Second on the list of Bills to come before the House was the Privacy Amendment Bill, which had its beginnings under the previous Labour-led government and was considered by the committee last year. On its first reading, it drew support from all parties.
There were 55 submissions to the Bill, and as a result of considering them, some amendments were proposed, unanimously supported within the committee.
The law will improve transparency about the collection of personal information gathered other than from a person themselves. The new privacy principle means that an agency that collects information from a third party must take reasonable steps to ensure individuals know the information has been collected, what for, who will get the information, and how people can access and correct their information.
As Justice Minister Paul Goldsmith pointed out, our lack of coverage of this aspect of privacy in our law was highlighted by the European Union during its assessment of New Zealand’s EU adequacy status.
There was concern from some submitters about the compliance burden, but Mr Goldsmith said the Bill had been designed to minimise compliance costs with flexibility in how individuals may be notified and reasonable periods within which this could occur.
There are also some exemptions to notification, when compliance is not reasonably practicable or where compliance would prejudice the purposes of the collection. Changes were also made to allow for archiving materials in the public interest after gallery, library and archives, and the museum sector told the committee the new principle as originally planned could disrupt their operations and have a chilling effect on organisations collecting personal information for archival purposes.
The changes introduced by the amendment will not be the last we will hear of privacy rules this year.
In December Privacy Commissioner Michael Webster announced he will be issuing a Biometrics Processing Privacy Code.
Mr Webster’s decision to proceed with this followed consultation on an exposure draft of the code last year. The draft is now out for public consultation until mid- March with the code expected to be introduced this year.
Among other requirements, those wanting to use biometric technology will need to be able to show their collection of such information is for a lawful purpose, necessary, effective and proportionate, and that there is no alternative with lower privacy risk.
The new code will not apply to health agencies or health information where that biometric information is also health information which comes under the Health Information Privacy Code, and the biometric processing is being done by a health agency.
Privacy requirements are often not well understood by the public. Even though we have had privacy law since 1993, as we have said before, plenty of people have used its name in vain, often exaggerating its reach, either in ignorance or to suit their own purposes. Others have chosen to overlook its ramifications.
In his latest annual report, Mr Webster said privacy breaches were increasing in frequency and complexity, partly due to many agencies having a low understanding about how to manage privacy well.
It was disturbing to read his office is also seeing an increase in unreasonable conduct from some members of the public, requiring the introduction of a new physical security threat response plan.
Funding was reduced this financial year, and Mr Webster points out even when it did receive increases in earlier years, they were insufficient. The office is funding a deficit through cash reserves, something which can only be short-term.
"There are many areas where resource constraints curtail our ambitions to improve privacy outcomes."
While it is encouraging to see consensus among our politicians on new requirements, there will be little point if funding is not enough to ensure any changes to privacy law can be properly explained and enforced.
