New privacy regime in final form?

19 March 2020

Late changes to the Privacy Bill, introduced via Supplementary Order Paper this week by Justice Minister Andrew Little, give us a much clearer idea of what the new regime – expected to apply from 1 November 2020 – will look like.

We run through the proposed changes.

Notifying privacy breaches

The Privacy Commissioner will be required to disclose identifying details of persons who may have access to personal information to individuals affected by a privacy breach only where he reasonably believes such disclosure is necessary to prevent or lessen a serious threat to that individual.

Liability for not notifying individuals

The Bill now specifies that liability for failing to notify a privacy breach sits with the responsible employer or agency, not with those employees or agency members whose actions may have led to the failure.

Representatives and class actions

Any person may make a complaint on behalf of any aggrieved individual and, in the case of claims for class actions to the Human Rights Review Tribunal, by a representative of the aggrieved individuals.

Extra-territorial effect

The extra-territorial provisions have been refined to bring the Bill further into line with the European General Data Protection Regulation (GDPR), including application to overseas agencies carrying on business in New Zealand.

Compliance notices

The Commissioner may issue compliance notices for breaches of a code of practice, and has the discretion to publish the compliance notice.

Information sharing agreements

Only specified agencies (being a public sector department or agency, or a specified Crown entity) can lead an information sharing agreement and any agency covered by the agreement will have to be a party to the agreement.

Also, if the Minister consents, the Commissioner can review the agreement within 12 months.

Chapman Tripp comment

The Bill continues to define “personal information" in general terms as “information about an identifiable individual". We consider this an opportunity missed as the definition is highly fact-specific and potentially captures a wide range of information.

Without further amendment to the Bill, we will have to be guided by court decisions, like the recent Taylor v Chief Executive of the Department of Corrections, to identify whether information is “personal information".

In that case, the Court determined that information about others in emails about Mr Taylor was not Mr Taylor's “personal information" nor was it mixed with Mr Taylor's personal information.

Likely commencement date

If the proposed changes are passed the new Privacy Act will fully come into force on 1 November 2020.

We'll continue to monitor the Bill's progress. If you have any questions about how to prepare for the new Act, we're always happy to help.

Our thanks to Tom Cleary for writing this Brief Counsel.