Supriya Ghosh (Editor)

Privacy Commissioner (New Zealand)

Updated on
Edit
Like
Comment
Share on FacebookTweet on TwitterShare on LinkedInShare on Reddit
Formed
  
1993

Website
  
www.privacy.org.nz

Key document
  
Privacy Act 1993

Privacy Commissioner (New Zealand)

Agency executive
  
John Edwards, Privacy Commissioner

The Office of the New Zealand Privacy Commissioner was established to administer the Privacy Act 1993. The Privacy Commissioner is entrusted to protect personal information of New Zealanders in accordance with the Privacy Act.

Contents

The Privacy Commissioner oversees personal information held by agencies in both the public and private sectors. This is achieved through monitoring compliance with the twelve Information Privacy Principles and four Public Register Privacy Principles established under the Privacy Act. Amid his varied responsibilities, the Commissioner administers a complaint system and issues Codes of Practice or rules for particular industries, contexts and sectors. Most cases involve investigation, conciliation and settlement. Serious breaches are referred to the Human Rights Review Tribunal. The Commissioner inherently considers international obligations and worldwide developments in privacy protection.

The New Zealand Law Commission have made a number of recommendations to alter the functions, roles and powers of the Commissioner.

History

The now repealed Privacy Commissioner Act 1991 established the role of the Privacy Commissioner. The Commissioner had a principal role in the development of the Privacy Bill 1993, which passed into law as the Privacy Act 1993 and established the revised Office of the Privacy Commissioner.

Past privacy commissioners

The Office of Privacy Commissioner has been held by:

  • Bruce Slane, KNZM CBE (1993 – 2003)
  • Marie Shroff, CNZM CVO (2003 – February 2014)
  • John Edwards (17 February 2014 – )

    • Privacy Act 1993

    The Privacy Act 1993 is primarily concerned with information privacy; other aspects of privacy are protected by the common law right to privacy in New Zealand. The Act controls the collection, use, disclosure, storage and granting of access to personal information by agencies. Personal information covers any information about an identifiable natural person.

    The Privacy Act was enacted in an era of heightened national awareness for human rights, and sits alongside the New Zealand Bill of Rights Act 1990 and the Human Rights Act 1993. The Privacy Act similarly addressed international concerns, acknowledging privacy obligations under the Universal Declaration of Human Rights, and the International Covenant on Civil and Political Rights.

    The Privacy Act extended protection to “any person or body of persons whether corporate and unincorporate,” in both the public and private sectors. Inclusion of the private sector was considered revolutionary. The Commissioner thus oversees government departments, companies, religious organisations, and schools. Some limited exemptions to the Privacy Act exist: the sovereign, the House of Representatives, courts and tribunals acting in judicial capacity, news medium activities, and individuals holding personal information for private use.

    The Information Privacy Principles (IPPs), monitored by the Commissioner, are based on guidelines established by the Organisation for Economic Co-operation and Development (OECD) in 1980. The IPPs cover:

  • Collection of personal information (principles 1 – 4);
  • Storage and security of personal information (principle 5);
  • Requests for access to and correction of personal information (principles 6 – 7);
  • Accuracy of personal information (principle 8);
  • Retention of personal information (principle 9);
  • Use and disclosure of personal information (principles 10 – 11); and
  • Using unique identifiers (principle 12).

    • In ANZ National Bank Ltd v Tower Insurance, the High Court held the privacy principles require that personal information can only collected be for “a lawful purpose and is necessary for that purpose.” The principles do not outline their practical application, giving the Commissioner flexibility to deal with varying fact situations as they arise.

    The four Public Register Privacy Principles (PRPPs) cover any “register, roll, list or other document” held by governmental or quasi-governmental agencies under Schedule 2 of the Privacy Act, to which the public has statutory rights of access. The PRPPs restrict the use of information compulsorily supplied from the public register.

    In exceptional circumstances, when the Privacy Commissioner is satisfied the public interest outweighs privacy protection, agencies can be authorised to use personal information in a manner that would usually breach the IPPs or other provisions under the Act.

    Roles, functions and powers

    The Office of the Privacy Commissioner is an Independent Crown Entity, funded by the state but acting independently of government or Ministerial control. In addition to monitoring compliance with the IPPs and PRPPs, the Commissioner’s roles are extensively outlined in Section 13 of the Privacy Act. The central focus is to better protect the privacy of individuals, and includes:

  • Legislation and policy; reporting to the Prime Minister on “legislative, administrative, or other action,” and examining proposed legislation involving the collection or disclosure of personal information;
  • Compliance; auditing personal information held by agencies, investigating and reporting on complaints, and inquiring into possible infringements;
  • Education and awareness; a user-friendly website, training workshops, and monitoring developments in data processing technologies;
  • Monitoring government information matching programmes;
  • Issuing Codes of Practice; which modify the privacy principles for different industries;
  • Liaison and development with international counterparts; especially in the Asia-Pacific region; and
  • Undertaking any other function, power or duty; conferred by the Privacy Act or any other enactment.

    • Functions listed elsewhere in the Act include consultation with the Ombudsman, Health and Disability Commissioner and the Inspector General of Intelligence and Security, and publishing personal information directories. The Commissioner is conferred functions in several other enactments, which can be categorised as:

  • Complaints investigation;
  • Scrutiny or approval of information disclosure arrangements;
  • Consultation with other agencies;
  • Codes of Practice;
  • Information matching;and
  • Advice on privacy impact assessments.

    • The Commissioner must deliver an annual report on his roles, powers and functions. Examples from the 2012/2013 report include contributions to the GCSB Amendment Act 2013, Privacy Amendment Act 2013 and the Social Security (Benefit Categories and Work Focus) Amendment Act 2013, nationwide workshops for government agencies addressing major data breaches, primary school resources, and media releases on topics including cloud computing and identity. Media releases in 2014 provided an advisory note to agencies on the Heartbleed virus, and a report criticising Veda Advantage’s charge rate for urgent information requests.

