Privacy Regulations 2020

  • latest version but not yet in force

Regulations

1 Title

These regulations are the Privacy Regulations 2020.

2 Commencement

These regulations come into force on 1 December 2020.

3 Interpretation

(1)

In these regulations, unless the context otherwise requires,—

Act means the Privacy Act 2020

Commissioner means the Privacy Commissioner

serve includes to give or issue

Tribunal means the Human Rights Review Tribunal.

(2)

A term or expression defined in the Act and used, but not defined, in these regulations has the same meaning as in the Act.

4 Transitional, savings, and related provisions

The transitional, savings, and related provisions (if any) set out in Schedule 1 have effect according to their terms.

5 Service of documents

Any notice or other document that is required by the Act to be served on a person may be served on the person in any of the following ways:

(a)

by personally delivering it to the person:

(b)

by electronic transmission (for example, by email or facsimile):

(c)

by leaving it at the person’s usual or last known place of residence or business:

(d)

by leaving it at an address specified by the person as an address to which the document may be delivered:

(e)

by leaving it at a document exchange for direction to the person’s document exchange box number:

(f)

by posting it to—

(i)

the person’s usual or last known place of residence or business; or

(ii)

the address specified by the person as an address to which the document may be delivered.

6 Service by electronic transmission

(1)

If a document is transmitted electronically under regulation 5(b) before 5 pm on any working day, then, unless the contrary is shown, the document is treated as served at the time it first enters an information system outside the control of the sender.

(2)

If a document is transmitted electronically under regulation 5(b) on a day that is not a working day, or after 5 pm on a working day, the document is treated as served on the first subsequent working day.

(3)

In proving service, it is sufficient to prove that the electronic transmission was properly addressed and sent.

(4)

In this regulation, information system means a system for producing, sending, receiving, storing, displaying, or otherwise processing electronic communications.

7 Service by means of document exchange

(1)

If a document is left at a document exchange under regulation 5(e), the document is treated as being served on the earlier of the following:

(a)

the second working day after the day it was left at the document exchange:

(b)

the day on which it was received.

(2)

In proving service, it is sufficient to prove that the envelope containing the document was left at the document exchange.

8 Service by post

(1)

If a document is posted under regulation 5(f), the document is treated as being served on the earlier of the following:

(a)

the fifth working day on which it was posted:

(b)

the day on which it was received.

(2)

In proving service, it is sufficient to prove that the envelope containing the document was properly addressed and posted.

9 Service on overseas agency

(1)

If a document is required to be served on an overseas agency that has a place of business in New Zealand or a New Zealand agent or representative, the document may be—

(a)

served in any of the ways specified in regulation 5 on—

(i)

an employee of the overseas agency at the overseas agency’s place of business in New Zealand, or, if the overseas agency has more than 1 place of business in New Zealand, at the overseas agency’s principal place of business in New Zealand; or

(ii)

the overseas agency’s New Zealand agent or representative; or

(b)

served abroad in any of the ways specified in regulation 5(a) to (e) on the overseas agency.

(2)

If a document is required to be served on an overseas agency that does not have a place of business in New Zealand or a New Zealand agent or representative, the document may be served abroad on the overseas agency in any of the ways specified in regulation 5(a) to (e).

10 Service on deceased

If a document is required to be served on a deceased person, the document may be served on the person’s personal representatives.

11 Commissioner or Tribunal may direct manner of service

(1)

This regulation applies in the following circumstances:

(a)

the person on whom or on which a document is required to be served is not known; or

(b)

for any reason it is not practicable to serve a document on a person in any of the ways specified in regulation 5.

(2)

If the Act does not prescribe a particular and exclusive mode of serving a document, the Commissioner or Tribunal may direct—

(a)

the manner in which the document is to be served; or

(b)

that the document need not be served.

12 Procedure for giving public notice of notifiable privacy breach

(1)

Public notice of a notifiable privacy breach required to be given by an agency under section 115(2) of the Act must be published—

(a)

on an Internet site that—

(i)

is maintained by or on behalf of the agency; and

(ii)

is publicly accessible free of charge at all reasonable times; and

(b)

in at least 1 other medium (whether electronic or non-electronic) that the agency considers is most likely to bring the notice to the attention of the greatest number of affected individuals.

