NZ Engine

Blog

  • Privacy Commissioner announces intent to issue Biometrics Code

    Source:

    The Privacy Commissioner has today announced his intention to issue a Biometrics Code.

     

    He is releasing the Biometric Processing Privacy Code for consultation and is calling for submissions on the draft Code from the public and any agencies it would apply to. 

     

    “The Code will help agencies implement the technology, while giving people confidence it’s being done safely and fairly”, Privacy Commissioner Michael Webster says.

     

    “New Zealand doesn’t currently have special rules for biometrics. The Privacy Act regulates the use of personal information in New Zealand, including biometric information, but biometrics needs special protections especially in specific circumstances.”

     

    Biometric processing is the use of technologies, like facial recognition technology, to collect and process people’s biometric information to identify them or learn more about them.

     

    A Biometrics Code would modify some of the principles in the Privacy Act and create more specific privacy rules for agencies using biometric technologies to collect and process biometric information.

     

    The major additional rules in the Code are: 

    1. adding a requirement to do a proportionality test and put in place privacy safeguards
    2. stronger notification and transparency obligations
    3. limits on some uses of biometric information (e.g. emotion analysis and types of biometric categorisation).

     

    Mr Webster said that earlier in 2024, OPC had consulted on an exposure draft version of a Biometrics Code. 

     

    “We consulted on these draft rules and that showed we have broad support for these proposals, but also that some changes were needed, which we have made”. 

     

    The Code has been simplified to improve understanding of what processes were included and excluded and some rules, like the notice requirements, have been clarified. 

     

    The restrictions on using biometrics (fair use limits) are now targeted to the most intrusive and highest risk uses. We’ve also added a new requirement for organisations to tell people where they can find a rundown of their assessment of the pros and cons of using biometrics, where they’ve made this public. 

     

    Other changes included increasing the commencement period from 6 months to 9 months for organisations already using biometrics and adding a new provision to allow for a trial for organisations to assess biometric processing.

     

    Draft guidance material has been developed to help organisations know what the rules are and explain how to comply with the Code. We are releasing this draft guidance alongside the Code consultation and also want people’s feedback on that. 

     

    “The feedback we’ve gained, and our own analysis has helped us to develop a code that will help ensure biometric technologies are used safely and fairly. But it’s important to get this right, so people have the chance to provide feedback through a public consultation to March 2025.

     

    The Code is expected to come in force in 2025. 

     

  • Privacy News – March 2025

    Source:

    This issue includes a note that the Biometric Code consultation has now closed, and that the final version of the Code will likely be published mid-2025. It also includes policy advice for government agencies, Kordia research and what OPC said about that, the Global Privacy Assembly’s new comparison tables, and the delay of the UK’s adequacy review. We also announce a special guest for Privacy Week 2025.

    Read the March 2025 issue.

  • New research shows business leaders fear being on the hook for others’ privacy breaches

    Source:

    New research just out from Kordia shows 35% of business leaders said cyber-attacks or data leaks coming through third-party suppliers were their biggest business concern.

    Privacy Commissioner Michael Webster says, “The law is very clear that when an agency outsources services to a third-party provider, the agency remains responsible for ensuring the data remains secure and used in a way that is compliant with the Privacy Act.

    “At the end of the day, if your third-party provider has a privacy breach, it’s your problem as well,” he said.

    Mr Webster says OPC isn’t alone in emphasising that privacy and security considerations need to be at the fore when using third-party providers.

    “Kordia’s research backs up what we’ve long said; that businesses need to factor third parties into business continuity and cyber-response plans.

    “It’s clear that more consideration needs to be given to these privacy issues and it’s not a case of out of sight out of mind and thinking a third-party provider has everything covered.

    “You can’t outsource the responsibility of taking care of personal information.”

    Mr Webster, says it’s not just an issue for the private sector, with the recent PSC Inquiry and the Stats NZ report raising privacy issues linked to the use of third parties.

    This research is yet more evidence that agencies need to pay more attention to privacy and cyber security risks when using third party providers and to make sure there’s a plan in place should that provider suffer a privacy or cyber breach.

    The Office of the Privacy Commissioner has recently issued guidance to help agencies working with third-party providers understand their responsibilities in this area. It takes businesses through all the considerations they should make before engaging a third-party provider.

  • Privacy News – February 2025

    Source:

    The February 2025 issue of Privacy News includes a reminder about giving feedback on the Biometrics Code, a piece about the Public Services Commission and Stats NZ reports, how to apply to speak in Privacy Week 2025, and new guidance for tenants and landlords on our website. You can also read about the EU Guidelines and task force on AI, and a note about privacy.org.nz being updated.

