Privacy Commissioner (New Zealand)

Privacy Commissioner
Te Mana Matapono Matatapu
Agency overview
Formed 1993
Agency executive
  • Michael Webster, Privacy Commissioner
Key document
  • The Privacy Act 2020
Website www.privacy.org.nz

The Office of the Privacy Commissioner (New Zealand) administers the Privacy Act 2020. [1] The Privacy Commissioner is entrusted to protect the personal information of New Zealanders in accordance with the Privacy Act. The current Privacy Commissioner, Michael Webster, began his role in July 2022.

The Privacy Commissioner oversees personal information held by agencies in both the public and private sectors. [2] This is achieved through monitoring compliance with the 13 Information Privacy Principles. Amid his varied responsibilities, the Commissioner administers a complaint system and issues Codes of Practice or rules for particular industries, contexts and sectors. [3] Most cases involve investigation, conciliation and settlement. [4] Serious breaches are referred to the Human Rights Review Tribunal. [5] The Commissioner inherently considers international obligations and worldwide developments in privacy protection.

History

The now repealed Privacy Commissioner Act 1991 established the role of the Privacy Commissioner. The Commissioner had a principal role in the development of the Privacy Bill 1993, which passed into law as the Privacy Act 1993 and established the revised Office of the Privacy Commissioner. [6]

In March 2018, the Privacy Bill was introduced to Parliament. The Bill was passed by New Zealand Parliament in June 2020 and the Privacy Act 2020 came into law on 1 December 2020. The Privacy Act 2020 significantly updates the 1993 Act. Many of the changes are based on recommendations from the New Zealand Law Commission's 2011 review of New Zealand's privacy laws.

List of privacy commissioners

The Office of Privacy Commissioner has been held by: [7]

Privacy Act 2020

The Privacy Act 2020 is primarily concerned with information privacy; other aspects of privacy are protected by the common law right to privacy in New Zealand. The Act controls the collection, use, disclosure, storage and granting of access to personal information by agencies. [11] Personal information covers any information about an identifiable natural person. [12]

The key changes in the Privacy Act 2020 include:

The Privacy Act was originally enacted in 1993 in an era of heightened national awareness for human rights, and sits alongside the New Zealand Bill of Rights Act 1990 and the Human Rights Act 1993. The Privacy Act similarly addressed international concerns, [13] acknowledging privacy obligations under the Universal Declaration of Human Rights, [14] and the International Covenant on Civil and Political Rights. [15]

The Privacy Act extended protection to "any person or body of persons whether corporate and unincorporate," in both the public and private sectors. [16] Inclusion of the private sector was considered revolutionary. The Commissioner thus oversees government departments, companies, religious organisations, and schools. [17] Some limited exemptions to the Privacy Act exist: the sovereign, the House of Representatives, courts and tribunals acting in judicial capacity, news media activities, and individuals holding personal information for private use. [18]

The Information Privacy Principles (IPPs), monitored by the Commissioner, are based on guidelines established by the Organisation for Economic Co-operation and Development (OECD) in 1980. [19] The IPPs cover: [20]

In ANZ National Bank Ltd v Tower Insurance, the High Court held the privacy principles require that personal information can only be collected for "a lawful purpose and is necessary for that purpose." [21] The principles do not outline their practical application, giving the Commissioner flexibility to deal with varying fact situations as they arise. [22]

In exceptional circumstances, when the Privacy Commissioner is satisfied the public interest outweighs privacy protection, agencies can be authorised to use personal information in a manner that would usually breach the IPPs or other provisions under the Act. [23]

Roles, functions and powers

The Office of the Privacy Commissioner is an independent Crown entity, funded by the state but acting independently of government or Ministerial control. [24] In addition to monitoring compliance with the IPPs and PRPPs, the Commissioner's roles are extensively outlined in Section 13 of the Privacy Act. The central focus is to better protect the privacy of individuals, and includes: [25]

Functions listed elsewhere in the Act include consultation with the Ombudsman, Health and Disability Commissioner and the Inspector General of Intelligence and Security, and publishing personal information directories. [26] The Commissioner is conferred functions in several other enactments, which can be categorised as: [27]

