Category: Central North Island

Source:

15 May 2025, 09:00

The annual privacy survey of New Zealanders was released today during Privacy Week 2025. 

Privacy Commissioner Michael Webster says public concern about privacy remains high, with particular unease around children’s privacy, social media use, and AI decision-making.  

“More people are worried about the impact of technology on their privacy and are questioning what their personal information is being used for and why.”

The impact of technology is reflected in people’s privacy concerns: 

• 67% of respondents are concerned about the privacy of children, including when using social media
• 63% are concerned about the management of personal information by social media companies
• 62% are concerned about government agencies or businesses using AI in decision-making.

“New Zealanders are great adopters of technology, but this survey suggests that we’re increasing becoming aware there’s also a price to pay through the loss of control over our personal information and we’re increasing worried about the implications of that.”

Nearly half of respondents say they’ve become more concerned about issues of individual privacy and personal information over the past few years.  Two thirds of respondents now say protecting their personal information is a major concern in their lives.  And over 80% said they wanted more control and choice over the collection and use of their personal information.

The level of concern also means many New Zealanders are willing to consider taking action if they think their right to privacy is not being protected and respected.  Two-thirds of respondents said they would consider changing service providers – such as businesses – due to poor privacy practices.

Source:

15 May 2025, 09:00

Read the 2025 survey, ‘Research on Privacy Concerns and use of personal information’ (opens to PDF, 2.1MB).

Privacy Commissioner Michael Webster says public concern about privacy remains high, with particular unease around children’s privacy, social media use, and AI decision-making.  

“More people are worried about the impact of technology on their privacy and are questioning what their personal information is being used for and why.”

The impact of technology is reflected in people’s privacy concerns:

• 67% of respondents are concerned about the privacy of children, including when using social media
• 63% are concerned about the management of personal information by social media companies
• 62% are concerned about government agencies or businesses using AI in decision-making.

“New Zealanders are great adopters of technology, but this survey suggests that we’re increasing becoming aware there’s also a price to pay through the loss of control over our personal information and we’re increasing worried about the implications of that.”

Nearly half of respondents say they’ve become more concerned about issues of individual privacy and personal information over the past few years.  Two thirds of respondents now say protecting their personal information is a major concern in their lives.  And over 80% said they wanted more control and choice over the collection and use of their personal information.

The level of concern also means many New Zealanders are willing to consider taking action if they think their right to privacy is not being protected and respected.  Two-thirds of respondents said they would consider changing service providers – such as businesses – due to poor privacy practices.

Source:

7 May 2025, 09:00

Privacy Week 2025 lands on the second week of May (12-16 May), with a full week of free webinars to promote privacy education. 

Privacy Commissioner Michael Webster says, “New Zealanders’ concerns over the collection and use of their personal information remains high, and they want to see organisations and businesses responding positively to this challenge.”  

“Now’s the time to brush up on your privacy skills, and take up the opportunity to learn more about subjects like AI and privacy, Māori data privacy, privacy and business, or media rules around privacy.

“We’re lucky to have attracted some of Aotearoa’s top privacy experts to speak on AI governance, biometrics and children’s toys, privacy in property management, and more,” he says.

OPC staff will share their expertise on the new IPP3a amendment, how to be a good privacy officer, and local government specific privacy issues.

“The programme is full to bursting with topics that are relevant and interesting,” says Mr Webster.

You don’t need to be a privacy expert to engage with Privacy Week or to be proactive about your privacy rights.

Webinars this year have been rated from beginner to advanced, showing which is suitable for your level of knowledge. All webinars are free.

“I encourage you to have a look at the programme and attend a talk. 

Privacy is a basic human right, and the more we can educate ourselves and ensure businesses and organisations understand the breadth of their privacy obligations, the better,” the Commissioner says.

Find more information and register for webinars.

Source:

Print | Email this page

Office of the Privacy Commissioner | Privacy News – April 2025

30 Apr 2025, 17:00

Read about our Privacy Week 2025 lineup and resources, IPP3A guidance and how to have your say, and new tips for using AI to contact OPC.

