Data Protected - New Zealand

Contributed by Buddle Findlay

Last updated December 2017

General | Data Protection Laws

National Legislation
National Supervisory Authority
Scope of Application
Personal Data
Sensitive Personal Data
Data Protection Officers
Accountability and Privacy Impact Assessments
Rights of Data Subjects
Security
Transfer of Personal Data to Third Countries
Enforcement

ePrivacy | Marketing and cookies

National Legislation
Cookies
Marketing by E-mail
Marketing by Telephone

_____________________________________________________________________

General | Data Protection Laws

____________________________________________________________

National Legislation

General data protection laws 

The Privacy Act 1993 (the "Privacy Act").

The Privacy Principles in the Privacy Act may be superseded by a code issued by the Privacy Commissioner for particular sectors. There are currently six codes in operation: the Civil Defence National Emergencies (Information Sharing) Code, the Credit Reporting Privacy Code, the Health Information Privacy Code, the Justice Sector Unique Identifier Code, the Superannuation Schemes Unique Identifier Code and the Telecommunications Information Privacy Code.

Over recent years, there has been extensive discussion regarding reform of privacy law in New Zealand. Both the New Zealand Law Commission and the Office of the Privacy Commissioner have made recommendations for particular areas of reform (including mandatory breach notification and stronger enforcement powers) to bring New Zealand's privacy law into line with other jurisdictions. A Privacy Law Reform Bill was scheduled for 2017, but has not yet been tabled in Parliament.

Entry into force

The majority of the provisions of the Privacy Act came into force on 1 July 1993.

_____________________________________________________________________

National Supervisory Authority

Details of the competent national supervisory authority

Office of the Privacy Commissioner
Level 8
109-111 Featherston Street
Wellington 6143

www.privacy.org.nz

Notification or registration scheme and timing

There is no notification or registration scheme for organisations that deal with personal data.

Exemptions to notification

Not applicable.

_____________________________________________________________________

Scope of Application

What is the territorial scope of application?

The Privacy Act applies to activities of agencies within New Zealand.

Is there a concept of a controller and a processor?

The Privacy Act contains concepts similar to that of controllers and processors. Where an agency: (i) holds personal information as agent for, or for the sole purpose of processing the information on behalf of, another agency; and (ii) does not use or disclose the information for its own purposes, then the information will be deemed to be held by the agency on whose behalf it is held or processed.

Are both manual and electronic records subject to data protection legislation?

Yes. The Privacy Act applies to all information collected, stored or held by an agency and is not reliant on the form in which the information is recorded.

Are there any national derogations?

The Privacy Act applies to all "agencies", being any person or body of persons, whether corporate or unincorporated, and whether in the public sector or the private sector.

Most organisations will fall within the definition of an "agency". Organisations specifically excluded from this definition include members of Parliament, courts and tribunals in relation to their judicial functions and the news media when they are conducting their news activities.

In addition, individuals who collect or hold personal information for their own personal, family or household affairs are exempt from the Privacy Act (although this does not apply where the collection, disclosure, or use would be highly offensive to an ordinary reasonable person).

_____________________________________________________________________

Personal Data

What is personal data?

The Privacy Act uses the term "personal information" and defines it as "information about an identifiable individual", including information relating to a death that is maintained by the Registrar-General pursuant to the Births, Deaths, Marriages, and Relationships Registration Act 1995 or its predecessors. 

"Information" is not defined in the Privacy Act, but it has been held in interpreting other relevant legislation that "information" is not confined to the written word but embraces any knowledge, however gained or held.

Is information about legal entities personal data?

No. Personal information must concern a natural person.

What are the rules for processing personal data?

The collection, use, and disclosure of personal information, by public and private sector agencies, must comply with the 12 Information Privacy Principles (the "Privacy Principles") set out in the Privacy Act.

