NZ Engine

Source:

31 Jan 2025, 15:14One of the important changes in the Bill is adding Information Privacy Principle (IPP)3A. We’ll be developing guidance for organisations on the requirements of IPP3A, as well as reviewing OPC’s Codes of Practice to determine whether any amendments are required.Parliament has indicated that IPP3A will come into force on 1 May 2026, and all organisations will need to have their systems in place to meet the new requirements by then. We’re aiming to have the guidance developed and published on our website to allow organisations plenty of time to implement the requirements of the new Act.We’ll be doing targeted engagement on the draft guidance as part of its development. If your agency would like to be on the list for this, please email guidance@privacy.org.nzWe know agencies may have specific questions or concerns that they’ll want the guidance to address. Please send these through for our consideration. We may not be able to include everything, or respond directly to your specific comments, but we will consider them as part of the drafting process.

If you have any particular scenarios you want us to consider in our guidance let us know. You can send these to guidance@privacy.org.nz

Information updated 3 April 2025.

Source:

10 Feb 2025, 09:00

State houses at Arapuni Hydro Works from Archives NZ record number A1124

The guidance below is for tenants, landlords, and others in the rental accommodation sector to clarify what information may be requested at every stage of the rental process.

We have also launched a new monitoring and compliance programme to ensure that rental agencies and landlords stay on the right side of the Privacy Act.

Resources for Landlords

Resources for Tenants

Questions? 

If you have enquiries about the Privacy Act and rentals please email our Compliance Team.

We’ve also included questions for tenants and landlords in our Ask Us database.

Source:

18 Dec 2024, 11:00

The Privacy Commissioner has today announced his intention to issue a Biometrics Code.

 

He is releasing the Biometric Processing Privacy Code for consultation and is calling for submissions on the draft Code from the public and any agencies it would apply to. 

 

“The Code will help agencies implement the technology, while giving people confidence it’s being done safely and fairly”, Privacy Commissioner Michael Webster says.

 

“New Zealand doesn’t currently have special rules for biometrics. The Privacy Act regulates the use of personal information in New Zealand, including biometric information, but biometrics needs special protections especially in specific circumstances.”

 

Biometric processing is the use of technologies, like facial recognition technology, to collect and process people’s biometric information to identify them or learn more about them.

 

A Biometrics Code would modify some of the principles in the Privacy Act and create more specific privacy rules for agencies using biometric technologies to collect and process biometric information.

 

The major additional rules in the Code are: 

1. adding a requirement to do a proportionality test and put in place privacy safeguards
2. stronger notification and transparency obligations
3. limits on some uses of biometric information (e.g. emotion analysis and types of biometric categorisation).

 

Mr Webster said that earlier in 2024, OPC had consulted on an exposure draft version of a Biometrics Code. 

 

“We consulted on these draft rules and that showed we have broad support for these proposals, but also that some changes were needed, which we have made”. 

 

The Code has been simplified to improve understanding of what processes were included and excluded and some rules, like the notice requirements, have been clarified. 

 

The restrictions on using biometrics (fair use limits) are now targeted to the most intrusive and highest risk uses. We’ve also added a new requirement for organisations to tell people where they can find a rundown of their assessment of the pros and cons of using biometrics, where they’ve made this public. 

 

Other changes included increasing the commencement period from 6 months to 9 months for organisations already using biometrics and adding a new provision to allow for a trial for organisations to assess biometric processing.

 

Draft guidance material has been developed to help organisations know what the rules are and explain how to comply with the Code. We are releasing this draft guidance alongside the Code consultation and also want people’s feedback on that. 

 

“The feedback we’ve gained, and our own analysis has helped us to develop a code that will help ensure biometric technologies are used safely and fairly. But it’s important to get this right, so people have the chance to provide feedback through a public consultation to March 2025.

 

The Code is expected to come in force in 2025. 

 

Source:

31 Mar 2025, 17:00

This issue includes a note that the Biometric Code consultation has now closed, and that the final version of the Code will likely be published mid-2025. It also includes policy advice for government agencies, Kordia research and what OPC said about that, the Global Privacy Assembly’s new comparison tables, and the delay of the UK’s adequacy review. We also announce a special guest for Privacy Week 2025.

Read the March 2025 issue.

Source:

13 Mar 2025, 11:00

New research just out from Kordia shows 35% of business leaders said cyber-attacks or data leaks coming through third-party suppliers were their biggest business concern.

Privacy Commissioner Michael Webster says, “The law is very clear that when an agency outsources services to a third-party provider, the agency remains responsible for ensuring the data remains secure and used in a way that is compliant with the Privacy Act.

“At the end of the day, if your third-party provider has a privacy breach, it’s your problem as well,” he said.

Mr Webster says OPC isn’t alone in emphasising that privacy and security considerations need to be at the fore when using third-party providers.

“Kordia’s research backs up what we’ve long said; that businesses need to factor third parties into business continuity and cyber-response plans.

“It’s clear that more consideration needs to be given to these privacy issues and it’s not a case of out of sight out of mind and thinking a third-party provider has everything covered.

“You can’t outsource the responsibility of taking care of personal information.”

Mr Webster, says it’s not just an issue for the private sector, with the recent PSC Inquiry and the Stats NZ report raising privacy issues linked to the use of third parties.