Read the April 2025 issue.

Source:

Did you know that not everyone has to have their details published on the electoral roll? This makes sense if you and your family members could face a personal risk if your information was accessible to people who may want to cause you harm.

With just a few months to go until the general election, everyone is being reminded to register on the electoral roll. But it is also a timely reminder to people who may face a threat to their safety that not everyone has to have their details published.

The Electoral Act, under section 115, says the Electoral Commission may include you on the unpublished roll if it would be prejudicial to your personal safety, or your family, to have your details on the printed roll.

It particularly applies to those of you who have a protection or restraining order against someone who knows you. It also includes members of the Police and their families.

This unpublished roll can only be viewed by the Registrar of Electors. According to the Ministry of Justice, there were nearly 16,000 registered to vote on the unpublished electoral roll in 2014.

If you think this applies to you, you could request that your information be included only on the confidential unpublished roll. To do so, you will need to download the unpublished roll application form from here. Or you can phone the Electoral Commission free on 0800 36 76 56, and they will post an application form to you.

You will need to give your full name, address, date of birth, contact telephone number and evidence of your situation, such as a copy of a protection order that is in force under the Domestic Violence Act, or a copy of a restraining order that is in force under the Harassment Act.

Other evidence of your personal circumstances can include a statutory declaration from a member of the Police about the threat to your personal safety or that of your family’s, or a letter from a barrister or solicitor, employer or a Justice of the Peace that supports your application on the grounds of personal safety.

You remain on the unpublished roll until such time as your circumstances change. Your area Registrar of Electors will write to you from time to time to confirm that your circumstances are the same. You will also need to check your enrolment details and update them during enrolment update campaigns.

As your name will not appear on the printed electoral roll used on polling day, you will need to cast a special vote. These are available from the Returning Officer in your electorate ahead of Election Day or from any voting place on the actual day.

Back

Source:

We’ve been grappling with a difficult question recently, and one that’s featured in New Zealand’s courts too. What is and isn’t news media and when should the Privacy Act apply?

This is a difficult question because its answer can have a real impact on privacy. If we decide that a person is exempt from the Privacy Act, people have no recourse to our office. While there are self regulatory industry bodies like the Online Media Standards Authority, the Press Council and the Broadcast Standards Authority, there are gaps in the regulation of online media content.

A major rationale for exempting various bodies from the Privacy Act is the availability of more appropriate forms of regulation. The Law Commission noted the problem and recommended that new forms of media regulation could be developed to address this uncertainty in the law (particularly to address issues posed by digital communications).

Traditional news media is easy to recognise – newspapers, television broadcasters, magazines – we know it when we see it, right? What about journalists who publish news in other ways – in blogs or books? Let’s take books in this discussion because this has been our recent focus.

To be considered news media in the Privacy Act, a person or agency must have news activities as their core business. News activities are defined as the gathering and disseminating of news, observations on news, and current affairs. The grey area comes with the method a journalist uses to disseminate this news. The Privacy Act requires that news is disseminated in an “article or programme”. This seems rather limited. Does it really reflect the way the news media works today?

Where a journalist is seeking to disseminate news that they believe is in the public interest, and they can establish that this is a major part of what they do, then we think a broad interpretation of the exemption is warranted. There is some support for this in the Bill of Rights Act. Section 14 of the Act enshrines the right to freedom of expression. Section 6 of the Act states that, where an enactment (such as the Privacy Act) can be given a meaning that is consistent with the freedoms contained in the Bill of Rights Act, that meaning shall be preferred to any other meaning. We must bear this in mind.

Taking that as our starting point, we’re fairly comfortable that, in the case of a book, an “article” should be broadly interpreted in a way that is consistent with an established journalist’s right to freedom of expression, provided that what they’re writing in the book is news.

