Privacy Commissioner (New Zealand)

Privacy Commissioner
Te Mana Matapono Matatapu
Agency overview
Formed1993
Agency executive
  • Michael Webster, Privacy Commissioner
Key document
  • The Privacy Act 2020 [1]
Websitewww.privacy.org.nz

The Office of the Privacy Commissioner (New Zealand) administers the Privacy Act 2020.[1] The Privacy Commissioner is entrusted to protect personal information of New Zealanders in accordance with the Privacy Act. Current Privacy Commissioner, Michael Webster, began his role in July 2022.

The Privacy Commissioner oversees personal information held by agencies in both the public and private sectors.[2] This is achieved through monitoring compliance with the 13 Information Privacy Principles. Amid his varied responsibilities, the Commissioner administers a complaint system and issues Codes of Practice or rules for particular industries, contexts and sectors.[3] Most cases involve investigation, conciliation and settlement.[4] Serious breaches are referred to the Human Rights Review Tribunal.[5] The Commissioner inherently considers international obligations and worldwide developments in privacy protection.

History

The now repealed Privacy Commissioner Act 1991 established the role of the Privacy Commissioner. The Commissioner had a principal role in the development of the Privacy Bill 1993, which passed into law as the Privacy Act 1993 and established the revised Office of the Privacy Commissioner.[6]

In March 2018, the Privacy Bill was introduced to Parliament. The Bill was passed by New Zealand Parliament in June 2020 and the Privacy Act 2020 came into law on 1 December 2020. The Privacy Act 2020 significantly updates the 1993 Act. Many of the changes are based on recommendations from the New Zealand Law Commission's 2011 review of New Zealand's privacy laws.

List of privacy commissioners

Webster in 2017

The Office of Privacy Commissioner has been held by:[7]

Privacy Act 2020

Main article: Privacy Act 2020

The Privacy Act 2020 is primarily concerned with information privacy; other aspects of privacy are protected by the common law right to privacy in New Zealand. The Act controls the collection, use, disclosure, storage and granting of access to personal information by agencies.[11] Personal information covers any information about an identifiable natural person.[12]

The key changes in the Privacy Act 2020 include:

  • new criminal offences
  • introduction of compliance orders
  • binding access determinations
  • controls on the disclosure of information overseas
  • mandatory notification of harmful privacy breaches
  • the law now explicitly applies to overseas-based entities that carry on business in New Zealand.

The Privacy Act was originally enacted in 1993 in an era of heightened national awareness for human rights, and sits alongside the New Zealand Bill of Rights Act 1990 and the Human Rights Act 1993. The Privacy Act similarly addressed international concerns,[13] acknowledging privacy obligations under the Universal Declaration of Human Rights,[14] and the International Covenant on Civil and Political Rights.[15]

The Privacy Act extended protection to "any person or body of persons whether corporate and unincorporate," in both the public and private sectors.[16] Inclusion of the private sector was considered revolutionary. The Commissioner thus oversees government departments, companies, religious organisations, and schools.[17] Some limited exemptions to the Privacy Act exist: the sovereign, the House of Representatives, courts and tribunals acting in judicial capacity, news media activities, and individuals holding personal information for private use.[18]

The Information Privacy Principles (IPPs), monitored by the Commissioner, are based on guidelines established by the Organisation for Economic Co-operation and Development (OECD) in 1980.[19] The IPPs cover:[20]

  • Collection of personal information (principles 1 – 4);
  • Storage and security of personal information (principle 5);
  • Requests for access to and correction of personal information (principles 6 – 7);
  • Accuracy of personal information (principle 8);
  • Retention of personal information (principle 9);
  • Use and disclosure of personal information (principles 10 – 11);
  • Cross border disclosures (principle 12); and
  • Using unique identifiers (principle 13).