    Read the February 2025 issue.

  • Two reports show privacy must be at the heart of trust in government

    Source:

    Today’s release of two reports into the protection of personal information show agencies must be better at privacy, says Privacy Commissioner Michael Webster.

    The Inquiry into how government agencies protected personal information for the 2023 Census and COVID-19 vaccination programme (the PSC Inquiry) and the Independent investigation and assurance review of allegations of misuse of 2023 Census information (the Stats NZ report), show the protection of personal information needs to be treated as a priority.

    Several matters have now been referred to the Office of the Privacy Commissioner (these are detailed below).

    Privacy Commissioner Michael Webster said he is carefully reviewing the referrals raised in the two reports. That work will be done in the context of the Privacy Act and the need to ensure individuals’ rights to privacy is protected and respected.

    “New Zealanders need to be confident that when they do activities, like filling in their Census form, or giving over information for medical services, that their information is collected, used, and shared as the law outlines it should be,” says Mr Webster.

    “The Privacy Act is very clear that agencies collecting personal information need to keep it safe and treat it with care. This responsibility extends to the use of third-party service providers. 

    Agencies need to be confident that personal information is protected wherever and whatever organisation is handling it.”

    The Office of the Privacy Commissioner has recently issued guidance to help agencies working with third-party providers understand their responsibilities.

    Mr Webster said he was encouraged to see that work on a new information sharing standard is underway, supporting the information stewardship framework at the core of the Privacy Act.

    “Its important people can trust that their information is treated with care. In our 2024 Privacy Survey the percentage of people who said they are “more concerned” about privacy issues over the last few years has increased to 55%, a 14% increase from two years ago. New Zealanders were clear in their response to these concerns:

    • 80% want more control and choice over the collection and use of their personal information.
    • 63% said protecting their personal information is a major concern in their lives.
    • around two-thirds of New Zealanders are concerned about businesses or government organisations sharing their personal information without telling them.

    “Good privacy is an essential part of providing services and doing business in a digital economy. Today’s findings should be a reminder to government organisations that good privacy practices aren’t an optional extra but are fundamental to the work they do,” says the Commissioner.

    A number of questions have now been referred to the Privacy Commissioner by the PSC Inquiry:

    • Whether systems and controls were appropriate for personal data following its transmission by Te Whatu Ora, the Ministry of Health and Stats NZ to service providers
    • Whether there were appropriate means in place for these public agencies to be confident that their service providers were meeting their contractual privacy requirements
    • Whether personal information was collected or used by Manurewa Marae for unauthorised purposes
    • Whether separation of personal data from Census data was maintained at Manurewa Marae, and whether privacy statements were adequate to inform people about the use of their information.

    A further matter has been referred to the Privacy Commissioner by the Stats NZ report about the collection and management of personal information and confidential census data.

    While the review of the referrals takes place, the Office will not be making any further comment.

  • Tenants’ privacy rights in the spotlight

    Source:

    The hunt to land a flat over summer shouldn’t come at the expense of people’s privacy rights, warns Privacy Commissioner Michael Webster.

    “There’s often a lot of pressure on people, especially students, to find a flat quickly, which risks privacy shortcuts being taken and that can put both tenants and landlords at risk.

    Tenants should be aware they have privacy rights when applying for a flat and that landlords have obligations under the Privacy Act, Mr Webster says.

    “Tenants are often desperate to find a flat, so they might disclose a whole lot of personal information that isn’t legally required. Essentially, they’re giving others power over their own details and that isn’t a great strategy.”

    The desire to get a tenant quickly could also lead some landlords to take privacy shortcuts, which puts people at risk.

    “The majority of landlords care about their tenants’ privacy, but there can be a lot of factors to weigh up when considering applications and it can be tempting to over collect personal information and to get details that aren’t legally allowed. It can also mean they can end up with a large amount of information with no way to manage or store it safely.

    “Landlords need to know what information they can legally collect, and when. They also need to make sure personal information collected during the rental application process is kept secure and is not disclosed without authorisation.”

    “Personal information has value and is protected under the Privacy Act at all stages of the rental process. It’s important shortcuts aren’t taken to fill a flat and that only the necessary personal information is supplied and only when its needed.”

    Personal characteristics, including relationship status, age, gender identity and employment status are protected under the Human Rights Act. Things like spending habits, experience of family violence, employment history and social media URLS are protected under other Acts.

    To help educate landlords and tenants OPC had updated its guidance for the rental sector to help make sure that privacy is respected throughout the application process.

    Read our updated privacy guidance for tenants and landlords.