After all, it seems untenable to conclude that if a journalist published each chapter of a book as a separate article in, say, a magazine or newspaper, it would be news but if those articles were compiled in a book, it would not.

Rather than look to the length of a piece of journalistic writing, we need to look to the general business of the journalist, the content of what is written and the general means that journalist uses to disseminate their work. Such an interpretation recognises that news media today use more varied means to disseminate news than they did in 1993, when the Privacy Act was passed.

We haven’t come to this view lightly. Recent High Court cases have approached the issue in completely different ways: the Chief Justice in the Kim Dotcom litigation suggested that book publication could not fall within the exemption while the High Court in Slater vs Blomfield has recently found that blogging could be a journalistic activity that attracted some elements of legal protection. This strongly suggests there is room for disagreement.

We’ll tread carefully in this area but we see a need to ensure that the Privacy Act is not interpreted in a way that unjustifiably restricts the freedom of New Zealand’s media to disseminate news, express opinion and act in the public’s interest.

media

Back

Source:

We get it. As a lawyer, one of the least fun things about your job is chasing the money. Sometimes people just don’t cough up for the service you provide.

But this does not mean you can refuse to cough up personal information if it is requested by a client (or ex-client) under principle 6 of the Privacy Act (even if they owe you money for their legal bill). By way of case law on point, see CBN v McKenzie Associates.

The old idea of the “solicitor’s lien” – the right of a lawyer to retain a client’s property deposited with them, including crucial and original documents until the bill was paid – does not override principle 6 of the Privacy Act. Under principle 6, an individual is entitled to request a copy of their personal information held by an agency.   

If you hold personal information about an individual, and that individual requests it, you have obligations under the Privacy Act to respond to that request. Check out this handy flow chart.

You can charge them for the provision of information … BUT … that charge has to be reasonable (it can’t just be the amount of their outstanding bill – sorry – the Privacy Act says so).

Section 35(2) says what a private sector agency can’t charge for:

•           providing assistance to a requester;

•           the making of the request for information; or

•           processing the request, including deciding if the request is to be granted and, if so, in what manner.

Section 35(3) says what a private sector agency can charge for:

•           making the information available (copying/collating/sending) in compliance with the request.

We think this is a really helpful guideline on charging.

One of the best ways to ensure you are making a reasonable charge is to get a quote from a copy shop for a job. It’s likely that a quote from a copy shop will be a reasonable charge for making information available, as it will be a fair reflection of the amount of paper and time involved in the job.

And don’t worry. You don’t have to provide the information until you have, at least, received payment for the job of copying and sending the file.

IPP6 – access

Back

Source:

A recent Human Rights Review Tribunal case has attracted some attention as a result of its colourful facts – bad feelings between previously friendly neighbours, allegations about vandalism, and a compensation bill of $7000. Read the NZ Herald article about this case.

It isn’t just a human interest story, though. This is the first Tribunal decision to consider CCTV, and the effect of privacy enhancing technologies, and it has set some clear legal boundaries.

Armfield v Naughton [2014] NZHRRT 48 contains some straight-shooting advice from the Tribunal about how businesses need to set up and manage CCTV systems.

Briefly, a bed and breakfast owner had been having problems with property damage and set up eight CCTV cameras around his house. Three cameras overlooked his neighbour’s property. One camera was angled over the front garden with a children’s swing, the second pointed towards the neighbour’s side door, and the third covered an area of the backyard.

The relationship between the two men had become confrontational and the installation of the CCTV made it worse. The neighbour objected to what he saw as a significant intrusion into his family’s personal space. The bed and breakfast owner refused to talk to the neighbour about the camera system, and failed to respond to lawyers’ letters asking him to change the camera angles.

The Tribunal found the first camera breached the Act. The second and third were saved by the use of masking technology. There was also a breach of principle 3 (failure to notify) and principle 6 (failure to respond to a request for information). The Tribunal awarded $7000 after noting the neighbour’s request that the award should be moderate – but commented it would usually have been $15,000 or more.

