Privacy Bill update – April 2020
The long-anticipated overhaul of New Zealand’s privacy law was expected to be passed last month, with the Privacy Bill (the Bill) scheduled to proceed to its third reading. Although this did not proceed as planned, Justice Minister Andrew Little tabled a Supplementary Order Paper on 17 March 2020 (SOP) which set out a number of proposed changes to the Bill. Once passed, the Bill will replace Privacy Act 1993 to more closely align the law with our evolving conceptions of privacy in the digital age.
In addition to new reporting obligations and notification requirements for privacy breaches, the Bill contains a number of significant changes to New Zealand’s privacy law. If passed in its current form, the Bill will commence on 1 November 2020. Given the exceptional challenges of COVID-19 which are currently affecting projects and timeframes, there is some uncertainty on when the Bill might pass. However, it would be prudent for all businesses and organisations in New Zealand to work with the 1 November deadline in mind to ensure they are ready for these changes.
Many businesses and organisations rely on cloud-based data storage and offshore service providers which handle individuals’ private data on their behalf. The Bill introduces a new information privacy principle (IPP) containing a series of controls on the disclosure of personal information to foreign agencies.
The new IPP reflects similar provisions in the European General Data Protection Regulation (GDPR) and Australia’s Privacy Act. These new controls are intended to ensure that personal information being sent offshore will be subject to comparable privacy safeguards as those that apply in New Zealand. Any agency which discloses information to a foreign person or entity must be reasonably satisfied that it is subject to laws which provide comparable safeguards, or otherwise agrees to be bound by comparable safeguards as those found in the Bill.
However, sending information offshore to be stored or processed by an agent (for example, a cloud storage provider) will not be treated as a disclosure. The agency which sent the information offshore will be responsible for ensuring their agent adheres to New Zealand’s privacy safeguards as found in the Bill.
Complaints on behalf of other persons and groups
Earlier versions of the Bill provided that complaints could only be made by an aggrieved person or their representative. If the proposed amendment in the SOP is passed, any person will be able to make a complaint on behalf of one or more aggrieved individuals. This significantly widens the class of persons who could make a complaint, as they do not have to themselves be an aggrieved individual or their representative.
In addition, the SOP allows for representatives of a group of aggrieved individuals to commence proceedings in the Human Rights Review Tribunal on their behalf.
These provisions open avenues for groups of individuals who have been affected by privacy breaches to bring class actions against the agency that committed the breach once the Bill comes into force.
Notifiable privacy breaches
Under the Bill, agencies are required to notify the Privacy Commissioner (the Commissioner) and the affected individual(s) as soon as practicable after becoming aware of of a notifiable privacy breach. A notifiable privacy breach means a breach that has caused serious harm to an affected individual or is likely to do so. This notification requirement brings New Zealand’s privacy law in line with similar obligations in other jurisdictions, such as Australia and European countries under the GDPR.
The Bill sets out a non-exhaustive list of factors to consider when deciding if a privacy breach is likely to cause serious harm, but stops short of actually defining serious harm. Agencies should err on the side of caution as to what entails “serious harm” until the courts inevitably provide clearer guidance once the Bill comes into force.
When a notifiable breach occurs, under certain circumstances the agency may also provide an affected individual with details of any person or body in possession of their information. The SOP provides that the agency may pass on these details if the agency has reasonable grounds to believe that identification was necessary prevent or lessen a serious threat to an individual’s life or health. This is a higher test than in the previous draft Bill, which required a serious threat to exist but did not require the agency to consider whether identification was necessary to prevent or lessen the threat.
The SOP also now expressly states employees and members of agencies are not personally liable for delays in notifying an affected person of a notifiable privacy breach. However, their employer or the agency remains liable.
Exceptions to notification requirements
The Bill requires agencies who become aware of a privacy breach to notify the Commissioner and any affected individual as soon as is practicable, or give public notice if it is unable to notify the affected individual(s). However, in limited circumstances, agencies are permitted to delay notifying individuals or the public if the notification itself would risk further breaches – for example, if this would make others aware of the method used to access the information. The agency would still be required to notify the Commissioner as soon as practicable.
An agency may also decide not to inform an individual of a breach if informing them would be likely to prejudice the individual’s health, or the individual is under 16 years of age and the agency believes notification is not in their best interests.
The Bill widens the scope of the Commissioner’s powers to publish compliance notices for privacy breaches. The Commissioner will have the power to publish compliance notices for breaches of a code of conduct under any Act, in addition to breaches of the new Privacy Act.
The Commissioner will also have the ability to delay publication of any compliance notice if they believe it to be in the public interest to do so.
Preparing for the new Privacy Act
To get your organisation ready for the expected changes and new reporting obligations, there are a few practical steps you can start to take now:
- Implement staff training: key people in your organisation should be well versed in the new approach.
- Update your organisation’s privacy policies to ensure alignment with the new law, and to ensure that your customers and clients understand how you will use their information.
- Develop effective procedures to detect, report and investigate a personal data breach: it is important to make sure you have a plan in place so that you can meet your reporting obligations without undue delay if a notifiable breach occurs.
- Ensure you have clear internal lines of communication and let your staff know who they can approach within the organisation to discuss privacy issues.
Get in touch
Duncan Cotterill’s privacy experts are here to help, if you have any queries or need advice or training to ensure continued privacy compliance under the new regime. Please feel free to get in touch with our data protection and privacy team if you require further assistance.
Disclaimer: the content of this article is general in nature and not intended as a substitute for specific professional advice on any matter and should not be relied upon for that purpose.