Privacy Bill 2018 – Key Changes

In this article we discuss the new Privacy Bill that was introduced to Parliament on 20 March 2018 and the Privacy Commissioner’s new guidelines in dealing with law enforcement and the use of drones.

Introduction

The Bill began its first reading in Parliament on 10 April 2018 and has now been referred to the Justice Select Committee.  We expect the Bill will progress through Parliament this year as it has a proposed commencement date of 1 July 2019. We will monitor the progress of the Bill as it progresses through Parliament. We will also be hosting seminars to explore and discuss the implications of the Bill for businesses.  Keep an eye out for our invitation in the coming weeks.

The 186-page long Bill has the aim of updating and modernising the 25 year-old Privacy Act 1993 (Act). It does so by replacing the Act in its entirety.  However, the Bill retains much of the content of the current Act, although it does update language and re-order many of the provisions.  In particular, the Bill retains the 12 information privacy principles that we know under the Act.

The Bill’s key impact is in strengthening the compliance aspects of the regime.  We discuss the key changes below, the most significant of which is a requirement to report privacy breaches.

Submissions

The closing date for submissions to the Justice Select Committee is Thursday, 24 May 2018.  If you would like to make a submission on the Bill please contact your usual Lane Neave lawyer.

Mandatory reporting of privacy breaches

Summary of the requirement

The essence of this new provision is that if a breach of privacy reaches a defined threshold, an agency must notify both the affected individual (unless an exception applies, eg notification would likely prejudice the mental health of the individual) and the Privacy Commissioner (Commissioner).

The threshold to notify, requires that the breach has or may:

  • cause loss, detriment, damage, or injury to the individual;
  • adversely affect, the rights, benefits, privileges, obligations, or interests of the individual; or
  • result in, significant humiliation, loss of dignity, or injury to the feelings of the individual,

or that “there is a risk” that it will do so.

The Bill also sets out what is required in the notifications, which includes stating the steps taken in response and steps an individual may wish to take.  Public notice can be given if individual notice is not reasonably practicable.

Trigger for notification is low

Given the ‘risk’ element of the test this is a pretty low threshold for notification.  It is lower than recommendations and the threshold that applies overseas.  The Law Commission in its 2011 recommendations on privacy reform suggested the threshold should be if such notification will enable the recipient to take steps to mitigate a real risk of significant harm or if the breach is a serious one.  The real risk of significant harm test has been adopted in Canada in new laws.  In Australia the test for data breach notification is “serious harm”.  In the EU’s new laws the test adopted is if the breach is likely to result in a high risk to theindividual’s rights and freedoms.  As the Law Commission notes, if the bar is set too low this will create a real cost implication as almost every privacy breach will need to be notified.

What amounts to a privacy breach is also set at a low level and includes (along with unauthorised loss or disclosure), accidental access to personal information or an action that prevents the agency from accessing information on a temporary basis.  These would likely include personnel inadvertently seeing information and the unavailability of computer systems.  While many instances may not result in harm to individuals, with a threshold of “there is a risk” it will do so applying, many events that are not what are ordinarily considered to be a data breach appear to be caught.

Implications of a failure to notify

Agencies who fail to report such breaches to the Commissioner are liable for fines of up to $10,000.  This is at a low level when compared internationally.

A failure to notify the individual will be deemed to be an interference with the individual’s privacy, so the individual can complain to the Commissioner and the existing right of a claim in the Human Rights Tribunal for damages also applies.  As a class action can be brought in the Human Rights Tribunal, such an action may have more teeth than a fine if the breaches were significant and widespread.

Other compliance provisions

A number of other new compliance provisions have been introduced:

  • Directions on access and compliance notices – The Commissioner will be able to:
    • direct an agency to provide an individual with access to their personal information;
    • issue compliance notices in response to a breach of the legislation, including suggesting steps to be taken. Agencies will be required to comply with compliance notices.

The Human Rights Review Tribunal will be able to enforce these access directions and compliance notices, whilst also hearing appeals from agencies issued with them.