These principles can be summarised as obligations to: (i) collect the information via legal means and directly from the data subject (subject to the provided exceptions); (ii) identify and communicate to the data subject the fact of collection and the lawful purpose for the collection of the information; (iii) protect the information against loss, access, use, modification, disclosure and other misuse and maintain the information in such a way that the agency can confirm the existence of, correct or provide access to the information on the request of the data subject; (iv) take reasonable steps to ensure that, having regard to the purpose for which the information is proposed to be used, the information is accurate, up to date, complete, relevant and not misleading; and (v) not disclose the information unless permitted to do so by law. 

There are a number of exceptions, for example: (i) the Privacy Act applies only to the extent that it is not inconsistent with another Act of Parliament; and (ii) in special circumstances, the Privacy Commissioner can authorise agencies to collect, use or disclose information even when that would usually breach specified Privacy Principles.

Are there any formalities to obtain consent to process personal data?

No. However, Privacy Principle 3 sets out the information that the data subject must be made aware of before, or as soon as practicable after, information is collected.

Are there any special rules when processing personal data about children?

The Privacy Act does not contain any special rules relating to the personal information of children.

_____________________________________________________________________

Sensitive Personal Data

What is sensitive personal data?

The Privacy Act does not contain any concept or definition of sensitive personal data.

However, the Privacy Act does require agencies collecting personal information to only do so for a "lawful purpose connected with a function or activity of the agency", and the collection must be "necessary" for that purpose (Privacy Principle 1). In addition, information may not be collected by unlawful, unfair or unreasonably intrusive means (Privacy Principle 4). In practice, this may constrain the collection of certain types of personal information where they cannot be reasonably connected to a lawful purpose of the agency. 

Health information is subject to specific protection through the Health Information Privacy Code (the "HIPC").

Are there additional rules for processing sensitive personal data?

No. However, health information may be processed only for purposes allowed by the HIPC.

Are there additional rules for processing information about criminal offences?

Some criminal records are subject to specific protection through the Criminal Records (Clean Slate) Act 2004 (the "Clean Slate Act"). The criminal records of those who are deemed by the Clean Slate Act to have a clean criminal record may be processed only for purposes allowed by the Clean Slate Act.

Are there any formalities to obtain consent to process sensitive personal data?

No. However, the HIPC notes that agencies may need to give a more detailed explanation as to the intended use of information when particularly intimate or sensitive information is sought, or where it plans to use the information in an unexpected way.

_____________________________________________________________________

Data Protection Officers

When must a data protection officer be appointed?

Every public and private sector agency must have at least one privacy officer.

What are the duties of a data protection officer?

The Privacy Act sets out some of the responsibilities of the privacy officer, namely: (i) encouraging the agency to comply with the Privacy Principles; (ii) dealing with requests made to the agency under the Privacy Act (e.g. requests for access to personal information, or correction of personal information); (iii) working with the Office of the Privacy Commissioner in relation to investigations conducted pursuant to complaints made under the Privacy Act in relation to the agency; and (iv) otherwise ensuring compliance by the agency with the Privacy Act.

The Office of the Privacy Commissioner also recommends that a privacy officer should: (i) be familiar with the Privacy Principles in the Privacy Act and with any other legislation governing what the agency can and cannot do with personal information; (ii) deal with any complaints from the agency's clients about possible breaches of privacy; (iii) train other staff at the agency to deal with privacy properly; and (iv) advise managers on how to ensure the agency's business practices comply with privacy requirements, on the privacy impacts (if any) of changes to the agency's business practices, and on whether improving privacy practices might improve the business.

_____________________________________________________________________

Accountability and Privacy Impact Assessments

Is there a general accountability obligation?

There is no general accountability obligation in New Zealand privacy law. Agencies are required to adhere to the Privacy Principles outlined in the Privacy Act, and the Office of the Privacy Commissioner's website publishes guidance on how companies can do so. As part of Privacy Act reform, the Privacy Commissioner has recommended the introduction of a new power allowing the Privacy Commissioner to require an agency to: (i) establish a privacy management programme or plan that is adequate for its purposes; and (ii) demonstrate its ongoing compliance with the Privacy Act by reporting on the agency's privacy management programme or plan, either directly to the Commissioner or publicly.