Complaints and decisions

The Privacy Commissioner can investigate potential breaches of the IPPs, PRPPs, or other Privacy Act provisions, on his or her own initiative or on receipt of a complaint. [28] The onus is on the complainant to establish that an agency's action both breached a privacy principle and caused harm. [29] Harm can include financial loss, adverse effect on rights or interests, or a significant injury to feelings. Breaches of principles 6 and 7, the refusal to grant access to or allow correction of information, need not establish harm as these situations are considered interferences per se. [30] The Commissioner can decide to take no action based on issues of time, triviality, bad faith, or if another course of action is more appropriate.

Should the Commissioner decide to pursue a complaint, his role is both investigatory and conciliatory. With this mediation rather than litigation focus, the Commissioner can call "compulsory mediation conferences," and seek a resolution agreement and assurance of non-recurrence. [31] Both parties to a complaint must be informed of the commencement of proceedings and the result of an investigation. The Commissioner has no power to force compensation payments from an agency, dismiss an employee or prosecute anyone. [32]

In the 2019/2020 year, the Commissioner closed 769 investigation files. Outcomes mostly included information being released or partly released, followed by the giving of assurances, an apology, a change of policy, correction of information, and monetary payment. The majority of complaints involved a breach of the IPPs, ahead of the Health Information Privacy Code. [33] The actions of government agencies, including education providers and local authorities, trigger most complaints, followed by health sector agencies.

Where settlement is unobtainable or an agency repeatedly contravenes prior assurances, the Commissioner may refer the complaint to the Director of Human Rights Proceedings. [34] The Director has the discretion to determine whether the Human Rights Review Tribunal should institute proceedings. [35] Aggrieved individuals may also self-refer proceedings before this body. If satisfied of privacy interference, the Tribunal may issue a declaration, grant orders restraining repeated interference or requiring specific acts be performed, award compensatory damages up to $350,000 NZD, or give another appropriate remedy. [36] Where the powers of the Tribunal are exceeded, remedial instructions may be referred to the High Court or extended remedial powers conferred on the Tribunal by written agreement between the parties. [37] Case notes and Tribunal decisions are published on the Commissioner's website.

The Commissioner does not operate a system of binding precedent in the outcomes of his decisions, instead considering each case independently. [38] The IPPs, except principle 6, and the PRPPs are not enforceable in a law court. [39] The Privacy Act however does not preclude complainants from taking court action for a breach of the common law right to privacy where the Commissioner has dealt with a statutory complaint on the same issue. [40]

Codes of Practice

As the IPPs are generally worded, the Commissioner may issue more specific Codes of Practice for different "industries, agencies activities or types of personal information." [41] The codes modify the application of the Privacy Act, including less or more stringent rules than contained in the privacy principles, as is appropriate. Extensive advertisement, consultation and invitation for submissions are stipulations. Codes must be approved as delegated legislation by the House of Representatives. [42] Thereafter the codes become enforceable under the Act and the same complaints process applies. Further remedies may be available for breaches of legislation related to a particular industry. The Privacy Commissioner commends the codes as a flexible means of regulation, more readily capable of amendment or revocation than legislative provisions. [43] The current Codes of Practice include:

International

New Zealand's Privacy Commissioner participates internationally to promote global co-ordination in privacy protection. Such forums include the Global Privacy Assembly, [44] APEC's Cross Border Privacy Arrangement, [45] and the Global Privacy Enforcement Network. [46] The Commissioner's Annual Report 2013 emphasised the need for cross-border protection given the accessibility of private information online. [47]

In December 2012, New Zealand gained international approval for its privacy protection from the European Commission. The Commission stated that the Privacy Act and common law "cover all the basic principles necessary for an adequate level of protection for natural persons, and also provide for exemptions and limitations to safeguard important public interests." [48] The invaluable role of the Commissioner, commended for the position's independence and adequate powers to protect individual privacy, was also noted. [49]

Related Research Articles

The right to privacy is an element of various legal traditions that intends to restrain governmental and private actions that threaten the privacy of individuals. Over 185 national constitutions mention the right to privacy. On December 10, 1948, the United Nations General Assembly adopted the Universal Declaration of Human Rights (UDHR), originally written to guarantee individual rights of everyone everywhere; while the right to privacy does not appear in the document, many interpret this through Article 12, which states: "No one shall be subjected to arbitrary interference with their privacy, family, home or correspondence, nor to attacks upon his honor and reputation. Everyone has the right to the protection of the law against such interference or attacks."

