the identity of an agency that has notified a breach, if it is in the public interest to do so. This reputational risk may be one of the strongest motivations for New Zealand businesses to take their privacy obligations seriously.
- The Commissioner will be able to issue compliance notices requiring the remedy of a privacy breach, and also issue binding decisions on complaints relating to an individual’s access to information.
- The Commissioner’s existing investigation powers will be strengthened. The Commissioner will be able to shorten the time frames for compliance, and the maximum penalty for non-compliance will rise to $10,000.
- The flow of personal information across borders will be more closely controlled: an agency must take reasonable steps to ensure that personal information it discloses overseas will be subject to acceptable privacy standards.
- New criminal offences will be put into place, with fines of up to $10,000, for behaviour such as knowingly destroying documents containing personal information after someone has requested them.
Most of us are aware of the GDPR (General Data Protection Regulation), which came into force in Europe earlier this year. The new Privacy Bill will bring the treatment of personal data and privacy in New Zealand more into line with the European position. However, there are some key differences between the two pieces of legislation which are worth noting.
The Privacy Bill doesn’t include certain key individual rights found in the GDPR, such as the right to erasure (the right to ask that personal data relating to you be deleted, with the controller obliged to inform any third parties processing that data) and the right to data portability (the right to receive your personal data in a structured, commonly used and machine-readable format, and to have it transmitted to another controller).
The type of consent required for the use of personal information under the Privacy Bill is not particularly clear. As currently drafted, consent could be buried in fine print that no one except lawyers and us data nerds will read. Compare this to the GDPR, under which consent must be freely given, specific, informed and unambiguous, and must be explicit for sensitive (special category) personal data. Consent buried in fine print will not be sufficient for compliance with the GDPR, particularly in relation to sensitive personal data or children’s personal data.
In terms of the need to notify authorities of a breach, the Privacy Bill currently has a lower threshold for notification than the GDPR. However, the Bill does not define the time frame within which a breach must be notified, whereas the GDPR requires notification to the supervisory authority without undue delay and, where feasible, within 72 hours of the controller becoming aware of the breach.
In a world that increasingly relies on digital technology and data, protecting privacy and respecting the value and importance of data has never been more important.
Talk to phew! today about ensuring that your business is ready for the new Privacy Bill.