The Privacy Commissioner, John Edwards, has told businesses that it's "time to raise your game" and improve the transparency of their privacy practices.
In a recent online blog post, the Commissioner sends a clear message that he expects businesses to do more to make sure customers are aware of how their information is being collected and used, especially when the Privacy Bill 2018 becomes law.
- It tells people what personal information you are collecting, why, and what you will do with it. This is because the Privacy Act says that agencies need to take "reasonable" steps to ensure people are aware of these things
In both situations, you need to do what is "reasonable" in the circumstances. You need to take "reasonable" steps to ensure the person is aware of your privacy practices, and you need reasonable grounds to believe someone has authorised you to use or disclose their personal information for something other than the original purpose of collection.
Similarly, if you're a global household brand, they might expect you to share their details with other entities in your group, but they probably don't expect you to be sharing it with other people.
Although the Commissioner's blog post presents this as a change, we don't think that it is really a shift in the law, or how it is interpreted. The obligations to be reasonable are already in the current Privacy Act, and it's already difficult to enforce unexpected or onerous clauses in standard terms under New Zealand law, especially for consumer products and services.
However, we do think this means that the Commissioner will be paying closer attention to these issues, and intends to use his expanded powers under the Privacy Bill to improve transparency around privacy practices. For example, under the Bill, the Commissioner will be able to issue compliance notices, to require agencies to make changes where their privacy practices are not up to scratch.
We think now is a good time for all organisations to review their privacy policies and consider:
Are they clear and easy to understand?
Are they presented in a way that encourages people to read them?
Is there anything unexpected in there that should be brought to people's attention more prominently (e.g. via a separate tick box)?
Can we increase customer control over their personal information in some other way (eg by letting them change their own privacy settings, or using other features of "privacy by design")?
Answering these questions will go a long way towards meeting the "reasonable" criteria, and help businesses get ready for when the Bill becomes law in early 2020.
Allan Yeoman is a partner and Keri Johansson is a senior associate at Buddle Findlay.
Sign up for CIO newsletters for regular updates on CIO news, career tips, views and events. Follow CIO New Zealand on Twitter:@cio_nz
Send news tips and comments to firstname.lastname@example.org @divinap
Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.