In ANZ National Bank Ltd v Tower Insurance, the High Court held the privacy principles require that personal information can only be collected for "a lawful purpose and is necessary for that purpose."[21] The principles do not outline their practical application, giving the Commissioner flexibility to deal with varying fact situations as they arise.[22]

In exceptional circumstances, when the Privacy Commissioner is satisfied the public interest outweighs privacy protection, agencies can be authorised to use personal information in a manner that would usually breach the IPPs or other provisions under the Act.[23]

Roles, functions and powers

The Office of the Privacy Commissioner is an independent Crown entity, funded by the state but acts independently of government or Ministerial control.[24] In addition to monitoring compliance with the IPPs and PRPPs, the Commissioner's roles are extensively outlined in Section 13 of the Privacy Act. The central focus is to better protect the privacy of individuals, and includes:[25]

  • Legislation and policy; reporting to the Prime Minister on "legislative, administrative, or other action," and examining proposed legislation involving the collection or disclosure of personal information;
  • Compliance; auditing personal information held by agencies, investigating and reporting on complaints, and inquiring into possible infringements;
  • Education and awareness; a user-friendly website, training workshops, and monitoring developments in data processing technologies;
  • Monitoring government information matching programmes;
  • Issuing Codes of Practice; which modify the privacy principles for different industries;
  • Liaison and development with international counterparts; especially in the Asia-Pacific region; and
  • Undertaking any other function, power or duty; conferred by the Privacy Act or any other enactment.

Functions listed elsewhere in the Act include consultation with the Ombudsman, Health and Disability Commissioner and the Inspector General of Intelligence and Security, and publishing personal information directories.[26] The Commissioner is conferred functions in several other enactments, which can be categorised as:[27]

  • Complaints investigation;
  • Scrutiny or approval of information disclosure arrangements;
  • Consultation with other agencies;
  • Codes of Practice;
  • Information matching; and
  • Advice on privacy impact assessments.

Complaints and decisions

The Privacy Commissioner can investigate potential breaches of the IPPs, PRPPs, or other Privacy Act provisions, on his or her own initiative or on receipt of a complaint.[28] The onus is on the complainant to establish that an agency's action both breached a privacy principle and caused harm.[29] Harm can include financial loss, adverse effect on rights or interests, or a significant injury to feelings. Breaches of principles 6 and 7, the refusal to grant access to or allow correction of information, need not establish harm as these situations are considered interferences per se.[30] The Commissioner can decide to take no action based on issues of time, triviality, bad faith, or if another course of action is more appropriate.

Should the Commissioner decide to pursue a complaint, his role is both investigatory and conciliatory. With this mediation rather than litigation focus, the Commissioner can call "compulsory mediation conferences," and seek a resolution agreement and assurance of non-recurrence.[31] Both parties to a complaint must be informed of the commencement of proceedings and the result of an investigation. The Commissioner has no power to force compensation payments from an agency, dismiss an employee or prosecute anyone.[32]

In the 2019/2020 year, the Commissioner closed 769 investigation files. Outcomes mostly included information being released or partly released, followed by the giving of assurances, an apology, a change of policy, correction of information, and monetary payment. The majority of complaints involved a breach of the IPPs, ahead of the Health Information Privacy Code.[33] The actions of government agencies, including education providers and local authorities, trigger most complaints, followed by health sector agencies.

Where settlement is unobtainable or an agency repeatedly contravenes prior assurances, the Commissioner may refer the complaint to the Director of Human Rights Proceedings.[34] The Director has the discretion to determine whether the Human Rights Review Tribunal should institute proceedings.[35] Aggrieved individuals may also self-refer proceedings before this body. If satisfied of privacy interference, the Tribunal may issue a declaration, grant orders restraining repeated interference or requiring specific acts be performed, award compensatory damages up to $350,000 NZD, or give another appropriate remedy.[36] Where the powers of the Tribunal are exceeded, remedial instructions may be referred to the High Court or extended remedial powers conferred on the Tribunal by written agreement between the parties.[37] Case notes and Tribunal decisions are published on the Commissioner's website.

The Commissioner does not operate a system of binding precedent in the outcomes of his decisions, instead considering each case independently.[38] The IPPs, except principle 6, and the PRPPs are not enforceable in a law court.[39] The Privacy Act however does not preclude complainants from taking court action for a breach of the common law right to privacy where the Commissioner has dealt with a statutory complaint on the same issue.[40]