Information Commissioner's Office: Non-departmental public body

The Information Commissioner's Office (ICO) is a non-departmental public body which reports directly to the Parliament of the United Kingdom and is sponsored by the Department for Science, Innovation and Technology. It is the independent regulatory office dealing with the Data Protection Act 2018 and the General Data Protection Regulation, the Privacy and Electronic Communications Regulations 2003 across the UK; and the Freedom of Information Act 2000 and the Environmental Information Regulations 2004 in England, Wales and Northern Ireland and, to a limited extent, in Scotland. When they audit an organisation they use Symbiant's audit software.

Personal Information Protection and Electronic Documents Act: 2000 Canadian law

The Personal Information Protection and Electronic Documents Act is a Canadian law relating to data privacy. It governs how private sector organizations collect, use and disclose personal information in the course of commercial business. In addition, the Act contains various provisions to facilitate the use of electronic documents. PIPEDA became law on 13 April 2000 to promote consumer trust in electronic commerce. The act was also intended to reassure the European Union that the Canadian privacy law was adequate to protect the personal information of European citizens. In accordance with section 29 of PIPEDA, Part I of the Act must be reviewed by Parliament every five years. The first Parliamentary review occurred in 2007.

A privacy policy is a statement or legal document that discloses some or all of the ways a party gathers, uses, discloses, and manages a customer or client's data. Personal information can be anything that can be used to identify an individual, not limited to the person's name, address, date of birth, marital status, contact information, ID issue, and expiry date, financial records, credit information, medical history, where one travels, and intentions to acquire goods and services. In the case of a business, it is often a statement that declares a party's policy on how it collects, stores, and releases personal information it collects. It informs the client what specific information is collected, and whether it is kept confidential, shared with partners, or sold to other firms or enterprises. Privacy policies typically represent a broader, more generalized treatment, as opposed to data use statements, which tend to be more detailed and specific.

Personal data, also known as personal information or personally identifiable information (PII), is any information related to an identifiable person.

Information privacy, data privacy or data protection laws provide a legal framework on how to obtain, use and store data of natural persons. The various laws around the world describe the rights of natural persons to control who is using their data. This usually includes the right to get details on which data is stored and for what purpose, and to request its deletion where the purpose no longer applies.

Privacy Act 1988: Act of the Parliament of Australia

The Privacy Act 1988 is an Australian law dealing with privacy. Section 14 of the Act stipulates a number of privacy rights known as the Australian Privacy Principles (APPs). These principles apply to Australian Government and Australian Capital Territory agencies or private sector organizations contracted to these governments, organizations and small businesses who provide a health service, as well as to private organisations with an annual turnover exceeding AUD$3M. The principles govern when and how personal information can be collected by these entities. Information can only be collected if it is relevant to the agencies' functions. Upon this collection, that law mandates that Australians have the right to know why information about them is being acquired and who will see the information. Those in charge of storing the information have obligations to ensure such information is neither lost nor exploited. An Australian will also have the right to access the information unless this is specifically prohibited by law.

Privacy Act (Canada): Canadian federal legislation (1983)

The Privacy Act is the federal information-privacy legislation of Canada that came into effect on July 1, 1983. Administered by the Privacy Commissioner of Canada, the Act sets out rules for how institutions of the Government of Canada collect, use, disclose, retain, and dispose of personal information of individuals.

Privacy law is a set of regulations that govern the collection, storage, and utilization of personal information from healthcare, governments, companies, public or private entities, or individuals.

