Privacy Bill – Five changes to watch out for

20 March 2019

In this article we summarise five key changes introduced by the new Privacy Bill (which will, once enacted, replace the Privacy Act 1993), as reported from the Justice Committee on 13 March.

1. Agencies must notify the Privacy Commissioner and the relevant affected individual(s) as soon as practicable after becoming aware of a notifiable privacy breach.  A breach will be notifiable if it is reasonable to believe that the breach has caused serious harm to an affected individual(s) or is likely to do so.  In determining whether a breach is likely to cause serious harm, agencies must consider any action taken by the agency to reduce the risk of harm following the breach, whether the personal information is sensitive in nature (for example, health records), the nature of harm that may be caused to affected individuals, the person or body that has obtained or may obtain personal information as a result of the breach, whether the information is protected by a security measure (such as encryption) and any other relevant matter.

2. Sending personal information overseas is more tightly controlled.  In summary, agencies can now only disclose personal information to a foreign person or entity if that person or entity has been authorised by the relevant individual or the agency otherwise believes on reasonable grounds that the foreign person or entity is subject to the Bill or privacy laws that, overall, provide comparable safeguards to those in the Bill.

3. The Bill applies on an extra-territorial basis.  The Bill applies to agencies located off-shore where those agencies are "carrying on business in New Zealand", regardless of where the relevant information is collected or held and whether or not the agency has a physical presence in New Zealand, charges monetary payment, or makes a profit from its business in New Zealand.  In our view, the scope of "carrying on business in New Zealand" is very broad and it will be interesting to see how this extra-territorial reach is applied in practice.

4. The transfer of information to an agent (such as a cloud provider) is not to be treated as a disclosure.  The Privacy Bill clarifies that the transferring agency is treated as holding the information and will be liable for any privacy breaches by its agent.  Agencies will need to ensure that their contracts with their agents (eg cloud providers) impose appropriate privacy requirements on that agent. 

5. The Privacy Commissioner will be able to issue compliance notices requiring an agency to either do something or to stop doing something.  The Privacy Commissioner must publish details of any compliance notice issued, including the identity of the agency and details about the notice, unless the publication would cause undue harm to the agency that outweighs the public interest in publication. This means that there is greater reputational risk for agencies in respect of any non-compliance with the Bill.