Privacy Commissioner (New Zealand)

The Office of the Privacy Commissioner (New Zealand) administers the Privacy Act 2020. The Privacy Commissioner is entrusted to protect personal information of New Zealanders in accordance with the Privacy Act. Current Privacy Commissioner, Michael Webster, began his role in July 2022.

The Privacy Commissioner oversees personal information held by agencies in both the public and private sectors. This is achieved through monitoring compliance with the 13 Information Privacy Principles. Amid his varied responsibilities, the Commissioner administers a complaint system and issues Codes of Practice or rules for particular industries, contexts and sectors. Most cases involve investigation, conciliation and settlement. Serious breaches are referred to the Human Rights Review Tribunal. The Commissioner inherently considers international obligations and worldwide developments in privacy protection.

History
The now repealed Privacy Commissioner Act 1991 established the role of the Privacy Commissioner. The Commissioner had a principal role in the development of the Privacy Bill 1993, which passed into law as the Privacy Act 1993 and established the revised Office of the Privacy Commissioner.

In March 2018, the Privacy Bill was introduced to Parliament. The Bill was passed by New Zealand Parliament in June 2020 and the Privacy Act 2020 came into law on 1 December 2020. The Privacy Act 2020 significantly updates the 1993 Act. Many of the changes are based on recommendations from the New Zealand Law Commission's 2011 review of New Zealand's privacy laws.

List of privacy commissioners
The Office of Privacy Commissioner has been held by:
 * Sir Bruce Slane, KNZM CBE (1993–2003)
 * Dame Marie Shroff, DNZM CVO (2003 – February 2014)
 * John Edwards (17 February 2014 – 31 December 2021)
 * Michael Webster (since 5 July 2022)

Privacy Act 2020
The Privacy Act 2020 is primarily concerned with information privacy; other aspects of privacy are protected by the common law right to privacy in New Zealand. The Act controls the collection, use, disclosure, storage and granting of access to personal information by agencies. Personal information covers any information about an identifiable natural person.

The key changes in the Privacy Act 2020 include:


 * new criminal offences
 * introduction of compliance orders
 * binding access determinations
 * controls on the disclosure of information overseas
 * mandatory notification of harmful privacy breaches
 * the law now explicitly applies to overseas-based entities that carry on business in New Zealand.

The Privacy Act was originally enacted in 1993 in an era of heightened national awareness for human rights, and sits alongside the New Zealand Bill of Rights Act 1990 and the Human Rights Act 1993. The Privacy Act similarly addressed international concerns, acknowledging privacy obligations under the Universal Declaration of Human Rights, and the International Covenant on Civil and Political Rights.

The Privacy Act extended protection to "any person or body of persons whether corporate and unincorporate," in both the public and private sectors. Inclusion of the private sector was considered revolutionary. The Commissioner thus oversees government departments, companies, religious organisations, and schools. Some limited exemptions to the Privacy Act exist: the sovereign, the House of Representatives, courts and tribunals acting in judicial capacity, news media activities, and individuals holding personal information for private use.

The Information Privacy Principles (IPPs), monitored by the Commissioner, are based on guidelines established by the Organisation for Economic Co-operation and Development (OECD) in 1980. The IPPs cover:
 * Collection of personal information (principles 1 – 4);
 * Storage and security of personal information (principle 5);
 * Requests for access to and correction of personal information (principles 6 – 7);
 * Accuracy of personal information (principle 8);
 * Retention of personal information (principle 9);
 * Use and disclosure of personal information (principles 10 – 11);
 * Cross border disclosures (principle 12); and
 * Using unique identifiers (principle 13).

In ANZ National Bank Ltd v Tower Insurance, the High Court held the privacy principles require that personal information can only be collected for "a lawful purpose and is necessary for that purpose." The principles do not outline their practical application, giving the Commissioner flexibility to deal with varying fact situations as they arise.

In exceptional circumstances, when the Privacy Commissioner is satisfied the public interest outweighs privacy protection, agencies can be authorised to use personal information in a manner that would usually breach the IPPs or other provisions under the Act.

Roles, functions and powers
The Office of the Privacy Commissioner is an independent Crown entity, funded by the state but acts independently of government or Ministerial control. In addition to monitoring compliance with the IPPs and PRPPs, the Commissioner's roles are extensively outlined in Section 13 of the Privacy Act. The central focus is to better protect the privacy of individuals, and includes:
 * Legislation and policy; reporting to the Prime Minister on "legislative, administrative, or other action," and examining proposed legislation involving the collection or disclosure of personal information;
 * Compliance; auditing personal information held by agencies, investigating and reporting on complaints, and inquiring into possible infringements;
 * Education and awareness; a user-friendly website, training workshops, and monitoring developments in data processing technologies;
 * Monitoring government information matching programmes;
 * Issuing Codes of Practice; which modify the privacy principles for different industries;
 * Liaison and development with international counterparts; especially in the Asia-Pacific region; and
 * Undertaking any other function, power or duty; conferred by the Privacy Act or any other enactment.