This research is yet more evidence that agencies need to pay more attention to privacy and cyber security risks when using third party providers and to make sure there’s a plan in place should that provider suffer a privacy or cyber breach.

The Office of the Privacy Commissioner has recently issued guidance to help agencies working with third-party providers understand their responsibilities in this area. It takes businesses through all the considerations they should make before engaging a third-party provider.

Source:

28 Feb 2025, 13:00

The February 2025 issue of Privacy News includes a reminder about giving feedback on the Biometrics Code, a piece about the Public Services Commission and Stats NZ reports, how to apply to speak in Privacy Week 2025, and new guidance for tenants and landlords on our website. You can also read about the EU Guidelines and task force on AI, and a note about privacy.org.nz being updated.

Read the February 2025 issue.

Source:

18 Feb 2025, 15:15

Today’s release of two reports into the protection of personal information show agencies must be better at privacy, says Privacy Commissioner Michael Webster.

The Inquiry into how government agencies protected personal information for the 2023 Census and COVID-19 vaccination programme (the PSC Inquiry) and the Independent investigation and assurance review of allegations of misuse of 2023 Census information (the Stats NZ report), show the protection of personal information needs to be treated as a priority.

Several matters have now been referred to the Office of the Privacy Commissioner (these are detailed below).

Privacy Commissioner Michael Webster said he is carefully reviewing the referrals raised in the two reports. That work will be done in the context of the Privacy Act and the need to ensure individuals’ rights to privacy is protected and respected.

“New Zealanders need to be confident that when they do activities, like filling in their Census form, or giving over information for medical services, that their information is collected, used, and shared as the law outlines it should be,” says Mr Webster.

“The Privacy Act is very clear that agencies collecting personal information need to keep it safe and treat it with care. This responsibility extends to the use of third-party service providers. 

Agencies need to be confident that personal information is protected wherever and whatever organisation is handling it.”

The Office of the Privacy Commissioner has recently issued guidance to help agencies working with third-party providers understand their responsibilities.

Mr Webster said he was encouraged to see that work on a new information sharing standard is underway, supporting the information stewardship framework at the core of the Privacy Act.

“Its important people can trust that their information is treated with care. In our 2024 Privacy Survey the percentage of people who said they are “more concerned” about privacy issues over the last few years has increased to 55%, a 14% increase from two years ago. New Zealanders were clear in their response to these concerns:

• 80% want more control and choice over the collection and use of their personal information.
• 63% said protecting their personal information is a major concern in their lives.
• around two-thirds of New Zealanders are concerned about businesses or government organisations sharing their personal information without telling them.

“Good privacy is an essential part of providing services and doing business in a digital economy. Today’s findings should be a reminder to government organisations that good privacy practices aren’t an optional extra but are fundamental to the work they do,” says the Commissioner.

A number of questions have now been referred to the Privacy Commissioner by the PSC Inquiry:

• Whether systems and controls were appropriate for personal data following its transmission by Te Whatu Ora, the Ministry of Health and Stats NZ to service providers
• Whether there were appropriate means in place for these public agencies to be confident that their service providers were meeting their contractual privacy requirements
• Whether personal information was collected or used by Manurewa Marae for unauthorised purposes
• Whether separation of personal data from Census data was maintained at Manurewa Marae, and whether privacy statements were adequate to inform people about the use of their information.

A further matter has been referred to the Privacy Commissioner by the Stats NZ report about the collection and management of personal information and confidential census data.

While the review of the referrals takes place, the Office will not be making any further comment.

Source:

12 Feb 2025, 10:00

The hunt to land a flat over summer shouldn’t come at the expense of people’s privacy rights, warns Privacy Commissioner Michael Webster.

“There’s often a lot of pressure on people, especially students, to find a flat quickly, which risks privacy shortcuts being taken and that can put both tenants and landlords at risk.

Tenants should be aware they have privacy rights when applying for a flat and that landlords have obligations under the Privacy Act, Mr Webster says.

“Tenants are often desperate to find a flat, so they might disclose a whole lot of personal information that isn’t legally required. Essentially, they’re giving others power over their own details and that isn’t a great strategy.”

The desire to get a tenant quickly could also lead some landlords to take privacy shortcuts, which puts people at risk.

“The majority of landlords care about their tenants’ privacy, but there can be a lot of factors to weigh up when considering applications and it can be tempting to over collect personal information and to get details that aren’t legally allowed. It can also mean they can end up with a large amount of information with no way to manage or store it safely.

“Landlords need to know what information they can legally collect, and when. They also need to make sure personal information collected during the rental application process is kept secure and is not disclosed without authorisation.”

“Personal information has value and is protected under the Privacy Act at all stages of the rental process. It’s important shortcuts aren’t taken to fill a flat and that only the necessary personal information is supplied and only when its needed.”

Personal characteristics, including relationship status, age, gender identity and employment status are protected under the Human Rights Act. Things like spending habits, experience of family violence, employment history and social media URLS are protected under other Acts.

To help educate landlords and tenants OPC had updated its guidance for the rental sector to help make sure that privacy is respected throughout the application process.

Read our updated privacy guidance for tenants and landlords.