Then you should be aware of a recent report from the Privacy Commissioner to the Minister of Justice.

Although the current legislation only came into force in December the Commissioner is already proposing further significant changes. These changes would give consumers a great deal more power in how their personal details are managed by marketers. They will also mean the way you collect and use personal data will have to change significantly.

You might as well start preparing for these changes now, because it’s 'odds-on' the Minister will listen to these proposals and instruct the law drafters to start working on new Privacy legislation.

Here is the extract from the Privacy Commissioners report to the Minister:

"Further privacy law reform proposals

The replacement of the previous Privacy Act was largely a response to a major review of privacy law by the Law Commission, completed in 2011. The Privacy Act 2020 modernises New Zealand privacy law and addresses some significant gaps in the previous legislation. The Commissioner will use the new powers in the Act to actively address non-compliance and promote good privacy practice.

However, technological, social and other developments affecting privacy have continued apace since the policy work for the Privacy Act 2020 was undertaken. Further changes are desirable to respond to these developments. In some respects, New Zealand's privacy law has also not kept pace with comparable legislation in our major trading partners and other countries with which we commonly compare ourselves. The Privacy Commissioner therefore considers there is a need for further privacy law reform. Due to the rapid pace of change, further reforms are best considered and implemented as issues come to light, rather than following another wholesale review of the Privacy Act.

The Commissioner made the case for further changes to the Privacy Act in his 2017 report on the Act to the Minister of Justice and in his 2018 submission on the Privacy Bill. Some key reforms recommended by the Commissioner that have not yet been implemented are:

  • Data portability

    The right of individuals to access their personal information should be strengthened by introducing a right of personal information portability. OPC is contributing to the current consideration of a consumer data right by the Ministry of Business, Innovation and Employment.
  • Right to be forgotten.

    A 'right to be forgotten' (for example, to have personal information delinked from search engine results) should be introduced. This right would protect individuals from the public availability of personal information that is offensive or otherwise harmful. It would support the existing privacy right of individuals to correct their personal information and the requirement that agencies only use information if they have checked its accuracy.
  • Re-identification.

    Safeguards should be introduced to protect individuals against the risk of being identified from information that has purportedly been de-identified.
  • Algorithms.

    New provisions in the Act should limit harm from automated decision-making and provide greater transparency about the use of algorithms in making decisions about individuals.
  • Civil penalties.

    There should be a power for a court to impose a civil penalty of up to $100,000 for serious or ongoing breaches of the Privacy Act.
  • Compliance reporting.

    The Privacy Commissioner should have a power to require agencies to report on the steps they are taking to comply with the Act.

The Commissioner would be happy to brief you on these proposed reforms."


Written by Keith Norris, Independent Compliance Consultant, Marketing Association

The Marketing Association will have a panel to discuss these and other data issues at its annual SMARTER DATA EVENT on March 24

Book your ticket to Smarter Data now!