
Privacy Bill

Year: 2018 Number: 34

This departmental disclosure statement for the Privacy Bill seeks to bring together in one place a range of information to support and enhance the Parliamentary and public scrutiny of this Bill. It identifies:

  • the general policy intent of the Privacy Bill and other background policy material;
  • some of the key quality assurance products and processes used to develop and test the content of the Privacy Bill;
  • the presence of certain significant powers or features in the Privacy Bill that might be of particular Parliamentary or public interest and warrant an explanation.

This disclosure statement was prepared by the Ministry of Justice.

The Ministry of Justice certifies that, to the best of its knowledge and understanding, the information provided is complete and accurate at the date of finalisation below.


Caroline Greaney

General Manager, Civil and Constitutional

Ministry of Justice

7 March 2018


Part One: General Policy Statement

The Privacy Bill

The Privacy Bill (the Bill) repeals and replaces the Privacy Act 1993 (the Act), as recommended by Law Commission’s 2011 review of the Act.

The Act has been in operation for 25 years. Over that time, the rise of the Internet and the digital economy has transformed business and government, and the use of personal information. New technologies such as social media platforms, e-commerce, Internet-connected devices, and cloud storage have changed the way personal information is used.

Large quantities of data are readily stored, retrieved, and disclosed and can be easily sent around the world. This creates many benefits, but also new challenges for the protection of personal information. The Law Commission has called for the Act to be updated and modernised to reflect these changes.

Like the Act, the Bill regulates the collection, use, and disclosure of information about individuals. The Bill retains the Act’s 12 information privacy principles, which seek to protect people’s privacy, while also accommodating legitimate information use by government, firms, and other organisations. Information privacy principles 6 and 7, for example, continue to provide, respectively, for a person’s right to access and correct information about them. The Bill also updates the information privacy principles in some respects, for example, to better protect personal information sent overseas.

The Bill retains the Act’s complaints system. If a person thinks his or her privacy has been breached resulting in harm, he or she can complain to the Privacy Commissioner. The Privacy Commissioner will then attempt to resolve the dispute. If it is not resolved, the person may take the complaint to the Human Rights Review Tribunal and may seek compensation.

The Bill introduces additional ways, however, to enforce the information privacy principles. For example, the Privacy Commissioner will be able to make binding decisions on complaints about access to information and issue compliance notices. The Bill also requires agencies (the name used for any entity handling personal information) to notify the Privacy Commissioner and affected individuals of any unauthorised access to or disclosure of personal information where that poses a risk of harm.

Purpose of the reforms

The key purpose of reforming the Act is to promote people’s confidence that their personal information is secure and will be treated properly. The Bill achieves this purpose through reforms that will help address privacy risks earlier and give the Privacy Commissioner a stronger role. Public confidence in the way personal information is used and handled will, in turn, support the innovative and effective use of personal information by public and private sector agencies.

Changes made in the Bill

The Bill implements most of the Law Commission’s recommendations, and some recommendations from the Privacy Commissioner’s Necessary and Desirable reports. The key changes are listed below—

  • Mandatory reporting of privacy breaches: privacy breaches (unauthorised or accidental access to, or disclosure of, personal information) that pose a risk of harm to people must be notified to the Privacy Commissioner and to affected individuals:
  • Compliance notices: The Commissioner will be able to issue compliance notices that require an agency to do something, or stop doing something, in order to comply with privacy law. The Human Rights Review Tribunal will be able to enforce compliance notices and hear appeals:
  • Strengthening cross-border data flow protections: New Zealand agencies will be required to take reasonable steps to ensure that personal information disclosed overseas will be subject to acceptable privacy standards. The Bill also clarifies the application of our law when a New Zealand agency engages an overseas service provider:
  • New criminal offences: It will be an offence to mislead an agency in a way that affects someone else’s information and to knowingly destroy documents containing personal information where a request has been made for it. The penalty is a fine not exceeding $10,000:
  • Commissioner making binding decisions on access requests: This reform will enable the Commissioner to make decisions on complaints relating to access to information, rather than the Human Rights Review Tribunal. The Commissioner’s decisions will be able to be appealed to the Tribunal:
  • Strengthening the Privacy Commissioner’s information gathering power: The Commissioner’s existing investigation power is strengthened by allowing him or her to shorten the time frame within which an agency must comply, and increasing the penalty for non-compliance.

The changes will better align New Zealand’s privacy law with international developments, such as the 2013 OECD Privacy Guidelines and the European Union’s forthcoming General Data Protection Regulation.

The Bill modernises and updates the language used in the Act to make the Bill easier to navigate and read. It also makes minor and technical changes. For example, it addresses 2 problems that have emerged with Approved Information Sharing Agreements (AISAs), namely making it easier for an AISA to apply to a class of agencies, and allowing specified Crown agents to lead an AISA’s development.

