New Zealand Privacy Bill Would Add Authorization and Data Breach Notification Requirements

As a proposed Privacy Bill works its way through the New Zealand Parliament, key changes aim to strengthen the protection of confidential and personal information. The Bill is intended to replace prior law on the topic, modernizing privacy regulations and partially adopting provisions included in the European General Data Protection Regulation (GDPR).1

Among other amendments to the Bill, the Privacy Commissioner2 will have increased enforcement powers, including the ability to issue compliance notices to organizations—including private employers—to take specific steps to comply with privacy law, and the ability to approve or deny requests for access to personal information.

Mandatory Notification Requirements in the Event of a Privacy Breach

One of the most significant changes that the Bill proposes to introduce is a mandatory requirement to notify both the New Zealand Privacy Commissioner and the affected individual of a privacy breach.

Under clause 118 of the Bill, an entity would be obligated to notify the Commissioner as soon as practicable after becoming aware that a notifiable privacy breach has occurred. Notifiable privacy breach means: (i) unauthorised or accidental access to, or disclosure, alteration, loss, or destruction of, the personal information; or (ii) an action that prevents the entity from accessing the information on either a temporary or permanent basis. The Privacy Commissioner would not take action immediately once the breach has been reported. But, in certain situations, there can be an informal engagement to seek assurance that the breach will be contained, which might involve an investigation or issuance of a compliance notice.

As proposed, if a breach has a risk of causing real harm, then the entity must notify the affected individuals or give a public notification. Harm is defined in the Privacy Bill3 as including loss, damage, detriment, adverse effects on rights, benefits, privileges etc. and significant humiliation, loss of dignity or injury to feelings. If an individual is directly affected by the breach, they could also lodge a complaint about the privacy interference under clause 119 of the Bill. When an entity fails to notify the individual of the breach, the individual has a private right to take action, which could require the entity to pay a fine not exceeding NZD 10,000 to the Commissioner. Damages may be awarded by the Human Rights Tribunal for any interference with an individual’s privacy.

The Privacy Bill intends to replicate some of the GDPR’s substantive reporting requirements. For example, under the Bill, the entity would need to share specific information with the Privacy Commissioner. In the event of a breach, the entity would be required to:

  • Describe the notifiable breach, including: (1) the number of affected individuals (if known); and (2) the identity of any person or body the entity suspects may be in possession of personal information as a result of the privacy breach (if known).
  • Explain the steps that the entity has taken or intends to take in response to the privacy breach, including whether any affected individual has been or will be contacted; and the names of any other organizations that the entity has contacted about the breach and the reasons for that contact.
  • Give the details of a contact person within the entity for inquiries.

Transfer of Information

If adopted, the Bill would also bring New Zealand in line with the GDPR in another respect. As part of the Information Privacy Principles under the Privacy Act, the proposed Bill includes obligations on entities to secure authorization from individuals before their personal information can be sent outside of New Zealand to countries with comparable privacy laws. The individual must authorise the overseas transfer of their personal information by explicitly giving their consent. The Privacy Bill further recommends that entities inform individuals of the risks associated with transferring their personal information before obtaining that consent.

In light of ongoing legislative developments regarding the Privacy Bill, we suggest that employers consider how to ensure the security of personal information in their possession and be aware of their privacy obligations. New policies may be necessary to account for the upcoming changes. We will continue to monitor the Bill’s progress; at this point, the Privacy Bill is expected to come into effect (in some form) in July 2019.

Footnotes

1 The text of the Privacy Bill is available here.

2 The office of the Privacy Commissioner is an independent Crown entity set up in 1993 that “works to develop and promote a culture in which personal information is protected and respected.” John Edwards is the current Privacy Commissioner.

3 Privacy Bill § 75(2)(b).

Information contained in this publication is intended for informational purposes only and does not constitute legal advice or opinion, nor is it a substitute for the professional judgment of an attorney.