Privacy Law and Policy Reporter
The Review makes 154 recommendations, many of which are of a minor or technical nature. In the introduction to the review report, Privacy Commissioner Bruce Slane summarises selected recommendations under seven ‘themes’. This section of the report is reproduced here with the permission of the Commissioner to provide a reference point for the ‘commentary’ articles in this issue. A full list of the recommendations is contained in the report and is also available on the Commissioner’s web site at http://www.privacy.org.nz.
A principal feature of the Act is its broad coverage:
Broad coverage gives confidence that the information privacy principles apply in nearly all circumstances. The greater the inroads into the types of agencies or information covered, the greater the possibility of privacy being left unprotected. The broad coverage of the Act is also the surest guarantee that our law will be considered to offer ‘adequate protection’ in respect of the tests established in the EU Directive on Data Protection. It also avoids compliance costs, creates certainty, avoids demarcation disputes and avoids gaps between codes of practice.
Coverage is not absolute. There are bodies which are expressly excluded from the definition of ‘agency’. There are also partial exemptions applying to particular classes of agency or information. I examined the existing coverage of the Act to see whether changes should be made to extend or restrict the coverage.
Some recommendations are:
There has been considerable interest in the exemption which applies to the news media in their news activities. I propose no change. The exemption is discussed at various places in the report in particular at paras 1.4.49 to 1.4.62 and at paras 4.4.49 to 4.4.55.
The objective of the privacy law is to ‘promote and protect individual privacy’. I have examined the Act to consider whether it is effective in that respect and make a number of recommendations to better promote and protect privacy by enhancing individual rights and entitlements.
The 12 information privacy principles, and other controls relating to public registers and information matching, are at the heart of the Act. Aspects of the regime can be modified in certain ways by codes of practice. Through a mixture of constraints on agencies and entitlements for individuals these provisions establish a framework to protect individual privacy rights.
In the review I have studied ways in which privacy rights for individuals can be enhanced consistently with the international approach to the protection of privacy while taking account of competing interests. Few of the enhancements that I propose are entirely novel. Most involve adjustments to existing entitlements or the borrowing of ideas from international or overseas initiatives. In a number of cases I suggest specific entitlements consistent with the existing general entitlements. For example, I make proposals to change the information privacy principles and public register privacy principles to address direct marketing issues. Although the specific provisions will be new they will give effect to an objective of the existing principles — constraining a secondary use of information without the knowledge or authorisation of the individual.
Some recommendations are:
I do not consider that these changes will entail any significant compliance costs.
The Privacy Commissioner established by the Act is given a number of tasks. The Act grants various powers to enable those tasks to be effectively performed. I have considered whether the provisions of the Act are adequate, or can be improved, to ensure that my office is able to perform effectively. For the most part I believe that the provisions in the Act are satisfactory. Nonetheless, I have identified a number of areas where potential effectiveness will be enhanced by amendment to the Act.
Relevant recommendations include:
The Privacy Act is obviously not the only law bearing upon the handling of personal information. These include, amongst others, laws concerning:
The Act currently spells out how it is to relate to other pieces of legislation. Generally it provides that the information privacy principles are subordinate to provisions in most other enactments.
I have considered whether the way the Act currently deals with the interaction of other laws is satisfactory. One of the main problems that I have attempted to address concerns the lack of awareness by some users of the Act of the provision saving the effect of other laws. Amongst other things, my recommendations seek to make the interrelationship plainer so as to reduce misunderstanding. The term ‘savings’ is a technical legal term which is not readily understood by lay readers of the Act. Some would appear to be unaware that the privacy principles do not override other laws.
Relevant recommendations include:
Business compliance cost reduction has been an issue for government in recent years. Indeed, the matter has been a central feature leading to the present design of the Act. Most notable is the absence of a registration or licensing system which is the norm in Europe. The Privacy Act adopts an outcomes-oriented approach whereby the Act prescribes the standards but agencies have a great deal of flexibility in the way that they may comply with them. In my review I examined various features which contribute to the low compliance costs imposed by the Act and examined whether it would be possible through amendment to the Act to improve the position even further with respect to compliance costs.
Compliance costs revolve around the costs borne by agencies in complying with the requirements of the Act. It should not be assumed that, in the absence of an Act, there would be an absence of costs associated with meeting privacy risks and issues. Where statutes do not broadly cover privacy issues a variety of sectoral laws is normally combined with voluntary self-regulation and laws relating to confidentiality. All these involve compliance costs. Costs borne by agencies cannot be considered in isolation from the costs imposed upon individuals in exercising their rights and entitlements under the Act. Accordingly, I also examined the regime established by the Act in that regard particularly with respect to charges that individuals may have to pay in order to have access to information or to seek to have it corrected.
