The new Privacy Act 2020 applies to governmental, commercial and community organisations, as, under section 4(1), the Act applies to a “New Zealand agency” which is defined in section 8(a)(iii) as including “a New Zealand private sector agency,” and s. 7(1) of the Act makes it clear that “In this Act, New Zealand agency … means … a New Zealand private sector agency.”
Most people are probably not unduly concerned about privacy issues (most have their address and phone number published in telephone directories and electoral rolls, many are active on social media, and their names and contact details are on the membership lists of a number of organisations to which they belong). However, most people would still object to their private information being made more widely available, and there are also people who want to protect their privacy for a variety of reasons. New Zealand’s first privacy statute was enacted in 1991, and was quickly replaced by the 1993 Act and more recently by the 2020 statute. A statutory officer called the Privacy Commissioner is established by the Act, and the Commissioner’s functions include promotion “by education and publicity, an understanding and acceptance of the information privacy principles and of the objectives of those principles,” and “to inquire generally into any matter, including any other enactment or law, or any practice or procedure, whether governmental or non-governmental … if it appears to the Commissioner that the privacy of individuals is being, or may be, infringed …”
The Privacy Commissioner’s website has helpful information and resources about the legislation and its implications, including specific information for clubs and societies. As a minimum, every commercial, professional or community organisation should:
- Appoint a senior person as its privacy officer,
- Have an up-to-date privacy statement which is drawn to the attention of all the entity’s members, staff and “customers” (those people who may avail themselves of the entity’s services, activities or products) and any volunteers,
- Have a privacy breach response plan, and
- Ensure that all people involved in its governance and activities are aware of privacy issues and of the obligations under the Privacy Act.
Those governing or managing commercial and community entities need to think very carefully about privacy issues, for instance, whether the entity infringes the statutory privacy principles when it sends emails to multiple recipients without using the “blind copy” feature, makes client or member contact lists widely available without checking that the clients or members are happy to have those details “broadcast,” publishes or allows to be published photographs and names of its clients or members, produces and distributes lists of clients or members, or allows ready access to its client or membership lists.
When interpreting the provisions in the Privacy Act one must bear in mind that section 3 is expressed in broad terms and makes the purpose of the Act very clear:
The purpose of this Act is to promote and protect individual privacy by—
(a) providing a framework for protecting an individual’s right to privacy of personal information, including the right of an individual to access their personal information, while recognising that other rights and interests may at times also need to be taken into account; and
(b) giving effect to internationally recognised privacy obligations and standards in relation to the privacy of personal information, including the OECD Guidelines and the International Covenant on Civil and Political Rights.
In summary, it is very probable that most commercial, professional and government organisations as well as most not-for-profit organisations in New Zealand fall within the definition of a “New Zealand agency” to which the Privacy Act applies.
Section 7(1) briefly defines “personal information” as meaning “information about an identifiable individual …,” which is an all-embracing phrase, and under the Act a “document” is defined as including:
(a) any writing on any material:
(b) any information recorded or stored by means of any computer or other device; and any material subsequently derived from information so recorded or stored:
(c) any label, marking, or other writing that identifies or describes any thing of which it forms part, or to which it is attached by any means:
(d) any book, map, plan, graph, or drawing:
(e) any photograph, film, negative, tape, or other device in which 1 or more visual images are embodied so as to be capable (with or without the aid of some other equipment) of being reproduced.
Section 10 states that:
- For the purposes of this Act, personal information held by a person in the person’s capacity as an officer, an employee, or a member of an agency is to be treated as being held by the agency.
- However, subsection (1) does not apply to—
  - personal information held by an officer, an employee, or a member of a public sector agency (A) if—
    - the information is held only because of the person’s connection with a private sector agency; and
    - that connection is not in the person’s capacity as an officer, an employee, or a member of A; or
  - personal information held by an officer, an employee, or a member of a private sector agency (B) if—
    - the information is held only because of the person’s connection with another agency (whether a public sector agency or private sector agency); and
    - that connection is not in the person’s capacity as an officer, an employee, or a member of B.
- Despite subsection (1), information that is held by an employee of a department carrying out the functions of a departmental agency must be treated for the purposes of this Act as held by the departmental agency.
Commercial, professional, governmental and not-for-profit organisations must appoint a “Privacy Officer” because section 201(1) of the Privacy Act provides that:
An agency must appoint as privacy officers for the agency 1 or more individuals (within or outside the agency) whose responsibilities include—
(a) encouraging the agency to comply with the IPPs:
(b) dealing with requests made to the agency under this Act:
(c) working with the Commissioner in relation to investigations conducted under Part 5 in relation to the agency:
(d) ensuring that the agency complies with the provisions of this Act.