Collecting or not collecting, that is the question

First, the Tribunal decided the Privacy Act applies to CCTV. It’s certainly the line that we have always taken – read our CCTV guidance. But at least one expert commentator has queried whether information gathered by CCTV is “collected” in terms of the Privacy Act because the camera system automatically captures everything within its range and does not solicit information from each individual.

The reason for the confusion is that the Privacy Act slightly unhelpfully defines “collect” in the negative – it “does not include the receipt of unsolicited information”. But the Tribunal has confirmed this doesn’t mean an agency has to ask for, or actively “solicit” information. Instead, “collection” is the “gathering together, the seeking of or acquisition of personal information.” [44.3]

So CCTV is clearly covered. The whole purpose of setting up a CCTV system is to gather together information within the range of the cameras. The Tribunal has firmly laid the ambiguity in the Act to rest.

Failed attempts to collect may now be covered

The Tribunal goes on to say that collection refers to the “framework or process for collection which must be in place before information is received”. [47] In other words, the agency has obligations before the cameras are switched on: in particular, the obligation to have a legitimate reason for setting up the camera system, which is necessary for some business purpose; the obligation to tell people the cameras are there and why; and the obligation to be fair and not unreasonably intrusive with how information is collected. Collection encompasses the actions that precede actually getting the information in one’s hand.

The logical upshot of this is that failed attempts to collect personal information might also breach the Act. This is a new angle for the Tribunal, though it had indicated there should be liability for attempts in an earlier case. The Law Commission has recommended that attempted collections should be covered, and the government has supported that recommendation. The stars are therefore lining up. Agencies need to be careful to set up their systems correctly from the start and not trust to luck.

Adopting PETs

The Tribunal acknowledged that CCTV can be a legitimate and valuable way to protect people and property. But it also has the capacity to cause significant intrusions into personal life. Complying with the privacy principles provides the right balance between the two. As part of this analysis, the Tribunal has usefully said that “leveraging technology to enhance privacy is a valuable approach and is to be encouraged.” [53] This is the role of “privacy enhancing technologies”, affectionately known to the profession as “PETs”.

The camera system here had a facility for cropping the field of vision, which was used on two of the cameras. Despite the apparent camera angle, the neighbour’s backyard and side door were not in fact visible to anyone watching the footage live and nothing in those areas was recorded to disc. Use of the masking technology saved those cameras from being in breach of the Act.  

What we’ve got here is failure to communicate…

The problem for the neighbour, of course, was that it was not obvious whether the cameras were recording and, if so, what they were recording. All he could see was that they were pointed at his house. The Tribunal said this highlighted the importance of communication. Agencies need to give clear statements about what the cameras are there to do (and other matters listed in principle 3). This is a continuing obligation. If the field of vision, or other aspects of the system are changed, they need to notify affected people again. They also have to respond to reasonable requests by affected people to see the system and know what information it was recording, so that those people can be confident the system is working lawfully.

Human Rights Review Tribunal, CCTV

Back

Source:

As a general rule in New Zealand, if you go to Court and you lose, you’re going to have to foot the bill – and not just your own legal bill but a chunk of the other party’s costs too. 

But this week, the Human Rights Review Tribunal released a decision saying Shannon Richard Andrews, the unsuccessful plaintiff, should not have to pay the costs of the New Zealand Police.

The reason behind this decision is that people should not be deterred from bringing a case in the human rights jurisdiction just in case it costs them later.

Mr Andrews claimed the Police had improperly disclosed personal information about him, contrary to principle 11 of the Privacy Act 1993.

In March 2014, the Tribunal dismissed Mr Andrews’ complaint. Subsequently, the Police sought a contribution to the costs they had incurred in the course of defending this complaint. The Police said the case had cost them approximately $21,000 and were seeking an order that Mr Andrews pay them an amount between $7,500 and $10,000. 

Mr Andrews is currently serving a custodial sentence and does not presently have the means (nor is he likely to on his release) to pay such costs – but the Police said this should not be a consideration.

