Privacy Bill Update – Act Now!

Contributed by:

Mark Gavin


The Justice Select Committee recently published its widely anticipated report on the Privacy Bill, having now completed its review. The Bill will repeal and replace New Zealand’s 25-year-old Privacy Act 1993, an Act in desperate need of a refresh: technology has changed enormously over that time, and the law has struggled to keep up with the issues such change has presented.

Once enacted, the Bill will have major implications for every business that handles personal information, and every business should be taking proactive steps to review its internal policies and procedures ahead of the law change. In short, agencies will be required to actively manage their privacy obligations (as opposed to relying on a privacy policy in a “set and forget” fashion), and implementing new internal systems and processes will be unavoidable.

The most notable changes made by the Select Committee are:

  • Overseas agencies carrying on business in New Zealand

Arguably the most important change is to give the Bill cross-border reach by applying it to overseas agencies that collect personal information in the course of “carrying on business” in New Zealand (think Facebook and other global platforms). This is a hat-tip towards the European Union’s recently implemented General Data Protection Regulation (GDPR), which takes a similar extraterritorial approach.

The Justice Select Committee also clarified the extent to which the Privacy Bill will apply to New Zealand agencies. The Bill will apply to any action taken by a New Zealand agency, and to all personal information it collects or holds, whether inside or outside New Zealand (i.e. if your business is based in New Zealand, the Privacy Bill will apply irrespective of where the information is collected or held).

These changes provide much-needed clarity, particularly given the legal uncertainty around the current Privacy Act’s application and scope with regard to the collection and handling of personal information by overseas technology providers.

  • Breaches notifiable if they cause “serious harm”

The Justice Select Committee has raised the threshold for when an agency must notify a privacy breach to the Privacy Commissioner and affected individuals. The definition of “notifiable privacy breach” has been restricted to a breach that has caused serious harm or is likely to do so. This mirrors the approach taken in Australia.

When assessing whether a privacy breach is likely to cause serious harm, agencies must consider:

  • any actions the agency has undertaken to reduce harm;
  • the sensitivity of the information;
  • the nature of the harm that may be caused to individuals;
  • those to whom the information may be disclosed;
  • whether the information is protected by security measures; and
  • any other relevant matters.

While the bar for privacy breach notification has effectively been raised, determining whether a given breach is “notifiable” will remain a challenge for New Zealand agencies as the new law beds in. In practice this means an agency needs an incident response process that can assess a breach against the factors above quickly, and document that assessment, whether or not it concludes that notification is required.

  • Agencies not to collect information unless it is required

The Justice Select Committee has expanded Information Privacy Principle 1 (IPP 1), which governs the collection of personal information for a lawful purpose. In particular, agencies will be prohibited from collecting “identifying information” if that information is not necessary for the lawful purpose for which it is being collected. The intention is to discourage agencies from collecting personal identifiers (e.g. an email address or driver licence number) without first considering whether it is necessary to do so. For instance, XYZ Recruiting Ltd requires job applicants to state their driver licence number on its standard client details form. James, who wishes to apply for a job that does not involve driving, fills in the form including details of his driver licence. In collecting and processing details of James’ driver licence, XYZ Recruiting Ltd is likely to breach IPP 1.

  • Sending personal information offshore

The Justice Select Committee has amended the disclosure rules for agencies wishing to disclose personal information outside New Zealand. Where a New Zealand agency discloses personal information to a foreign person or entity, the agency will need to satisfy one of six grounds (for example, that the agency believes on reasonable grounds that the foreign person or entity is subject to privacy laws comparable to New Zealand’s privacy laws).

To achieve this, the Justice Select Committee recommends inserting a new Information Privacy Principle 12 (resulting in a total of 13 Information Privacy Principles, as opposed to the 12 in the current Act).

Other changes worth mentioning include:

  • news media exemptions: broadening the news media exemption so that it covers all forms of media undertaking “news activities”, including TVNZ and RNZ and “new” media such as bloggers, as well as media that are subject to an appropriate regulatory body (e.g. the Broadcasting Standards Authority);
  • publishing compliance notices: empowering the Privacy Commissioner to publicise the fact that a compliance notice has been issued against a business (unless publication would cause the agency undue harm that outweighs the public interest); and
  • IPP amendments: making minor tweaks and adjustments to the Information Privacy Principles, such as additional duties on agencies when displaying unique identifiers on computer screens or on receipts (e.g. printing only truncated bank account numbers on receipts).

Now is the time to prepare

The amended Privacy Bill will now be returned to Parliament for further consideration, but further significant change is now unlikely. There are many useful steps your business can take in preparation for the new law, and our privacy law experts are here to help you.
