Compliance and Enforcement

Under the 1993 Act, the failure by agencies to take their obligations seriously has seen complaints take centre stage.

An individual makes a complaint; the Office of the PC investigates it, notifies the agency, informs them of their obligations and persuades them. If the agency provides reassurance that they have changed or will change their practice and do what is expected of them, then the Office of the PC backs out and marks the complaint as resolved.

This places the onus on the individual, and the threshold of significant harm needs to be reached.

There has been little proactive enforcement, except in areas such as credit reporting, where the Office of the PC has been more active.

The new legislation will introduce a new tool called Compliance Notices.

With a Compliance Notice, John will be able to respond to breaches of the Act more proactively, whether or not John has received a complaint, in the course of investigating a complaint, or perhaps as a result of being notified of a privacy breach.

John will be able to issue a notice to an agency setting out its obligations under the Act – “it appears to us you are not meeting them; this is what we are requiring you to do” – and he can later come back and check compliance. If compliance is not occurring, the Office of the PC will be able to seek enforcement of that Compliance Notice in the Human Rights Review Tribunal. This now enables access to a judicial body to enforce compliance with the Act, which signals a significant shift from the previous position.

In what sorts of scenarios might a Compliance Notice be used where an agency is not meeting its obligations under the Act?

It could be right across the board and concern any of the 12 Information Privacy Principles.

Example: the front end of any personal information transaction

You sign up for a service and suddenly find that your personal information is being used for an unexpected purpose not disclosed to you – this would constitute a breach of IPP 3.

The individual concerned may not have suffered significant harm enabling them to bring a complaint (they may simply have suffered annoyance), but the Office of the PC could go to the agency and say “your obligation is to tell people why you are collecting information and what is going to happen to it – you are clearly not meeting that obligation and I now require that you do it”.

If the collection is misleading, that would be a breach of IPP 4.

Someone might notify the Office of the PC of a security vulnerability affecting personal information.

Example: a company recruiting for staff using an online facility that uploads applicants’ details to a publicly accessible platform. In that case, the Office of the PC can issue a Compliance Notice telling that agency that it is breaching its obligation to keep personal information secure, and that it must stop using that service, stop disclosing information to another party and review its retention policy.

Right across the board, the Office of the PC will now be able to proactively identify and correct breaches of the Privacy Act.

The Office of the PC will be able to take action to prevent issues arising; it will no longer have to wait for a privacy complaint resulting from an individual suffering adverse consequences from a privacy breach.

Risky behaviours → put in place measures to address them

Agencies will still have an opportunity to comment and explain to the Office of the PC, but the Office of the PC will be able to get ahead and tell them to bring their practices up to standard before a data breach occurs.

The Office of the PC will look at factors such as:

  • The seriousness of the issue
  • The number of people that could be affected by the practices

New enforcement tools with offences targeting problematic behaviours:

  • Impersonation of another person for the purpose of obtaining their personal information → a criminal offence (likely scenario: a former partner who holds account information, personal information etc. of their former partner)
  • Prohibiting agencies from destroying personal information concerning an individual after that individual has made a request for that information → a criminal offence

In addition:

  • Obstructing / misleading the Office of the PC
  • Failure to comply with the Office of the PC’s lawful requests for information

will now attract fines of up to NZD $10,000.