Privacy Law and Policy Reporter
New Zealand’s innovative information privacy law — the Privacy Act 1993 (the Act) — did not come fully into force until July 1996. Now less than three years later, a comprehensive review of the Act has been completed by the Privacy Commissioner.
The commencement of the review was greeted with scepticism in some quarters. One MP — a member of the avowedly pro ‘free market’ ACT party — described the requirement in the Act for the Commissioner to conduct the review as ‘unusual and unfortunate’ (National Business Review (19/9/97)). Some newspaper editorial writers — who had campaigned against the Act since its inception — expressed similar sentiments.
The public might have more confidence in the review process if it is carried out by someone seen as totally impartial ... Mr Slane [the current Privacy Commissioner] is widely perceived — we believe correctly — to have a strong ideological commitment to the privacy principles outlined in the Act. (The Evening Post 21/10/97)
Despite these less than encouraging prognostications, most people reading the report — all 437 pages and 154 recommendations — will be impressed with its comprehensiveness and depth.
The review process is not unique within NZ law. An increasing number of laws provide for regular reviews by the entity established by the particular law. Nor is the review process unique in the information privacy field — Canadian provincial privacy laws contain similar provisions.
The Act required the Commissioner to review the Act after it had been in force for three years (s 26). Future reviews will take place every five years. The object of the review is to determine whether any amendments to the Act are ‘necessary or desirable’. The Privacy Commissioner reports to the Minister of Justice. Whether anything happens by way of a Government-sponsored Bill amending the Act, will depend on Cabinet. The NZ parliamentary scene is so volatile these days that even the success of such a Bill cannot be guaranteed.
The Act is silent on how the review is to be conducted. The Privacy Commissioner is to be commended for the thoroughness of the review involving extensive consultation with representatives of public sector agencies; business and professional associations; privacy advocates and academics; and interested members of the public.
Submissions, some of them very comprehensive, were prepared by central government organisations and departments; local government agencies; intelligence organisations; professional organisations; business and industry; credit reference agencies; educational organisations; and representatives of the news media.
Rather than release what might have been seen as an intimidating consultation document, the Privacy Commissioner’s Office released 12 short discussion papers addressing specific issues (eg compliance and administration costs; access and correction). This approach enabled people to focus on those issues of particular interest to them. This is reflected in the quality of many of the submissions, copies of which are publicly available.
The Commissioner’s detailed commentary refers to all 133 sections in the Act and the accompanying appendices. The overall quality of the commentary is most impressive. The review report and accompanying discussion papers will be an invaluable reference for anyone with a serious interest in the workings of the NZ Privacy Act.
In its present form, the Act is a complex law in places. The Commissioner recognises this — many of his recommendations are aimed at making the Act more ‘user friendly’. The Commissioner’s overall assessment is that the Act is firmly ‘on the right track’ — his objective is to ‘make the Act more effective and understandable’. Of importance is the recognition in the review report that unless the Office of Privacy Commissioner is adequately resourced — something which is not occurring at present with a ‘sinking lid’ staffing policy in place — the Act, and especially the remedies it provides, will be increasingly ineffective.
In the introduction to his report, the Privacy Commissioner highlights how the Act has ‘notably advanced the position of individuals in just a few short years’. For example, New Zealanders can now:
The Commissioner emphasises the new legal obligations on agencies (for example, the need for them to be open about their information handling practices). This is in contrast to the position before the Act when they ‘did not have to be open as to what they wanted personal details for and who they were going to share these with’. Certainly most private sector agencies appear to have taken their new legal obligations seriously and modified aspects of their information handling practices.
Given the dramatic restructuring and downsizing of the public sector in NZ, the Commissioner is right to highlight the fact that under the Act ‘outsourcing and privatisation do not deprive citizens of privacy rights in relation to personal data previously held by government agencies’. Had NZ simply followed the approach of many jurisdictions in limiting its information privacy law to the public sector, the Act’s application would have become increasingly limited.
While on paper it may be correct to say that the Act contains ‘a simple complaints mechanism with an ombudsman-like investigation of privacy complaints with a non-adversarial approach’, the reality is that the investigation and resolution of seemingly straight forward complaints may take months, even years to resolve. Partly this is due to the lack of sufficient staff in the Privacy Commissioner’s Office. It may also be due to respondents (and especially their legal advisers) taking an overly adversarial approach to privacy complaints made against them.
An impressive feature of the Privacy Commissioner’s work to date has been the production of high quality submissions on a wide range of issues with privacy implications (draft parliamentary Bills, departmental/ministerial/working party reports, etc). These are listed as an appendix to the review report. In themselves, they are valuable documents. What is not indicated is the extent to which the Privacy Commissioner’s observations and recommendations have been accepted by the relevant decision-makers.
The public reaction to the Commissioner’s Review of the Privacy Act is awaited with keen interest. The timing of the report’s release just before the summer holidays is unfortunate.
The report deserves careful consideration from those with political or legal authority, whose support is essential if necessary changes to the Act and how it operates, are to occur. Regrettably, the ‘honeymoon’ with the NZ Privacy Act appears to be well and truly over. Critics and detractors appear to be in ascendancy. Defenders of the Act and the sometimes beleaguered Commissioner seem to be fewer in number than during the early days of the Act’s implementation.
In fact, to keen observers of the NZ privacy scene, it appears that public and private sector threats to individual privacy have increased in regularity, rather than decreased, since the Privacy Act 1993 was enacted. In the few months between the Privacy Commissioner finalising the content of his report and its publication, a whole series of government Bills with major privacy implications were introduced into parliament. Areas covered included a sophisticated driver ID scheme (now passed by Parliament) and proposed new secret immigration procedures whereby migrants can be removed from NZ without ever knowing any of the details of the case against them.
The prevailing economic ideology in NZ continues to emphasise deregulation. Reducing business compliance costs has acquired a primacy over other competing considerations in a wide variety of contexts. The Privacy Commissioner has attempted to address this vexed issue in a number of recommen-dations, while at the same time attempting to enhance individual rights and entitlements under the Act. In assessing the reaction to the Commissioner’s report, it will be fascinating to see whether the Commissioner has got the mixture of recommendations right, so that all stakeholders feel at least partially satisfied by the review of the Privacy Act.
Tim McBride is Senior Lecturer in Law at the University of Auckland, and a member of the Editorial Board of PLPR.