The Government has announced that it will repealing the current Privacy Act, passed in 1993, and replacing it a new one, partly based on the the Law Commission's 2011 report.
Note that this will be a repeal and re-enactment rather than merely an amendment, so we can expect the changes to be significant.
The government's press release calls out the following changes:
- Mandatory reporting of data breaches to the Privacy Commissioner and in some cases directly to the people affected.
- New offence of impersonation and existing fines increased.
- Privacy Commissioner to be given more power including the ability to issue compliance notices.
- Technical changes to make the law easier to understand along with a requirement for the Office of the Privacy Commissioner to issue more advice and guidance notes.
The accompanying Q&A document (PDF) contains more information about these changes. It also adds that there will be new guidelines and responsibilities about storing and processing data overseas.
The most interesting section is about data sharing. It references the changes made in 2013 to allow more data sharing and includes the line: "The reforms will also allow government and businesses to efficiently and effectively use information to deliver services and grow the economy."
This seems to imply a significant rebalancing of some of the principles in the Act to allow further data sharing without explicit permission from the people who that data is about.
The NZ Data Futures Forum recently held a breakfast meeting in Wellington where they seemed confident that, as they put it in their discussion paper, "An approach based principally on data ownership will become increasingly unworkable". This is because "informing people about data collection may not always be possible in the new environment" and "it is impossible to ask for consent for unanticapated innovative data uses at the time data is collected".
In other words, we won't be able to do whatever we want with the data if we have to ask people's permission before we collect it (Privacy Act principles 2, 3 & 4) and before we use it for purposes other than what we collected it for (Privacy Act principle 10).
Overall these changes to the Privacy Act look very good. We think it's great that the Privacy Commissioner will receive these additional powers, that there will be more advice and guidance, that issues with overseas storage & processing of data will be clarified, and that there will be some form of mandatory data breach reporting.
However we are concerned that the changes to the Act may go beyond this. The intention to repeal and re-enact indicates that we can expect major changes and we wonder just how far these will go in rewriting the principles to make data sharing easier for business and government. It would be sad if the Privacy Act finally got some teeth at the point that the principles that guide it are watered down.
We look forward to being involved in the consultation process and will be reviewing the bill when it is released.