Canadian privacy law: Privacy law in Canada

Canadian privacy law is derived from the common law, statutes of the Parliament of Canada and the various provincial legislatures, and the Canadian Charter of Rights and Freedoms. Perhaps ironically, Canada's legal conceptualization of privacy, along with most modern legal Western conceptions of privacy, can be traced back to Warren and Brandeis’s "The Right to Privacy", published in the Harvard Law Review in 1890. Holvast states: "Almost all authors on privacy start the discussion with the famous article 'The Right to Privacy' of Samuel Warren and Louis Brandeis".

Ombudsmen in Australia are independent agencies who assist when a dispute arises between individuals and industry bodies or government agencies. Government ombudsman services are free to the public, like many other ombudsman and dispute resolution services, and are a means of resolving disputes outside of the court systems. Australia has an ombudsman assigned for each state; as well as an ombudsman for the Commonwealth of Australia. As laws differ between states just one process, or policy, cannot be used across the Commonwealth. All government bodies are within the jurisdiction of the ombudsman.

The Health And Disability Commissioner is a New Zealand Crown entity responsible for promoting and protecting the rights of health and disability services consumers, and facilitating the fair, simple, speedy, and efficient resolution of complaints.

There is no absolute right to privacy in Australian law and there is no clearly recognised tort of invasion of privacy or similar remedy available to people who feel their privacy has been violated. Privacy is, however, affected and protected in limited ways by common law in Australia and a range of federal, state and territorial laws, as well as administrative arrangements.

New Zealand is committed to the Universal Declaration of Human Rights and has ratified the International Covenant on Civil and Political Rights, both of which contain a right to privacy. Privacy law in New Zealand is dealt with by statute and the common law. The Privacy Act 2020 addresses the collection, storage and handling of information. A general right to privacy has otherwise been created in the tort of privacy. Such a right was recognised in Hosking v Runting [2003] 3 NZLR 385, a case that dealt with publication of private facts. In the subsequent case C v Holland [2012] NZHC 2155 the Court recognised a right to privacy in the sense of seclusion or a right to be free from unwanted intrusion. For a useful summary see: court-recognises-intrusion-on-seclusion-privacy-tort-hugh-tomlinson-qc/

The Human Rights Review Tribunal is a statutorily established institution fundamental to the application, determination and upholding of human rights in New Zealand. The tribunal is established under the New Zealand Human Rights Act 1993. The Human Rights Review Tribunal is one of two key human rights bodies in New Zealand and provides the mechanism for adjudication and resolution of human rights issues. The jurisdiction of the tribunal extends to cover matters from domestic human rights law, principles given in the Privacy Act 1993 and the Health and Disability Commissioner Act 1994. Complaints may be brought by the Director of Human Rights or, where it is deemed not appropriate to do so, a citizen may proceed with a claim at their own cost. The tribunal has the power to grant a wide range of remedies and, in making a determination, is not required to give effect to technicalities but rather to the substantial merits of the case. The Human Rights Review Tribunal also holds special status within the array of tribunals in New Zealand's domestic legal system, with a far more significant legal jurisdiction than other inter partes tribunals. This special status reflects the fact that decisions of the tribunal can have substantial political and societal implications.

The Office of the Australian Information Commissioner (OAIC), known until 2010 as the Office of the Australian Privacy Commissioner, is an independent Australian Government agency, acting as the national data protection authority for Australia, established under the Australian Information Commissioner Act 2010 and headed by the Australian Information Commissioner.

Mass surveillance in the United Kingdom: Overview of mass surveillance in the United Kingdom

The use of electronic surveillance by the United Kingdom grew from the development of signal intelligence and pioneering code breaking during World War II. In the post-war period, the Government Communications Headquarters (GCHQ) was formed and participated in programmes such as the Five Eyes collaboration of English-speaking nations. This focused on intercepting electronic communications, with substantial increases in surveillance capabilities over time. A series of media reports in 2013 revealed bulk collection and surveillance capabilities, including collection and sharing collaborations between GCHQ and the United States' National Security Agency. These were commonly described by the media and civil liberties groups as mass surveillance. Similar capabilities exist in other countries, including western European countries.