The Police said there were no features in Mr Andrews’ case that should disrupt the “presumption” of a costs award.

The Tribunal disagreed, saying the fair and reasonable outcome would be for each party bear their own costs. “The State must expect and tolerate individuals to challenge the exercise of state power. Such challenge should not be inhibited by the fear of potentially ruinous financial consequences,” it said in its decision.

Another feature of the case was that it involved an issue that the Tribunal hadn’t considered before – it was a test case. This too suggested Mr Andrews shouldn’t have to pay costs.

Basically if you think your rights have been breached, including your rights to privacy, it shouldn’t cost you an arm and a leg to have the Tribunal take a look at it. 

This is probably a bitter pill to swallow for the agencies that are being taken to the Tribunal.  But might it be better than telling individuals (who may only just have the means to fund their own case) they have to pay for the other side too – if the decision doesn’t go in their favour?

But while Mr Andrews seems to indicate costs awards of thousands of dollars will no longer be the norm, there are circumstances in which it will still make sense to order costs, as illustrated by Rafiq v Commissioner of Police. 

Razdan Rafiq complained about the Police refusing to disclose information in response to a principle 6 access request. The Tribunal dismissed his complaint. Following this decision, the Police sought costs and in the end were awarded $13,632.32.

The difference in this case and the reason for the Tribunal making a high cost order against Mr Rafiq was because the Court said this was not a “finely balanced” case. In other words, it did not have the potential to go one way or the other. In fact, the Tribunal said the decision the Police made to withhold information from Mr Rafiq was justified “by a wide margin”.

The Tribunal also said Mr Rafiq conducted the proceedings “without regard to his obligation to participate in them meaningfully and in good faith”. He refused to participate in telephone conferences, declined to file meaningful evidence or submissions and subsequently declined to attend the hearing itself, even though he was warned about the costs implications by the Police and the Tribunal.

Because of the way Mr Rafiq conducted himself and his case, this created significant extra work for the Police in defending the complaint. Following Mr Rafiq’s rejection of a reasonable and responsible settlement offer and what the Tribunal said was a “characteristically incoherent and abusive reply”, the Tribunal decided this was a clear case in which increased costs were justified.

The moral of the story of the story is if you act in good faith when seeking a determination on your privacy rights, things will be good for you. If you act in bad faith, you get bad things (like a bill for $13,632.23). 

Human Rights Review Tribunal, IPP6 – access, IPP11 – disclosure, law enforcement

Back

Source:

A man applied for a pawnbroker’s licence. On his application he gave his work address. The rejection letter from the Ministry of Justice referred to historical criminal convictions which he hadn’t disclosed to his employer.

Even though the letter was addressed to him, the letter was opened by a staff member and read by four company employees. The information contained in the letter then prompted his employer to sack him. The employer said the decision to sack the man was based on the information about his criminal history.

The man’s complaint to us raised issues under principle 11 of the Privacy Act which says an agency that holds personal information should not disclose the information. The purpose of principle 11 is to place limits on disclosure of personal information by one agency to another person or agency.

In this case, we were told that at no point was the letter disclosed to any person or agency outside a small number of relevant staff members.

We also found out that the man, when giving his employer’s PO Box as his address, had used a different first name. The man’s employer had hundreds of employees and it was company practice to open all mail unless it was specifically marked “addressee only” or “confidential”. Neither of these labels appeared on the envelope.

When the mail clerk did not recognise the name on the letter, it was given to a senior manager who opened the envelope. The letter was then passed to two other senior managers. The company said the decision to dismiss the man was based on the fact that he had completed his application dishonestly when he applied for the job. He had not been truthful about his criminal convictions.

We concluded the disclosure of the man’s personal information within the agency, and the use of that information to sack him, was not a breach of the Privacy Act. The information had been received unsolicited by the employer, and then used appropriately, and not disclosed more widely than necessary.

IPP11 – disclosure, complaints

Back