  • Worker’s six-metre fall prompts industry call-out

    Worker’s six-metre fall prompts industry call-out

    Source:

    As winter creeps closer, WorkSafe New Zealand is reminding businesses to take heed of the risks when workers are operating at height.

    The consequences have been laid bare at the sentencing of a Wellington business, whose worker was critically injured in April 2023 when he fell six metres from a slippery, unsafe rooftop.

    38-year-old Josh Bowles had only been in his job for two months and had no experience or training in working at height when he fell from a commercial rooftop in central Wellington. He spent six months in hospital recovering from a traumatic brain injury and multiple broken bones. The father of five still lives with continuous pain, and has been unable to work since the fall.

    The scene on Hopper Street in central Wellington where Josh Bowles was left critically injured in 2023.

    A WorkSafe investigation found there was only limited edge protection to the roofline. In its absence, a harness system should have been used to keep workers safe but was not. Regardless, Mr Bowles had no formal training on use of a harness or roof-anchors.

    The business, Prowash, did not properly manage the risks of working in rainy conditions on a new iron roof with cleaning product on it. Prowash was unable to provide WorkSafe with any policies, or risk/hazard identification and control process, to prove it had a safe system of work in place.

    “This was a preventable fall which has permanently impacted a young father’s quality of life and job prospects,” says WorkSafe principal inspector, Paul Budd.

    “Falls from height are a well-known risk and there is no excuse for not putting proper protections in place – especially in bad weather. If the work needs to be postponed until conditions are more favourable, then do so.

    “The best controls are those that don’t require active judgement by a worker. This includes solutions such as edge protection or scaffolding. If a worker slips or missteps, as we saw in this case, there is a physical barrier between themselves and the ground below,” says Paul Budd.

    Businesses must manage their risks and where they don’t WorkSafe will take action. This is part of WorkSafe’s role to influence businesses to meet their responsibilities and keep people healthy and safe.

    Read the good practice guidelines for working on roofs

    Background 

    • Prowash Wellington Limited was sentenced at Wellington District Court on 15 April 2025
    • A fine of $40,000 was imposed, and reparations of $77,456 ordered
    • Prowash was charged under sections 36(1)(a), 48(1) and (2)(c) of the Health and Safety at Work Act 2015
      • Being a person conducting a business or undertaking (PCBU), having a duty to ensure, so far as reasonably practicable, the health and safety of workers who work for the PCBU, including Joshua Bowles, while the workers are at work, namely while carrying out work on the roof of 258 Taranaki Street, Wellington, did fail to comply with that duty, and that failure exposed workers to a risk of death or serious injury from a fall from height.
    • The maximum penalty is a fine not exceeding $1.5 million.

    Media contact details

    For more information you can contact our Media Team using our media request form. Alternatively:

    Email: media@worksafe.govt.nz

  • New guidance for adventure activity and outdoor recreation providers – managing the risks from natural hazards

    New guidance for adventure activity and outdoor recreation providers – managing the risks from natural hazards

    Source:

    WorkSafe has created new guidance to help adventure activity operators and outdoor recreation providers manage risks from natural hazards such as flooding, landslips, and snowfall.

    The guidance is relevant for:

    • Adventure activity providers
    • Outdoor recreation providers like schools and tertiary education providers, sports clubs, and recreation venues.

    Adventure activities, like bungy jumping, rock climbing, and white-water rafting, are popular in New Zealand and important to our tourism industry – but they also come with risks. All adventure activity businesses must comply with the Health and Safety at Work Act 2015 (HSWA) and have processes to keep workers, participants, and others safe.

    Recreation providers, such as schools, sports clubs, and tertiary education providers, also have duties under HSWA.

    The guidance helps businesses and organisations:

    • identify, assess, and manage risks from natural hazards that may affect participants, workers, and others
    • understand their duties under HSWA, the Adventure Activities Regulations, and GRWM Regulations
    • follow good practice for managing natural hazard risks.

    ​Read more about the adventure activities guidance here Adventure Activities – Managing the risks from natural hazards

  • Safety alert: Duties of importers and suppliers of safety net systems

    Safety alert: Duties of importers and suppliers of safety net systems

    Source:

    This safety alert highlights the serious health and safety risks for workers when using safety net systems that may not have been tested to a recognised standard by an accredited testing body.

    What we know

    Safety net systems are used in residential and commercial construction as a control to reduce the likelihood of harm if a worker falls from height.

    The Health and Safety at Work Act places a duty on importers and suppliers of safety net systems to ensure that the nets that they are importing and supplying have been tested to ensure that it performs. WorkSafe New Zealand accepts testing to a recognised safety net standard, such as BS EN 1263.1, and that all reasonably practicable steps are taken to ensure that this testing has been undertaken by an accredited testing body.