The recommendation was made on the basis that the power would allow the Privacy Commissioner to identify and address significant gaps and weaknesses to mitigate the risk of future breaches.

Are privacy impact assessments mandatory?

The Office of the Privacy Commissioner's website contains guidance on Privacy Impact Assessments (PIAs) and the ways in which they are useful to agencies, but there is no requirement at law for agencies to carry out PIAs. The guidance notes that PIAs will help agencies to know if they are meeting their obligations under the Privacy Act.

_____________________________________________________________________

Rights of Data Subjects

Privacy notices

Before collecting information, an agency must have identified a lawful purpose for the collection that is connected to the agency's functions or activities. This purpose must be communicated to the data subject and will then govern how the information can be used (subject to exceptions within the Privacy Act).

The agency must also provide its details, the intended recipient(s) of the data subject's personal information, the authority and purpose of the collection, and the right of the data subject to access and correct his/her personal information.

Rights to access information

The data subject to whom particular information relates has a right to obtain confirmation from the agency of whether or not it holds such information and to have access to that information, provided the personal information is held in such a way that it can be readily retrieved (Privacy Principle 6).

Rights to data portability

There is no data portability right in New Zealand at this stage, but the Privacy Commissioner has recommended the introduction of data portability as a consumer right as part of modernisation of the Privacy Act.

Right to be forgotten

While there is no "right to be forgotten" in New Zealand privacy law, there is a limited right under the Privacy Act for a data subject to request that an agency holding personal information about that data subject make a correction to that information. Such a correction may be by way of a deletion of information (Privacy Principle 7). 

In addition, the Harmful Digital Communications Act 2015 (the "HDCA") has introduced, among other things, a right for individuals to apply to the District Court for a take-down order. The purpose of the HDCA is to: (i) deter, prevent, and mitigate harm caused to individuals by digital communications (i.e. any form of electronic communication); and (ii) provide victims of harmful digital communications with a quick and efficient means of redress.

Individuals who allege they have suffered or will suffer harm as a result of a digital communication can lay a complaint with Netsafe, the approved agency under the HDCA, and Netsafe will attempt to resolve the issue between the parties. If Netsafe is unable to resolve the matter, or decides to take it no further, affected individuals may apply to the District Court for a number of orders, including that the material is taken down or corrected.

Objection to direct marketing and profiling

The Privacy Act does not give data subjects a right to object to direct marketing. However, please see the section which follows dealing with ePrivacy for comments on data subjects' rights to object to direct marketing by email, telephone and fax.

Other rights

Where an agency holds personal information, Privacy Principle 7 entitles the data subject to request the correction of his/her information and to request that a statement be attached to his/her personal information noting that a correction has been sought but not made.

_____________________________________________________________________

Security

Security requirements in order to protect personal data

Privacy Principle 5 of the Privacy Act requires agencies to protect personal information with such security safeguards as it is reasonable in the circumstances to take against loss, access, use, modification, disclosure and other misuse.

If it is necessary for the information to be given to a third party, the agency must do everything reasonably within its power to prevent unauthorised use or unauthorised disclosure of the information by that third party.

Specific rules governing processing by third party agents (processors)

The Privacy Act does not contain any specific rules regarding security requirements where information is processed by a third-party agent. 

However, as noted above, where an agency: (i) holds personal information as agent for, or for the sole purpose of processing the information on behalf of, another agency; and (ii) does not use or disclose the information for its own purposes, the information will be deemed to be held by the agency on whose behalf it is held or processed. In addition, the Privacy Act provides that a principal will be liable for the acts or omissions of its agent regarding the processing of personal information, unless done or omitted without the (principal) agency's express or implied authority.

