Privacy (Cross-border Information) Amendment Act 2010

Crest

Privacy (Cross-border Information) Amendment Act 2010

Public Act2010 No 113
Date of assent7 September 2010
Commencementsee section 2

The Parliament of New Zealand enacts as follows:

1 Title
  • This Act is the Privacy (Cross-border Information) Amendment Act 2010.

2 Commencement
  • This Act comes into force on the day after the date on which it receives the Royal assent.

3 Purpose
  • The purpose of this Act is to—

    • (a) remove the current restrictions on who may make an information privacy request; and

    • (b) enable public sector agencies to charge for making personal information available to overseas foreign nationals; and

    • (c) provide for the referral of cross-border complaints to the appropriate privacy enforcement authority; and

    • (d) establish a mechanism for controlling the transfer of information outside New Zealand where the information has been routed through New Zealand to circumvent the privacy laws of the country from where the information originated.

Part 1
Amendments to Privacy Act 1993

4 Principal Act amended
5 New section 34 substituted
  • Section 34 is repealed and the following section substituted:

    34 Individuals may make information privacy requests
    • An information privacy request may be made only by an individual.

6 Commissioner may authorise public sector agency to charge
  • (1) Section 36 is amended by inserting the following subsection after subsection (1):

    • (1A) The Commissioner may authorise a public sector agency to impose a charge in respect of the matter referred to in section 35(1)(e) if the information privacy request is received from, or on behalf of, an individual who—

      • (a) is residing outside New Zealand; and

      • (b) is not a New Zealand citizen or a permanent resident of New Zealand.

    (2) Section 36(2) is amended by inserting or (1A) after subsection (1).

    (3) Section 36(3) is amended by inserting or (1A) after subsection (1).

7 New section 72C inserted
  • The following section is inserted after section 72B:

    72C Referral of complaint to overseas privacy enforcement authority
    • (1) Where, on receiving a complaint under this Part, the Commissioner considers that the complaint relates, in whole or in part, to a matter that is more properly within the jurisdiction of an overseas privacy enforcement authority, the Commissioner may consult with that authority in order to determine the appropriate means of dealing with the complaint.

      (2) As soon as practicable after consulting with the overseas privacy enforcement authority under subsection (1), the Commissioner must determine whether the complaint should be dealt with, in whole or in part, under this Act.

      (3) If the Commissioner determines that the complaint should be dealt with, in whole or in part, by the overseas privacy enforcement authority, and both the authority and the complainant agree, the Commissioner may refer the complaint or, as the case requires, the appropriate part of the complaint, to the authority to be dealt with.

      (4) In this section, overseas privacy enforcement authority or authority means any overseas public body that is responsible for enforcing legislation that protects personal information, and that has the power to conduct investigations and pursue enforcement proceedings.

8 New Part 11A inserted
  • The following Part is inserted after section 114:

    Part  11A
    Transfer of personal information outside
    New Zealand

    114A Interpretation
    • In this Part, unless the context otherwise requires,—

      OECD Guidelines means the Organisation for Economic Co-operation and Development Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data

      State includes any State, territory, province, or other part of a country

      transfer prohibition notice means a notice given under section 114B prohibiting the transfer of personal information from New Zealand to another State.

    114B Prohibition on transfer of personal information outside New Zealand
    • (1) The Commissioner may prohibit a transfer of personal information from New Zealand to another State if the Commissioner is satisfied, on reasonable grounds, that—

      • (a) the information has been, or will be, received in New Zealand from another State and is likely to be transferred to a third State where it will not be subject to a law providing comparable safeguards to this Act; and

      • (b) the transfer would be likely to lead to a contravention of the basic principles of national application set out in Part Two of the OECD Guidelines and set out in Schedule 5A.

      (2) In determining whether to prohibit a transfer of personal information, the Commissioner must also consider, in addition to the matters set out in subsection (1) and section 14, the following:

      • (a) whether the transfer affects, or would be likely to affect, any individual; and

      • (b) the general desirability of facilitating the free flow of information between New Zealand and other States; and

      • (c) any existing or developing international guidelines relevant to transborder data flows, including (but not limited to)—

        • (i) the OECD Guidelines:

        • (ii) the European Union Directive 95/46/EC on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data.