  • Strengthening powers – The Commissioner’s investigative powers will be strengthened:
    • by allowing the Commissioner to shorten the time frame within which an agency must comply with information requests; and
    • to enable the Commissioner to take any other action that the Commissioner considers appropriate where a complaint is not resolved, in addition to the existing right to refer the matter for consideration of proceedings in the Human Rights Tribunal. What that action may be is not defined though.
  • Sharing information with overseas enforcement agencies – The Commissioner will gain the power to share information with an overseas privacy enforcement authority to assist it with its functions, duties or powers or to enable it to provide information to the Commissioner.
  • New criminal offences – It will be an offence to mislead an agency in a way that affects someone else’s information and to knowingly destroy documents containing personal information where a request has been made for it. The penalty is a fine up to $10,000.

Other points of note

Other key changes to be aware of are:

  • Cross-border data flow protections – The Bill introduces a new prohibition on disclosing personal information overseas (to a person outside of New Zealand who is not subject to the regime), unless:
    • the individual concerned consents to the disclosure;
    • the overseas person is in a country with comparable privacy laws to New Zealand;
    • the agency believes the overseas person must protect the information in a comparable manner (eg by a contract that provides for such comparable safeguards); or
    • there is a permitted exception (eg to avoid prejudice to the maintenance of the law).

The Bill also provides that disclosure is permitted where it is to the agency’s provider for processing or storage.  Under the current regime, that is not a situation that is generally considered a disclosure due to a deeming provision that requires that the processor must not use or disclose the information for their own purposes.  The deeming provision states that an agency holding information solely for processing is held by the collecting agency.  The Bill appears to change this, as updates to the deeming provision suggest that both the collecting and processing agencies will be holding the information.

While such a change does not seem to be the intention of the Bill (based on the first reading speeches), the language in the Bill is unclear in this regard.  We think it muddies the distinction between the agency collecting the information and the agency that processes it.  If it does make a change it would also create additional compliance obligations and liabilities for both parties (ie both the collecting and processing agencies have to provide address details under principle 3 and comply with principle 5) rather than ensuring responsibility for privacy protection lies only with the collecting agency.  Hopefully these points will be clarified by the Select Committee.

  • Disclosure of unique identifiers – It is proposed that where an agency provides a unique identifier (ie an identifier other than an individual’s name that uniquely identifies them) to another agency it must take all reasonable steps to minimise the risk of misuse of the unique identifier. This is likely to require there to be a contract in place between the two agencies before the unique identifier can be disclosed in order to comply with this new requirement.
  • Tightening the exemption for personal information relating to personal or domestic affairs – There are a few changes here, including that the exemption will:
    • only apply if the information is lawfully obtained (ie a camera on a drone over the neighbours property without consent will be a breach of privacy under the Bill);
    • not apply if the collection involved misleading or deceptive conduct;
  • Use of positive rather than negative language – Some of the privacy principles have been redrafted in positive rather than negative language. For instance, in principle 4, instead of prohibiting the use of unlawful means to collection personal information the obligation is to collect only by a lawful means.  What this means in practice is unclear, but it is possible the changed presumption will require an agency to prove that the means by which they collect information is lawful, rather than a focus on whether the means of collection was unlawful.
  • Objective rather than subjective test for interference with privacy – Under the Act, an interference with privacy requires the Commissioner or Human Rights Tribunal to consider that harm exists. The Bill will replace that with an objective test of whether harm exists.

Overseas comparison

Aside from the introduction of mandatory data breach notification requirements, the Bill does not tackle the issues that are addressed by the new requirements in the EU.  Please refer to our earlier newsletter on what those new requirements are.  Click here for a link.

There are also a number of other issues that the Bill does not address, such as dealing with re-identification of previously de-identified personal information and the application of the legislation to overseas businesses that collect data on New Zealanders but are not doing business in New Zealand. This may be something that the Select Committee will consider.

