An Introduction to the Privacy Act
Privacy Act 1993
• Promotes and protects individual privacy
• Is concerned with the privacy of information about people rather than physical intrusions into privacy
• Establishes 12 information privacy principles which regulate the collection, storage, use and disclosure of personal information and give people the right to access and correct their information
• Allows the Privacy Commissioner to issue industry specific codes of practice
• Sets out rules for information matching
• Provides a set of principles regulating how information on public registers can be used
• Sets up a complaints procedure
• Sets out how law enforcement information is to be dealt with
• Provides for the appointment of a Privacy Commissioner and sets out his role and functions
Definition of Personal Information
• Information about an identifiable individual
• Does not include information about a corporate body
Agency
• Any person or body of persons
• Corporate or unincorporate
• Public or private sector
• Some exceptions: MPs, courts and tribunals, news media in relation to its news activities
• Sections 3 and 4
Breach of IPP AND Adverse Consequence Results in Interference With Individual’s Privacy
Diagram labels: Breach, Interference, Loss
Interference With Privacy (Access)
Interference with privacy if there is no proper basis for:
• Referral
• Failure to respond within 20 working days
• Conditions on use
• Charging
• Refusal to correct
IPP 1 - Purpose of Collection of Personal Information
Not to be collected by an agency unless:
• Information is collected for a lawful purpose connected with the function / activity of the agency
• Collection necessary for that purpose
ISSUES
Lawful purpose?
Is it a purpose connected with a function / activity of the agency?
Is collection necessary for that purpose?
IPP 2 - Source of Personal Information
Where an agency collects personal information, the agency shall collect the information directly from the individual concerned.
Non-compliance permissible where the agency believes, on reasonable grounds, that:
• Individual has authorised collection of the information from someone else
• Compliance would prejudice the purpose of that collection
• Compliance not reasonably practicable in the circumstances
(Non-compliance permissible on certain other grounds)
IPP 3 - Collection of Personal Information From Subject (A)
Where personal information collected directly from individual concerned, agency required to take reasonable steps to ensure individual is aware of:
• Fact information is being collected
• Purpose for which information is collected
• Intended recipients of information
• Contact details for agencies collecting and holding information
• Whether supply of information is mandatory / voluntary (Where law authorises / requires collection)
• Consequences if information not supplied
• Rights of access and correction
Provide these details before collection if practicable
IPP 3 - Collection of Personal Information From Subject (B)
Non-compliance permissible where agency believes, on reasonable grounds, that:
• It is authorised by the individual
• It would not prejudice the individual’s interests
• Compliance would prejudice purposes of collection
Also certain other grounds IPP 3(4)
Repeat explanation not necessary if given recently
IPP 4 - Manner of Collection of Personal Information
Personal information must not be collected by:
• Unlawful means
• Means that, in the circumstances, are
- Unfair
- Unreasonably intrude upon the Individual’s personal affairs
KEY CONCEPTS: PURPOSE AND OPENNESS
Develop information handling policies
Convey policies when collecting information
IPP 5 - Storage and Security of Information
Agency holding personal information must take reasonable security safeguards to protect against:
• Loss
• Unauthorised access, use, modification or disclosure
• Other misuse
ISSUES
Physical security?
Operational security?
Security of transmission?
Disposal or destruction?
IPP 6 - Access to Personal Information
Where an agency holds personal information in a way that it can readily be retrieved, individuals are entitled to have access to information relating to them
Obligations of agencies to:
• Provide assistance
• Transfer access requests
• Respond within time limits
• Make information available in form requested
Precautions by appropriate procedures:
• Satisfactory identification of individual
• Authority of agent
Charges:
• No charge by public sector agency
• Reasonable charges by others
Withholding Grounds - Principle 6
• 27(1)(c) - prejudice maintenance of law
• 27(1)(d) - endanger safety
• 29(1)(a) - unwarranted disclosure
• 29(1)(c) - prejudice physical / mental health
• 29(2) - not readily retrievable / cannot be found / does not exist
IPP 7 - Correction of Personal Information
An individual is entitled to request the correction of information
Agency must either:
• Make correction
OR
• Attach statement by individual of correction sought
Agency must notify known recipients of the information about this correction
IPP 8 - Accuracy of Personal Information to Be Checked Before Use
Agencies must take reasonable steps to ensure personal information is accurate before using it
• Accurate
• Up to date
• Complete
• Not misleading
• Relevant
IPP 9 - Agency Not to Keep Personal Information for Longer Than Necessary
Agency holding personal information shall not keep it for longer than required for the purposes for which it may lawfully be used.
ISSUES
Should it be retained at all?
If so, for how long?
Note legal obligations to retain, e.g. tax, medical records
Consider return, destruction, transfer
IPP 10 - Limits on Use of Personal Information
Personal information collected for one purpose cannot be used for another purpose unless agency believes, on reasonable grounds, that:
• Use for other purpose authorised by individual concerned
• Information sourced from publicly available publication
• Use for other purpose necessary to prevent or lessen a serious and imminent threat to
- public health / safety
- life / health of someone
• Purpose is directly related to the purpose for which it was collected
(Non-compliance permissible on certain other grounds)
IPP 11 - Limits of Disclosure of Personal Information
An agency shall not disclose personal information unless it believes, on reasonable grounds, that disclosure:
• Is to the individual concerned
• Is authorised by the individual
• Is one of the purposes in connection with which the information was obtained or is a directly related purpose
• Is in a form in which the individual is not identified
(Non-compliance permissible on certain other grounds)
Information Privacy Principle 11
DISCLOSURE: Don’t do it unless
• Authorised by Privacy Commissioner
• Research (No ID)
• Purpose of Collection
• Publicly Available
• Maintenance of the Law
• To the Person
• Public Health or Safety
• Needed to sell Business
IPP 12 - Unique Identifiers
• Agencies not to assign unique identifiers unless necessary to enable them to carry out their functions efficiently
• Agencies not to assign unique identifier that has been assigned by another agency
• Clearly identify the individual before assigning unique identifier
• Agencies not to require people to disclose a unique identifier assigned by another agency unless disclosure is for the purposes for which that unique identifier was assigned
Complaints Process
Notification
Complaints Review Tribunal
Commissioner assists parties with settlement
Investigation
Final opinion
Provisional Opinion - with right of response
Referred by Privacy Commissioner
Referred by Complainant
Privacy Act and Official Information Act Interface
Requester X asks for information about himself: Privacy Act
• IPP 6
• Part IV Privacy Act
• Sections 27-29 - withholding grounds apply
Requester X asks for information about Y: Official Information Act
• Section 5: Presumption of availability
• Unless good reason for withholding information
• Section 9(2)(a): protect privacy of natural persons
Other Legislation
Action authorised by other Legislation
Privacy Act Does not Derogate
Telephone: 04-474 7590
Enquiries hotline: 0800 803 909
Or: 09-302 8655
Email: [email protected]
Internet address: http://www.privacy.org.nz
Postal address: Privacy Commissioner, PO Box 10-094, Wellington
Don’t blame the Privacy Act