Privacy Amendment Bill
This disclosure statement was prepared by the Ministry of Justice.
The Ministry of Justice certifies that, to the best of its knowledge and understanding, the information provided is complete and accurate at the date of finalisation below.
24 August 2023
Part One: General Policy Statement
The Privacy Amendment Bill (the Bill) amends the Privacy Act 2020 (the principal Act). Section 22 of the principal Act regulates the collection, storage, use, and disclosure of personal information through 13 information privacy principles that seek to protect the privacy of an individual’s personal information while also accommodating legitimate information use by public and private sector agencies.
Purpose of Bill
The key purpose of the Bill is to improve transparency for individuals about the collection of their personal information and better enable individuals to exercise their privacy rights. The Bill addresses a current gap that arises because there is no requirement for an agency (public or private) to notify an individual when it collects personal information about the individual indirectly (ie, from a source other than from the individual concerned). This means an individual may not know that an agency holds their personal information.
The Bill achieves the key purpose by introducing a new notification obligation on an agency when it collects personal information indirectly. This new requirement will also update New Zealand’s privacy laws to be in line with international best practice.
Part 1 of Bill
Part 1 of the Bill introduces new information privacy principle 3A (IPP 3A) relating to the indirect collection of personal information. It is closely based on the existing information privacy principle 3, which deals with the direct collection of personal information. Under IPP 3A the collecting agency will be required to notify an individual of a range of matters when collecting the individual’s information indirectly, including the name and address of the agency, the purposes for which the information is being collected, and the rights of access to, and correction of, the information. The requirement is, however, subject to a number of practical exceptions to ensure the efficient administration of certain public functions and to protect against other unintended consequences.
Part 2 of Bill
Part 2 of the Bill makes technical amendments to address some minor issues that have arisen since the principal Act came into force.
Part Two: Background Material and Policy Information
Published reviews or evaluations
|
2.1. Are there any publicly available inquiry, review or evaluation reports that have informed, or are relevant to, the policy to be given effect by this Bill? |
YES |
|
Possible changes to notification rules under the Privacy Act 2020, Summary of engagement (undertaken 24 August and 30 September 2022), Ministry of Justice, published December 2022 |
|
Relevant international treaties
|
2.2. Does this Bill seek to give effect to New Zealand action in relation to an international treaty? |
NO |
Regulatory impact analysis
|
2.3. Were any regulatory impact statements provided to inform the policy decisions that led to this Bill? |
YES |
|
A Regulatory Impact Statement: broadening notification requirement in the Privacy Act 2020, Ministry of Justice, 30 March 2023. This covers the substantive policy change that that led to this Bill. A copy of the RIS will be available at https://www.justice.govt.nz/justice-sector-policy/regulatory-stewardship/regulatory-impact-assessments/ Some information has been withheld, on the basis that it would not, if requested under the Official Information Act 1982 (OIA), be released. Where that is the case, the relevant section of the OIA has been noted and no public interest has been identified that would outweigh the reasons for withholding it: Section 6(a) to avoid prejudice to the security or defence of New Zealand or the international relations of the Government of New Zealand, and Section 9(2)(d) to avoid prejudice to the substantial economic interest of New Zealand. The Treasury’s RIA team determined that the “other amendments” in the Bill were exempt from the requirement to provide a RIS on the grounds that they have no or only minor impacts on businesses, individuals, and not-for-profit entities. |
|
|
|
|
|
2.3.1. If so, did the RIA Team in the Treasury provide an independent opinion on the quality of any of these regulatory impact statements? |
NO |
|
The RIS did not meet the threshold for the Treasury RIA Team assessment. The Regulatory Impact Statement was assessed internally by the Ministry of Justice Regulatory Impact Assessment Quality Assurance Panel. It was determined to meet the quality assurance criteria. |
|
|
|
|
|
2.3.2. Are there aspects of the policy to be given effect by this Bill that were not addressed by, or that now vary materially from, the policy options analysed in these regulatory impact statements? |
NO |
Extent of impact analysis available
|
2.4. Has further impact analysis become available for any aspects of the policy to be given effect by this Bill? |
NO |
|
2.5. For the policy to be given effect by this Bill, is there analysis available on: |
|
|
(a) the size of the potential costs and benefits? |
NO |
|
(b) the potential for any group of persons to suffer a substantial unavoidable loss of income or wealth? |
NO |
|
The RIS referred to above in 2.3 analyses the potential costs and benefits of the main change being progressed in the Bill (introducing a new notification obligation for the indirect collection of personal information in pages 19-20.) Overall agencies are already required to comply with the Privacy Act 2020 and the key proposal involves marginal costs, alongside these existing obligations. |
|
|
|
|
|
2.6. For the policy to be given effect by this Bill, are the potential costs or benefits likely to be impacted by: |
|
|
(a) the level of effective compliance or non-compliance with applicable obligations or standards? |
YES |
|
(b) the nature and level of regulator effort put into encouraging or securing compliance? |
YES |
|