The Bill updates authorisations for sharing listed law enforcement information, including some court information. It clarifies the relationship between privacy legislation and the Senior Courts Act 2016 and the District Court Act 2016. It also re-establishes the ability to amend authorisations by Order in Council, where the proposed change does not involve sharing court information. The Bill preserves existing Information Matching Agreements but, in the future, information matching programmes will be able to be authorised using AISAs.


Commencement

The Bill is intended to come into force six months after it is enacted.

Part Two: Background Material and Policy Information

Published reviews or evaluations

2.1. Are there any publicly available inquiry, review or evaluation reports that have informed, or are relevant to, the policy to be given effect by this Bill?

YES

The Bill implements most of the recommendations from the Law Commission’s review of the Privacy Act: Review of the Privacy Act 1993: Review of the Law of Privacy Stage 4, the Law Commission, June 2011. Available at http://www.lawcom.govt.nz/sites/default/files/projectAvailableFormats/NZLC%20R123.pdf


It also implements some recommendations from the Privacy Commissioner’s earlier report: Necessary and Desirable – Privacy Act 1993 Review, The Privacy Commissioner, 1998. Available at https://www.privacy.org.nz/assets/Necessary-Desirable.pdf


The following reports recommend reforms that have not been implemented in the Bill but that may be considered for a future amendment Bill:

https://www.privacy.org.nz/assets/Files/Reports-to-ParlGovt/OPC-report-to-the-Minister-of-Justice-under-Section-26-of-the-Privacy-Act.pdf

Relevant international treaties

2.2. Does this Bill seek to give effect to New Zealand action in relation to an international treaty?

NO

Regulatory impact analysis

2.3. Were any regulatory impact statements provided to inform the policy decisions that led to this Bill?

YES

The following RIS was prepared for the initial decision about whether to repeal and replace the Privacy Act:

  • Privacy Act Reform, authorised by the Ministry of Justice, March 2012.

https://www.justice.govt.nz/assets/Documents/Publications/Regulatory-Impact-Statement-Privacy-Act-Reform.pdf


The following RIS analysed the key reforms that now appear in the Bill:

  • Supplementary Government Response to Law Commissioner’s Report “Review of the Privacy Act 1993”, authorised by the Ministry of Justice, August 2014.

https://www.justice.govt.nz/assets/Documents/Publications/Regulatory-Impact-Statement-Review-of-the-privacy-act-1993.pdf


A further RIS was prepared for additional policy decisions taken in 2016. That RIS, Additional decisions for the Privacy Bill, was produced by the Ministry of Justice in February 2016. It will be published once the Bill is introduced and available at: https://www.justice.govt.nz/justice-sector-policy/constitutional-issues-and-human-rights/regulatory-impact-statements/

Part of this RIS concerns a new Information Privacy Principle to regulate the use of re-identified data. Following Cabinet decisions, the former responsible Minister tasked the Data Futures Partnership (DFP) with exploring a range of issues associated with re-identification. Work on a new Information Privacy Principle was put on hold, pending the outcome of that work. The DFP produced interim advice in July 2017 that recommended a systems approach to the risks and benefits of re-identification and other privacy threats.

The contracts for members of the DFP’s working group expired, however, before DFP produced a final report. As such, the Bill for introduction does not include a new Information Privacy Principle regulating the re-identification of personal information.

The threshold for mandatory notification of a privacy breach was adjusted in subsequent Cabinet decisions, as discussed further below.


2.3.1. If so, did the RIA Team in the Treasury provide an independent opinion on the quality of any of these regulatory impact statements?

YES

The RIA Team considered the 2014 RIS and stated:


The Regulatory Impact Analysis Team (RIAT) reviewed the RIS prepared by the Ministry of Justice and considers that the information and analysis summarised in the RIS meet the quality assurance criteria.


The RIS outlines the analysis conducted by the Law Commission in its review of the Privacy Act and also analyses alternative recommendations from officials. While the RIS does not provide detailed information on what the increased regulatory oversight arrangements mean for agencies’ compliance costs, the process and consultation followed by the Law Commission suggest that the compliance costs should not be major if guidance about technological implications is provided. There appears to be consensus that these impacts and the increased powers and resources for the Office of the Privacy Commissioner are proportionate to the benefits from increased clarity and certainty about privacy obligations.

2.3.2. Are there aspects of the policy to be given effect by this Bill that were not addressed by, or that now vary materially from, the policy options analysed in these regulatory impact statements?

