
Government response to Law Commission report "Review of the Privacy Act 1993"

On 27 March 2012 the Government presented to the House of Representatives its response to the Law Commission report Review of the Privacy Act 1993.


Other Resources 

Questions and Answers - Government Response to Law Commission Report: Review of the Privacy Act (PDF)

Cabinet Minute and Paper - Government Response to Law Commission Report: Review of the Privacy Act (PDF)

Regulatory Impact Statement - Privacy Act Reform

More information about the Law Commission's review of privacy law

Introduction

The Government has considered the Law Commission's report Review of the Privacy Act 1993 (NZLC 123) presented to the House of Representatives on 2 August 2011 (the report) and responds to the report in accordance with Cabinet Office Circular CO (09) 1. 

Executive Summary

The Privacy Act 1993 (the Act) regulates what can be done with information about individuals.  The Law Commission has reviewed the Act in the context of a wider review of privacy laws in New Zealand and has made recommendations to the Government.  

The Government agrees with the Law Commission’s key recommendation to replace the Act with a new Act.  The Government also agrees with the Law Commission’s recommendation that a principles-based approach to the regulation of privacy should be retained.  The detail of the new Act and how that approach will be shaped, however, still needs to be worked through.  The Ministry of Justice will analyse the recommendations and report to the Government in September 2012. 

Background

Privacy Act 1993

The Act regulates what can be done with information about individuals and has wide-reaching implications – it applies to every “agency”, including Government, businesses, the voluntary sector and non-Government organisations (footnote 1).

The Act generally requires agencies to handle personal information in accordance with 12 information privacy principles.  The principles are designed to govern personal information at all points of its lifecycle, from its collection to destruction.  The principles are intended to be flexible enough to enable agencies to develop their own information-handling policies, tailored to the needs of the agency and its users or customers.

The Act is 20 years old, and concerns have been raised about its ongoing fitness for purpose.  Individuals, private sector and government agencies, and businesses that use the Act struggle to make it work in modern scenarios.  This encourages “workarounds” or the development of conflicting sector- or agency-specific regulatory schemes.


The Act requires updating to respond to:

  • a generational shift in technology;

  • public expectations about security of personal information; and

  • how business (government and private) is conducted today, both domestically and internationally.

Law Commission review of the Act

In 2006, the Government asked the Law Commission to conduct a review of privacy values, changes in technology, international trends and their implications for New Zealand civil, criminal and statute law.

The first three stages of the review produced 45 recommendations to the Government to reform the law relating to public registers and private surveillance activities.  The Government responded in August 2010 substantially agreeing to six recommendations and indicating that further consideration would be given to the remaining 39 recommendations in the course of future statutory reviews such as a Crimes Act review and after the Government has responded to the Law Commission’s report on the Act (footnote 2).

The final stage of this work was a review of the Act which culminated in the report.  The report makes a total of 149 recommendations (footnote 3) to consolidate and bolster the Act.


Government Response

The Government wishes to thank the Law Commission for the report and for its work throughout its comprehensive review of privacy law.

A new Privacy Act

The Law Commission recommends that a new Privacy Act, to replace the Act, be enacted (footnote 4).  The Law Commission also recommends that the new Act retain a principles-based approach to regulating privacy (footnote 5).  The Government agrees with these recommendations.

A new Privacy Act will improve the clarity, certainty, navigability and user-friendliness of the Act and will incorporate many of the changes recommended by the Law Commission, as well as additional proposals to strengthen the regime.  Retaining a principles-based approach to regulating privacy will ensure that the new Act retains flexibility and that New Zealand law remains in line with its primary trading partners.

In summary, a new Privacy Act will:

  • retain aspects of the Act that work well

  • make the Act easier to navigate and understand

  • decrease uncertainty for government, business, private sector agencies, and individuals

  • improve flexibility, and the ability to respond to ongoing technological advances

  • increase the efficiency and effectiveness of government and business privacy practices

  • maintain public confidence in the security of, and appropriate use of, personal information. 

Recommendations that the Government has already made progress on

Bills already introduced 

The Government responded to 12 of the Law Commission’s recommendations on Government information sharing when it introduced the Privacy (Information Sharing) Bill (footnote 6).

Once the Criminal Procedure Act 2011 comes into force it will implement the Law Commission’s recommendation (footnote 7) that the Criminal Disclosure Act 2009 refer to the Evidence Regulations 2007 rather than the repealed Evidence (Videotaping of Child Complainants) Regulations 1990.

Work plans for better guidance and privacy education 

Three recommendations (footnote 8) request minor changes to the Legislation Advisory Committee Guidelines on Process and Content of Legislation.  The Government has invited the Legislation Advisory Committee to review its Guidelines in the light of these recommendations.

Seventeen recommendations (footnote 9) request that Government agencies provide education or develop guidance on the Act to improve understanding of definitions, access requests, employee ‘browsing’ rules, unique identifiers, exceptions, exemptions, crime reporting, privacy by design, privacy enhancing technologies, capacity and disability issues and disclosure of information overseas.  The Government has invited the Privacy Commissioner to consult the Ministry of Justice and relevant partner agencies and submit a plan for developing the guidance and education material recommended by the Law Commission.  It is likely that most of the guidance and education material will need to be developed during and after the reform of the Act. 

Recommendations that the Government agrees to do further work on

There are 39 recommendations (footnote 10) that appear on their face to be sensible but may have unforeseen implications requiring further analysis.  These recommendations include:

  • a new purpose section for the Act;

  • enabling the Privacy Commissioner to determine access complaints;

  • introducing representative complaints;

  • adding new exceptions and accountabilities;

  • clarifying the relationship between the Act and other legislation;

  • ensuring that age and cultural characteristics factor into the Privacy Commissioner’s decision-making; and

  • removing ambiguity and redundant provisions, filling unintended loopholes, correcting errors in the Act, and improving clarity and navigability.