Frequently issues of compliance costs interrelate with the administration costs of agencies established by a law. I am of the opinion that the work that my office does or might undertake in relation to education and publicity, particularly in offering compliance advice, contributes to minimisation of compliance costs among agencies. There are severe restrictions upon what I can attempt on my present budget given the need to apply resources to a significant complaints backlog. A 12 month queue before complaints are investigated is not only unfair to the complainants, and may undermine the credibility of the processes established, but it also increases costs of the respondent agencies. In particular, where there is a continuing relationship between an individual and an agency, whether as customer, employee or otherwise, there is a great deal to be said for being able to promptly tackle the complaint through the Act’s conciliatory processes which frequently lead to settlements which may often enable the relationship to continue. A delay in commencing the investigation also means that the events are not so fresh in people’s minds leading to inefficiencies and problems in the investigation process and potential problems for the agency establishing its position, and may permanently sour the relationship.
In respect of the problem of administration costs, I believe that the solution is primarily to be found in the application of appropriate funding to meet the level of complaints being processed. Nonetheless, I have examined the provisions of the Act to see whether any amendments are desirable to ameliorate the problems. The recommendations I have made will contribute to the current low costs of compliance and help to prevent rises in costs in the future. I have considered requiring applicants to meet some costs of processing certain applications and giving me more statutory discretion to defer investigating complaints where it is reasonable that the individual first pursues an alternative.
A number of recommendations would improve ease of use of the Act. They also have an objective of reducing compliance costs.
In many cases, I am satisfied that the substantive law bearing on an issue is appropriate and yet some people have found provisions difficult to follow. My suggestions will help to achieve the law’s objectives through better agency compliance and better understanding of the rights of individuals.
My recommendations try to avoid substantial rewriting. This is to retain the benefits of familiarity gained by those using the Act over the last few years. So I have taken a minimalist approach which may deceive the reader into thinking that the changes are inconsequential. I am confident they have the potential to improve the Act’s ‘user-friendliness’ and thus avoid the chance of misinterpretation.
Some recommendations are:
The EU Directive on Data Protection is required to be implemented in EU countries by October this year. The EU Directive will oblige member states to restrict the transfer of personal data to third countries if that data will not be subject to ‘adequate protection’. The existence of the Privacy Act is the best guarantee that the Europeans will accept that data on Europeans will be protected when transmitted to NZ. Generally speaking, NZ’s Privacy Act is perceived by most commentators as one of the best in the world outside Europe. Indeed, the protection that it offers to personal information is superior to that offered in many European jurisdictions, particularly in respect of information which is not ‘automatically processed’.
Nonetheless, I have carefully scrutinised the Act to be sure that its provisions will be judged by European standards to be ‘adequate’. To be adequate our law does not need to have identical provisions to the EU Directive. It is believed that the law will largely be judged in its totality. Our Act should, in general terms, pass such an adequacy test with flying colours.
However, there are two aspects which somewhat cloud this rosy picture. New Zealand’s law is in danger of failing an adequacy test in so far as it denies access rights to foreigners except when they are actually in NZ. This would effectively deny most Europeans one of the key data protection entitlements in any law. In my view, that should be put right as soon as possible.
The Office of the Privacy Commissioner, with its complaints jurisdiction, provides the independent national institution that is a central feature of an adequate system for the protection of privacy in European eyes. I have no doubt that the basic legislative arrangements for the Privacy Commissioner would be a feature which supports an adequacy case in European eyes. However, the underfunding of my office, which has led to complaints waiting in a 12 month queue, may cause EU Commissioners to question the adequacy of a central feature of our Act. An investigation delayed for that long can lose credibility as a compliance mechanism. It is important in this context, in my view, that this central aspect be put right.
Another issue relates to the possibility of European agencies diverting data transmissions through NZ to another country so as to circumvent the EU prohibition. This also should be put right.
Amongst my recommendations is one concerning the deletion of details from mailing lists which is modelled upon provisions in the EU Directive. Its current absence in our law is not likely to call into question the adequacy of NZ’s laws. Rather, the EU Directive provides a very promising model to copy from in according appropriate protection to the privacy of New Zealanders’ personal information.
Reference may be made to the recommendations:
This is an edited version of Bruce Slane’s concluding remarks —Ed.
As we approach the dawn of the new millennium the Act provides a sound framework for addressing a range of privacy issues. Nonetheless, the appropriate protection of privacy is necessarily an ongoing process of refinement, evaluation, experimentation and consolidation. Technology will not remain static to suit a legal rule. Nor do the demands or expectations of the international community or New Zealanders. Already, I have identified issues which deserve further study and which may, at a future point, warrant amendment to the law ...
One of the discussion papers canvassed the possibility of new privacy protections and mentioned a number of the new principles being developed elsewhere. Twenty-seven submissions were received. In this report I have stopped short of recommending the adoption of the innovative principles mentioned in that paper. This is not because I believe that they are misconceived or of little importance. A number of new principles that have been proposed, such as those guaranteeing anonymity, promise to protect privacy better in some situations than our existing principles.
Some of the more novel ideas require more study than has been possible, or appropriate, in this review ...
Clearly there is much work to be done and challenges faced in the coming years. My confidence that the Act is soundly based, and works well in operation, should not be mistaken for complacency about the challenges to the protection of privacy. There are many chapters yet to be written in the report on our society’s response to privacy issues but these will need to await further specialist examinations and the next periodic review of the Act.
Compiled by Nigel Waters, Associate Editor.