New Zealand

LEG-01:

Legislation enacted specifically for data privacy?
– Privacy Act 1993

LEG-02:

Other legislation enacted that has sections that have some effect on data privacy?
– Unsolicited Electronic Messages Act 2007
– Search and Surveillance Act 2012
– Telecommunications (Interception Capability and Security) Act 2013 (TICSA)
– Government Communications Security Bureau Act 2003 (GCSB)
– New Zealand Security Intelligence Service Act 1969 (SIS)
– Telecommunications Act 2001

LEG-03:

The country is a member of an organisation that implements guidelines for data privacy.
– OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data
– APEC Cross-border Privacy Enforcement Arrangement (CPEA)
– APEC Privacy Framework
– United Kingdom – United States of America Agreement (UKUSA)

LEG-04:

Local government has any Bills going through the legislative process.
– Privacy Act 1993 Reform

LEG-05:

Regulations, standards or guidelines that are implemented and followed that have relation to data privacy.
– Requirements for Cloud Computing (RCC)
– Cloud Computing Guidelines (CCC)
– New Zealand Cloud Code

LEG-06:

Has other state laws related to privacy. Note: these will not be identified, as they are too extensive.

PRI-01:

There is a requirement to establish a privacy authority to oversee privacy issues.

PRI-02:

There is a requirement to establish a privacy commissioner.
– Privacy Act 1993 Section 12 (Notes: This establishes the Privacy Commissioner)

PRI-03:

The functions of the authority are clearly set out.
– Privacy Act 1993 Section 13

PRI-04:

There is a requirement that each company establish its own privacy officer to ensure the company complies with policy.
– Privacy Act 1993 Section 23 (Notes: At least one officer needs to be elected)

PRI-05:

Contact details of the privacy officer are made available.
Notes: This is an expected practice

PRI-06:

Each company to have an internal privacy policy proposed and displayed.

PRI-07:

An internal audit process is outlined for each company.

PCP-01:

“Personal Information” is defined, with examples and a clear outline.
– Privacy Act 1993 Section 2
– OECD Guidelines for Privacy, Part I, 1 (b)

PCP-02:

“Sensitive Information” is defined, with examples and a clear outline.

PCP-03:

Other types of information are defined that are viewed differently from personal or sensitive information.

PCP-04:

Consent is required from the individual involved.
– Privacy Act 1993 Schedule 5A

PCP-05:

Type of consent required is either explicit or implicit.

PCP-06:

Consent needs to be written or verbal.

PCP-07:

Level of consent differs for different age groups.

PCP-08:

Consent may be withdrawn at any time.

PCP-09:

The purpose is explained to the individual which must be a lawful purpose.
– Privacy Act 1993 Section 6 Principle 1 (a), Principle 3 (2)

PRO-01:

Individual has the ability to access their data by request.
– Privacy Act 1993 Section 6 Principle 6

PRO-02:

Individual has the ability to update or amend their data for accuracy.
– Privacy Act 1993 Section 6 Principle 7

PRO-03:

Data can be sent to a third party for processing.
– Privacy Act 1993 Section 3 (4) (c), Section 10 (Notes: Principal agency remains liable)

PRO-04:

Data is only used for the purposes outlined at the pre-collection stage.
Note: Not including general exceptions that may apply, e.g. where safety or national security is involved.

– Privacy Act 1993 Section 6 Principle 10

PRO-05:

Encryption is used for the processing of data to ensure anonymity.
– Privacy Act 1993 Section 6 Principle 5 (Notes: Although encryption is not specified, encryption may be used if it is seen as a reasonable protection method. The Privacy Commissioner required all government agencies to use encryption when transferring data.)

PRO-06:

Unique identifiers can be used.
– Privacy Act 1993 Section 6 Principle 12 (Notes: Some limitations apply)

PRO-07:

Information may not be disclosed, sold or interfered with.
Note: Not including general exceptions that may apply, e.g. where safety or national security is involved.

– Privacy Act 1993 Section 6 Principle 11

PRO-08:

Offences are set out to deal with disclosure or other interference with data during the processing stage.
Notes: Claims can be made to the Human Rights Review Tribunal for breaches under the Privacy Act 1993.

PRO-09:

A complaints process is set up to deal with any breach of privacy.
– Privacy Act 1993 Section 67

STO-01:

All data is stored with at least a “reasonable” level of security.
– Privacy Act 1993 Section 6 Principle 5

STO-02:

Encryption techniques used to store data.
Notes: Although encryption is not specified, encryption may be used if it is seen as a reasonable protection method.

STO-03:

Data can be transferred to third parties to use.
– Privacy Act 1993 Section 6 Principles 3, 10 (Notes: Principal agency remains liable)

STO-04:

Data can be stored offshore in a different country.
– Privacy Act 1993 Section 6 Principles 3, 10 (Notes: Although storage locations are not specified, this may be seen as a reasonable protection method. Principal agency remains liable.)

STO-05:

Data can be stored off site but in the same country.
– Privacy Act 1993 Section 6 Principles 3, 5, 10

STO-06:

Information is only kept by the collection agency for the shortest time necessary for the outlined purpose to be fulfilled.
– Privacy Act 1993 Section 6 Principle 9

STO-07:

Policies are in place for the destruction of data once consent is withdrawn or the data is no longer needed.

STO-08:

Offences are set out to deal with disclosure or other interference with data while it is stored.

STO-09:

Notification has to be given to individuals in case of a data breach.
Notes: This is considered best practice, as suggested in the Data Safety Toolkit.

STO-10:

Policy is in place in case the data collection agency ceases to operate.

STO-11:

Policy is in place in case the data collection agency is sold.

SPM-01:

A clear unsubscribe feature is available.
– Unsolicited Electronic Messages Act 2007 Section 11

SPM-02:

Commercial electronic messages contain clear and accurate contact information about the sender.
– Unsolicited Electronic Messages Act 2007 Section 10

SPM-03:

The subject line is to be clear and not misleading.

SPM-04:

Addresses are obtained legally, not using means such as address harvesting tools and other software to obtain them.
– Unsolicited Electronic Messages Act 2007 Section 13

SPM-05:

A form of a “Do Not Call” register is in place.
Notes: Managed by the NZ Marketing Association, which is a self-regulating authority.

SPM-06:

Unsolicited commercial electronic messages are prohibited within the country.
– Unsolicited Electronic Messages Act 2007 Section 9

SPM-07:

Unsolicited commercial electronic messages are prohibited to other countries.
– Unsolicited Electronic Messages Act 2007 Section 9 (Notes: The definition in Section 4 of a “New Zealand Link” may be needed for further explanation)

INT-01:

A data collection agency is required to notify the individual if it has been requested to hand over personal information.
– GCSB Section 15E

INT-02:

A data collection agency can refuse to turn over personal information.
– TICSA Section 55 (Notes: Failure to comply)

INT-03:

A warrant is needed to have the ability to intercept personal data.
– TICSA Sections 5 and 6
– GCSB Section 15B
Notes: Section 16 of GCSB is titled “Certain interceptions permitted without interception warrant or access authorisation”.

INT-04:

Network operators and service providers have network design guidelines to follow to allow for interception execution.
– TICSA Section 9 (Notes: Further requirements are set out in Section 10 – 12)

INT-05:

External countries have the ability to intercept data with permission from the host country.
