New Privacy Bill

After 25 years the New Zealand Privacy Act is finally getting an update! It is based on 2011 recommendations from the Law Commission’s review. The new bill has just been released on 20th March and the act will come into force on 1st July 2019.

You can read the full Privacy Bill here:

However, if you don’t have the time to read the whole thing, here is a quick list of the major changes coming up in the future.

Mandatory reporting of privacy breaches:

It will be mandatory for agencies to report to the Privacy Commissioner and people affected if privacy breaches (unauthorised or accidental access to, or disclosure of, personal information) occur that pose a risk of harm.

Compliance notices:

The Privacy Commissioner will be able to issue compliance notices that require agencies to do or stop doing something to comply with privacy law.
Before issuing the compliance notice, a written notice must be sent to the agency outlining the identified breach, cite the relevant statutory position and informing the agency to remedy the breach. In some cases, it may include remedial steps, a timeframe and remedy conditions.
After issuing the compliance notice, the Human Rights Review Tribunal will enforce the notice or hear any appeal by the agency. The Human Rights Review Tribunal will be able to order compliance with the notice or undertake another action to remedy the breach.
Failure to comply will result in a maximum fine of $10,000.

Strengthening cross-border data flow protections:

New Zealand agencies will be required to take reasonable steps to ensure that personal information disclosed overseas will be subject to acceptable privacy standards. The Bill also clarifies the application of our law when a New Zealand agency engages an overseas service provider.
The Bill also proposes that disclosure to an overseas person will only be permissible if:
• The individual consents to the disclosure
• The overseas person has comparable privacy laws to New Zealand
• The agency believes the overseas person is required to protect the individual’s information in a way that is comparable to New Zealand’s privacy laws.

New criminal offences:

It will be an offence to mislead an agency in a way that affects someone else’s information and to knowingly destroy documents containing personal information where a request has been made for it.
Fine for non-compliance will be increased from $2,000 to $10,000.

Commissioner making binding decisions on access requests:

This reform will enable the Commissioner to make decisions on complaints relating to access to information, rather than the Human Rights Review Tribunal. The Tribunal will be able to be appeal the Commissioner’s decisions.

Strengthening the Privacy Commissioner’s information gathering power:

The Commissioner’s existing investigation power is strengthened by allowing him or her to shorten the time frame within which an agency must comply. The fine for non-compliance is being increased to a maximum of $10,000.
Bill has been introduced and undergone its first reading and now the Select Committee is gathering information and putting together a report on the bill for the house which could include recommended changes to the Bill. The House will then debate the report during a Second Reading and vote on the Bill.

Want to let the Justice Committee know what you think of the new Bill? You can!
You have until Thursday 24th May to make a submission by following this link: submission/document/52SCJU_SCF_BILL_77618/privacy-bill