Accordingly, where an agency appoints a third-party agent to process personal information on its behalf, the agency will remain responsible under the Privacy Act for ensuring that the Information Privacy Principles (including the security requirements in Principle 5) continue to be met.

Notice of breach laws

There is currently no legal requirement to notify in the event of any breach or loss of personal information, though the New Zealand Government has signalled reform in this area (a Privacy Reform Bill was expected in 2017, but as yet no Bill has been introduced). 

However, the Office of the Privacy Commissioner has issued guidelines to help agencies take the appropriate steps in the event of a privacy breach and to provide guidance as to whether a voluntary notification to both affected data subjects and the Privacy Commissioner should be made. The key consideration in deciding whether to notify affected data subjects is whether notification is necessary in order to avoid or mitigate harm to the data subject. There may also be situations where the data subject cannot take any steps to mitigate potential harm but the privacy breach was so material as to warrant notification.

Agencies are also encouraged to inform the Office of the Privacy Commissioner of material privacy breaches so the Office is aware of the breach and can effectively handle any related enquiries or complaints.

_____________________________________________________________________

Transfer of Personal Data to Third Countries

Restrictions on transfers to third countries

Subject to compliance with the Information Privacy Principles, personal information may be transferred to a third country without restriction. 

However, both the Privacy Act and the HIPC will continue to apply to personal information and health information even when it is transferred out of New Zealand. For the purposes of Privacy Principles 5 (Storage), 8 (Accuracy), 9 (Retention), 10 (Limits on use) and 11 (Limits on disclosure), information transferred out of New Zealand is still considered to be held by the agency. Similarly, for the purposes of Privacy Principles 6 (Access to personal information) and 7 (Correction of personal information), information held by an agency includes information held outside New Zealand by that agency.

In addition, the Privacy Commissioner may prohibit transborder dataflows of information where the Privacy Commissioner is satisfied, on reasonable grounds, that: (i) the information has been received in New Zealand from another state and the transborder dataflow is likely to be to a third state where it will not be subject to a law providing comparable safeguards to the Privacy Act; and (ii) the transborder dataflow would be likely to lead to a contravention of the basic principles of national application set out in Part Two of the OECD Guidelines and Schedule 5A of the Privacy Act. This power was added to the Privacy Act in the course of New Zealand's application to obtain whitelisted country status, in order to address European Commission concerns regarding the ability to regulate transfers from New Zealand of personal information which has originated in an EEA country.

The Privacy Commissioner's powers to prohibit transborder dataflows do not apply where the transborder dataflow is required by New Zealand law, or any convention or other instrument imposing international obligations on New Zealand.

Notification and approval of national regulator (including notification of use of Model Contracts)

There is no additional obligation to notify or obtain the consent of the Privacy Commissioner for transborder dataflows.

Use of binding corporate rules

There is no concept of binding corporate rules in New Zealand privacy law.

_____________________________________________________________________

Enforcement

Fines

The Privacy Commissioner has very limited powers and does not have any ability to make rulings or determinations, issue fines or bring prosecutions, direct settlements, or order an agency to give a complainant particular information. Instead, the Privacy Commissioner operates as a body to receive and investigate complaints regarding interference with an individual's privacy.

It is an offence under the Privacy Act (punishable on summary conviction with a fine not exceeding NZ$ 2,000) to: (i) without reasonable excuse, obstruct, hinder, or resist the Privacy Commissioner or any other person in the exercise of its powers under the Privacy Act; (ii) without reasonable excuse, refuse or fail to comply with any lawful requirement of the Privacy Commissioner or any other person under the Privacy Act; (iii) make any statement or give any information to the Privacy Commissioner or any other person exercising powers under the Privacy Act knowing that the statement or information is false or misleading; or (iv) represent, directly or indirectly, that he or she holds any authority under the Privacy Act when he or she does not hold that authority.

