This project involved four stages, with publications at each stage.
Stage 1: Policy Overview was a high-level analysis to assess privacy values, changes in technology, international trends, and their implications for New Zealand law. It was completed in 2008 with the publication of a study paper.
Stage 2: Public Registers was a consideration of the law relating to Public Registers and whether it requires systematic alteration as a result of privacy considerations and emerging technology. The Commission recommended a review of all public registers against a template set out in the report, with the resulting legislative changes to be introduced by way of a single omnibus Bill. The report was published in 2008, but the recommendations were not considered by Government until the Commission completed its review of the Privacy Act 1993 in 2011.
Stage 3: Invasions of Privacy considered the adequacy of New Zealand's civil and criminal law to deal with invasions of privacy. The Commission's final report (R113) was tabled and released in late February 2010. The Commission recommended a new Surveillance Devices Act to fill gaps in the regulation of the most objectionable forms of surveillance. On the question of the common law privacy tort (publication of private facts), the Commission recommended that this area be left to the courts to develop over time, rather than introducing a statutory cause of action.
Stage 4: Review of the Privacy Act 1993 was a general review of the statute with a view to updating it.
Terms of reference
This project will proceed in stages, with reports made at each stage.
- In stage 1 of the project, the Law Commission will undertake a high level policy overview to assess privacy values, changes in technology, international trends, and their implications for New Zealand civil, criminal and statute law. The Law Commission will conduct a survey of these trends in conjunction with the Australian Law Reform Commission. A report on this overview will be published.
- In stage 2 of the project, the Law Commission will consider whether the law relating to public registers requires systematic alteration as a result of privacy considerations and emerging technology.
- In stage 3 of the project, the Commission will consider and report on:
(a) The adequacy of New Zealand’s civil law remedies for invasions of privacy, including tortious and equitable remedies; and
(b) The adequacy of New Zealand’s criminal law to deal with invasions of privacy.
- In stage 4 of the project, the Commission will review the Privacy Act 1993 with a view to updating it, taking into account any changes in the legislation that have been made by the time this stage of the project is reached.
Protecting Personal Information From Disclosure (NZLC PP49, 2002)
The Commission's Preliminary Paper, Protecting Personal Information From Disclosure (NZLC PP49, 2002).
Public Registers - Review of the Law of Privacy: Stage 2 (NZLC IP3, 2007)
The Commission's Issues Paper, Public Registers - Review of the Law of Privacy: Stage 2 (NZLC IP3, 2007) is the consultation part of Stage 2 of the Law Commission’s review of privacy.
Invasion of Privacy: Penalties and Remedies (NZLC IP14, 2009)
The Commission's Issues Paper, Invasion of Privacy: Penalties and Remedies (NZLC IP14, 2009) looks at a range of issues in relation to the Privacy Act 1993, including the scope and approach of the Act; the role of the Privacy Commissioner; complaints and enforcement processes; sharing of personal information between government agencies; the implications of technological developments; and direct marketing.
Review of the Privacy Act 1993 (NZLC IP17, 2010)
The Commission's Issues Paper, Review of the Privacy Act 1993 (IP17, 2010) looks at a range of issues in relation to the Privacy Act 1993, including the scope and approach of the Act; the role of the Privacy Commissioner; complaints and enforcement processes; sharing of personal information between government agencies; the implications of technological developments; and direct marketing. The issues paper makes some proposals for reform on which it seeks submissions, and also asks some open-ended questions.
A Conceptual Approach to Privacy (NZLC MP19, 2007)
A Conceptual Approach to Privacy (NZLC MP19, 2007) attempts to develop a possible approach to conceptualising privacy with a view to assisting Stage 1 of the Law Commission's review of privacy. The aim of the Paper is to establish a conceptual framework for starting to think theoretically about privacy and for practically assessing the present legal regime relating to privacy. As a framework for legal analysis, it will represent the starting point to the Commission's approach in Stage 1 of its privacy review and a basis for putting some assumptions on the table so that constructive discussion can emerge as the Commission's review proceeds through all of its four stages.
Privacy Concepts and Issues (NZLC SP19, 2008)
The Commission's Study Paper, Privacy Concepts and Issues (NZLC SP19, 2008) is the outcome of stage 1 of the Law Commission’s Review of Privacy, and provides background for the later stages. It establishes a conceptual framework for the Review; examines social attitudes, technological developments, and international trends relating to privacy; and looks at some particular issues that will be discussed in more detail in the later stages of the Review. It does not include recommendations.
Information Sharing: Review of Privacy (NZLC MB2, 2011)
The Commission is conducting a review of the Privacy Act 1993. In the course of this review it has studied the subject of information sharing by government agencies. It has been asked by the Minister to present its findings on this subject ahead of the report on the Privacy Act.
