Privacy Commissioner John Edwards has recommended to the Government that the penalty for a serious breach of personal information could be a civil penalty of up to $1 million.
A report from Mr Edwards with six recommendations for reform of the Privacy Act 1993 has been tabled in Parliament. The report, pursuant to section 26 of the Act, reviews the Act and examines developments in the five years since the last review.
Mr Edwards says his recommendation on the civil penalty will address a gap in the Act's enforcement framework. If accepted, the Privacy Commissioner would be empowered to apply to the High Court for a civil penalty of up to $100,000 in the case of an individual and up to $1 million in the case of a body corporate to be imposed where there are serious breaches.
The other recommendations in the report are:
- An update to protect against the risk that individuals can be unexpectedly identified from data that had been purportedly anonymised.
- Introducing data portability as a consumer right.
- An additional power to require an agency to demonstrate its ongoing compliance with the Act, which would enable the Privacy Commissioner to proactively identify and respond to systemic issues.
- Narrowing the defences available to agencies that obstruct the Privacy Commissioner or fail to comply with a lawful requirement of the Commissioner.
- Reforming the public register principles in the Act and providing for the suppression of personal information in public registers where there is a safety risk.
Mr Edwards' report says a lot has changed since the Law Commission’s review of the Act from 2008 to 2011.
"Important developments since 2011 that impact on the operation and adequacy of the privacy legislation include developments in data science and information technology, and new business models built on data driven enterprise. These developments have highlighted the importance for both the public and private sectors to optimise trust in the digital economy," he says.
"While the Act’s principles-based privacy regulation is inherently flexible, this new environment is revealing or confirming gaps and pressure points that add to those identified or considered in previous reviews. There are also apparent gaps and weaknesses in the Act’s enforcement framework that need to be addressed if the reforms proposed are to introduce an effective and modernised form of privacy regulation."
He notes that the international context has also seen significant developments, in particular the adoption of revised privacy laws in Europe that will come into force in 2018.
"These should now be taken into account in preparing revisions to New Zealand’s privacy law."