(2)

The notice must—

(a)

describe the notifiable privacy breach without identifying any affected individual; and

(b)

state any steps that an affected individual may take to mitigate or avoid potential loss or harm; and

(c)

confirm that the Commissioner has been notified of the privacy breach; and

(d)

state that an affected individual has the right to make a complaint to the Commissioner about the privacy breach; and

(e)

state the contact details of a person within the agency to whom inquiries may be made in respect of the privacy breach.

13 Reporting requirements for approved information sharing agreements

(1)

The Commissioner may specify to a lead agency that a report prepared by the lead agency under section 154(1)(b) of the Act on the operation of an approved information sharing agreement for a reporting period include any or all of the following matters:

(a)

a reasonable estimate of the financial and other costs incurred during the reporting period for the sharing of personal information under the approved information sharing agreement:

(b)

the details of any significant difference between the reasonable estimate of costs reported under paragraph (a) and the costs of sharing personal information under the agreement that were identified prior to approval of the agreement:

(c)

a reasonable estimate of the benefits of the approved information sharing agreement accrued during the reporting period:

(d)

the details of any significant difference between the reasonable estimate of benefits reported under paragraph (c) and the benefits of sharing personal information under the agreement that were identified prior to the approval of the agreement:

(e)

any difficulties experienced in the operation of the approved information sharing agreement, and how those difficulties are being, or have been, overcome:

(f)

whether internal audits or other forms of assessment have been undertaken by a party to the approved information sharing agreement in relation to the agreement and, if so, a summary of the results of those audits or assessments:

(g)

the number of individuals whose personal information has been shared under the approved information sharing agreement or, where the number is not known, the lead agency’s best estimate of that number:

(h)

the number of information sharing transactions between the parties to the approved information sharing agreement, calculated by adding together the number of persons whose personal information is shared on each occasion of sharing under the agreement, regardless of whether a person’s personal information is shared on more than 1 occasion:

(i)

if the same personal information is not shared between all parties to the approved information sharing agreement, then, for each kind of personal information shared under the agreement,—

(i)

the parties sharing that information; and

(ii)

the number of information sharing transactions between those parties referred to in subparagraph (i):

(j)

the number of individuals to whom notice of adverse action was given under the approved information sharing agreement:

(k)

the number of individuals given a notice of adverse action who disputed the correctness of the personal information on which the proposed action is based:

(l)

the number of individuals referred to in paragraph (k) in respect of whom an adverse action was not taken:

(m)

the number of individuals in respect of whom adverse action was taken after notice was given under the approved information sharing agreement:

(n)

the number of individuals in respect of whom adverse action was taken without prior notice being given under the approved information sharing agreement:

(o)

the number of individuals in respect of whom adverse action was taken where there was no requirement to give prior notice under the approved information sharing agreement:

(p)

the types of adverse actions taken as a result of the sharing of personal information under the approved information sharing agreement:

(q)

the particulars of any additional safeguards that have been put in place by any party to the agreement to protect the privacy of individuals and ensure that any interference with their privacy is further minimised:

(r)

the amendments made to the approved information sharing agreement (including amendments notified under section 157(2) of the Act) since,—

(i)

if the report is the first report prepared by the lead agency, the date on which the Order in Council approving the information sharing agreement came into force; or

(ii)

if the report is not the first report prepared by the lead agency, the date of the last report prepared by the lead agency:

(s)

statistical information about—

(i)

the number and types of complaints received by the Privacy Commissioner about an alleged interference with privacy under the approved information sharing agreement; and

(ii)

the disposition of those complaints.

(2)

In specifying under subclause (1) the matters that a report is to include, the Commissioner may impose any limitations in respect of those matters that the Commissioner considers appropriate in the circumstances.

Schedule 1 Transitional, savings, and related provisions

r 4

Part 1 Provisions relating to these regulations as made

There are no transitional, savings, or related provisions relating to these regulations as made.

Michael Webster,
Clerk of the Executive Council.

Explanatory note

This note is not part of the regulations, but is intended to indicate their general effect.

These regulations, which come into force on 1 December 2020, are made under the Privacy Act 2020 (the Act).

These regulations—

  • provide for the giving, issuing, and serving of documents for the purposes of the Act:

  • provide the procedure for giving public notice under section 115(2) of the Act of a notifiable privacy breach:

  • prescribe the matters that the Commissioner may require to be included in a report under section 154(1)(b) of the Act on the operation of an approved information sharing agreement.

Issued under the authority of the Legislation Act 2012.

Date of notification in Gazette: 13 August 2020.

These regulations are administered by the Ministry of Justice.