The Commission's Ministerial Briefing, Information Sharing: Review of Privacy (NZLC MB2, 2011) favours facilitation of information sharing between agencies, but only if there are proper checks and balances, and if risks to individual privacy are minimised. It proposes a regime whereby sharing programmes would go through a process of approval by Order in Council, after consultation with appropriate bodies, including the Privacy Commissioner. Approved programmes would be listed in a schedule to the Privacy Act. The Act would lay down the criteria for approving the programmes, and contain requirements of transparency and accountability.
Public Registers: Review of the Law of Privacy stage 2 (NZLC R101, 2008)
The Commission's Report, Public Registers: Review of the Law of Privacy stage 2 (NZLC R101, 2008) identifies well over one hundred public registers in New Zealand, including rates databases and dog registers, land registers transport registers, the electoral rolls, births, deaths and marriages registers. Regulating the balance between open access to the registers and protection of personal information varies greatly. The Commission recommends that a dedicated team should review all public registers against a template set out in the report. Recommendations for resulting legislative changes should then be introduced by way of a single Omnibus Bill. However, the Commission’s recommendation for a public register review will not be considered by the Government until the Commission’s reference on the Privacy Act 1993 is completed.
Invasion of Privacy: Penalties and Remedies: Review of the Law of Privacy: Stage 3 (NZLC R113, 2010)
The Commission's Report, Invasion of Privacy: Penalties and Remedies: Review of the Law of Privacy: Stage 3 (NZLC R113, 2010) recommends the enactment of a new Surveillance Devices Act which would provide for criminal offences and a right of civil action in relation to the use of visual surveillance, interception and tracking devices. The report also recommends some changes to the Harassment Act 1997 so that it applies more clearly to instances in which surveillance is used for the purpose of harassment; some new offences targeting voyeurism; and some changes to the law governing surveillance by private investigators. The report recommends that the tort of invasion of privacy should be left to develop at common law.
Review of the Privacy Act 1993: Review of the Law of Privacy Stage 4 (NZLC R123, 2011)
The Commission's Report, Review of the Privacy Act 1993: Review of the Law of Privacy Stage 4 (NZLC R123, 2011), which calls for new powers for the Privacy Commissioner, is the fourth in the Commission’s four-stage review of New Zealand’s privacy laws.
The report focuses on the Privacy Act 1993. Overall, the Commission believes the main principles of the Act remain sound. Rather than setting strict rules, the Act is based on privacy principles that can be applied flexibly to suit an agency’s particular circumstances. The Commission supports this principles-based approach, which also allows the Act to remain relevant as technology changes.
The Commission thinks the Act could be improved in a number of areas. Among the key recommendations of the report are that:
- the Privacy Commissioner’s powers should be augmented by a new power to issue compliance notices, and, where there is a good reason for it, to require an audit of an agency’s information-handling practices;
- the complaints process under the Act should be streamlined in a number of respects, including giving the Privacy Commissioner the power to make binding decisions on complaints about people’s right to access their own personal information;
- agencies should be required to notify people when personal information held by an agency is lost or otherwise compromised (for example, through computer hacking), if the breach is sufficiently serious;
- there should be a new framework in the Act to allow the sharing of personal information between government agencies where it is in the public interest to do so, but with appropriate safeguards; and
- some exceptions to the privacy principles should be modified; for example, to clarify that people can pass on information to an appropriate person where someone’s health is seriously at risk, or report suspected offending to the police.
Government responses to our review of privacy law
The Government did not issue a formal response to our report Public Registers: Review of the Law of Privacy: Stage 2 (R101, 2008) specifically. There was no requirement for the Government to present a formal response to Commission reports before April 2009. (See Official Government response process | Department of the Prime Minister and Cabinet (DPMC).)
However, in its responses to subsequent reports in the wider review of privacy law (reports R113 and R123), the Government announced that it would consider and respond to the Law Commission’s report on public registers after policy decisions on the Act were made. In Part B of a further supplementary response to R123 in 2014, it noted that consideration of Recommendation 7, relating to public registers, would be deferred to enable all recommendations relating to public registers to be considered as a package and as part of a comprehensive review.
The Government did issue a formal response to our subsequent reports Invasion of Privacy: Penalties and Remedies: Review of the Law of Privacy: Stage 3 (R113, 2010) and Review of the Privacy Act 1993: Review of the Law of Privacy Stage 4 (R123, 2011).
It also issued a supplementary response to the review generally.
As recommended by the Commission, a new Privacy Act was enacted. The Privacy Act 2020 incorporated many of the Commission’s recommendations. The purpose section of the Act is broadly consistent with the recommendations except that there is no express purpose to provide remedies for interference with privacy of personal information. One of the Commission’s most significant recommendations, the Privacy Commission’s ability to issue compliance notices is now contained in the new Act. Additionally, the Privacy Commissioner now has powers to direct an agency to provide an individual with their private information (previously this had to be negotiated or determined by the Tribunal). Other key recommendations adopted include the enhanced powers for sharing information with overseas privacy enforcement agencies, the introduction of two new offences relating to impersonation and evading requests for information by destroying documents.
However, several other significant recommendations were not included, particularly around enforcement and remedies.