Oct 13, 2022 2:28:51 PM
These observations are made from a business standpoint and relate more specifically to the effect the proposed changes would have on the collection and management of personal information for marketing purposes.
The document presented by the Justice department https://www.justice.govt.nz/justice-sector-policy/key-initiatives/broadening-the-privacy-acts-notification-rules/ asks for feedback on 7 questions:
The most important factor must surely be the benefit derived by the individuals concerned. Where is the evidence that the New Zealand public are seeking such notifications? In the absence of any qualitative research, we could be drawn to the conclusion that the proposed changes are designed to meet International adequacy standards rather than benefit individual New Zealanders. The discussion document itself identifies the possibility that any perceived benefit may be offset by individuals becoming overwhelmed through ‘information overload’.
Other factors to be considered include the additional technology and communication costs which will be incurred by organisations transmitting or receiving personal information data. These costs will inevitably be passed on through increased prices for goods and services.
Clearly individuals would be more informed about who holds their personal information and NZ’s Privacy legislation would move towards international ‘adequacy’ standards, particularly those of the EU.
The major disadvantage would be the increased cost of both staff and technology to manage notifications systems. We know from organisations which have had to adapt to GDPR requirements that complex data management systems are required and that even large organisations have found it difficult and expensive to comply. Smaller organisations (and NZ is a nation of small businesses) will be particularly affected.
There is certainly a case for organisations holding, or receiving, personal information about overseas individuals being required to notify those people. Many of these organisations may already be equipped to do so because of the requirements of GDPR.
If notification of collection is also mandated for New Zealand residents, then it makes sense to amend PP2, PP3 and PP11 of the Privacy Act.
However, there is a logical case for information which is publicly available to be excluded from notification. This is especially appropriate for areas like property ownership the details of which are publicly available from LINZ and local bodies.
Similarly, if contact details are publicly available (e.g. on a website) there is already legislation consenting electronic or digital contact if the message is relevant to the recipient. (Unsolicited Electronic Messages Act 2007)
The discussion document states that the use of codes of practice has been explored. We are interested to know how it has been explored and what are the reasons for rejecting this method? There are already Codes of Practice operating successfully under the jurisdiction of the Privacy Commission.
In order to comment on this question, it is important to think about the number of different ways in which personal information may be collected or shared.
In our response to Q4, we referred to Data Service agencies and List brokers who rent or sell data collected from various (legal) sources.
The suggested amendment to IPP11 would require those organisations to notify the individuals on those data lists every time their information was disclosed to another agency. Such disclosures could amount to several notifications a week which would surely create notification fatigue for the individuals.
A particular example of this would be the personal information of individuals who have registered for the Name Suppression Service on the NZ Marketing Association website https://marketing.org.nz/do-not-call-do-not-mail. This service is designed to prevent unsolicited marketing to individuals who do not wish to receive such communications via Mail or ‘phone. Nearly 200,000 individuals have registered for this service, their details are accessed by subscribing agencies to remove them from outbound marketing campaigns. Notification to these individuals would defeat the objective of this valuable consumer service.
Referring to the mitigation examples in the Justice department document, we are unsure about what circumstances could be in place for an agency to believe they might only be required to take ’any steps that are, in the circumstances, reasonable to notify individuals about the collection of information’.
We agree that notification is unnecessary when the organisation already holds personal information on an individual and the person concerned is aware of that fact. There is also a strong case for notification to be exempted where the individual has been informed at the point of collection that their details will/may be shared with other organisations.
(We assume this should read ‘about individuals’ rather than ‘from individuals’.)
There is a logical case for notification of third party collection or transfer of personal data about overseas individuals, particularly if they are resident in countries which already require notification in their own legislation.
However, the most compelling case for notification for New Zealand citizens appears to be to align the Privacy Act with international regulations, particularly GDPR. Businesses would certainly want to see strong evidence that notification is required for organisations operating exclusively in the domestic market.
In order to avoid unintended consequences, we recommend further interaction with the data service sector to more clearly understand how they operate.
New Zealand Marketing Association
69 St Georges Bay Rd, Parnell, Auckland 1052
PO Box 137266, Parnell, Auckland 1151
Mob: 0274 977818
14 September, 2022
Sign up to receive updates on events, training and more from the MA.