Codes of Practice

As the IPPs are generally worded, the Commissioner may issue more specific Codes of Practice for different "industries, agencies activities or types of personal information."[41] The codes modify the application of the Privacy Act, including less or more stringent rules than contained in the privacy principles, as is appropriate. Extensive advertisement, consultation and invitation for submissions are stipulations. Codes must be approved as delegated legislation by the House of Representatives.[42] Thereafter the codes become enforceable under the Act and the same complaints process applies. Further remedies may be available for breaches of legislation related to a particular industry. The Privacy Commissioner commends the codes as a flexible means of regulation, more readily capable of amendment or revocation than legislative provisions.[43] The current Codes of Practice include:

  • Health Information Privacy Code 2020
  • Telecommunications Information Privacy Code 2020
  • Credit Reporting Privacy Code 2020
  • Civil Defence National Emergencies (Information Sharing) Code 2020
  • Justice Sector Unique Identifier Code 2020
  • Superannuation Schemes Unique Identifier Code 2020.

International

New Zealand's Privacy Commissioner participates internationally to promote global co-ordination in privacy protection. Such forums include the Global Privacy Assembly,[44] APEC's Cross Border Privacy Arrangement,[45] and the Global Privacy Enforcement Network.[46] The Commissioner's Annual Report 2013 emphasised the need for cross-border protection given the accessibility of private information online.[47]

In December 2012, New Zealand gained international approval for its privacy protection from the European Commission. The Commission stated that the Privacy Act and common law "cover all the basic principles necessary for an adequate level of protection for natural persons, and also provide for exemptions and limitations to safeguard important public interests."[48] The invaluable role of the Commissioner, commended for the position's independence and adequate powers to protect individual privacy, was also noted.[49]

