MA's response to possible Privacy Act changes

Observations on the possible changes to notification rules under the Privacy Act 2020

These observations are made from a business standpoint and relate more specifically to the effect the proposed changes would have on the collection and management of personal information for marketing purposes.

The document presented by the Justice department https://www.justice.govt.nz/justice-sector-policy/key-initiatives/broadening-the-privacy-acts-notification-rules/ asks for feedback on 7 questions:

Q1. What factors do you think are most important when considering changes to indirect collection of personal information

The most important factor must surely be the benefit derived by the individuals concerned. Where is the evidence that the New Zealand public are seeking such notifications? In the absence of any qualitative research, we could be drawn to the conclusion that the proposed changes are designed to meet International adequacy standards rather than benefit individual New Zealanders. The discussion document itself identifies the possibility that any perceived benefit may be offset by individuals becoming overwhelmed through ‘information overload’.

Other factors to be considered include the additional technology and communication costs which will be incurred by organisations transmitting or receiving personal information data. These costs will inevitably be passed on through increased prices for goods and services.

Q2. What are the advantages or benefits of broadening the notification requirements for both individuals and agencies? What might the disadvantages be?

Clearly individuals would be more informed about who holds their personal information and NZ’s Privacy legislation would move towards international ‘adequacy’ standards, particularly those of the EU.

The major disadvantage would be the increased cost of both staff and technology to manage notifications systems. We know from organisations which have had to adapt to GDPR requirements that complex data management systems are required and that even large organisations have found it difficult and expensive to comply. Smaller organisations (and NZ is a nation of small businesses) will be particularly affected.

Q3. What form do you think the proposed changes to notification rules under the Privacy Act should take?

There is certainly a case for organisations holding, or receiving, personal information about overseas individuals being required to notify those people. Many of these organisations may already be equipped to do so because of the requirements of GDPR.

If notification of collection is also mandated for New Zealand residents, then it makes sense to amend PP2, PP3 and PP11 of the Privacy Act.

However, there is a logical case for information which is publicly available to be excluded from notification. This is especially appropriate for areas like property ownership the details of which are publicly available from LINZ and local bodies.

Similarly, if contact details are publicly available (e.g. on a website) there is already legislation consenting electronic or digital contact if the message is relevant to the recipient. (Unsolicited Electronic Messages Act 2007)

The discussion document states that the use of codes of practice has been explored. We are interested to know how it has been explored and what are the reasons for rejecting this method? There are already Codes of Practice operating successfully under the jurisdiction of the Privacy Commission.

Q4. If you are a New Zealand business or agency, are there any practical implementation issues you can identify in complying with the proposed changes?

In order to comment on this question, it is important to think about the number of different ways in which personal information may be collected or shared.

• When looking at the example of collection of contact details entered by an individual on a website or response form. We note the discussion document suggests that these details may be indirectly collected by an advertising agency. This is only possible if the individual has been informed of this via a privacy statement on the website or response form. Therefore, it is not an indirect collection. In any event Advertising Agents do not normally collect personal information, we believe the discussion document is confusing advertising agents with Data Service agencies or Marketing agencies who are voluntarily governed by codes and best practise guidelines.
• Data Service agencies and List Brokers collect personal information to rent to businesses and charities for use in outbound marketing and fundraising. Their collection methods are already governed by the Privacy Act 2020. This means that the individuals have already been made aware that their contact details may be shared with marketing organisations. Lists of this type may contain the contact details of hundreds of thousands of individuals. We should consider whether the business sending and receiving this information must notify all the individuals on the list every time the information is shared. This is especially the case when the receiving organisation is only renting the information for one campaign and is not permanently storing the details.
• When we consider personal information, such as property ownership, which is publicly available through LINZ or local authorities, is it useful for every real estate agent, valuer, banker, lender, builder, electrician etc. etc. to notify the property owner every time they access the information?
• Many New Zealand businesses do not manage their own data. There are a number of specialist agencies who provide data management services for customer and client information. These agencies simply hold data on behalf of the data owner. Would the proposed changes require them to notify individuals of information transfer?

Q5. Are there any other risks or mitigations to the proposed changes you can identify that are not mentioned in this document?

In our response to Q4, we referred to Data Service agencies and List brokers who rent or sell data collected from various (legal) sources.

The suggested amendment to IPP11 would require those organisations to notify the individuals on those data lists every time their information was disclosed to another agency. Such disclosures could amount to several notifications a week which would surely create notification fatigue for the individuals.

A particular example of this would be the personal information of individuals who have registered for the Name Suppression Service on the NZ Marketing Association website https://marketing.org.nz/do-not-call-do-not-mail. This service is designed to prevent unsolicited marketing to individuals who do not wish to receive such communications via Mail or ‘phone. Nearly 200,000 individuals have registered for this service, their details are accessed by subscribing agencies to remove them from outbound marketing campaigns. Notification to these individuals would defeat the objective of this valuable consumer service.

Referring to the mitigation examples in the Justice department document, we are unsure about what circumstances could be in place for an agency to believe they might only be required to take ’any steps that are, in the circumstances, reasonable to notify individuals about the collection of information’.

We agree that notification is unnecessary when the organisation already holds personal information on an individual and the person concerned is aware of that fact. There is also a strong case for notification to be exempted where the individual has been informed at the point of collection that their details will/may be shared with other organisations.

Q6. Should the proposed changes only apply to personal information collected indirectly from individuals overseas?

(We assume this should read ‘about individuals’ rather than ‘from individuals’.)

There is a logical case for notification of third party collection or transfer of personal data about overseas individuals, particularly if they are resident in countries which already require notification in their own legislation.

However, the most compelling case for notification for New Zealand citizens appears to be to align the Privacy Act with international regulations, particularly GDPR. Businesses would certainly want to see strong evidence that notification is required for organisations operating exclusively in the domestic market.

Q7. Is there any other feedback you would like to provide?

In order to avoid unintended consequences, we recommend further interaction with the data service sector to more clearly understand how they operate.

Keith Norris, 
Compliance Consultant
New Zealand Marketing Association
69 St Georges Bay Rd, Parnell, Auckland 1052
PO Box 137266, Parnell, Auckland 1151
Mob: 0274 977818
14 September, 2022