Privacy watchdog to get more teeth
28 May 2014
A strengthened and updated Privacy Act will give New Zealanders more power over their information and give the Privacy
Commissioner better tools to deal with challenges posed by the digital information era, says Privacy Commissioner John
Edwards.
Mr Edwards welcomed the Government’s intention to reform the 20-year-old Privacy Act and says it makes the law more
equal to the task of protecting New Zealanders' personal information.
The proposed changes to the Privacy Act are the culmination of a process that began with a four-year-long Law Commission
project to review privacy, resulting in comprehensive recommendations in its 2011 report.
The overall impact of these changes will be to give the Office stronger investigative powers, the authority to order
that information be given to people, and the power to order agencies to fix privacy problems.
“These reforms will power up our privacy law to bring it more in line with world class standards of protection that New
Zealanders are entitled to expect,” Mr Edwards said.
“Since the Privacy Act was passed 20 years ago, we have seen huge technology-driven changes. The Law Commission report
on which the law changes are based recognises that individual New Zealanders have countless new opportunities from
technological developments, but that there are also real risks.”
“People's information can be lost or hacked; organisations collect huge amounts of our confidential information and then
fail to protect it; individuals can breach others’ privacy by highly offensive internet postings. The law needs to be
flexible and strong enough to be able to deal with these kinds of problems.”
An important change is that the Privacy Commissioner could order agencies – through issuing a compliance notice - to fix
business practices that breach the law. This targeted tool would address those rare occasions when no other solution has
worked and people are at risk of harm from misused information or poor information handling.
In another change, the privacy complaints process would be streamlined, allowing for groups of people to bring
"representative" complaints - similar to class actions.
The Privacy Commissioner would also be able to make binding decisions on complaints where a person has asked for
information about him or herself and has been refused.
Other significant changes include data breach notification to become mandatory where there is a risk of significant harm
or where the breach is a serious one.
ENDS