The Privacy Commissioner has recommended as part of privacy law reform the introduction of civil penalties into the Privacy Act, which would allow the Privacy Commissioner to seek the imposition of suitably significant civil penalties in cases of very serious or repeated breach of the Privacy Act. The recommendation is for these penalties to range up to NZ$ 100,000 (about GBP 52,000) for individuals, and up to NZ$ 1 million (about GBP 520,000) for companies.

Imprisonment

The offences under the Privacy Act are not punishable by imprisonment.

Compensation

The Privacy Commissioner will often try to settle the complaint by conciliation and mediation. If the complaint is not settled during the investigation, then the Privacy Commissioner may form the view either that there is no substance to a complaint (in which case the complainant may still file proceedings with the Human Rights Review Tribunal on his/her own account) or that there is substance to the complaint and refer it to the Director of Human Rights Proceedings (a separate statutory authority) to decide whether or not to bring proceedings at the Human Rights Review Tribunal (the "Tribunal").

If the complaint is referred to, or taken by the complainant to, the Tribunal, the Tribunal will hear the complaint afresh and is not bound by the Privacy Commissioner's opinion. The decision of the Tribunal on a Privacy Act complaint is legally binding.

The Tribunal can award various remedies, including: (i) a declaration that the agency breached the law; (ii) an order preventing repetition of the breach; (iii) an order to rectify the breach; (iv) damages; and/or (v) an award of costs against the losing party. The Human Rights Review Tribunal's power to award damages is subject to a maximum of NZ$ 200,000 (approximately GBP 110,000).

Other powers

It is expected that increased powers for the Privacy Commissioner (including the ability to issue compliance notices and impose civil penalties as mentioned above, and independently investigate privacy issues) would be a feature of privacy law reform.

Practice

According to the Annual Report of the Privacy Commissioner 2016, the Privacy Commissioner received 969 privacy complaints from members of the public in the year ending 30 June 2016. Of the complaints closed for the year 2015/16, 49% were closed with some sort of settlement.

Recent enforcement action includes compensation of NZ$ 18,000 (approximately GBP 10,000) ordered payable by an individual, rather than the organisation for whom he worked, for humiliation and loss of dignity, caused by the disclosure of a damaging letter about the Plaintiff to a student magazine.

Other notable enforcement includes: (i) an award of NZ$ 168,000 (approximately GBP 87,000, the highest award to date) issued against a company which compelled an employee to access a former employee's (Ms H) Facebook page, in breach of Ms H's Facebook privacy settings, in order to access and maliciously distribute to third parties (including Ms H's new employer) a photo of a cake that Ms H had baked which featured derogatory language directed at her former employer; (ii) compensation of NZ$ 25,000 (approximately GBP 13,000) ordered payable by a telecommunications company which breached a customer's privacy by providing inaccurate information to a debt collection agency; (iii) compensation of NZ$ 21,000 (approximately GBP 11,000) ordered payable by a government agency which was found to be in breach of Principle 1 by collecting personal information which was not reasonably necessary for the purpose of assessing income-related rent applications; and (iv) compensation of NZ$7,500 (about GBP4,000) ordered payable by government entity Accident Compensation Corporation for failing to take reasonable steps to ensure information was accurate before use, having used an old medical report to determine that the complainant no longer needed compensation for an injury.

Two complaints were referred to the Director of Human Rights Proceedings for further action in 2016, one of which settled.

_____________________________________________________________________

ePrivacy | Marketing and cookies

_____________________________________________________________

National Legislation

ePrivacy laws

The Unsolicited Electronic Messages Act 2007 ("UEMA") governs the sending of commercial electronic messages. It prohibits the sending of unsolicited commercial electronic messages and also prohibits the use of address-harvesting software to compile lists of recipients for such messages. UEMA came into force on 4 September 2007.

UEMA applies to any electronic message sent for a commercial purpose. "Electronic message" is defined broadly to cover any form of message sent using a telecommunications service (but excluding voice calls) or to an electronic address, and therefore covers email, fax, text messages and other forms of electronic messages.

