Privacy – more changes on the way

It was only 6 years ago that the Law Commission completed a substantive review of our privacy laws.  One outcome was that our Privacy Commissioner gained real teeth, with the prospect of significant penalties for any person or organisation that breaches privacy law.

We're at it again, with the Government's stated intention to reform the Privacy Act. 

Fair enough, it's overdue when you consider the sheer pace of change in the technology sector.  Even since 2006, technology has steadily advanced (some would say intruded) into our personal lives – with the emergence of new data-driven business models and the many ways that technology learns our personal location, preferences and behaviours.

Want to enter that prize competition?  No problem, just provide your email address and you're in to win.  But don't complain when your inbox fills with spam from dozens of businesses that now have your details, even though you've had no previous contact with them.

Want that App?  Accept these terms – and don't bother reading them, because they're long and laced with legalese.  But don’t be alarmed if your personal information is transferred out of New Zealand to servers all around the world (good luck getting that back).

Want to stay connected on social media?  No problem, but don't expect anonymity.  In fact, expect their tracking technology to cleverly serve you up targeted advertising that just seems to know what you were last searching for on Google.

From a legal perspective, part of the problem is that our privacy law is consent-based.  Essentially, an organisation can collect, store, use and share information about you for any purpose that you have authorised.  Our anti-spam laws take the same approach, allowing anyone to email or text you marketing messages if they believe you have consented somehow, somewhere.

This is perhaps why, to date, the role of the Privacy Commissioner is largely reactive in respect of your business, remaining somewhat invisible until a privacy complaint has been made.

However, the latest privacy reform proposals take a much more proactive approach to compliance and include stronger powers for our Privacy Commissioner, and stiffer penalties for getting it wrong (up to $1 million for public or private sector organisations).

If we follow in the footsteps of the revised OECD Guidelines (an influential source of "best practice"), organisations will need to demonstrate how they address privacy risks.  This could mean:

  • Mandatory audits – essentially lifting the lid on the flow of personal information within your organisation, to determine whether you have implemented appropriate privacy measures in the management of these data flows.  Some of our trading partners (Australia included) already have this, but it is perhaps best reserved for repeat offenders.
  • Mandatory reporting – requiring your organisation to demonstrate how it addresses privacy risks and any evident inadequacies in its policies, processes or operating systems.  Arguably, a more proactive approach to compliance.
  • Privacy management programs – implementing a compliance program that is tailored to the structure, scale, volume and sensitivity of your organisation's operations, and providing appropriate safeguards based on privacy risk assessment.  This deeper dive could perhaps be required only of organisations with higher privacy risks – the less risky getting away with a less detailed privacy plan.

These law changes will be finalised soon and the implications will be noticeable. 

The Office of the Privacy Commissioner will be front-and-centre in your organisation's management, demanding proactive steps and ongoing dialogue. 

For some of you facing higher privacy risks, the Privacy Commissioner could become the gatekeeper that determines whether or not your organisation is compliant even before you encounter a complaint of privacy breach.

It will no longer be sufficient just to have an appointed privacy officer and a privacy policy to fulfil your compliance obligations.  Better systems and processes, and a deeper understanding of your privacy obligations, will become the new normal.

We know the privacy landscape and we advise businesses large and small.  If you have any questions about these law changes or if you need support with your organisation's privacy compliance, please contact the writer.

Michael Moyes

Partner

E: michael.moyes@ah.co.nz

P: +64 9 920 6474

M: +64 21 997 289