Law Commissioner Professor John Burrows released the Law Commission's report on the Privacy Act 1993 today.

Some parts of the release:

 “Technological advances have allowed personal information to be collected, stored, analysed, copied and distributed with an ease and level of sophistication that would have been unimaginable when the Privacy Act was passed”, Professor Burrows said. “Any review of privacy law must consider whether new technologies pose new threats to privacy, and whether the law needs to change to meet such threats.”  

On the whole, the Law Commission thinks that the flexible, principles-based approach of the Privacy Act is well suited to dealing with an ever-changing technological landscape. However, some reforms are needed.  

The accumulation of data made possible by digital technologies is one reason for the report’s recommendations that the Privacy Commissioner should be given new powers to require audits of agencies in certain circumstances and to issue notices requiring agencies to bring their practices into compliance with the Act. With agencies routinely collecting, using and disclosing vast amounts of personal information, the Privacy Commissioner needs stronger powers to ensure that they are complying with the Act.  

The Law Commission also recommends that agencies should be required to notify people if their personal information is lost or otherwise compromised in a serious way. “Technological development has made it possible for personal information relating to huge numbers of people to be compromised through the loss of a single memory stick”, Professor Burrows pointed out. 

The flow of information across borders has likewise been transformed by technology. The rise of “cloud computing”, for example, means that information about New Zealanders may be stored in servers located overseas. Privacy protection in other countries may not meet New Zealand standards, and it may be more difficult for New Zealanders to complain about the mishandling of their information if it has been transferred overseas. The Law Commission is recommending new provisions in the Privacy Act that would put stronger obligations on agencies to check, before they send personal information overseas, that the privacy of that information will be adequately protected.  

The Law Commission’s Privacy Act report, released today, recommends the introduction of a new mechanism for the sharing of personal information between government agencies.

“There are many good reasons for government departments to share citizens’ personal information”, said Law Commissioner Professor John Burrows. “For example, agencies may wish to collaborate to provide better, ‘smarter’ services to people. They may wish to provide a ‘one stop shop’ at which people can interact with a number of agencies at once. Or they might want to work together to tackle a social problem such as child abuse. Sharing of personal information between agencies is vital to the effective functioning of such programmes.”

At the moment, such sharing is not always possible under the Privacy Act. Sometimes agencies are simply unsure about whether sharing is allowed, and want reassurance that it is legal. The government sometimes passes legislation which specifically overrides the Privacy Act, to allow information sharing.

The Law Commission thinks that a new mechanism is needed to provide greater certainty for government agencies and citizens alike. At the same time, the Commission recognises the considerable privacy risks that would be posed by unconstrained information sharing. It is essential that any new framework should include strong privacy protections.

The Commission recommends that proposals for sharing of personal information between government agencies should be drawn up as agreed programmes. They should go through a process of consultation, including with the Privacy Commissioner. Finally, they should be approved by Cabinet, providing they comply with criteria that would be set out in the Act. There would be safeguards applying to all information sharing programmes, and all programmes would be required to be published on agencies’ websites as well as being listed in a schedule to the Privacy Act. Information sharing programmes would be subject to review by Parliament and by the Privacy Commissioner.

The Law Commission’s just-released report on the Privacy Act recommends that the Act should include a requirement for agencies to notify people affected by serious privacy breaches.  

At the moment, voluntary guidelines issued by the Privacy Commissioner encourage notification, but there is nothing in the Privacy Act requiring it. An increasing number of countries around the world are making notification of privacy breaches mandatory, and the Law Commission thinks that New Zealand should join them.  

“Data breach notification”, as it is commonly known, relates to situations in which personal information held by an agency is lost or accessed by unauthorised people. Such breaches can put members of the public at risk from identity theft and other threats. There have been some very high-profile cases of data breaches internationally, and some significant breaches have also occurred in New Zealand. Examples include cases of laptop computers or memory sticks containing personal information about large numbers of individuals being lost. There have also been cases in which databases of personal information have been accessed by computer hackers.