The NEW ZEALAND PRIVACY module informs any person or body of persons, whether incorporated or unincorporated and whether in the public sector or the private sector, of the laws which they are required to comply with when dealing in any way with personal information and the right to confidentiality.
The main piece of legislation that governs privacy in New Zealand is the Privacy Act 1993 (NZ) (the Privacy Act). Additionally, there are codes of practice which are also legally binding. The codes of practice that are currently in force apply to the following industries;
- Telecommunications;
- Health;
- Credit reporting;
- Justice;
- Superannuation; and
- National emergency response.
There are other important pieces of legislation, apart from the Privacy Act, which also impose obligations on individuals and organisations pertaining to privacy and confidentiality. These include the;
- Human Rights Act 1993 (NZ);
- New Zealand Bill of Rights Act 1990 (NZ);
- Harmful Digital Communications Act 2015 (NZ);
- Harassment Act 1997 (NZ);
- Employment Relations Act 2000 (NZ);
- Criminal Records (Clean Slate) Act 2004 (NZ);
- Broadcasting Act 1989 (NZ);
- Official Information Act 1982 (NZ).
The Privacy Act contains a set of 12 information privacy principles (IPPs), which relate to personal information and its collection, use, disclosure, storage, quality and accuracy, access, correction, retention, and connection to unique identifiers. The NEW ZEALAND PRIVACY module covers the development and implementation by organisations of appropriate policies, procedures, systems and practices to support compliance with these IPPs as well as other legislative privacy obligations. The module provides information related to;
- Providing training to personnel regarding collection, use, disclosure, storage, retention and destruction of personal information;
- Making staff and other personnel aware of any workplace surveillance measures being undertaken;
- Dealing with unsolicited personal information;
- Specific requirements for electronic information;
- Relevance of electronic signatures;
- Appointing a privacy officer and taking steps to ensure that compliance with privacy obligations is an important facet of an entities culture and identity;
- Incorporating privacy impact assessments into project development and management to ensure privacy practices are regularly reviewed and remain adaptable to a changing environment.
The module also covers key additional privacy obligations which in some instances apply just to entities operating in the public sector;
- The Public Register Privacy Principles (PRPPs) which are in addition to the IPPs;
- Balancing the public interest of disclosing official information against an individual’s right to privacy;
- Reporting requirements for parties to approved information sharing agreements;
- Approved information matching program requirements;
- The different consequences for instances of breach of obligations.
The module covers best practice policies and processes an entity should employ in order to ensure ongoing compliance with all privacy obligations including;
- Developing a privacy culture with the appointment of a privacy officer and privacy champions who take responsibility for facilitating compliance;
- Having policies and processes that govern how personal information is handled from collection or receipt to destruction;
- Collection of personal information for legitimate purposes in a way that is fair and lawful;
- Storing personal information securely and putting in place controls and security measures to protect it from unauthorised use, misuse, damage and/or loss;
- Securely destroying or disposing of personal information once it is no longer required;
- Having processes in place to enable individuals to inquire about personal information held about them and access any information held;
- Having processes in place to enable individuals to request corrections and, where necessary, ensure the corrections are made;
- Maintaining accurate records and take steps to ensure the accuracy of any information before it is used;
- Having appropriate workplace employee/ employer management systems in place;
- Establish surveillance and whistleblower protections;
- Protection of confidential information;
- Protections for information transferred into or out of New Zealand;
- Implement a clear internal complaints procedure; and
- Comply with requirements of any information matching agreements;
- The requirements when information is forwarded outside of New Zealand.
The Privacy Commissioner is responsible for both conducting investigations into complaints about breaches of privacy and assisting entities to meet their compliance obligations. The module covers the obligations of entities to assist the Office of the Privacy Commissioner in the exercise of its duties. This includes providing reasonable assistance including the provision of documents and information when requested. Remedies for complainants that can be applied include ordering acts in reparation and the payment of money to complainants.
The NEW ZEALAND PRIVACY module provides comprehensive coverage of privacy and confidentiality laws for the receiver and user of personal information. The module does not focus on the actual collection of information or the rights of individuals during this process.