YES

The Bill contains additional measures and variations from earlier Cabinet decisions, including:


  • a single, clear threshold for notifying a data breach. An agency must notify affected individuals and the Office of the Privacy Commissioner if there is a risk of harm. This replaces the two-tier model agreed by Cabinet in 2014.
  • addressing two problems that have emerged with Approved Information Sharing Agreements (AISAs), namely making it easier for an AISA to apply to a class of agencies and allowing specified Crown agents to lead an AISA’s development.
  • changes to the law enforcement information schedule to:
    • clarify its relationship with the Senior Courts Act 2016 and the District Court Act 2016, and
    • allow it to be amended by Order in Council, except in respect of court information.
  • retiring information matching agreements, which are outdated, but preserving existing ones.
  • applying a consistent maximum penalty of $10,000 for the offences in the Bill, which we consider to be of similar seriousness.


The Regulatory Quality Team at Treasury has advised that regulatory impact analysis is not required for these proposals as they have no or only minor impacts on businesses, individuals or not-for-profit entities.


As noted above, the Bill does not contain a new information privacy principle regulating the use of re-identified data.

Extent of impact analysis available

2.4. Has further impact analysis become available for any aspects of the policy to be given effect by this Bill?

NO


2.5. For the policy to be given effect by this Bill, is there analysis available on:


(a)  the size of the potential costs and benefits?

YES

(b)  the potential for any group of persons to suffer a substantial unavoidable loss of income or wealth?

YES

The 2014 RIS referred to at 2.3 above analyses the potential costs and benefits of the reforms in the Bill. It said (at page 34) that the law already effectively requires agencies to operate privacy systems so as to minimise the chance of harm being done to individuals. The key proposals in the Bill only involve marginal costs in relation to these existing obligations.


2.6. For the policy to be given effect by this Bill, are the potential costs or benefits likely to be impacted by:


(a)  the level of effective compliance or non-compliance with applicable obligations or standards?

YES

(b)  the nature and level of regulator effort put into encouraging or securing compliance?

YES

The 2014 Regulatory Impact Statement referred to at 2.3 above (at pages 35 – 36) analysed the need for a stronger role for, and additional funding for, OPC. It found that the Privacy Commissioner’s ability to fulfil his or her current role is limited due to increased demand for privacy services and that a sustainable base level of funding for the OPC is required to address that and the new roles in the Bill. Contingency funding has been set aside for this purpose.

Part Three: Testing of Legislative Content

Consistency with New Zealand’s international obligations

3.1. What steps have been taken to determine whether the policy to be given effect by this Bill is consistent with New Zealand’s international obligations?

Like the Privacy Act 1993, the Bill gives effect to internationally recognised privacy obligations and standards, including the OECD Guidelines and the International Covenant on Civil and Political Rights. It will also better align New Zealand law with the European Union’s General Data Protection Regulation, which is due to come into force in May.

The Bill retains in clause 18(b) the requirement on the Privacy Commissioner to take New Zealand’s international obligations into account in performing his or her role.

The Ministry of Justice has also considered New Zealand’s international obligations in relation to the new requirement that personal information disclosed overseas should be subject to acceptable privacy standards. The requirement in the Bill is intended to be flexible and allow for recognition of protections provided by privacy laws that take different forms.

Consistency with the government’s Treaty of Waitangi obligations

3.2. What steps have been taken to determine whether the policy to be given effect by this Bill is consistent with the principles of the Treaty of Waitangi?

In its Issues Paper, the Law Commission invited submissions on whether there are any ways in which the Privacy Act or OPC could better provide for the needs of Māori. It also met with a group of Māori from a range of backgrounds as part of its review. The Commission found that there is evidence of distinct Māori perspectives on privacy, including tensions between individual-focused Western concepts of privacy and Māori concerns with collective interests. The Law Commission recommended that the Bill provide that, in exercising his or her functions, the Privacy Commissioner must take account of Māori needs and cultural perspectives, and of the cultural diversity of New Zealand society. This change was agreed by Cabinet and is implemented in clause 18(c) of the Bill.

Consistency with the New Zealand Bill of Rights Act 1990

3.3. Has advice been provided to the Attorney-General on whether any provisions of this Bill appear to limit any of the rights and freedoms affirmed in the New Zealand Bill of Rights Act 1990?

YES

Crown Law is undertaking an assessment of whether the Bill is consistent with the Bill of Rights Act and will provide advice to the Attorney-General. Advice provided to the Attorney-General is generally expected to be available on the Ministry of Justice’s website upon the Bill’s introduction. http://www.justice.govt.nz/policy/constitutional-law-and-human-rights/human-rights/bill-of-rights/

Offences, penalties and court jurisdictions

3.4. Does this Bill create, amend, or remove:


(a)  offences or penalties (including infringement offences or penalties and civil pecuniary penalty regimes)?

