Source: New Zealand Privacy Commissioner – Blog
The Privacy Act 2020 comes into force on 1 December 2020, replacing the Privacy Act 1993. However, the Privacy Act 1993 will still be relevant to privacy complaints about actions that happened before 1 December.
So, which Act applies and when? Schedule 1 of the Privacy Act 2020 sets out the rules for working out the answer to this question.
The two Privacy Acts are not very different, however there is a new information privacy principle 12 and some changes to other principles. There are also some new refusal grounds under the Privacy Act 2020 that will be available to agencies responding to principle 6 access requests after 1 December 2020.
In addition, there are some new grounds on which OPC can decline to investigate a complaint or can discontinue a complaint investigation, and some new regulatory powers available to OPC such as access determinations and directions, and compliance notices.
Given these changes, it will therefore be important to apply the right provisions during the transitional period, as set out in Schedule 1.
Access and correction requests
From 1 December, agencies should deal with pending access (principle 6) and correction requests (principle 7) under Part 4 of the Privacy Act 2020. Clause 4 of Schedule 1 makes clear that any access or correction request that has not been dealt with by 1 December, should be processed under the Privacy Act 2020.
This is a clear bright-line that means an agency should deal with these under the Privacy Act 1993 up to and including 30 November, and then switch to the Privacy Act 2020 from 1 December. This will allow agencies to apply the new refusal grounds that have now been included in Part 4, regardless of when the IPP 6 request was received.
What does it mean to have “dealt with” a request? Dealing with a request means receiving it and providing a response to the requester. If an agency hasn’t responded to an individual by 1 December, then the response should be given under the Privacy Act 2020.
For example, if an agency has received a request and extended the time period for response past 1 December 2020, then that response should be provided to the requester under the Privacy Act 2020.
If an agency has received a request and transferred it to another agency, then the receiving agency will need to respond under the Privacy Act 2020 if it has not dealt with the request by 1 December.
For some time, OPC will receive complaints about matters that occurred before the commencement date, but after the Privacy Act 2020 has started operating. Any complaint that has not been resolved or otherwise dealt with by OPC by 1 December will be dealt with under the procedures of the Privacy Act 2020 (see Schedule 1, clause 7). This means that any steps by to lodge a complaint, resolve a complaint or refer a complaint to another body, will be under the Privacy Act 2020 (Part 5(1)).
Investigations and inquiries
There will be a period where OPC is investigating complaints that arose under the Privacy Act 1993. OPC will conduct investigations with reference to the Act in force at the time of the action under investigation (e.g. the time a decision was made about an access or correction request, or the time of collection, use or disclosure of personal information).
OPC will not expect agencies to meet the new obligations under the Privacy Act 2020 where the action complained about happened before the commencement date. OPC will therefore be assessing the timing of the action complained of and applying the legal test for a breach of a privacy principle and for an interference with privacy under the relevant Act.
If the action occurred before 1 December, then whether this is an interference with privacy will depend on the Privacy Act 1993. For example, the privacy principles or code of practice in place at the time the action occurred will remain relevant, as well as the definition of an “interference with privacy”.
However, from 1 December, OPC will adopt the powers and procedures under the Privacy Act 2020 (Part 5(2)), even if the action being investigated occurred prior to 1 December. This means that investigation steps, such as declining to investigate, endeavours to resolve a complaint or discontinuing an investigation will be under the Privacy Act 2020. From 1 December, OPC will also have recourse to new regulatory powers such as access determinations and directions and compliance notices.
Any pending proceedings in the Human Rights Review Tribunal as at 1 December will be continued and completed under the Privacy Act 2020 (Part 5(3)). This includes:
- sections 97-98 that clarify when an individual, the representative of a class of individuals, or the director can bring or appear in proceedings;
- section 100 that specifies that an apology by an agency for an interference is not admissible as evidence against the agency, however the agency can present it to assist the Tribunal in assessing remedies to be awarded against them;
- section 103 that clarifies the circumstances in which damages can be awarded; and
- section 104 that sets out procedures for enforcing or appealing an access direction.
Note also that a complainant who wishes to bring proceedings in the Tribunal now must do so within 6 months of the relevant notification from OPC or the Director of Human Rights Proceedings under the Privacy Act 2020 (section 98).
Notifiable privacy breaches
The notifiable breach regime in Part 6(1) of the Privacy Act 2020 does not apply to a notifiable privacy breach that occurred before 1 December 2020 even the breach continues after that date.
Tools and references
There is a compare tool that can help you navigate between the Privacy Act 1993 and the Privacy Act 2020.
Schedule 1 to Privacy Act 2020.