    WorkSafe notes that the testing and resulting documentation provided by overseas testing bodies can be difficult to verify and, in some instances, be fraudulent.

    What are your duties as an importer or supplier of safety net systems?

    In addition to your primary duty of care, under the Health and Safety at Work Act 2015 you must also:

    • make sure the safety nets you import do not create health and safety risks to the people that use them
    • make sure the safety nets you import have been tested to a recognised standard, such as BS EN 1263.1, so they are safe for use in a workplace
    • give the following information to those you provide your safety nets to:
      • the results of calculations and tests
      • any general and current relevant information or conditions about how to safely use, handle, store, install, inspect, maintain, repair, or otherwise work with the products you have imported.

    WorkSafe advice

    Ensure that you have completed all necessary due diligence on the safety net and safety net manufacturer from which you are importing from.

    Ensure that any testing and certification of the safety net is carried out in accordance with BS EN 1263.1, or an equivalent standard that gives similar or better outcomes for safety, by an accredited testing body.

    If you have any doubt regarding the testing or certification of the safety net, including verification, engage the services of a New Zealand based reputable third party to undertake additional testing to demonstrate conformance with a recognised safety net standard.

    Guidance

    Safe use of safety nets
    This best practice guideline outlines safety net requirements and the safe use of safety nets

    Working at height in New Zealand
    This good practice guide will provide practical guidance to employers, contractors, employees and all others engaged in work associated with working at height.

    Safety alert – safety nets
    This safety alert highlights the serious health and safety risks for workers when using poorly installed safety nets.

    Download safety alert

    Duties of importers and suppliers of safety net systems – safety alert (PDF 153 KB)

  • Fraudulent asbestos removals catch up with industry veteran

    Fraudulent asbestos removals catch up with industry veteran

    Source:

    Solid ethics and legal compliance must underpin the asbestos industry, WorkSafe New Zealand says, after an unlicensed asbestos remover was sentenced for pocketing more than $20,000 by misrepresenting his employer.

    Barrie John Crockett was in a project management role at Demasol Limited. Between December 2021 and June 2022, Mr Crockett used Demasol’s name and letterhead to invoice three customers who paid into his personal bank account for work totalling $21,938. A dissatisfied customer contacted Demasol, leading to an investigation that revealed the illegal activity following Mr Crockett’s redundancy in May 2022.

    As Demasol was not involved in the work, it cannot give any assurance that the asbestos removal was carried out in line with the regulatory requirements. It also remains unclear exactly where the removed asbestos was disposed.

    “Not only is this dangerous work for an unlicensed person to do, but someone like Mr Crockett who had worked in the industry for over 25 years should have known far better. This type of criminal behaviour is not worth the risk because offenders will be held responsible,” says WorkSafe’s Head of Authorisations and Advisory, Kate Morrison.

    Most asbestos removals need to be carried out by a licensed asbestos remover, and the work must be notified to WorkSafe under the under the Health and Safety at Work (Asbestos) Regulations 2016.

    “Licensing exists for a reason and removal work is tightly regulated to ensure safety. Circumventing the rules is both reckless and deceitful when the harm done by asbestos exposure is well known. An estimated 220 people die each year from preventable asbestos-related diseases in New Zealand. A system with trained and qualified people to remove this dangerous material is critical to better safety for workers and all New Zealanders,” says Kate Morrison.

    Asbestos fibres can be blown a long way from a poorly managed removal site. The airborne fibres are so small they’re invisible to the naked eye, and can cause harm when breathed in. There are no safe levels of exposure, so there are no excuses for not managing asbestos safely.

    High-risk activities including asbestos removal are a priority focus within WorkSafe’s new strategy. We are focusing particularly on high-risk sectors and high-risk activities which may result in acute, chronic or catastrophic harm.

    Read about WorkSafe’s priority plan for Permitting
    Read WorkSafe’s latest guidance on managing asbestos

    Background

    • Barrie Crockett was sentenced at Auckland District Court on 21 March 2025.
    • An order to pay $15,000 in reparations was imposed, alongside a sentence of 140 hours community work.
    • Barrie Crockett was charged under sections 240(1)(a) and 241(a) of the Crimes Act 1961
      • By deception and without claim of right, obtained possession of a pecuniary advantage, namely $21,938.75
    • The maximum penalty is seven years imprisonment.

    Media contact details

    For more information you can contact our Media Team using our media request form. Alternatively:

    Email: media@worksafe.govt.nz