Almost a year ago, the Government introduced a new Bill to Parliament to replace the existing Privacy Act with one more suited to our digital world. Having considered submissions on the Bill, the Justice Select Committee has now released its report, recommending that the Bill be passed.
Information privacy principles
The core elements of the Privacy Bill are the same as the Act it is designed to replace. It retains the twelve information privacy principles, which protect people’s privacy by governing the collection, storage, and use of personal information, while also providing for legitimate use of information by government, businesses, and other organisations. However these information privacy principles are updated in the Bill, to better protect personal information sent overseas.
The Select Committee’s recommended amendments clarify and emphasise the new elements of the information privacy principles, such as by separating out the requirement to consider the vulnerability of children and young people into a separate sub-clause.
The Select Committee has recommended some changes to the application of the Bill to news media. Currently, it does not apply to news media carrying out news activities, on the basis that this enables the media to perform their role of supporting the free flow of information to the public. The Select Committee noted that “news activity” currently relates to articles or programmes, and they propose expanding this to include other journalistic works such as books and blogs, and also making it clear that “publishing” includes publishing on the Internet.
In addition, the Select Committee pointed out that Radio New Zealand (RNZ) and Television New Zealand (TVNZ), unlike other media, have to comply with the Privacy Act, because of their status as Crown Entities. They propose that this be changed, saying:
“We believe that RNZ and TVNZ should be brought within the media exemption. It is a matter of principle that they should be able to operate on the same footing as other news media when undertaking news activities. We recommend aligning the treatment of RNZ and TVNZ with other news media so that they have the full benefit of the media exemption.”
Notification of privacy breaches
A key addition to the Privacy Bill is a requirement for any entity which handles personal information to notify the Privacy Commissioner and any affected individuals of any unauthorised access to or disclosure of personal information, where the access or disclosure poses a risk of harm. The Select Committee has recommended changing this to “serious harm”, on the basis that the threshold for harm is too low, and could result in over-notification. This will also be better aligned with the notification requirements in other countries.
The Select Committee has also recommended including an exception, allowing notification to individuals to be delayed where notification could risk wider exploitation of the vulnerability in the entity’s systems. In this situation, the Privacy Commissioner would still need to be notified as soon as is practicable after the agency becomes aware of the breach.
The amended Privacy Bill will now be referred to Parliament for further consideration. If passed, it is currently expected that the new legislation would come in to force on 1 March 2020.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.