24 April 2012

NZ Privacy

The New Zealand Government has formally responded to the NZ Law Commission's Review of the Privacy Act 1993 report.

The Review of the 1993 Act involved four stages, each with discrete publications -
Stage 1: ... a high-level analysis (completed in 2008 with publication of a study paper) to assess privacy values, changes in technology, international trends, and their implications for NZ law. 
Stage 2: ... a consideration of the law relating to Public Registers and whether it requires systematic alteration as a result of privacy considerations and emerging technology. The Commission recommended a review of all public registers against a template set out in its 2008 report, with the resulting legislative changes to be introduced by way of a single omnibus Bill. 
Stage 3: ... a consideration of the adequacy of New Zealand's civil and criminal law to deal with invasions of privacy. The Commission's final report recommended a new Surveillance Devices Act to fill gaps in "the regulation of the most objectionable forms of surveillance". In contrast to reports by three Australian law reform commissions the report recommended that "development of the common law privacy tort (publication of private facts)" be left to the courts to develop over time, ie NZ should not establish a statutory cause of action. 
Stage 4: ... a general review of the Privacy Act 1993.
The response concurs with the Law Commission's assessment that the Privacy Act needs to be replaced with a new statute that addresses community expectations about the protection of personal information, new technology and new business practices.

The response is in the traditional format, with the Government noting progress, accepting particular recommendations and quibbling with or rejecting others. The response notes that the Government
  • has already made progress on 33 recommendations (including the introduction of the Privacy (Information Sharing) Bill)
  • agrees to do further work on 39 recommendations
  • needs to do further work on 55 recommendations before coming to a view
  • will consider 17 recommendations later as part of other work
  • will not consider doing further work on two recommendations.
The Law Commission made ten recommendations about the NZ information matching framework, with the Government responding that seven are best considered after the Privacy (Information Sharing) Bill has been passed and has had time to ‘bed in’ -
  • removing the requirement to seek authorisation for online transfers
  • removing the blanket exemption for Inland Revenue to information destruction rules
  • increasing the notice of adverse action period to 10 days, but allowing the Privacy Commissioner to reduce the period in appropriate cases.
Two of the 10 recommendations were considered sensible but needed further analysis. They are:
  • making the requirement for the Commissioner to perform a five yearly review of operating programmes a discretionary decision
  • allowing the Commissioner to report separately on information matching activity rather than in the Commissioner's annual report.
The Government noted that the final recommendation (ie all information matching should operate under the information matching framework) is no longer relevant as the Government responded positively to an alternative recommendation with the introduction of the Privacy (Information Sharing) Bill. Pending introduction of that law the information matching framework will remain in effect.

The report suggests that "a high degree of uptake on information sharing agreements may make the information matching provisions redundant", requiring consideration of work to amend or repeal the information matching provisions.

The report proposed introduction of mandatory data breach notification. It cautioned against an absolute breach notification requirement (ie irrespective of the severity of the breach), instead recommending that notification be required only in certain circumstances. It suggested two criteria -
  • where the breach is serious, with seriousness assessed in relation to matters such as the scale of the breach, the information's importance or sensitivity, or the reasonable foreseeability that significant harm might result
  • where notification may allow the individual to mitigate a significant risk of real harm to the individual.
The report called for 'Better protection against offensive online publication', commenting that
The internet has been enormously empowering, but its power can also be abused through the offensive or harmful publication online of private information about other people. The Privacy Act covers online information, but there are currently some broad exceptions in the Act that the Law Commission thinks should not apply when the publication is particularly offensive. The report’s recommendations to narrow the scope of these exceptions will not apply only to the internet, but they are particularly relevant to online information because it can be viewed and copied so widely. 
For example, there have been cases of people posting naked photographs of their ex-partners online without consent. At the moment, the person posting such photographs can claim the protection of a section of the Privacy Act that exempts information collected or held in connection with a person’s personal or domestic affairs. The report recommends that this exemption should not apply if the collection, use or disclosure of information would be “highly offensive”. The report also recommends an amendment that would prevent others from further using or disclosing such information, even though it is accessible from a “publicly available publication”.
In an indication that NZ is belatedly catching up with the Australian Do Not Call (DNC) regime, the report also commented that
The Law Commission considered whether a Do Not Call register should be set up by law in New Zealand, as has happened in other countries. A Do Not Call register would allow New Zealanders to register their wish not to receive telephone marketing calls, and to have that wish respected by marketing companies. At present, the Marketing Association operates a Do Not Call register, but participation in the scheme by marketing companies is voluntary. The report recommends that the Marketing Association’s existing register should be put on a statutory footing, making it mandatory for marketers to respect people’s stated preferences. The Law Commission thinks that this change should be implemented through consumer legislation rather than the Privacy Act, however.
The report does not recommend any changes to the Privacy Act to deal with direct marketing generally, but the Law Commission thinks that it may be necessary in future to consider whether the Do Not Call register should be supplemented by a right in the Privacy Act to opt out of direct marketing. The Commission thinks that privacy issues in relation to online marketing (including tracking of people’s online activity for marketing purposes), and responses to these issues overseas, should be monitored to see if further action is needed in this area in future. The report also recommends that industry bodies should review the adequacy of privacy protection in existing codes for marketing to children.