STOP PRESS! The Privacy Bill, which is to repeal and replace the Privacy Act 1993, is due back from Select Committee (Justice) on 13 March 2019. I had the honour of being part of the Privacy Foundation’s team submitting to the Justice Committee and my fingers are crossed that we are going to see some changes to the Bill which reflect international trends in data protection.

Don’t get me wrong. There are already many really good things in the Bill:

  • mandatory reporting of privacy breaches: unauthorised or accidental access to, or disclosure of, personal information that pose a risk of harm to people must be notified to the Privacy Commissioner and to affected individuals.

  • compliance notices: the Privacy Commissioner will be able to issue compliance notices that require an agency to do something, or stop doing something, in order to comply with privacy law. The Human Rights Review Tribunal will be able to enforce compliance notices and hear appeals.

  • strengthening cross-border data flow protections: New Zealand agencies will be required to take reasonable steps to ensure that personal information disclosed overseas will be subject to acceptable privacy standards. The Bill also clarifies the application of our law when a New Zealand agency engages an overseas service provider.

  • new criminal offences: it will be an offence to mislead an agency in a way that affects someone else’s information and to knowingly destroy documents containing personal information where a request has been made for it. The penalty is a fine not exceeding $10,000.

  • Privacy Commissioner making binding decisions on access requests: this reform will enable the Privacy Commissioner to make decisions on complaints relating to access to information, rather than the Human Rights Review Tribunal. The Commissioner’s decisions will be able to be appealed to the Human Rights Review Tribunal.

  • strengthening the Privacy Commissioner’s information gathering power: the Commissioner’s existing investigation power is strengthened by allowing the Commissioner to shorten the time frame within which an agency must comply, and increasing the penalty for non-compliance.

BUT, it would also be really good to see the Justice Committee address (amongst other things):

  • Issues of “big data”: predictive analytics from personal information data sets; identification from combining data sets, and access to metadata (data which provides information about personal information).

  • The right to be forgotten which allows individuals to erase electronic histories about them; and

  • The right to data portability which allows individuals to obtain and reuse their personal data for their own purposes across different services; and the right to be anonymous which allows individuals to transact online the same way they would as if they walked into a shop with minimal personal information collected.

Fingers crossed indeed!