Gehan Gunasekara: MP's bill step in the right direction

Leaks this year include those from ACC, Winz, IRD and EQC. Photo / Supplied

Gehan Gunasekara argues that much time and effort spent on reviewing privacy law is being squandered.

At the Privacy Forum held in Wellington last year, Justice Minister Judith Collins promised that a new Privacy Bill would be introduced in May this year to replace the now 20-year-old Privacy Act 1993. There is as yet no sign of its introduction. The promise was made following the completion, in 2011, of an exhaustive review of privacy law undertaken by the Law Commission spanning several years.

Opposition MP Sue Moroney's Privacy Amendment Bill, drawn from the member's ballot at Parliament last week, is therefore bound to set the cat among the pigeons. The bill would enact many of the Law Commission's recommendations by strengthening the powers of the Privacy Commissioner by empowering her office to issue compliance notices and conduct privacy audits of public and private sector agencies where this is warranted.

The current complaints-driven process has been criticised as it fails to address systemic privacy breaches not exposed by individual complaints while other breaches escape detection and investigation altogether. The risks to individuals of inappropriate use and disclosure of their personal information and of identity theft are compounded as a consequence.

There have been privacy breaches galore in the past year. These have included leaks by ACC, Winz, IRD and the EQC (the latter exacerbated by ongoing complaints from Christchurch residents regarding the withholding of information relating to their claims by EQC). Each has generally resulted in inquiries and loss of confidence by the public in the integrity of public service organisations' information handling procedures.

Although many of the breaches are undoubtedly a byproduct of the proliferation of information technologies there is nevertheless evidence that some of the problems are systemic in nature, thereby highlighting the need for systemic and co-ordinated scrutiny as recommended by the Law Commission, as opposed to ad-hoc inquiry.

Recent privacy lapses have all occurred within government agencies. However, business cannot afford to be complacent. Opinion polls conducted by the Office of the Privacy Commissioner have consistently indicated a large majority of New Zealanders are concerned about how their personal information is managed by business.

A research study conducted over the summer at the University of Auckland surveyed the degree to which listed companies in New Zealand acknowledged compliance with privacy norms in their governance documents. The results found, somewhat disturbingly, that Australian companies listed here significantly outperformed New Zealand ones in this respect. This is likely to pay off in a competitive advantage for them where customers are concerned.

The 1993 act was world-leading when it was enacted. However, its much-vaunted technological neutrality did not anticipate the development of the internet, web 2.0 and modern phenomena such as use of the Cloud.

The Law Commission's report addresses several current mischiefs, such as cyber-bullying and application of the news media exemption from the Privacy Act to blogs. Especially pertinent is abuse, by individuals, of the so-called "personal use" exemption which has allowed the posting online of much objectionable material about individuals. These matters are in urgent need of attention.

Thus far the only significant amendment to the Privacy Act is adoption of the information-sharing bill through adoption of a new part 9A in the act. This facilitates information sharing between government agencies and the private sector. It arguably weakens individuals' privacy as compensating safeguards recommended by the Law Commission, such as the power to audit agencies' privacy practices, have been omitted. The Law Commission's recommendations ought to be seen as part of a coherent package.

Sue Moroney's bill puts balance back into privacy law. It is to be hoped the Government will embark on more comprehensive reform of its own. Our privacy is just too important to be used as a political football.

Gehan Gunasekara is an associate professor in commercial law at the University of Auckland and advised the Law Commission in its review of the Privacy Act.