Privacy Commissioner recommends Privacy Act reform
Privacy Commissioner recommends data portability, brakes on data re-identification and fines up to $1 million
3 February 2017
Privacy Commissioner John Edwards has recommended to Government, as part of its plans to reform the Privacy Act, that the penalty for a serious breach of personal information could be a fine of up to $1 million.
If adopted, the Privacy Commissioner would be able to apply to the High Court for a civil penalty of up to $100,000 for individuals and up to $1 million for public and private sector organisations, for serious breaches (as is the case in Australia).
The recommendation is one of six in the Privacy Commissioner’s latest report on the current operability of the Privacy Act, tabled in Parliament this week. This report coincides with the Government’s stated intention to reform the Act.
In the update report, Mr Edwards notes privacy law reform has been under consideration since 1998, including the wide-ranging Law Commission review from 2008-2011. These reviews and the government response have formed the basis for the proposed modernisation of the Privacy Act, as led by the Ministry of Justice.
But Mr Edwards says a lot has changed since the Law Commission’s review. “Important developments since 2011 that impact on the operation and adequacy of the privacy legislation include developments in data science and information technology, and new business models built on data-driven enterprise.”
He says there are apparent gaps and weaknesses in the Privacy Act’s enforcement framework that need to be addressed if the reforms proposed are to introduce an effective and modernised form of privacy regulation.
He is proposing six recommendations. These are:
• empowering the Privacy Commissioner to apply to the High Court for a civil penalty to be imposed in cases of serious breaches (up to $100,000 in the case of an individual and up to $1 million in the case of a body corporate)
• an update to protect against the risk that individuals can be unexpectedly identified from data that had been purportedly anonymised
• introducing data portability as a consumer right
• an additional power to require an agency to demonstrate its ongoing compliance with the Act which would enable the Privacy Commissioner to proactively identify and respond to systemic issues
• narrowing the defences available to agencies that obstruct the Privacy Commissioner or fail to comply with a lawful requirement of the Commissioner; and
• reforming the public register principles in the Act and providing for the suppression of personal information in public registers where there is a safety risk.
Mr Edwards says while the Privacy Act had already been the subject of thorough review, in light of later rapid changes in information technology and data science, and significant developments in international frameworks, these recommendations will help to ensure that New Zealand’s privacy framework will be fit for purpose in the current environment and for foreseeable developments in the future.
The Privacy Commissioner has a statutory responsibility to report periodically to Parliament on the functioning of the Act. The Privacy Commissioner’s report can be found here.