Privacy Law and Policy Reporter
The Privacy Act 1993 (NZ) represents an important milestone in the evolution of human rights legislation in NZ. Its preamble makes that point abundantly clear. The new law is intended to 'promote and protect individual privacy'. While decision-makers in NZ have frequently paid lip-service to the importance of protecting the individual's legitimate interests in privacy in the past, NZ law has been slow to provide appropriate recognition.
Despite its generic title, the new Act is largely concerned with promoting and protecting the individual's interests in information privacy. Other major privacy areas, for example, privacy and intrusions, privacy and telecommunications, are not directly covered in the sense that the complaint jurisdiction does not apply.
The focus of the Act is a comprehensive legal regime covering the handling of 'personal information'. 'Personal information' is defined as information about an 'identifiable individual'; that is, a natural person, as distinct from a body corporate or any other non-human person (s2(1)). The Act covers any personal information which an agency might hold about an identifiable individual. The definition of 'agency' covers natural and legal persons. 'Any person or body of persons, whether corporate or unincorporate, and whether in the public sector or the private sector' is covered (s2(1)). The Privacy Act is therefore very comprehensive in its scope, much more so than equivalent legislation in Australia, Canada, the UK or the US.
Despite its breadth, the definition of 'agency' does not include the Governor-General, MPs, the courts, tribunals, Ombudsmen and Commissions acting in a judicial capacity. In addition, one major private sector group which deals heavily in personal information, sometimes of a most sensitive nature, has been effectively exempted from the legislation. The definition of 'agency' does not include 'in relation to its news activities, any news medium'. 'News activity' is very broadly defined. So too is 'news medium', which covers 'any agency whose business consists of a news activity' (s2(1)). Radio NZ and TVNZ, however, are not exempted in relation to individuals seeking access to, or correction of, personal information held by these State-funded media organisations. This represents a continuation of the position under the Official Information Act 1982 (as amended).
The Act makes provision for the appointment of a Privacy Commissioner. The office is not new in NZ. Since 1976, the office of Wanganui Computer Centre Privacy Commissioner has existed. More recently, the office of Privacy Commissioner was established by the Privacy Commissioner Act 1991. That Act has now been repealed with the enactment of the Privacy Act 1993. The office of Wanganui Computer Centre Privacy Commissioner has also ceased to exist.
Under the Privacy Act, the Commissioner is appointed by the Governor-General on the recommendation of the Minister of Justice. Although this manner of appointment confers an independent status on the Commissioner (that is, independent Crown entity with a right to report directly to the Prime Minister in certain circumstances), concern has been expressed that the Commissioner's independence may be limited, in theory, if not in practice, by the fact that the Commissioner is appointed on the recommendation of a member of the Executive, the Minister of Justice. That Minister also has the responsibility of presenting the Privacy Commissioner's annual report to parliament (s24).
Key functions of the Privacy Commissioner include monitoring compliance by government agencies with the provisions in the Act relating to information matching; providing advice to these agencies on their legal obligations under the Privacy Act; and undertaking regular reviews of information matching programs (s13). Given the ongoing political sensitivity of these programs, and the possibility that the Privacy Commissioner may come into conflict with the government of the day, it is to be regretted that the Privacy Commissioner was not given the additional independence of being an Officer of Parliament. Existing Officers of Parliament include the Ombudsman and the Parliamentary Commissioner for the Environment.
Other functions of the Commissioner include investigating complaints; issuing codes of practice; inviting representations from members of the public and making public statements; examining any proposed legislation or any proposed policy of the government; inquiring into any matter, law, practice, or procedure in the private or public sector, or any technical development, if it appears to the Commissioner that the privacy of the individual is being or is likely to be infringed; and promoting, by education and publicity, an understanding and acceptance of the information privacy principles and their objectives (s13).
The Commissioner is required to have 'due regard for the protection of important human rights and social interests that compete with privacy'. This includes 'the general desirability of a free flow of information and the recognition of the right of government and business to achieve their objectives in an efficient way' (s14(a)). The Commissioner must also take 'account of international obligations accepted by NZ, including those concerning the international technology of communication' (s14(b)).
Information privacy principles (IPPs) are at the heart of any information privacy law worthy of the name. They did not form part of the Privacy Commissioner Act 1991, hence the NZ Commissioner's oft-quoted remark that he was at that time 'the only Privacy Commissioner without principles'.
The Act contains a detailed set of principles which have their origin in the OECD Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data 1981. The 12 IPPs cover the collection, storage, use and disclosure of personal information. Rights of access and/or correction of personal information by the individual to whom it relates are also recognised. Some of these principles, for example, those placing limits on the collection or use of personal information, apply only to personal information obtained by an agency after 1 July 1993 (the date when the new law came into force). Other principles, for example, those covering the storage and security of personal information, rights of access and/or correction, and disclosure, apply to personal information obtained before or after 1 July 1993 (s8).
