Privacy And Data (1)

Winston Peters recently fielded a barrage of questions about over-payments to him of National Superannuation. Initially he refused to comment. Subsequently he disclosed that a "mistake" had been made, although by whom was unclear, and that all relevant sums had been repaid. Ultimately, however, finding his mojo, he turned the tables: this was a beat-up by scurrilous reporters who were relying on the illegal disclosure of private information.

So, in this modern digital age, how certain is it that information about individuals will remain private? According to Justice Minister Amy Adams, we are experiencing a "data explosion". It seems that in the past few years we have created more data than in the entire history of the human race: 40,000 search queries on Google every second; 300 hours of video uploaded to YouTube every minute; a billion active users hosted by Facebook each day.

With all this activity, an increase in data breaches seems inevitable. Presently the Privacy Act regulates how agencies deal with personal information. The Privacy Commissioner monitors the operation of the Act and may conduct investigations. But many criticise the Act as lacking teeth. The Commissioner himself has been described as a "toothless tiger", with no power to make binding decisions and a focus on settling complaints by conciliation.

Reform has been recommended. Indeed the Commissioner advocates fines of up to $1,000,000 for a serious breach of personal information. Other recommendations include:

  • Protection against individuals being unexpectedly identified from data purportedly anonymised
  • The introduction of data portability as a consumer right
  • Additional power to require compliance with the Act to identify and avoid systemic issues
  • A narrowing of defences available to agencies that obstruct the Commissioner
  • Suppression of personal information in public registers where there is a safety risk.

The Law Commission also has recommended overhauling and updating the Act. Some of the recommendations found favour with the Government. In particular it proposed:

  • Making notification of privacy breaches mandatory, including notification to affected individuals when there is a real risk of harm
  • Providing the Commissioner with greater own-motion investigation powers and increased penalties for non-compliance
  • Empowering the Commissioner to issue compliance notices for privacy breaches.

Sadly for Winston Peters, to date changes to the legislation have not been made. However it seems that predictions of Winston as kingmaker have become a reality. Perhaps now we can expect renewed enthusiasm for privacy reform.

This article was written by Graeme Hall for the NBR (October 2017).