Security Cameras and drones

In November last year the Privacy Commissioner issued some guidelines for the use of cameras on private property, whether as a fixed security camera or a camera on a drone.  As the guidance notes, cameras on private property are often not subject to the Privacy Act (unlike cameras operated by a business, club or organisation).  However, if the Privacy Bill is passed in its current form, as noted above, this position will change if the camera films in breach of any law.

For now, you can avoid getting offside with your neighbours by following the guidelines.  Key messages include considering your neighbours’ privacy before filming or uploading any footage to the Internet, avoiding pointing camera’s directly at your neighbours’ property, and don’t share footage of the neighbours on their residence (except to the neighbour concerned if they want to see it).  The guideline can be accessed here.

Releasing personal information to police and law enforcement agencies

Also in November last year the Privacy Commissioner released guidance explaining the obligations of organisations when Police or other law enforcement agencies request disclosure of personal information held by them.  The guidance considers “mandatory demands” and “voluntary requests”.  It also includes example scenarios and a quick guide checklist.  It can be accessed here.  This summary gives an overview of the key points from the guidance.

Mandatory demands

A mandatory demand for information is a legal obligation that must be complied with.  The Privacy Act permits disclosure in such a case.  Usually the demand will be under a search warrant.

As the guidance notes, an organisation must only provide the information required of it and no more than that. Any excess information provided will be in breach of the Privacy Act unless it is able to be provided as part of a voluntary request.

The guidance recommends determining exactly what information is required and to clarify the contents of the information request in the demand if you think it is too broad.

Voluntary requests

When the request by a law enforcement agency is voluntary, an organisation is not required to provide the information.  It may however release the information if it has a reasonably held belief that an exception exists.  There are two exceptions relevant to such requests – where there is a serious threat to health and safety (principle 11(f)) and the maintenance of law exception (principle 11(e)(i)).  Both of these exceptions are continued under the proposed Privacy Bill.

As the guidance explains, it is the organisation’s responsibility, not that of the law enforcement agency, to justify that the exception applies and that its belief is reasonably held. For this reason, you should always make your own enquiries and ensure you have sufficient information from the law enforcement agency to determine whether the release of information is justified.

The guidance also provides a view on what an organisation must consider in relation to each of these exceptions.  Key points from the guidance are that:

  • releasing under the serious threat to health and safety exception requires:
    • considering the likelihood of the threat, the severity of the consequences and the time it may occur; and
    • being satisfied that the person to whom it is released is in the position to do something to prevent or lessen the threat;
  • releasing under the prejudice to the maintenance of the law exception is not a general right of access to information they think will help their investigation. It must be necessary to avoid prejudice to the maintenance of law.  In this regard, the guidance notes that:
    • it is not enough if law enforcement simply state that the information is necessary for an investigation, there needs to be a link between the offence and the relevance of the information sought;
    • you should ask yourself if law enforcement did not have this information, would it prevent an investigation commencing or continuing or are there circumstances that mean an investigation would be prejudiced without access to the information sought?
    • the more sensitive the requested information, the more compelling the reason for disclosure should be.

If the organisation is not satisfied that an exception applies, it should deny the request.

What the guidance does not really cover is whether or not to disclose if you are satisfied that the exception does apply, although it does note confidentiality assurances should be considered.  In our view, it is important to consider what the organisation’s position on such requests should be and if there are any factors, such as confidentiality obligations, which may mean it must deny requests.

This summary does not cover all matters in the guidance and the guidance (along with legal advice) should be considered if you receive a request for personal information from a law enforcement agency.

Business Law Team

If you need any assistance with the sale or purchase of your business, do not hesitate to get in touch with the business law team at Lane Neave.

Gerard Dale, Claire Evans, Graeme Crombie, Evelyn Jones, Peter Orpin, Joelle Grace, Anna Ryan, Kristina Sutherland, Danita Ferreira, Jacob Nutt, Angela Sargent, Whitney Moore, Alex Stone, Giuliana Petronelli