See also

References

  1. ^ Privacy Act 2020
  2. ^ Privacy Act 1993, s 2(1)(a) in Steven Penk and Rosemary Tobin Privacy Law in New Zealand at 58.
  3. ^ Privacy Act 1993, ss 13(1AA)(d) and s46(1) in New Zealand Law Commission Review of the Privacy Act 1993: Review of the Law of Privacy Stage 4 Archived 13 July 2014 at the Wayback Machine at [5.4].
  4. ^ Steven Penk and Rosemary Tobin Privacy Law in New Zealand at 51.
  5. ^ Privacy Act 1993, s 77 in New Zealand Law Commission Review of the Privacy Act 1993: Review of the Law of Privacy Stage 4 Archived 13 July 2014 at the Wayback Machine at [5.4].
  6. ^ Privacy Act 1993, Long Title and s 12 in Steven Penk and Rosemary Tobin Privacy Law in New Zealand at 54.
  7. ^ Office of the Privacy Commissioner About Us: Introduction.. Retrieved 2 May 2014.
  8. ^ "Privacy Commissioner John Edwards announced as preference to be UK information commissioner". Radio New Zealand. 26 August 2021. Retrieved 26 August 2021.
  9. ^ "Who we are". www.privacy.org.nz. Retrieved 17 January 2022.
  10. ^ Keall, Chris (8 June 2022). "New Privacy Commissioner named". The New Zealand Herald. Retrieved 9 June 2022.
  11. ^ Office of the Privacy Commissioner Privacy Act & Codes: Introduction.. Retrieved 2 May 2014.
  12. ^ Steven Penk and Rosemary Tobin Privacy Law in New Zealand at 59.
  13. ^ Ursula Cheer and John Burrows Media Law in New Zealand at 374.
  14. ^ Universal Declaration of Human Rights 1949, Article 12.
  15. ^ International Covenant on Civil and Political Rights 1976, Article 17.
  16. ^ Privacy Act 1993, s2(1)(a) in Steven Penk and Rosemary Tobin Privacy Law in New Zealand at 58.
  17. ^ Office of the Privacy Commissioner Privacy Act & Codes: Introduction. Retrieved 2 May 2014.
  18. ^ APEC Cooperation Arrangement for Cross-Border Privacy Enforcement Summary Statement of Privacy Enforcement Authority enforcement practices, policies and activities at 1.
  19. ^ OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, Part II: Guidelines.
  20. ^ Office of the Privacy Commissioner Privacy Acts & Codes: A Thumbnail Sketch of the Privacy Principles.. Retrieved 2 May 2014.
  21. ^ ANZ National Bank Ltd v Tower Insurance (2009) 15 ANZ Ins Cas 61-816 at [171].
  22. ^ Ursula Cheer and John Burrows Media Law in New Zealand at 375.
  23. ^ Office of the Privacy Commissioner Privacy Act & Codes: Introduction. Retrieved 2 May 2014.
  24. ^ Office of the Privacy Commissioner About Us: Introduction.. Retrieved 2 May 2014.
  25. ^ Office of the Privacy Commissioner Statement of Intent 2012 – 2015 (2012) at 4 – 5; Steven Penk and Rosemary Tobin Privacy Law in New Zealand at 63.
  26. ^ Privacy Act 1993 ss 21, 36 and 117 – 177B in New Zealand Law Commission Review of the Privacy Act 1993: Review of the Law of Privacy Stage 4 Archived 13 July 2014 at the Wayback Machine at [5.3].
  27. ^ New Zealand Law Commission Review of the Privacy Act 1993: Review of the Law of Privacy Stage 4 (R123, 2011) Archived 13 July 2014 at the Wayback Machine at [5.6].
  28. ^ Privacy Act 1993, ss 61 and 69(2) in Steven Penk and Rosemary Tobin Privacy Law in New Zealand at 63.
  29. ^ Privacy Act 1993, s 66(1) in New Zealand Law Commission Review of the Privacy Act 1993: Review of the Law of Privacy Stage 4 Archived 13 July 2014 at the Wayback Machine at [6.3].
  30. ^ Privacy Act 1993, s 66(2) in New Zealand Law Commission Review of the Privacy Act 1993: Review of the Law of Privacy Stage 4 Archived 13 July 2014 at the Wayback Machine at [6.3].
  31. ^ Ursula Cheer and John Burrows Media Law in New Zealand at 375.
  32. ^ Office of the Privacy Commissioner Your Privacy: How to Complain. Retrieved 2 May 2014.
  33. ^ Privacy Commissioner's Annual Report 2013 – A Year of Rapid Change at 24.
  34. ^ Privacy Act 1993, s 77(2) in New Zealand Law Commission Review of the Privacy Act 1993: Review of the Law of Privacy Stage 4 Archived 13 July 2014 at the Wayback Machine at [6.7].
  35. ^ Privacy Act 1993, ss 77(3) and 82 in New Zealand Law Commission Review of the Privacy Act 1993: Review of the Law of Privacy Stage 4 Archived 13 July 2014 at the Wayback Machine at [6.9].
  36. ^ Privacy Act 1993, ss 85(1) and 88(1); Human Rights Act 1993, s 92Q; District Courts Act 1947, s 29 in New Zealand Law Commission Review of the Privacy Act 1993: Review of the Law of Privacy Stage 4 Archived 13 July 2014 at the Wayback Machine at [6.16].
  37. ^ Human Rights Act 1993, ss 92R – W.
  38. ^ Steven Penk and Rosemary Tobin Privacy Law in New Zealand at 77.
  39. ^ Privacy Act 1993, ss 11(2) and 62 in New Zealand Law Commission Review of the Privacy Act 1993: Review of the Law of Privacy Stage 4 Archived 13 July 2014 at the Wayback Machine at [6.2].
  40. ^ A v Hunt (Contempt) [2006] NZAR 577 at [62].
  41. ^ Office of the Privacy Commissioner Privacy Act & Codes" Codes of Practice. Retrieved 2 May 2014.
  42. ^ Privacy Act 1993, s 50 in New Zealand Law Commission Review of the Privacy Act 1993: Review of the Law of Privacy Stage 4 Archived 13 July 2014 at the Wayback Machine at [5.56].
  43. ^ Office of the Privacy Commissioner Privacy Act & Codes" Codes of Practice. Retrieved 2 May 2014.
  44. ^ "Global Privacy Assembly". Retrieved 14 June 2021.
  45. ^ APEC Cooperation Arrangement for Cross-Border Privacy Enforcement Summary Statement of Privacy Enforcement Authority enforcement practices, policies and activities at 1.
  46. ^ Office of the Privacy Commissioner About Us: International.. Retrieved 2 May 2014.
  47. ^ Privacy Commissioner's Annual Report 2013 – A Year of Rapid Change at 17.
  48. ^ Privacy Commissioner's Annual Report 2013 – A Year of Rapid Change at 18; European Commission Implementation Decision C(2012)9557 (19 December 2012) at [10].
  49. ^ European Commission Implementation Decision C(2012)9557 (19 December 2012) at [10].