This year we mark a milestone in privacy law in New Zealand. On 5 May 1993, the Privacy Act was passed in Parliament with the complete support of the country’s political parties.
At the time, it was the first national information privacy law outside Europe to apply to both the public and private sectors. It did not, as some had predicted, paralyse business. It did not, as others had predicted, curtail the news media in reporting news.
Five years after its enactment, Assistant Privacy Commissioner Blair Stewart described the new statute in Necessary and Desirable: Privacy Act 1993 Review as a privacy law more comprehensive than any outside Europe and a ground-breaking piece of legislation. It had a set of information privacy principles (based on the privacy framework adopted by the OECD in 1980) and it established a national privacy commissioner.
Within a few short years, the Act notably advanced the privacy rights of individuals in New Zealand.
The new law gave New Zealanders the right to access their own medical records outside the public health system* which, at the time, was not a right individuals had in most parts of Australia and North America. It enabled New Zealanders to seek the correction of information held on credit reporting agencies’ files, if it happened to be inaccurate or wrong. Prior to the Privacy Act coming into law, there was no right even to see that information.
New Zealanders were also given the right to access information about them on their employer’s personnel files. While this had been a right public sector employees had since the 1980s, the Privacy Act extended it to include all employees.
The Act gave people a clear avenue for a privacy complaint. The Privacy Commissioner provided a simple mechanism with an ombudsman-like investigation into complaints and a non-adversarial approach.
Now, a quarter of a century later, we might view the Privacy Act with a degree of routine complacency, as a piece of legislation that has been around long enough not to be curious about its origins. But given the Privacy Act’s ‘silver jubilee’ year, we think it is time to mark the important role it plays in human rights protections in New Zealand.
During the 1960s and 1970s, people became increasingly concerned about privacy against a backdrop of the anti-Vietnam war protests, Cold War paranoia, and the perceived threat of larger computer databanks.
The concern continued on into the 1980s where significant efforts were made at international privacy standard setting and legislative developments to provide adequate protection to privacy. The approach of 1984 prompted a surge of interest in George Orwell’s dystopian novel of the same name and prompted many commentators and pundits to reflect on the technological challenges to individual privacy.
As a forerunner to the Privacy Act and as a response by lawmakers to concerns about the centralised collection of citizen data, New Zealand enacted the Wanganui Computer Centre Act 1976. This pioneering law was notable for being both New Zealand’s first data protection law and the nation’s first freedom of information law. Through it, individuals had the right to access to information held about them on the Wanganui computer – a database accessible by the justice sector and law enforcement agencies.
The 1990s arrived and we saw technological advances undreamed of by Orwell with the worldwide linking of computers, the electronic tracking of consumers and citizens through to global surveillance from orbiting satellites.
It was in this advanced technological age New Zealand’s Privacy Act was enacted. The Privacy Commissioner is an independent official. The information privacy principles apply to all agencies in the public and private sectors and govern the collection, holding, use and disclosure of personal information. Individuals have certain rights under the Act, including a way to seek redress for an interference with privacy.
Present and future
Up to now, the Privacy Act has provided a workable framework for addressing a range of privacy issues. But technology will not stand still. Nor will the demands and expectations of New Zealanders. Internationally, the European Union’s General Data Protection Regulation (GDPR) takes effect in May 2018 and this will have widespread implications on the rules that govern global data flows.
The government in New Zealand has moved to update New Zealand’s 25 year old Privacy Act. These changes can be traced back to the Law Commission’s review of the Privacy Act in 2011.
The Ministry of Justice, which is responsible for the proposed legislation, has indicated that a Bill amending the current Act is currently being drafted. The Ministry says reforms to the Act will better protect people’s personal information and help ensure businesses and organisations that hold such data safeguard and handle it appropriately. The proposals include stronger powers for the Privacy Commissioner, mandatory reporting of privacy breaches, new offences and increased fines. In particular, the reforms aim to encourage private and public sector agencies to identify risks and prevent incidents that could cause harm.
The law reform process is the culmination of many years of preparatory work by the Law Commission and the Office of the Privacy Commissioner.
In the meantime, it’s a cause for celebration that our privacy law, in its current form, has helped thousands of New Zealanders get access to their information, resolve their privacy issues and raised privacy bar among hundreds of businesses and organisations.
*The right to access records held by public hospitals had been in place since 1987.