_____________________________________________________________________

Cookies

Conditions for use of cookies

Currently, New Zealand law does not contain any provisions regarding cookies and there is no legal requirement to notify users of cookies, third party or otherwise.

Regulatory guidance on the use of cookies

The Office of the Privacy Commissioner has suggested that the user should be informed when a cookie is intended to be received, stored or sent via the Internet. The notice should specify, in generally understandable language, which information is intended to be stored in the cookie, for what purpose, and the period of validity of the cookie.

_____________________________________________________________________

Marketing by E-mail

Conditions for direct marketing by e-mail to individual subscribers

UEMA sets out the conditions for direct marketing by e-mail. It requires that a "commercial electronic message" be sent only with the consent of the recipient, include accurate information about the person who authorised the sending of the message, and contain a functional unsubscribe facility that enables the recipient to instruct the sender that no further messages are to be sent to the recipient.

UEMA regulates the sending of commercial electronic messages which have a "New Zealand link", which is where: (i) the message originates from New Zealand; (ii) the person who sent the message, or the recipient of the message, is an individual who is physically present in New Zealand when the message is sent or accessed, or is an organisation whose central management and control is in New Zealand when the message is sent or accessed; or (iii) the message is sent to an electronic address that ends with ".nz" or begins with an international access code directly followed by "64".

UEMA expressly prohibits harvesting e-mail addresses for the purpose of sending bulk unsolicited commercial e-mails.

Conditions for direct marketing by e-mail to corporate subscribers

UEMA does not distinguish between individual and corporate recipients of commercial electronic messages.

However, with regard to the ability to deem or infer consent, UEMA provides that consent will be deemed to have been given when an email address (or other electronic address) has been conspicuously published by a person in a business or official capacity, it is not accompanied by a statement to the effect that the relevant electronic address-holder does not want to receive unsolicited electronic messages, and the message is relevant to the business, role, functions or duties of the recipient.

Exemptions and other issues

Exemptions from UEMA requirements include where the message provides a quote, facilitates a previously agreed commercial transaction, provides information about goods previously purchased, provides factual information about an ongoing membership or subscription, or delivers product upgrades, as well as certain messages authorised by a government body, court or tribunal, and certain messages in other specified circumstances where the sender and recipient have a special relationship and the message contains information relating to that relationship (such as information about employment or a related benefit plan, or information about a subscription, membership, account or loan). 

The Marketing Association has developed Best Practice Guidelines for Email Marketing which are complementary to the legislative framework provided by UEMA.

_____________________________________________________________________

Marketing by Telephone

Conditions for direct marketing by telephone to individual subscribers (excludes automated calls)

There is no specific legislative scheme limiting direct marketing by telephone to individual subscribers and voice calls made using a standard telephone service are specifically excluded from the scope of UEMA.

However, telemarketing activities, particularly with regard to the collection and storage of personal data, must comply with the Privacy Act 1993 and the 12 Information Privacy Principles. In addition, telemarketing is captured by the scope of various other enactments. Organisations that engage in telemarketing must comply with consumer protection laws, most notably the Consumer Guarantees Act 1993 and the Fair Trading Act 1986.

Conditions for direct marketing by telephone to corporate subscribers (excludes automated calls)

There are no separate requirements for direct marketing by telephone to corporate subscribers.

Exemptions and other issues

The Marketing Association has developed a Telemarketing Code of Practice for the purpose of promoting best practice by those engaged in telemarketing.

The Marketing Association also runs a voluntary scheme called the "Do Not Call" service. The service caters for people who do not wish to receive unsolicited marketing calls to their home telephone. Responsible businesses that use the telephone as a marketing tool subscribe to the Do Not Call list to ensure they do not call any number on that list. The "Do Not Call" service does not extend to businesses.

_____________________________________________________________________