The New Zealand MARKETING ASSOCIATION


SUBMISSION on THE PRIVACY BILL 2018 DRAFT
To the Justice Select Committee
24 May 2018

This submission is made by:
TONY MITCHELL, CHIEF EXECUTIVE
New Zealand Marketing Association (Inc)
PO Box 137266
Parnell, Auckland 1151

ABOUT THE MARKETING ASSOCIATION

The Marketing Association (MA) was formed in 1974. It represents 560 New Zealand organisations and over 6,600 individual marketing professionals. Members include banks, insurance companies, supermarkets, major retailers, telecommunication companies, utilities and Government ministries.

The MA has a strong record in supporting effective legislation. We have been involved in advising Government on privacy (before the passing of the 1993 Privacy Bill), the evolution of The Unsolicited Electronic Communications Act and on Consumer Law reform prior to the upgrade of the Fair Trading Act. We also assisted the Law Commission in their 2011 review of Privacy Law.

A major part of the activities of the MA involves establishing and promoting codes of practice and best practice guidelines for all forms of marketing communication, including advertising and sponsorship. Many of these codes require an even more stringent observance of fair and responsible data management than the current Privacy Act. We are a member organisation of the Advertising Standards Authority (ASA). We are strong advocates of fair and transparent business practice.

This submission is made on behalf of the members of the Marketing Association. We wish to reserve the right to make a personal submission to the Select Committee.

INTRODUCTION

The MA supports the Privacy Bill 2018 in its present form. The 1993 Privacy Act has successfully protected the personal information of individual New Zealand residents for 25 years and this Bill incorporates the same basic principles. The Bill maintains the 12 Privacy Principles which are the cornerstone of protecting both the collection and use of New Zealand residents' personal information. There have been very few commercial breaches of the Act in 25 years and in our view, the commercial sector has handled personal data in a responsible and transparent manner.

EXECUTIVE SUMMARY

The Marketing Association has reviewed the Privacy Bill 2018 and:

1. The Marketing Association agrees with the requirement to report all notifiable data breaches. We recommend this is expanded to include all breaches.
2. We support the prohibition of transfers of personal data to countries with inadequate Privacy laws.
3. We believe the maximum fine of $10 000 for failing to notify a data breach or failing to comply with a formal compliance notice is too low. We recommend increasing the maximum fines in clauses 122 and 133.
4. We are in support of the $10 000 fine under clauses 211 and 212.
5. On page 6 of this submission, we compare self-regulation in New Zealand against the requirements of more stringent international legislation and highlight how advanced self-regulatory privacy practices already exceed the requirements of The Privacy Bill 2018.

SUBMISSION

1. PART 3. CLAUSE 19 Information Privacy Principles

(a) IPP.4 now requires that agencies collecting personal information are sensitive to the age of the individual. We support the principle of this addition but would prefer that this requirement was more prescriptive. Very few organisations will be aware of the age of the individual before the information is collected, so it will be extremely difficult to comply.

(b) IPP.11 requires that agencies transferring personal data overseas may only do so to a recipient in a prescribed country or State which is specified in regulations as having privacy laws comparable to those of New Zealand. We are in support of this requirement. New Zealand's Privacy Laws are currently considered Adequate by members of the EU. This means that data transfer between NZ and EU countries is legally acceptable. With the introduction of GDPR, this may not always be the case and a further review of the Privacy Act may be necessary.

2. Part 4 (Clauses 44-63) deals with the conditions of individuals obtaining access to information held about them by an agency, and Part 5 (Clause 92) gives the Commissioner power to direct the agency to comply with such requests. It also authorises the Commissioner to impose a time limit on the agency to provide access. The Marketing Association supports both Part 4 and Part 5.

3. Part 6 (Clauses 117-119) These clauses require an agency to notify the Commissioner of any notifiable privacy breach. We agree with this in principle; however, there are 2 aspects of the fine detail which we believe need greater clarification.

Clause 117 defines a notifiable breach as one which has caused harm as listed in 75(2)(b), where the action
(i) has caused, or may cause, loss, detriment, damage, or injury to the individual; or
(ii) has adversely affected, or may adversely affect, the rights, benefits, privileges, obligations, or interests of the individual; or
(iii) has resulted in, or may result in, significant humiliation, significant loss of dignity, or significant injury to the feelings of the individual.

We question whether an agency suffering a breach would, in all circumstances, be aware of the possible harm it may cause and could therefore claim it had not notified the Commissioner and was not in breach of the Act. The most sensible course would surely be to require all breaches to be notifiable.

Clauses 118-119 state that an agency must notify the Commissioner and the affected individual as soon as possible after becoming aware that a notifiable breach has occurred. This wording could lead to unacceptable delays in notification. We believe that a prescriptive time frame (e.g. 10 days) would be more effective, if the Commissioner were also given the right to extend the period.

CLAUSE 122 states that "An agency that, without reasonable excuse, fails to notify the Commissioner of a notifiable privacy breach under section 118 commits an offence and is liable on conviction to a fine not exceeding $10,000." We suggest that the maximum fine is insufficient to deter an irresponsible agency from seeking to avoid detection and recommend a significant increase.

COMPLIANCE CLAUSE 133

The maximum fine for failing to comply with a formal compliance notice is $10,000. Again, we suggest that this is not significant enough to be a deterrent and should be raised significantly.

4. PART 9 (MISCELLANEOUS). CLAUSES 211-212 authorise fines of up to $10,000 for individual persons found guilty of obstruction, failure to comply, falsehood or impersonation. A similar fine may be imposed for the deliberate destruction of documents containing personal information which have been requested under Part 4 (Access to personal information). We believe this level of fine is appropriate for these offences.

5. GENERAL COMMENT: EFFECTIVE SELF-REGULATION

The Marketing Association is aware that Privacy Advocates (including the Commissioner) may be in favour of more stringent legislation similar to the General Data Protection Regulation (GDPR) implemented in the EU. The Marketing Association does not support this view, as Commercial Self-Regulation within the Marketing sector is already ahead of legislation. For instance:

The GDPR requires that individuals are granted the right to be forgotten. In New Zealand self-regulation, the right to opt out has been implemented for over 20 years. Additionally, The Marketing Association's Name Suppression Services assist over 168 000 consumers in curbing unwanted mail and telesales marketing. This register grows by 558 new consumers every month.

An excellent example of encouraging responsible collection and storage of personal data is the Marketing Association's Data Warranty Register. The DWR is granted to organisations that can demonstrate exemplary personal data Management: https://www.marketing.org.nz/services/data_warranty_register.

Organisations who are listed on the Marketing Association Data Warranty Register have demonstrated that they:
- Collect personal information in a professional and responsible manner.
- Abide by the Privacy Act and follow Industry Best Practice.
- Have a designated Privacy Officer to care for customer data.
- Ensure that only authorised personnel can access personal data.
- Maintain all personal records in a password-protected system.
- Regularly train staff on Privacy procedures.
- Only transfer data via strict security links.
- Operate only under the terms of formal written contracts.
- Are required to undergo industry compliance checks.

We highlight these initiatives to illustrate that the commercial sector already supports responsible data management. We therefore believe that The Privacy Bill 2018 is satisfactory without major change.