The National Privacy Commission, or NPC, is an independent body created under Republic Act No. 10173 or the Data Privacy Act of 2012, mandated to administer and implement the provisions of the Act, and to monitor and ensure compliance of the country with international standards set for data protection. It is attached to the Philippines' Department of Information and Communications Technology (DICT) for purposes of policy coordination, but remains independent in the performance of its functions. The Commission safeguards the fundamental human right of every individual to privacy, particularly Information privacy while ensuring the free flow of information for innovation, growth, and national development.

The authority for patient rights in New Zealand comes from the Health and Disability Commissioner Act 1994; the specific rules come from the Health and Disability Commissioner Regulations 1996. This code improves the quality of healthcare in New Zealand and ensures that there is a consistent expectation for all consumers.

Privacy Act 2020

The Privacy Act 2020 is an Act of Parliament in New Zealand which replaced the Privacy Act 1993. It gives more detail on digital privacy, including a requirement that businesses and organisations keep the personal information of customers, clients and employees safe. It also allows people to order that agencies give them access to information held about them, and it is illegal for those organisations to destroy information after a request has been made for access. Foreign firms in New Zealand must comply with the Act, and it covers sending information outside of New Zealand.

References

  1. Privacy Act 2020
  2. Privacy Act 1993, s 2(1)(a) in Steven Penk and Rosemary Tobin Privacy Law in New Zealand at 58.
  3. Privacy Act 1993, ss 13(1AA)(d) and s46(1) in New Zealand Law Commission Review of the Privacy Act 1993: Review of the Law of Privacy Stage 4 Archived 13 July 2014 at the Wayback Machine at [5.4].
  4. Steven Penk and Rosemary Tobin Privacy Law in New Zealand at 51.
  5. Privacy Act 1993, s 77 in New Zealand Law Commission Review of the Privacy Act 1993: Review of the Law of Privacy Stage 4 Archived 13 July 2014 at the Wayback Machine at [5.4].
  6. Privacy Act 1993, Long Title and s 12 in Steven Penk and Rosemary Tobin Privacy Law in New Zealand at 54.
  7. Office of the Privacy Commissioner About Us: Introduction. Retrieved 2 May 2014.
  8. "Privacy Commissioner John Edwards announced as preference to be UK information commissioner". Radio New Zealand. 26 August 2021. Retrieved 26 August 2021.
  9. "Who we are". www.privacy.org.nz. Retrieved 17 January 2022.
  10. Keall, Chris (8 June 2022). "New Privacy Commissioner named". The New Zealand Herald. Retrieved 9 June 2022.
  11. Office of the Privacy Commissioner Privacy Act & Codes: Introduction. Retrieved 2 May 2014.
  12. Steven Penk and Rosemary Tobin Privacy Law in New Zealand at 59.
  13. Ursula Cheer and John Burrows Media Law in New Zealand at 374.
  14. Universal Declaration of Human Rights 1949, Article 12.
  15. International Covenant on Civil and Political Rights 1976, Article 17.
  16. Privacy Act 1993, s2(1)(a) in Steven Penk and Rosemary Tobin Privacy Law in New Zealand at 58.
  17. Office of the Privacy Commissioner Privacy Act & Codes: Introduction. Retrieved 2 May 2014.
  18. APEC Cooperation Arrangement for Cross-Border Privacy Enforcement Summary Statement of Privacy Enforcement Authority enforcement practices, policies and activities at 1.
  19. OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, Part II: Guidelines.
  20. Office of the Privacy Commissioner Privacy Acts & Codes: A Thumbnail Sketch of the Privacy Principles. Retrieved 2 May 2014.
