New Zealand Government response to its Law Commission report on Privacy

April 18, 2012 |

The New Zealand Government has provided a response to the New Zealand Law Commission’s report on amendments to the Privacy Act 1993. It is found here:

In overview the Government response is found (absent footnotes):

A new Privacy Act

The Law Commission recommends that a new Privacy Act, to replace the Act, be enacted.  The Law Commission also recommends that the new Act retain a principles-based approach to regulating privacy.  The Government agrees with these recommendations.

A new Privacy Act will improve the clarity, certainty, navigability and user-friendliness of the Act and will incorporate many of the changes recommended by the Law Commission, as well as additional proposals to strengthen the regime.  Retaining a principles-based approach to regulating privacy will ensure that the new Act retains flexibility and that New Zealand law remains in line with its primary trading partners.

In summary, a new Privacy Act will:

  • retain aspects of the Act that work well
  • make the Act easier to navigate and understand
  • decrease uncertainty for government, business, private sector agencies, and individuals
  • improve flexibility, and the ability to respond to ongoing technological advances
  • increase the efficiency and effectiveness of government and business privacy practices
  • maintain public confidence in the security of, and appropriate use of, personal information.

Recommendations that the Government has already made progress on

Bills already introduced

The Government responded to 12 of the Law Commission’s recommendations on Government information sharing when it introduced the Privacy (Information Sharing) Bill.

Once the Criminal Procedure Act 2011 comes into force it will implement the Law Commission’s recommendation that the Criminal Disclosure Act 2009 refer to the Evidence Regulations 2007 rather than the repealed Evidence (Videotaping of Child Complainants) Regulations 1990.

Work plans for better guidance and privacy education

Three recommendations request minor changes to the Legislation Advisory Committee Guidelines on Process and Content of Legislation. The Government has invited the Legislation Advisory Committee to review its Guidelines in the light of these recommendations.

Seventeen recommendations request that Government agencies provide education or develop guidance on the Act to improve understanding of definitions, access requests, employee ‘browsing’ rules, unique identifiers, exceptions, exemptions, crime reporting, privacy by design, privacy enhancing technologies, capacity and disability issues and disclosure of information overseas.  The Government has invited the Privacy Commissioner to consult the Ministry of Justice and relevant partner agencies and submit a plan for developing the guidance and education material recommended by the Law Commission.  It is likely that most of the guidance and education material will need to be developed during and after the reform of the Act.

Recommendations that the Government agrees to do further work on

There are 39 recommendations that appear on their face to be sensible but may have unforeseen implications requiring further analysis.  These recommendations include:

    • a new purpose section for the Act; enabling the Privacy Commissioner to determine access complaints;introducing representative complaints; adding new exceptions and accountabilities;
      • clarifying the relationship between the Act and other legislation;
      • ensuring that age and cultural characteristics factor into the Privacy Commissioner’s decision-making; and
      • removing ambiguity and redundant provisions, filling unintended loopholes, correcting errors in the Act, and improving clarity and navigability.
      • The Government has directed the Ministry of Justice to analyse the implications of these recommendations and to report back to the Government in September 2012.

Recommendations that need further analysis before a Government view is possible

    • There are 55 recommendations that require further investigation before the Government is able to form a view.  Most of these recommendations are to make significant changes to the Act; will have regulatory implications that are more than minor; and will have flow on effects that need to be carefully analysed.  These recommendations include proposals to:
      • create new information privacy principles and exceptions;
      • bring new agencies under the Act;
      • enhance the Privacy Commissioner’s enforcement powers;
      • introduce compulsory data breach notification; and
      • clarify and enhance how the Act operates on information transferred and held overseas.

Recommendations that will be considered later

There are 17 recommendations that it is more appropriate for the Government to respond to in the context of other work.

Seven recommendations relate to accessing and disclosing personal information and are best dealt with when the Government responds to the Law Commission’s report on the Official Information Act 1982.  The access and withholding provisions in the Act are based on and mirror the Official Information Act.  Amending the Act before the review of the Official Information Act is complete may lead to temporary uncertainty and cost.  The Law Commission is expected to publish its report on the Official Information Act in the first half of 2012.

Two recommendations relate to the exemption of the news media from the Act and are best dealt with when the Government responds to the Law Commission’s report reviewing regulatory gaps and the new media.  That report is likely to consider what counts as “news media” in a world where “news” is quickly and easily produced online to a massive audience.  An issues paper has been published and submissions are sought until March 2012.

One recommendation relates to public registers.  The Government has previously announced that it will deal with the Law Commission’s recommendations on public registers after policy decisions on the Act are made.

Seven recommendations would strengthen and clarify the information matching provisions of the Act and are best considered after the Privacy (Information Sharing) Bill has been passed and has had time to “bed-in”.  A high degree of uptake on information sharing agreements may make the information matching provisions redundant.  The timing of any work to amend or repeal the information matching provisions will be considered as the Government updates its regulatory review programme.

Recommendations that no further work will be done on

There are two recommendations that the Government will not do any further work on.  These recommendations would create a power for the Privacy Commissioner to report on surveillance activities, and instigate a review of the handling of health information.

These recommendations do not appear to address any identifiable problem or issue, are likely to cause confusion, or add administrative burden without clear benefits.

Next steps for privacy reform

The Government will:

    • seek to progress the Privacy (Information Sharing) Bill in the House
    • request ongoing updates from the Privacy Commissioner and the Legislation Advisory Committee about their plans for better guidance and privacy education
    • receive reports from the Minister of Justice in September 2012 on the repeal and re-enactment of the Privacy Act, including:
      • the implications of implementing the Law Commission’s recommendations that require further work and additional analysis
      • additional proposals to strengthen the privacy regime
      • specific policy proposals for inclusion in a new Privacy Act.
    • consider the remaining recommendations made by the Law Commission in the context of the Law Commission’s Official Information Act 1982 and new media reviews, when considering the public registers, and after information sharing reforms have “bedded in”.

The Government’s response can be best described as cautious and minimalist.  The Government is luke warm (in buerocratic speak “recommendations needing further analysis”) on increasing the Privacy Commissioner’s enforcement powers, bringing new agencies under the Act and requiring compulsory notification of data breaches.  That is not best practice and disappointing.

 

Leave a Reply