Bill / 17 April 2019
In June 2018, we wrote about the Privacy Bill (Bill) which proposed a number of changes to the Privacy Act 1993 (Act). The Select Committee has now reported on the Bill and recommendations include the following:
- The introduction of a higher threshold of mandatory reporting of privacy breaches, to the Privacy Commissioner and affected individuals. The Select Committee determined the suggested threshold was too low and instead recommends mandatory reporting only be required where it is reasonable to believe that the breach may have caused serious harm to affected individuals, or is likely to do so;
- The introduction of a new Information Privacy Principle to specifically regulate the disclosure of personal information outside of New Zealand;
- Amending the Bill to ensure clarity around the Act applying to any actions of a New Zealand entity regardless of where the action occurs, where the information was collected, or where the person who is the subject of the information resides; and
- Mandatory publishing where the Privacy Commissioner has issued a compliance notice, except where the publication would cause undue hardship to the agency and this hardship outweighs the public interest in the publication.
The Select Committee did not agree with the Bill’s proposal to introduce the “right to be forgotten” principle, or that the Privacy Commissioner be given the power to impose more significant fines for breaches of privacy.
What does this mean for employers?
Disclaimer: We remind you that while this article provides commentary on employment law and health and safety topics, it should not be used as a substitute for legal or professional advice for specific situations. Please seek legal advice from your lawyer for any questions specific to your workplace.