      (3) Subsection (1) does not apply if the transfer of the information, or the information itself, is—

      • (a) required or authorised by or under any enactment; or

      • (b) required by any convention or other instrument imposing international obligations on New Zealand.

    114C Commissioner's power to obtain information
    • (1) To enable the Commissioner to determine whether to prohibit a transfer of personal information, the Commissioner may hear or obtain information from such persons as the Commissioner considers necessary, and for this purpose Part 9 applies as if the Commissioner were carrying out an inquiry under section 13(1)(m).

      (2) In exercising his or her powers under subsection (1), the Commissioner may regulate his or her procedure in such manner as the Commissioner thinks fit.

    114D Transfer prohibition notice
    • (1) A prohibition under section 114B(1) is to be effected by the service of a transfer prohibition notice on the agency proposing to transfer the personal information concerned.

      (2) A transfer prohibition notice must—

      • (a) state the name of the agency to whom it relates; and

      • (b) describe the personal information concerned; and

      • (c) state that the transfer of the personal information concerned from New Zealand to a specified State is prohibited either—

        • (i) absolutely; or

        • (ii) until the agency has taken the steps stated in the notice to protect the interests of any individual or individuals affected by the transfer; and

      • (d) state the time when the notice takes effect; and

      • (e) state the ground for the prohibition; and

      • (f) state that the agency on whom the notice is served may lodge an appeal against the notice to the Human Rights Review Tribunal, and the time within which the appeal must be lodged.

      (3) The time when the notice takes effect under subsection (2)(d) must not be before the end of the period within which an appeal against the notice can be lodged.

      (4) If an appeal is brought, the notice does not take effect pending the determination or withdrawal of the appeal.

      (5) If the Commissioner, by reason of special circumstances, considers that the prohibition should take effect as a matter of urgency in relation to all or any part of the notice,—

      • (a) subsections (3) and (4) do not apply; and

      • (b) the notice takes effect on the sixth working day after the date on which the notice is served; and

      • (c) the notice must include—

        • (i) a statement that the Commissioner considers that the prohibition must take effect as a matter of urgency; and

        • (ii) a statement of the reasons why the Commissioner has reached that conclusion.

      Compare: Data Protection Act 1988 s 11 (Ire)

    114E Commissioner may vary or cancel notice
    • (1) If, at any time, the Commissioner considers that all or any of the provisions of a transfer prohibition notice served on an agency need not be complied with in order to avoid a contravention of basic principles of privacy or data protection, the Commissioner may vary or cancel the transfer prohibition notice by serving notice to that effect on the agency concerned.

      (2) An agency on whom a transfer prohibition notice has been served may, at any time after the end of the period during which an appeal under section 114G(1)(a) can be lodged, apply in writing to the Commissioner for the notice to be varied or cancelled under subsection (1).

      (3) The Commissioner must, within 20 working days after the date on which an application under subsection (2) is received, notify the agency of—

      • (a) his or her decision; and

      • (b) his or her reasons, if the application is refused.

      (4) If the Commissioner exercises his or her discretion under subsection (1), the variation or cancellation of the transfer prohibition notice takes effect on the day after the date on which notice of the Commissioner’s decision to vary or cancel the transfer prohibition notice is served.

      Compare: Data Protection Act 1998 s 41 (UK)

    114F Offence in relation to transfer prohibition notice
    • Every person who, without reasonable excuse, fails or refuses to comply with a transfer prohibition notice commits an offence and is liable on summary conviction to a fine not exceeding $10,000.

    114G Appeals against transfer prohibition notice
    • (1) An agency on whom a transfer prohibition notice is served may appeal to the Human Rights Review Tribunal—

      • (a) against the whole or any part of the notice; or

      • (b) if the notice contains a statement by the Commissioner in accordance with section 114D(5)(c), against the decision to include that statement in respect of all or any part of the notice; or

      • (c) against the decision of the Commissioner to vary the notice in accordance with section 114E(1); or

      • (d) against the refusal of an application under section 114E(2) to vary or cancel the notice.

