Tag: New Zealand

New Zealand’s Privacy Act 2020 comes into force

4. December 2020

New Zealand’s Office of the Privacy Commissioner announced the Privacy Act 2020 has taken effect. Certain aspects of the Privacy Act came into force on July 1st, 2020, with most operative provisions commencing from December 1st, 2020. The new law affords better privacy protections and greater obligations for organisations and businesses when handling personal information. It also gives the Privacy Commissioner greater powers to ensure the agencies comply with the Privacy Act.

Notably, the updated legislation features new breach reporting obligations, criminal penalties and provisions on international data transfers.

Part 6. of the Privacy Act 2020 covers notifiable privacy breaches and compliance notices. It introduces a new mandatory reporting requirement. When an agency becomes aware of a privacy breach that it is reasonable to believe has caused serious harm to an affected individual or individuals or is likely to do so (unless a specific limited exception applies), the agency must notify the Privacy Commissioner and affected individuals as soon as practicable. In addition, the Privacy Commissioner may issue a compliance notice to an agency to require it to do something or stop doing something to comply with the Privacy Act. For the sake of completeness, it should be mentioned that there is no distinction between a data controller and a data processor. The term “agencies” refers to all data processing bodies.

Furthermore, new criminal offences have been incorporated into Part 9. of the Privacy Act (Section 212). It is now an offence to mislead an agency for the purpose of obtaining access to someone else’s personal information – for example, by impersonating an individual or falsely pretending to be an individual or to be acting under the authority of an individual. The Privacy Act also creates a new offence of destroying any document containing personal information, knowing that a request has been made in respect of that information. The penalty for these offences is a fine of up to $ 10,000.

Moreover, in accordance with Part 5. of the Privacy Act (Section 92), the Privacy Commissioner may direct an agency to confirm whether it holds any specified personal information about an individual and to provide the individual access to that information in any manner that the Privacy Commissioner considers appropriate.

What’s more, a new Information Privacy Principle (IPP) has been added to Part 3. of the Privacy Act (Section 22), which governs the disclosure of personal information outside New Zealand. Under IPP 12, an agency may disclose personal information to a foreign person or entity only if the receiving agency is subject to privacy laws that, overall, provide comparable safeguards to those in the Privacy Act.

Apart from that, pursuant to Part 1. of the Privacy Act (Section 4), the privacy obligations also apply to overseas agencies within the meaning of Section 9 that are “carrying on business” in New Zealand, even if they do not have a physical presence there. This will affect businesses located offshore.

Privacy Commissioner John Edwards welcomes the Privacy Act, noting that the new law reflects the changes in New Zealand’s wider economy and society as well as a modernised approach to privacy:

The new Act brings with it a wider range of enforcement tools to encourage best practice, which means we are now able to take a different approach to the way we work as a regulator.

Since the Privacy Act 2020 replaces the Privacy Act 1993, which will still be relevant to privacy complaints about actions that happened before December 1st, a guidance has been issued on which act applies and when. The Office of the Privacy Commissioner has also published a compare chart that shall help navigate between the acts.

New Zealand: Privacy after death does matter

27. July 2018

Data protection rights generally refer to living persons only. Among others, the European General Data Protection Regulation (GDPR) explicitly mentions in its Recital 27 that the Regulation does not apply to the personal data of deceased persons.

However, the Recital also contains an opening clause for the EU Member States, stating that these may provide for specific rules for such cases. The GDPR hereby acknowledges that there might be cases that need to be tackled individually.

For example, requests can be made in order to find out whether the deceased had suffered from a hereditary disease. This information is not to be seen as protected for the offspring that might be affected by it.

Consequently, there will be situations that contain mixed information on both the deceased and the requestor.

The Privacy Commissioner’s Office (OPC) of New Zealand has now released a statement regarding the privacy of deceased persons on July 24th, 2018 taking up this exact issue.

Whereas the Privacy Act of New Zealand also defines an individual as a “natural person, other than a deceased person”, the OPC states that “sometimes it will be inappropriate to release the personal information of the dead”.

The OPC further says that “some information is inherently sensitive, for example mental or sexual health information. It could be unfair to release such information to those who are just curious and have no good reason to see it.”

Ultimately, it will often be necessary to balance the rights and elaborate case by case, also taking into consideration the wishes of the deceased person to some extent.

New Zealand: Police uses backdoor in law to gather private data

5. September 2017

According to the New Zealand Council of Civil Liberties, in several cases private data was handed over by banks to the police, after the police requested these data from them. It is further explained that the police used forms that looked official, instead of applying to a judge for a search warrant or examination. The police should neither have an oversight, nor a register which tracks the amount of filed requests.

The Police and banks rely on a legal loophole in the Privacy Act that allows organisations to reveal information about persons in order “to avoid prejudice to the maintenance of the law”. The Privacy Commissioner John Edwards is willing to end the further use of this backdoor. Referring to the case of handing over the private information of activist and journalist Martyn Bradbury, he said:

“…we concluded that Police had collected this information in an unlawful way by asking for such sensitive information without first putting the matter before a judicial officer. Our view is that this was a breach of Principle 4 of the Privacy Act, which forbids agencies from collecting information in an unfair, unreasonable or unlawful way.”