The Government has directed the Ministry of Justice to analyse the implications of these recommendations and to report back to the Government in September 2012.

Recommendations that need further analysis before a Government view is possible

There are 55 recommendations (footnote 11) that require further investigation before the Government is able to form a view.  Most of these recommendations are to make significant changes to the Act, will have regulatory implications that are more than minor, and will have flow-on effects that need to be carefully analysed.  These recommendations include proposals to:

  • create new information privacy principles and exceptions;

  • bring new agencies under the Act;

  • enhance the Privacy Commissioner’s enforcement powers;

  • introduce compulsory data breach notification; and

  • clarify and enhance how the Act operates on information transferred and held overseas.

Recommendations that will be considered later

There are 17 recommendations that it is more appropriate for the Government to respond to in the context of other work.

Seven recommendations (footnote 12) relate to accessing and disclosing personal information and are best dealt with when the Government responds to the Law Commission’s report on the Official Information Act 1982.  The access and withholding provisions in the Act are based on and mirror the Official Information Act.  Amending the Act before the review of the Official Information Act is complete may lead to temporary uncertainty and cost.  The Law Commission is expected to publish its report on the Official Information Act in the first half of 2012.

Two recommendations (footnote 13) relate to the exemption of the news media from the Act and are best dealt with when the Government responds to the Law Commission’s report reviewing regulatory gaps and the new media.  That report is likely to consider what counts as “news media” in a world where “news” is quickly and easily produced online to a massive audience.  An issues paper has been published and submissions are sought until March 2012.

One recommendation (footnote 14) relates to public registers.  The Government has previously announced that it will deal with the Law Commission’s recommendations on public registers after policy decisions on the Act are made.

Seven recommendations (footnote 15) would strengthen and clarify the information matching provisions of the Act and are best considered after the Privacy (Information Sharing) Bill has been passed and has had time to “bed-in”.  A high degree of uptake on information sharing agreements may make the information matching provisions redundant.  The timing of any work to amend or repeal the information matching provisions will be considered as the Government updates its regulatory review programme.

Recommendations that no further work will be done on

There are two recommendations (footnote 16) that the Government will not do any further work on.  These recommendations would create a power for the Privacy Commissioner to report on surveillance activities, and instigate a review of the handling of health information.

These recommendations do not appear to address any identifiable problem or issue, are likely to cause confusion, or add administrative burden without clear benefits.

Next steps for privacy reform

The Government will:

  • seek to progress the Privacy (Information Sharing) Bill in the House

  • request ongoing updates from the Privacy Commissioner and the Legislation Advisory Committee about their plans for better guidance and privacy education

  • receive reports from the Minister of Justice in September 2012 on the repeal and re-enactment of the Privacy Act, including:

    • the implications of implementing the Law Commission’s recommendations that require further work and additional analysis

    • additional proposals to strengthen the privacy regime

    • specific policy proposals for inclusion in a new Privacy Act.

  • consider the remaining recommendations made by the Law Commission in the context of the Law Commission’s Official Information Act 1982 and new media reviews, when considering the public registers, and after information sharing reforms have “bedded in”.

Footnotes

  1. Some agencies are excluded from the Act, including the House of Representatives, the Governor-General and the news media.

  2. http://www.justice.govt.nz/publications/global-publications/g/government-response-to-law-commission-report-invasion-of-privacy-penalties-and-remedies

  3. 146 of the recommendations are contained in the report Review of the Privacy Act 1993 (NZLC 123) (Recommendations 92 and 120 are each classified as two recommendations as they both have two distinct parts.  Recommendation 121 is not considered in this response as it is not a recommendation to the Government); two recommendations are contained in Invasion of Privacy: Penalties and Remedies (NZLC 113) (Recommendations 18 and 19); and one recommendation is contained in Public Registers (NZLC 101) (Recommendation 7).

  4. Recommendation 1

  5. Recommendation 2

  6. See recommendations 30, 31, 99, 130 and the eight recommendations in Appendix 1. See also http://www.justice.govt.nz/policy/constitutional-law-and-human-rights/human-rights/domestic-human-rights-protection/privacy-act-1993/privacy-information-sharing-bill/privacy-information-sharing-bill for the relevant Cabinet papers.

  7. Recommendation 91

  8. Recommendations 83, 84 and 92(b)

  9. Recommendations 4, 9, 15, 24, 34, 85, 92(a), 94, 95, 96, 98, 108, 113, 118, 120(b), 123 and 124

  10. Recommendations 3, 5, 6, 7, 8, 13, 14, 18, 20, 26, 28, 40, 41, 44, 47, 48, 51, 56, 57, 58, 59, 60, 80, 81, 82, 97, 101, 107, 109, 117, 119, 120(a), 122, 126, 132 and 134.  Included in this group are three recommendations to retain the status quo: recommendations 54, 62 and recommendation 19 of the Invasion of Privacy: Penalties and Remedies report.

  11. Recommendations 10, 11, 12, 16, 17, 19, 25, 32, 33, 35, 36, 37, 42, 43, 45, 46, 49, 50, 52, 53, 55, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 87, 88, 89, 90, 102, 103, 104, 105, 106, 110, 111, 112, 114, 115, 116 and recommendation 7 of the Public Registers report.

  12. Recommendations 21, 22, 23, 27, 29, 86 and 93

  13. Recommendations 38 and 39

  14. Recommendation 100

  15. Recommendations 127, 128, 129, 131, 133, 135 and 136

  16. Recommendation 125 and recommendation 18 of the Invasion of Privacy: Penalties and Remedies report