A breach of any of the IPPs by an agency may lead to a complaint being made to the Privacy Commissioner. However, where a breach of some of these principles, for example, those placing limitations on the collection, use or disclosure of personal information, is alleged, the full complaint jurisdiction does not apply before 1 July 1996. In these circumstances, although the Commissioner may determine that there has been an interference with an individual's privacy, the Commissioner is limited to making non-binding recommendations to the agency concerned (s79). A recommendation might include, for example, that the agency develop a code of practice. For the other IPPs, that is, those relating to storage and security obligations and access/correction rights, the Privacy Commissioner's full complaint jurisdiction applies from 1 July 1993.
As with other formulations of IPPs, their essence is not difficult to summarise.
In the NZ Privacy Act, the 12 IPPs can be divided into four categories. The first four relate to the collection of personal information. Principle 5 covers storage and security obligations. Access to and correction of personal information are covered by IPPs 6 and 7. The remaining five IPPs relate to the use and disclosure of personal information. Many of the more important principles contain a lengthy list of exceptions to the basic principle. For example, IPP 2 states that where an agency collects personal information, the agency shall collect the information directly from the individual concerned.
However, non-compliance with this principle is permissible where, for example, the personal information is publicly available; the individual concerned authorises collection of the information from someone else; non-compliance would not prejudice the interests of the individual concerned; compliance would prejudice the purposes of collection; or where compliance is not reasonably practicable in the circumstances of the particular case. This is by no means a complete list of the circumstances in which non-compliance is permissible.
One cannot help being troubled by the number of permitted exceptions to some principles. A number appear to be so broad that some users of personal information may, in relation to IPP 2 for example, find it difficult to think of a situation where direct collection would be necessary. Clearly, this is overstating the intentions of the law's drafters. It is essential, however, that the Privacy Commissioner, in interpreting this and other principles, ensures that agencies comply with the basic principle whenever possible and that the exceptions are applied only in exceptional situations.
Where personal information is collected directly from the individual concerned, or their representative, agencies are required to ensure that the individual is made aware of the fact that the information is being collected; the purpose for which it is being collected; the intended recipients; the legal authorisation and whether the supply of the information is mandatory or voluntary; the consequences if the information is not supplied; and the rights of access to and, if necessary, correction of personal information (IPP 3). Again, non-compliance is permissible in various circumstances.
One of the key barometers for determining the effectiveness of IPPs is the limits placed on the use and disclosure of personal information. In this regard, IPP 10 is a key principle. In essence it states that an agency that holds personal information which was obtained in connection with one purpose must not use that information for any other purpose. Similarly, IPP 11 states, in essence, that an agency that holds personal information must not disclose that information unless the agency believes, on reasonable grounds, that the disclosure of the personal information is one of the purposes in connection with which the information was obtained.
Use for some other purpose, or disclosure, can, of course, be authorised by the individual concerned. In addition, there are many other grounds on which non-compliance is permissible. For example, the purpose for which the information is to be used may be regarded as being directly related to the purpose in connection with which the information was obtained. A definitive ruling by the Privacy Commissioner on what is meant by 'directly related' is eagerly awaited. Alternatively, non-compliance may be necessary for certain aspects of law enforcement, or the use of the particular personal information for some other purpose may be considered necessary to prevent or lessen a serious or imminent threat to public health or safety, or to the life of the individual or some other individual.
One of the most innovative features of the NZ Privacy Act is the provision made for codes of practice. These codes cover specified activities or agencies, or particular professions or callings, for example, health information. A code of practice operates, in the areas covered by it, as an alternative to the information privacy principles in the Act (s46). A code may prescribe standards which are greater or lesser than those contained in the principles. Codes are prepared by a particular industry, profession or calling. When approved by the Privacy Commissioner, following a process of public consultation, a code has the force of law. That is, it has the same status as a regulation (s50). This means that codes are subject to the Regulations (Disallowance) Act 1989 (NZ), which provides for the disallowing of any regulation, in whole or in part, following scrutiny by the House of Representatives.
One effect of the existence of a code of practice is that an action that would otherwise be regarded as a breach of one of the information privacy principles is deemed not to be a breach of that principle if the action is done in accordance with the particular code of practice (s53). On the other hand, a failure to comply with a code of practice, where it applies, is for the purposes of the complaints procedures under the Privacy Act 1993 (NZ) deemed to be a breach of the particular principle, even though the action would not constitute an actionable breach of that principle if there were no code of practice in effect (for example, a breach of one of the collection principles before 1 July 1996).
To date, the Privacy Commissioner has approved one code of practice, covering the area of health information. It will be covered in detail in a subsequent issue. The Health Information Privacy Code 1993 has been given the status of 'temporary' by the Privacy Commissioner. The Commissioner considered that it would be impracticable to follow the public notification procedures set out in the Act, given the perceived urgency that a code covering personal information in the health sector be issued. The urgency was heightened by the wide-ranging reforms to the delivery of health and disability services occurring in NZ last year. This code is due to expire on 30 June 1994. At the present time the Commissioner is conducting a wide-ranging review of the temporary code. A new permanent code is expected to be in force before the expiry date.
Part II will appear in next month's issue and will examine complaints, access, public registers and data-matching.