Functions listed elsewhere in the Act include consultation with the Ombudsman, Health and Disability Commissioner and the Inspector General of Intelligence and Security, and publishing personal information directories. The Commissioner is conferred functions in several other enactments, which can be categorised as:
 * Complaints investigation;
 * Scrutiny or approval of information disclosure arrangements;
 * Consultation with other agencies;
 * Codes of Practice;
 * Information matching; and
 * Advice on privacy impact assessments.

Complaints and decisions
The Privacy Commissioner can investigate potential breaches of the IPPs, PRPPs, or other Privacy Act provisions, on his or her own initiative or on receipt of a complaint. The onus is on the complainant to establish that an agency's action both breached a privacy principle and caused harm. Harm can include financial loss, adverse effect on rights or interests, or a significant injury to feelings. Breaches of principles 6 and 7, the refusal to grant access to or allow correction of information, need not establish harm as these situations are considered interferences per se. The Commissioner can decide to take no action based on issues of time, triviality, bad faith, or if another course of action is more appropriate.

Should the Commissioner decide to pursue a complaint, his role is both investigatory and conciliatory. With this mediation rather than litigation focus, the Commissioner can call "compulsory mediation conferences," and seek a resolution agreement and assurance of non-recurrence. Both parties to a complaint must be informed of the commencement of proceedings and the result of an investigation. The Commissioner has no power to force compensation payments from an agency, dismiss an employee or prosecute anyone.

In the 2019/2020 year, the Commissioner closed 769 investigation files. Outcomes mostly included information being released or partly released, followed by the giving of assurances, an apology, a change of policy, correction of information, and monetary payment. The majority of complaints involved a breach of the IPPs, ahead of the Health Information Privacy Code. The actions of government agencies, including education providers and local authorities, trigger most complaints, followed by health sector agencies.

Where settlement is unobtainable or an agency repeatedly contravenes prior assurances, the Commissioner may refer the complaint to the Director of Human Rights Proceedings. The Director has the discretion to determine whether the Human Rights Review Tribunal should institute proceedings. Aggrieved individuals may also self-refer proceedings before this body. If satisfied of privacy interference, the Tribunal may issue a declaration, grant orders restraining repeated interference or requiring specific acts be performed, award compensatory damages up to $350,000 NZD, or give another appropriate remedy. Where the powers of the Tribunal are exceeded, remedial instructions may be referred to the High Court or extended remedial powers conferred on the Tribunal by written agreement between the parties. Case notes and Tribunal decisions are published on the Commissioner's website.

The Commissioner does not operate a system of binding precedent in the outcomes of his decisions, instead considering each case independently. The IPPs, except principle 6, and the PRPPs are not enforceable in a law court. The Privacy Act however does not preclude complainants from taking court action for a breach of the common law right to privacy where the Commissioner has dealt with a statutory complaint on the same issue.

Codes of Practice
As the IPPs are generally worded, the Commissioner may issue more specific Codes of Practice for different "industries, agencies activities or types of personal information." The codes modify the application of the Privacy Act, including less or more stringent rules than contained in the privacy principles, as is appropriate. Extensive advertisement, consultation and invitation for submissions are stipulations. Codes must be approved as delegated legislation by the House of Representatives. Thereafter the codes become enforceable under the Act and the same complaints process applies. Further remedies may be available for breaches of legislation related to a particular industry. The Privacy Commissioner commends the codes as a flexible means of regulation, more readily capable of amendment or revocation than legislative provisions. The current Codes of Practice include:


 * Health Information Privacy Code 2020
 * Telecommunications Information Privacy Code 2020
 * Credit Reporting Privacy Code 2020
 * Civil Defence National Emergencies (Information Sharing) Code 2020
 * Justice Sector Unique Identifier Code 2020
 * Superannuation Schemes Unique Identifier Code 2020.

International
New Zealand's Privacy Commissioner participates internationally to promote global co-ordination in privacy protection. Such forums include the Global Privacy Assembly, APEC's Cross Border Privacy Arrangement, and the Global Privacy Enforcement Network. The Commissioner's Annual Report 2013 emphasised the need for cross-border protection given the accessibility of private information online.

In December 2012, New Zealand gained international approval for its privacy protection from the European Commission. The Commission stated that the Privacy Act and common law "cover all the basic principles necessary for an adequate level of protection for natural persons, and also provide for exemptions and limitations to safeguard important public interests." The invaluable role of the Commissioner, commended for the position's independence and adequate powers to protect individual privacy, was also noted.