    Complaints and decisions

    The Privacy Commissioner can investigate potential breaches of the IPPs, PRPPs, or other Privacy Act provisions, on his or her own initiative or on receipt of a complaint. The onus is on the complainant to establish that an agency’s action both breached a privacy principle and caused harm. Harm can include financial loss, adverse effect on rights or interests, or a significant injury to feelings. Breaches of principles 6 and 7, the refusal to grant access to or allow correction of information, need not establish harm as these situations are considered interferences per se. The Commissioner can decide to take no action based on issues of time, triviality, bad faith, or if another course of action is more appropriate.

    Should the Commissioner decide to pursue a complaint, his role is both investigatory and conciliatory. With this mediation rather than litigation focus, the Commissioner can call “compulsory mediation conferences,"and seek a resolution agreement and assurance of non-recurrence. The Office aims to settle 30 percent of cases annually. Both parties to a complaint must be informed of the commencement of proceedings and the result of an investigation. The Commissioner has no power to force compensation payments from an agency, dismiss an employee or prosecute anyone.

    In the 2011/2012 year, the Commissioner received 1,142 complaints, 1,026 of which were closed. In the 2012/2013 year there were substantially fewer, 824, complaints. Of the 896 cases closed in 2012/2013, 36 percent were settled. Outcomes mostly included information being released or partly released, followed by the giving of assurances, an apology, a change of policy, correction of information, and monetary payment. The majority of complaints involved a breach of the IPPs, ahead of the Health Information Privacy Code. The actions of government agencies, including education providers and local authorities, trigger most complaints, followed by health sector agencies.

    Where settlement is unobtainable or an agency repeatedly contravenes prior assurances, the Commissioner may refer the complaint to the Director of Human Rights Proceedings. The Director has the discretion to determine whether the Human Rights Review Tribunal should institute proceedings. Aggrieved individuals may also self-refer proceedings before this body.If satisfied of privacy interference, the Tribunal may issue a declaration, grant orders restraining repeated interference or requiring specific acts be performed, award compensatory damages up to $200,000 NZD, or give another appropriate remedy. Where the powers of the Tribunal are exceeded, remedial instructions may be referred to the High Court or extended remedial powers conferred on the Tribunal by written agreement between the parties. Case notes and Tribunal decisions are published on the Commissioner’s website.

    The Commissioner does not operate a system of binding precedent in the outcomes of his decisions, instead considering each case independently. The IPPs, except principle 6, and the PRPPs are not enforceable in a law court. The Privacy Act however does not preclude complainants from taking court action for a breach of the common law right to privacy where the Commissioner has dealt with a statutory complaint on the same issue.

    Codes of Practice

    As the IPPs are generally worded, the Commissioner may issue more specific Codes of Practice for different “industries, agencies activities or types of personal information.” The codes modify the application of the Privacy Act, including less or more stringent rules than contained in the privacy principles, as is appropriate. Extensive advertisement, consultation and invitation for submissions are stipulations. Codes must be approved as delegated legislation by the House of Representatives. Thereafter the codes become enforceable under the Act and the same complaints process applies. Further remedies may be available for breaches of legislation related to a particular industry. The Privacy Commissioner commends the codes as a flexible means of regulation, more readily capable of amendment or revocation than legislative provisions. Current Codes of Practice include the Health Information Privacy Code, Telecommunications Information Privacy Code and the Credit Reporting Privacy Code. In 2013 the Civil Defence National Emergencies (Information Sharing) Code was created.

    International

    New Zealand’s Privacy Commissioner participates internationally to promote global co-ordination in privacy protection. Such forums include the International Conference of Data Protection Commissioners, APEC’s Cross Border Privacy Arrangement, and the Global Privacy Enforcement Network. The Commissioner’s Annual Report 2013 emphasised the need for cross-border protection given the accessibility of private information online.

    In December 2012, New Zealand gained international approval for its privacy protection from the European Commission. The Commission stated that the Privacy Act and common law “cover all the basic principles necessary for an adequate level of protection for natural persons, and also provide for exemptions and limitations in order to safeguard important public interests." The invaluable role of the Commissioner, commended for the position’s independence and adequate powers to protect individual privacy, was also noted.

    Looking ahead

    The Privacy Commissioner has an important role as a “privacy watchdog” in an information-rich society of ever-changing technologies. The Office of the Privacy Commissioner is anticipating reforms to New Zealand’s 20-year-old privacy legislation, as recently occurred Australia with changes to their privacy law. According to the Privacy Commission, reforms to privacy law would take account of developments in “technology, people, processes, and governance and assurance measures.” A number of changes have been recommended both by former Commissioners and the New Zealand Law Commission.

    In the first five-yearly review, Necessary and Desirable, Commissioner Bruce Slane set out 154 recommendations to reform the Privacy Act 1993.

    The Law Commission’s Review on Privacy proposed several substantive alterations to the roles, powers and functions of the Commissioner. These include:

  • Consolidating the roles and stating that the listed roles are not exhaustive;
  • Extending the Commissioner’s functions to monitoring the use of rapidly growing surveillance technology;
  • Implementing periodic reviews by an independent committee of privacy, law, and technological experts, appointed by the Minister of Justice;
  • Mandatorily allowing only a 6-month period for government response to periodic review recommendations; and
  • Necessitating Governor-General assent or refusal to Codes of Practice, given their legally binding force.

    • To date, these recommendations have not resulted in significant legislative reform to the Commissioner’s role.

    References

    Privacy Commissioner (New Zealand) Wikipedia
    (Text) CC BY-SA