New Zealand - Data Protection
History of Data Protection in NEW ZEALAND
The Privacy Commissioner Act 1991 established the office of the New Zealand Privacy Commissioner. This was quickly followed by the Privacy Act 1993, which entered into force on 1 July 1993. The Privacy Act is based on the principles of the OECD's 1991 Guidelines on the Protection of Privacy and Trans-border Flows of Personal Data. The Privacy Commissioner's key function is to oversee the operation of the 1993 Act.
At the heart of the Privacy Act are the twelve information privacy principles that deal, inter alia, with the collection, holding, use and disclosure of personal information. The principles also grant the individual the right to access their personal information, and to request corrections.
The 1993 Act has been amended twice since its inception, in 1993 and 1994.
Summary of Data Protection in NEW ZEALAND
| Title of Data Protection Legislation | The Privacy Act 1993 |
| Name of supervisory authority | The Privacy Commissioner |
| General Powers of supervisory authority |
The functions of the Privacy Commissioner are listed
in section 13 of the 1993 Act. They include: To promote, by education and publicity, an understanding and acceptance of the information privacy principles and of the objects of those principles; When requested to do so by an agency, to conduct an audit of personal information maintained by that agency for the purpose of ascertaining whether or not the information is maintained according to the information privacy principles; To monitor the use of unique identifiers, and to report to the Prime Minister from time to time on the results of that monitoring, including any recommendation relating to the need for, or desirability of taking, legislative, administrative, or other action to give protection, or better protection, to the privacy of the individual; For the purpose of promoting the protection of individual privacy, to undertake educational programmes on the Commissioner's own behalf or in co-operation with other persons or authorities acting on behalf of the Commissioner; To make public statements in relation to any matter affecting the privacy of the individual or of any class of individuals; To receive and invite representations from members of the public on any matter affecting the privacy of the individual; To provide advice (with or without a request) to a Minister or an agency on any matter relevant to the operation of this Act; To inquire generally into any matter, including any enactment or law, or any practice, or procedure, whether governmental or non-governmental, or any technical development, if it appears to the Commissioner that the privacy of the individual is being, or may be, infringed thereby; To examine any proposed legislation (including subordinate legislation) or proposed policy of the Government that the Commissioner considers may affect the privacy of individuals, and to report to the responsible Minister the results of that examination. |
| Who has standing to notify the supervisory authority of breaches? | Anybody. See s13(i) of the Privacy Act. |
| What are the penalties for data controllers if they breach the law? |
Section 85 of the 1993 Act sets out the remedies that
the Complaints Review Tribunal can award. They are: "(a) A declaration that the action of the defendant is an interference with the privacy of an individual; (b) An order restraining the defendant from continuing or repeating the interference, or from engaging in, or causing or permitting others to engage in, conduct of the same kind as that constituting the interference, or conduct of any similar kind specified in the order; (c) Damages in accordance with section 88 of this Act; (d) An order that the defendant perform any acts specified in the order with a view to remedying the interference, or redressing any loss or damage suffered by the aggrieved individual as a result of the interference, or both; (e) Such other relief as the Tribunal thinks fit." |
| Have any provisions been made for the processing of a national identification number or a general identifier, as per Article 8(7)? | Not in the data protection legislation. |
| Is it necessary to obtain consent before processing personal data, or are alternatives available even when obtaining consent would not be impracticable or inappropriate? | It is probably sufficient to use alternatives to consent even when it is not impracticable or inappropriate to obtain it. |
| Does the Data Protection Legislation cover the deceased? | No |
| Who is able to indirectly identify the data subject? | This is not mentioned in the New Zealand Act. |