      (2) An appeal under subsection (1) must be lodged,—

      • (a) in the case of an appeal under subsection (1)(a) or (b), within 15 working days from the date on which the transfer prohibition notice was served on the agency concerned:

      • (b) in the case of an appeal under subsection (1)(c) or (d), within 15 working days from the date on which notice of the decision or refusal was served on the agency concerned.

      (3) The Tribunal must allow an appeal or substitute any other decision or notice that could have been made or served by the Commissioner if it considers that—

      • (a) the decision or notice against which the appeal is brought is not in accordance with the law; or

      • (b) to the extent that the decision or notice involved an exercise of discretion by the Commissioner, the Commissioner ought to have exercised his or her discretion differently.

      (4) The Tribunal may review any determination of fact on which the decision or notice in question was based.

      (5) On any appeal under subsection (1)(b), the Tribunal may—

      • (a) direct—

        • (i) that the notice in question must have effect as if it did not contain the statement that is mentioned in the notice; or

        • (ii) that the inclusion of the statement must not have effect in relation to any part of the notice; and

      • (b) make any modifications required to give effect to that direction.

      Compare: Data Protection Act 1998 ss 48, 49 (UK)

    114H Application of Human Rights Act 1993
    • Section 87 and Part 4 of the Human Rights Act 1993 apply, with all necessary modifications (if any), in relation to proceedings under section 114G as if they were proceedings under that Act.

9 New section 128A inserted
  • The following section is inserted after section 128:

    128A Power to amend Schedule 5A
    • The Governor-General may, by Order in Council,—

      • (a) amend Schedule 5A by making such amendments to the text of the basic principles of national application set out in that schedule as are required to bring that text up to date:

      • (b) repeal Schedule 5A, and substitute a new schedule setting out, in an up-to-date form, the text of the basic principles of national application.

10 New Schedule 5A inserted

Part 2
Consequential amendment to Adoption (Intercountry) Act 1997

11 Principal Act amended
12 Access to information

Schedule 
New Schedule 5A inserted

s 10

Schedule 5A
Basic principles of national application set out in Part Two of the OECD Guidelines

s 114B(1)(b)

Collection limitation principle

There should be limits to the collection of personal data and any such data should be obtained by lawful and fair means and, where appropriate, with the knowledge or consent of the data subject.

Data quality principle

Personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes, should be accurate, complete and kept up-to-date.

Purpose specification principle

The purposes for which personal data are collected should be specified not later than at the time of data collection and the subsequent use limited to the fulfilment of those purposes or such others as are not incompatible with those purposes and as are specified on each occasion of change of purpose.

Use limitation principle

Personal data should not be disclosed, made available or otherwise used for purposes other than those specified in accordance with [the Purpose specification principle above] except:

  • (a) with the consent of the data subject; or

  • (b) by the authority of law.

Security safeguards principle

Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorised access, destruction, use, modification or disclosure of data.

Openness principle

There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and usual residence of the data controller.

Individual participation principle

An individual should have the right:

  • (a) to obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him;

  • (b) to have communicated to him, data relating to him

    • within a reasonable time;

    • at a charge, if any, that is not excessive;

    • in a reasonable manner; and

    • in a form that is readily intelligible to him;

  • (c) to be given reasons if a request made under subparagraphs (a) and (b) is denied, and to be able to challenge such denial; and

  • (d) to challenge data relating to him and, if the challenge is successful to have the data erased, rectified, completed or amended.

Accountability principle

A data controller should be accountable for complying with measures which give effect to the principles stated above.


Legislative history

2 July 2008Introduction (Bill 221–1)
1 April 2009First reading and referral to Justice and Electoral Committee
30 September 2009Reported from Justice and Electoral Committee (Bill 221–2)
24 August 2010Second reading, third reading
7 September 2010Royal assent

This Act is administered by the Ministry of Justice.