YES

(b)  the jurisdiction of a court or tribunal (including rights to judicial review or rights of appeal)?

NO

The Bill includes the following new offences:

  • impersonating or pretending to be an individual for the purpose of obtaining access to that individual’s personal information or having that individual’s personal information used, altered, or destroyed,
  • destroying any document containing personal information where a person has sought access to it,
  • without reasonable excuse, failing to notify a notifiable privacy breach,
  • without reasonable excuse, failing to comply with an access order, and
  • without reasonable excuse, failing to comply with an order that an agency comply with a compliance notice.

The Bill sets the maximum penalty for all offences in the Bill at $10,000.


3.4.1. Was the Ministry of Justice consulted about these provisions?

YES

The Ministry of Justice has led the policy development of the Bill. Offence provisions were checked and approved internally through the standard process by which all offences and penalties are vetted. This process includes consideration of consistency with existing criminal offences.


Privacy issues

3.5. Does this Bill create, amend or remove any provisions relating to the collection, storage, access to, correction of, use or disclosure of personal information?

YES

The Bill will repeal and replace the Privacy Act 1993, which regulates the collection, use and disclosure of information about individuals. The changes will enhance the powers of the Privacy Commissioner (including identification of privacy risks) and individual privacy rights. The changes also support agency compliance with the Act.


3.5.1. Was the Privacy Commissioner consulted about these provisions?

YES

The Ministry of Justice worked closely with the Office of the Privacy Commissioner during the development of this Bill.

External consultation

3.6. Has there been any external consultation on the policy to be given effect by this Bill, or on a draft of this Bill?

YES

The Law Commission’s report, which the Bill largely implements, followed on from an issues paper published in March 2010. The Commission received around 80 submissions on the questions asked in the issues paper from a range of public and private sector organisations and from a number of individuals.

In addition, the Ministry of Justice discussed the key proposals agreed in 2014 with targeted representative private sector agencies: the Banker’s Association, New Zealand Law Society, Marketing Association, Business New Zealand, Google, Trade Me, Facebook, Netsafe, Telecom, Vodafone, Internet NZ, Consumer NZ, and the New Zealand Medical Association.

The Ministry of Justice has also consulted the Co-Chairs of the Human Rights Review Tribunal during the development of the Bill, and the Chief Justice on proposals relating to court information.

Other testing of proposals

3.7. Have the policy details to be given effect by this Bill been otherwise tested or assessed in any way to ensure the Bill’s provisions are workable and complete? 

NO


Part Four: Significant Legislative Features

Compulsory acquisition of private property

4.1. Does this Bill contain any provisions that could result in the compulsory acquisition of private property?

NO


Charges in the nature of a tax

4.2. Does this Bill create or amend a power to impose a fee, levy or charge in the nature of a tax?

NO


Retrospective effect

4.3. Does this Bill affect rights, freedoms, or impose obligations, retrospectively?

NO


Strict liability or reversal of the usual burden of proof for offences

4.4. Does this Bill:


(a)  create or amend a strict or absolute liability offence?

NO

(b)  reverse or modify the usual burden of proof for an offence or a civil pecuniary penalty proceeding?

NO


Civil or criminal immunity

4.5. Does this Bill create or amend a civil or criminal immunity for any person?

NO


Significant decision-making powers

4.6. Does this Bill create or amend a decision-making power to make a determination about a person’s rights, obligations, or interests protected or recognised by law, and that could have a significant impact on those rights, obligations, or interests?

NO


Powers to make delegated legislation

4.7. Does this Bill create or amend a power to make delegated legislation that could amend an Act, define the meaning of a term in an Act, or grant an exemption from an Act or delegated legislation?

YES

Schedules 2, 3, 4, 5, 6, 7 and 9 of the Bill can be amended by Order in Council.

The Bill (like the current Privacy Act) also allows the Privacy Commissioner to make Privacy Codes. These codes may modify the operation of the Act for specific industries, agencies, activities or types of personal information.


4.8. Does this Bill create or amend any other powers to make delegated legislation?

YES

The Bill also allows regulations to be made for the following purposes:

  • providing the procedure for giving notices and documents under this Act,
  • specifying the information to be included in a compliance notice,
  • prescribing the matters that the Commissioner may specify to a lead agency for an AISA as matters that are to be included in a report by the lead agency,
  • providing for such matters as are contemplated by or necessary for giving full effect to the Bill and for its due administration, and
  • prescribing countries and states to which personal information may be transferred without imposing any additional safeguards.


Any other unusual provisions or features

4.9. Does this Bill contain any provisions (other than those noted above) that are unusual or call for special comment?

NO


© Crown copyright 2018