Published: 15 May 2013
Pages: 105

Introduction  

2013 is the twentieth anniversary of the enactment of the Privacy Act, so it is fitting for the New Zealand Law Society to offer another seminar on the topic. Since the first NZLS Privacy Act seminar in 1993, there have been a number of changes in the privacy law landscape, including all existing case law on the legislation in the form of Privacy Commissioner case notes and many Tribunal and High Court decisions.

The Privacy Act deals with the currency of “personal information”, that is, information about individuals. Even if you are a corporate lawyer with little direct concern with personal information in your practice, all your clients will work with this type of information all the time, so it is vitally important that lawyers are able to orient themselves in the terrain and know the rights and duties that operate within it. That a number of Privacy Act cases have concerned breaches by lawyers indicates that not all practitioners have come to grips with their obligations under the legislation. That many defendants in privacy cases have been poorly advised by their lawyers is clear from decisions of the Tribunal. Furthermore, it is clear that privacy policies in at least some public sector agencies are not reasonably effective, as demonstrated by recent high profile data breaches at the Earthquake Commission, ACC, IRD, Immigration NZ, the Ministry of Social Development, the Ministry of Education, and (Queenstown) Lakes Environmental.

New Zealand is a member of an ever-growing number of nations with privacy legislation. The first national data privacy law was Sweden’s Data Act in 1973. At last count, 86 out of the 193 members of the United Nations now have privacy laws, including many of New Zealand’s trading partners. This is recognition that in the modern world, there is a need for regulating the collection and use of personal information by government and business, both of whose activities are now carried on across borders in an increasingly connected world.

Internationally, privacy regulation is now under pressure to replace the present notification and consent model of data protection (as contained, for example, in principle 3 of our Privacy Act) with a model based on the use of data. This would require agencies to be transparent in their processing; offer and honor appropriate choices; and entrust agencies to ensure that risks posed to individuals by use of their data are assessed and managed. The emphasis is proposed to be upon the way data isused rather than how it is collected, as is the position at present. This is on the basis that the true value of data may not be understood at the time of its collection, and that future uses that could have significant individual and societal benefits may be lost if regulations focus solely on the collection of data.

Our intention with this booklet is to equip lawyers to deal with privacy issues that arise under the current law on a day to day basis in their practices, and in their clients’ businesses, and to be ready to recognise the import of forthcoming changes in technology, policy and legislation.

John Edwards
Paul Roth