In our last legal update, we outlined proposed changes to the Privacy Act 1993. These include a requirement to report data or privacy breaches to the Privacy Commissioner and individuals affected, an ability for the Privacy Commissioner to issue compliance notices and to make binding decisions on complaints about access to information, rather than the Human Rights Review Tribunal. The changes proposed are intended to strengthen privacy protections, promote early intervention and risk management by agencies and enhance the Privacy Commissioner's role and powers. In addition, given that the Privacy Act turns 25 years old this year, the changes are intended to update the law to better address the challenges of the digital age.
Currently, notification of data or privacy breaches is voluntary. Under the Bill, agencies would be required to report any breach (unauthorised access to, disclosure, alteration, loss or destruction of personal information, or an action that prevents an agency from accessing information) that has caused or risks causing harm to an individual (subpart 1 of part 6). Harm is defined as including situations where an individual suffers loss, where their rights or interests may or have been affected, or where they have suffered significant humiliation, loss of dignity or injury to feelings. This threshold is low compared to some countries, and requires reporting to both the Privacy Commissioner and the individual. Failure to notify the Commissioner is an offence, with a maximum penalty of $10,000.
The Privacy Commissioner is urging all organisations and individual New Zealanders to take a moment to review and make submissions on the Bill to the Select Committee. As with any legislative process, additions, deletions and improvements will likely be made as the Bill makes its way through the parliamentary process, and the Select Committee process provides individuals with an opportunity to comment on the proposed changes.
The closing date for submissions is Thursday 24 May 2018. The Bill can be viewed online, and further information on the proposed changes can be found in our last legal update. If you want to make a submission, you can do so here, and we are happy to advise on any of the proposed changes or explain how the proposed changes might affect your organisation.