Thirteen “information privacy principles” are set out in section 22 of the Privacy Act (extending to 8 pages), and are subject to some statutory qualifications. All or most of those Principles could be relevant to some not-for-profit entities, and what follows is a rather brief summary of those Principles that may be relevant to most commercial, professional, governmental and not-for-profit organisations:
- “Personal information shall not be collected by any agency unless … the information is collected for a lawful purpose connected with a function or activity of the agency; and … the collection of the information is necessary for that purpose” (Principle 1),
- “If an agency collects personal information, the information must be collected from the individual concerned” (Principle 2) subject to a number of exceptions, including if the agency believes on reasonable grounds that the non-compliance would not prejudice the interests of the individual concerned, the information is publicly available (e.g. the full name, address and occupation of most adults can be found in Electoral Rolls), or a person authorises the collection of personal information from someone else,
- Individuals should be made aware of the fact that the information is being collected and why (Principle 3) – that should be obvious when common membership information is being collected or updated,
- Personal information should not be collected by unlawful means, unfairly, or by unreasonably intrusive methods (Principle 4),
- Personal information should be protected by reasonable security safeguards against loss, unauthorised access, use, modification, or disclosure and other misuse (Principle 5),
- In general, where personal information is held in such a way that it can readily be retrieved, the individual concerned shall be entitled to obtain from the agency confirmation of whether or not the agency holds such personal information and to have access to that information and to have information corrected (Principles 6 and 7).
- Agencies must take reasonable steps to ensure that personal information they record is accurate, complete, relevant and not misleading (Principle 8),
- “An agency that holds personal information must not keep that information for longer than is required for the purposes for which the information may lawfully be used” (Principle 9) – if a society member ceases to be a member the information should be deleted.
- Subject to some exceptions, an agency that holds personal information that was obtained in connection with one purpose shall not use the information for any other purpose (Principle 10).
- An agency that holds personal information must not disclose the information to a person or body or agency unless the agency believes, on reasonable grounds, that this is permissible; the grounds that are likely to be most commonly applicable are that:
  - The disclosure of the information is one of the purposes in connection with which the information was obtained or is directly related to the purposes in connection with which the information was obtained, or
  - The source of the information is a publicly available publication and, in the circumstances of the case, it would not be unfair or unreasonable to disclose the information, or
  - The disclosure is to the individual concerned, or
  - The disclosure is authorised by the individual concerned, or
  - Non-compliance is necessary to prevent or lessen a serious threat to public health or public safety, or to the life or health of the individual concerned or another individual (Principle 11).
- Under Principle 12 (a new Principle introduced by the 2020 Act), an agency may only disclose personal information to overseas persons or entities (this Principle will be of particular relevance to New Zealand entities that are affiliates of international organisations, such as some professional, sports and community organisations) if it reasonably believes the foreign person or entity meets at least one of the following criteria:
  - is carrying on business in New Zealand and is subject to the Privacy Act,
  - is subject to privacy laws that, overall, provide comparable safeguards to those in the Privacy Act,
  - is required to protect the information in a way that, overall, provides comparable safeguards to those in the Privacy Act (for example, by agreement between the agencies), or
  - is subject to the privacy laws of a country, province or State, or is a participant in a binding scheme for international disclosures of personal information that has been prescribed in regulations by the New Zealand Government as providing comparable safeguards to the Privacy Act.
- Under Principle 13:
  - An agency (A) may assign a unique identifier to an individual for use in its operations only if that identifier is necessary to enable A to carry out 1 or more of its functions efficiently.
  - A may not assign to an individual a unique identifier that, to A’s knowledge, is the same unique identifier as has been assigned to that individual by another agency (B), unless—
    - A and B are associated persons within the meaning of subpart YB of the Income Tax Act 2007; or
    - the unique identifier is to be used by A for statistical or research purposes and no other purpose.
  - To avoid doubt, A does not assign a unique identifier to an individual under subclause (1) by simply recording a unique identifier assigned to the individual by B for the sole purpose of communicating with B about the individual.
  - A must take any steps that are, in the circumstances, reasonable to ensure that—
    - a unique identifier is assigned only to an individual whose identity is clearly established; and
    - the risk of misuse of a unique identifier by any person is minimised (for example, by showing truncated account numbers on receipts or in correspondence).
  - An agency may not require an individual to disclose any unique identifier assigned to that individual unless the disclosure is for one of the purposes in connection with which that unique identifier was assigned or is for a purpose that is directly related to one of those purposes.
In addition, it should be noted that s 53 of the Privacy Act entitles an agency to refuse access to personal information requested if “the information requested does not exist or, despite reasonable efforts to locate it, cannot be found,” “the disclosure of the information would involve the unwarranted disclosure of the affairs of … another individual …,” “the disclosure of the information would be likely to prejudice the maintenance of the law by any public sector agency,” “the disclosure of the information would constitute contempt of court,” “the request is frivolous or vexatious, or the information requested is trivial,” and other grounds.