The Law Commission is recommending a massive overhaul of the Privacy Act providing stronger enforcement measures and changes that alternately offer better protection of individual privacy and make it easier for government agencies to bulk share private information.
Changes protecting individuals include a statutory "Do Not Call Register" which would allow New Zealanders to register their choice not to receive telephone marketing calls.
The Commission also recommends the current exemption for personal or domestic information should not apply if the collection or disclosure of the information would be highly offensive. The change would deal with situations such as when a person posts naked photographs of their ex-partner online without consent.
The Commission's final report, Review of the Privacy Act 1993, the last of a four-stage review of privacy law, was tabled in parliament today.
A key change, if the Commission's recommendations are accepted, would see agencies - which have lost personal data, or had it stolen through hacking or other means - required to notify victims of the data breach.
"People have a right to know if their information has been compromised in a serious way," said Law Commissioner Professor John Burrows.
The change would allow those whose information had been breached to take steps to protect themselves, such as cancelling credit cards or changing passwords. The change is designed to combat identity theft and includes steps agencies should take - such as number truncation - to limit the risk of misuse of unique identifiers.
Privacy in the Digital Age
The commission has also grappled with how the internet changes notions of privacy and recommends clarifying the Act so that "publication" of personal information includes the internet.
It also addresses concerns about the flow of information across country borders and how information can now be held in a nebulous "cloud" of computers located overseas.
The Commission points out protection other countries may not meet New Zealand standards and recommends putting new obligations on agencies to check before they send or store information overseas that privacy will be protected.
The commission also wants to give the Privacy Commissioner more teeth with the ability to issue compliance notices and order audits of how agencies handle personal information.
It also recommends a new complaints process whereby the Commissioner, rather than the Human Rights Review Tribunal, decides whether to bring a complaint to the Tribunal.
The Commissioner would also be able to make a binding decision about an agency's failure to release the personal information it holds on an individual.
Two new Privacy Act offences would be created: impersonating a person in order to access or misuse that person's information; and destroying personal information to evade a request for access under the Act.
On the vexed issue of data matching across government agencies which some see as creeping Big Brother government and ways to monitor citizens' every move, the commission argues there are many good reasons for government departments to share personal information.
Examples cited include collaboration to provide one-stop-shops and "smarter" services, plus working across agencies to tackle social problems such as child abuse.
At the moment such sharing is not always possible under the Privacy Act and the government has had to pass legislation to specifically override the Act.
The Commission recommends a new mechanism to provide greater certainty for government agencies, but notes there are considerable risks in "unconstrained information sharing."
The proposed process would involve consultation with final approval by Cabinet and details of all sharing programmes to be published on agencies' websites and listed in a schedule to the Privacy Act.
"It is vital that government has the trust of citizens whose information it holds," said Professor Burrows.
Other changes include clarifications to existing exemptions whereby people can pass on information when someone's health is at risk, or report suspected offending to the police.
Agencies will also be able to withhold information from individuals making requests for information about themselves, if the information held relates to a victim of a crime that would cause distress to that victim.
News media remain exempt from the Act - but only media subject to a code of ethics which deals with privacy such as the Press Council and the Broadcasting Standards Authority.
Online and other news media which are not covered by complaints bodies would be subject to the Act. In the field of health information, the Commission recommends a separate review to deal with the complexities of health care data.