  21. ANZ National Bank Ltd v Tower Insurance (2009) 15 ANZ Ins Cas 61-816 at [171].
  22. Ursula Cheer and John Burrows Media Law in New Zealand at 375.
  23. Office of the Privacy Commissioner Privacy Act & Codes: Introduction. Retrieved 2 May 2014.
  24. Office of the Privacy Commissioner About Us: Introduction. Retrieved 2 May 2014.
  25. Office of the Privacy Commissioner Statement of Intent 2012 – 2015 (2012) at 4 – 5; Steven Penk and Rosemary Tobin Privacy Law in New Zealand at 63.
  26. Privacy Act 1993 ss 21, 36 and 117 – 177B in New Zealand Law Commission Review of the Privacy Act 1993: Review of the Law of Privacy Stage 4 Archived 13 July 2014 at the Wayback Machine at [5.3].
  27. New Zealand Law Commission Review of the Privacy Act 1993: Review of the Law of Privacy Stage 4 (R123, 2011) Archived 13 July 2014 at the Wayback Machine at [5.6].
  28. Privacy Act 1993, ss 61 and 69(2) in Steven Penk and Rosemary Tobin Privacy Law in New Zealand at 63.
  29. Privacy Act 1993, s 66(1) in New Zealand Law Commission Review of the Privacy Act 1993: Review of the Law of Privacy Stage 4 Archived 13 July 2014 at the Wayback Machine at [6.3].
  30. Privacy Act 1993, s 66(2) in New Zealand Law Commission Review of the Privacy Act 1993: Review of the Law of Privacy Stage 4 Archived 13 July 2014 at the Wayback Machine at [6.3].
  31. Ursula Cheer and John Burrows Media Law in New Zealand at 375.
  32. Office of the Privacy Commissioner Your Privacy: How to Complain. Retrieved 2 May 2014.
  33. Privacy Commissioner's Annual Report 2013 – A Year of Rapid Change at 24.
  34. Privacy Act 1993, s 77(2) in New Zealand Law Commission Review of the Privacy Act 1993: Review of the Law of Privacy Stage 4 Archived 13 July 2014 at the Wayback Machine at [6.7].
  35. Privacy Act 1993, ss 77(3) and 82 in New Zealand Law Commission Review of the Privacy Act 1993: Review of the Law of Privacy Stage 4 Archived 13 July 2014 at the Wayback Machine at [6.9].
  36. Privacy Act 1993, ss 85(1) and 88(1); Human Rights Act 1993, s 92Q; District Courts Act 1947, s 29 in New Zealand Law Commission Review of the Privacy Act 1993: Review of the Law of Privacy Stage 4 Archived 13 July 2014 at the Wayback Machine at [6.16].
  37. Human Rights Act 1993, ss 92R – W.
  38. Steven Penk and Rosemary Tobin Privacy Law in New Zealand at 77.
  39. Privacy Act 1993, ss 11(2) and 62 in New Zealand Law Commission Review of the Privacy Act 1993: Review of the Law of Privacy Stage 4 Archived 13 July 2014 at the Wayback Machine at [6.2].
  40. A v Hunt (Contempt) [2006] NZAR 577 at [62].
  41. Office of the Privacy Commissioner Privacy Act & Codes: Codes of Practice. Retrieved 2 May 2014.
  42. Privacy Act 1993, s 50 in New Zealand Law Commission Review of the Privacy Act 1993: Review of the Law of Privacy Stage 4 Archived 13 July 2014 at the Wayback Machine at [5.56].
  43. Office of the Privacy Commissioner Privacy Act & Codes: Codes of Practice. Retrieved 2 May 2014.
  44. "Global Privacy Assembly". Retrieved 14 June 2021.
  45. APEC Cooperation Arrangement for Cross-Border Privacy Enforcement Summary Statement of Privacy Enforcement Authority enforcement practices, policies and activities at 1.
  46. Office of the Privacy Commissioner About Us: International. Retrieved 2 May 2014.
  47. Privacy Commissioner's Annual Report 2013 – A Year of Rapid Change at 17.
  48. Privacy Commissioner's Annual Report 2013 – A Year of Rapid Change at 18; European Commission Implementation Decision C(2012)9557 (19 December 2012) at [10].
  49. European Commission Implementation Decision C(2012)9557 (19 December 2012) at [10].