The RIS referred to above in 2.3 analyses the potential costs and benefits of the main change being progressed in the Bill (introducing a new notification obligation for the indirect collection of personal information in pages 19-20. The Office of the Privacy Commissioner (OPC) will be the main agency responsible for monitoring compliance in accordance with its functions under the Privacy Act. This includes issuing guidance, educating agencies on compliance and ultimately monitoring compliance (see also page 21 of RIS). |
|
Part Three: Testing of Legislative Content
Consistency with New Zealand’s international obligations
|
3.1. What steps have been taken to determine whether the policy to be given effect by this Bill is consistent with New Zealand’s international obligations? |
|
The changes will better align New Zealand’s privacy law with international developments, such as the European Union’s General Data Protection Regulation. The Act more broadly gives effect to internationally recognised privacy obligations and standards, including the 2013 OECD Privacy Guidelines and the International Covenant on Civil and Political Rights. |
Consistency with the government’s Treaty of Waitangi obligations
|
3.2. What steps have been taken to determine whether the policy to be given effect by this Bill is consistent with the principles of the Treaty of Waitangi? |
|
During the policy development phase, we determined that the policy will enhance privacy rights of Māori. Transparency is an important part of supporting individuals and groups to have greater awareness over who holds their information and their ability to access it or correct it. |
Consistency with the New Zealand Bill of Rights Act 1990
|
3.3. Has advice been provided to the Attorney-General on whether any provisions of this Bill appear to limit any of the rights and freedoms affirmed in the New Zealand Bill of Rights Act 1990? |
YES |
|
The Crown Law Office has provided advice to the Attorney-General. This advice will be available on the Ministry’s website at https://www.justice.govt.nz/justice-sector-policy/constitutional-issues-and-human-rights/bill-of-rights-compliance-reports/. |
|
Offences, penalties and court jurisdictions
|
3.4. Does this Bill create, amend, or remove: |
|
|
(a) offences or penalties (including infringement offences or penalties and civil pecuniary penalty regimes)? |
NO |
|
(b) the jurisdiction of a court or tribunal (including rights to judicial review or rights of appeal)? |
NO |
|
|
|
Privacy issues
|
3.5. Does this Bill create, amend or remove any provisions relating to the collection, storage, access to, correction of, use or disclosure of personal information? |
YES |
|
Clause 4 amends section 22 of the Privacy Act to insert new information privacy principle 3A (IPP 3A). New IPP 3A requires an agency that collects personal information other than from the individual to whom the information relates to notify the individual of the collection. Clause 13 amends section 49 of the principal Act. Section 49 of the principal Act sets out a number of grounds on which an agency may rely to refuse access to personal information that has been requested by an individual. Two of these grounds are extended. |
|
|
3.5.1. Was the Privacy Commissioner consulted about these provisions? |
YES |
|
Yes. The Office of the Privacy Commissioner has been involved in all stages of the policy development process and has been consulted on the Bill. |
|
External consultation
|
3.6. Has there been any external consultation on the policy to be given effect by this Bill, or on a draft of this Bill? |
YES |
|
Public engagement was conducted between 24 August and 30 September 2022. The purpose of engagement was to identify risks, opportunities, and options for addressing the transparency gap in the Act. We received 53 written submissions: 12 from public agencies; seven from private sector representative bodies; 21 businesses; four privacy lawyers/legal organisations; four academics/privacy experts; two NGOs; one university and two individuals. Support for the proposal to address the transparency gap was mixed. While most submitters saw the opportunity to enhance individuals privacy rights, many submitters (particularly in the private sector) saw risks around compliance burden. |
|
Other testing of proposals
|
3.7. Have the policy details to be given effect by this Bill been otherwise tested or assessed in any way to ensure the Bill’s provisions are workable and complete? |
NO |
Part Four: Significant Legislative Features
Compulsory acquisition of private property
|
4.1. Does this Bill contain any provisions that could result in the compulsory acquisition of private property? |
NO |
Charges in the nature of a tax
|
4.2. Does this Bill create or amend a power to impose a fee, levy or charge in the nature of a tax? |
NO |
Retrospective effect
|
4.3. Does this Bill affect rights, freedoms, or impose obligations, retrospectively? |
NO |
Strict liability or reversal of the usual burden of proof for offences
|
4.4. Does this Bill: |
|
|
(a) create or amend a strict or absolute liability offence? |
NO |
|
(b) reverse or modify the usual burden of proof for an offence or a civil pecuniary penalty proceeding? |
NO |
Civil or criminal immunity
|
4.5. Does this Bill create or amend a civil or criminal immunity for any person? |
NO |
Significant decision-making powers
|
4.6. Does this Bill create or amend a decision-making power to make a determination about a person’s rights, obligations, or interests protected or recognised by law, and that could have a significant impact on those rights, obligations, or interests? |
NO |
Powers to make delegated legislation
|
4.7. Does this Bill create or amend a power to make delegated legislation that could amend an Act, define the meaning of a term in an Act, or grant an exemption from an Act or delegated legislation? |
NO |
|
|
|
|
4.8. Does this Bill create or amend any other powers to make delegated legislation? |
No |
Any other unusual provisions or features
|
4.9. Does this Bill contain any provisions (other than those noted above) that are unusual or call for special comment? |
NO |