THE NEW ZEALAND MARKETING ASSOCIATION

SUBMISSION on THE PRIVACY BILL 2018 DRAFT

To the Justice Select Committee

24 May 2018

This submission is made by:

TONY MITCHELL, CHIEF EXECUTIVE
New Zealand Marketing Association (Inc)
PO Box 137266
Parnell, Auckland 1151
ABOUT THE MARKETING ASSOCIATION

The Marketing Association (MA) was formed in 1974. It represents 560 New Zealand organisations and over 6,600 individual marketing professionals. Members include banks, insurance companies, supermarkets, major retailers, telecommunication companies, utilities and Government ministries.

The MA has a strong record in supporting effective legislation. We have been involved in advising Government on privacy (before the passing of the 1993 Privacy Bill), on the evolution of The Unsolicited Electronic Communications Act and on Consumer Law reform prior to the upgrade of the Fair Trading Act. We also assisted the Law Commission in their 2011 review of Privacy Law.

A major part of the activities of the MA involves establishing and promoting codes of practice and best practice guidelines for all forms of marketing communication, including advertising and sponsorship. Many of these codes require an even more stringent observance of fair and responsible data management than the current Privacy Act. We are a member organisation of the Advertising Standards Authority (ASA). We are strong advocates of fair and transparent business practice.

This submission is made on behalf of the members of the Marketing Association. We wish to reserve the right to make a personal submission to the Select Committee.
INTRODUCTION

The MA supports the Privacy Bill 2018 in its present form. The 1993 Privacy Act has successfully protected the personal information of individual New Zealand residents for 25 years and this Bill incorporates the same basic principles. The Bill maintains the 12 Privacy Principles, which are the cornerstone of protecting both the collection and use of New Zealand residents' personal information. There have been very few commercial breaches of the Act in 25 years and, in our view, the commercial sector has handled personal data in a responsible and transparent manner.

EXECUTIVE SUMMARY

The Marketing Association has reviewed the Privacy Bill 2018 and:

1. The Marketing Association agrees with the requirement to report all notifiable data breaches. We recommend this is expanded to include all breaches.

2. We support the prohibition of transfers of personal data to countries with inadequate Privacy laws.

3. We believe the maximum fine of $10 000 for failing to notify a data breach or failing to comply with a formal compliance notice is too low. We recommend increasing the maximum fines in clauses 122 and 133.

4. We are in support of the $10 000 fine under clauses 211 and 212.

5. On page 6 of this submission, we compare self-regulation in New Zealand against the requirements of more stringent international legislation and highlight how advanced self-regulatory privacy practices already exceed the requirements of The Privacy Bill 2018.
SUBMISSION

1. PART 3. CLAUSE 19 Information Privacy Principles

(a) IPP.4 now requires that agencies collecting personal information are sensitive to the age of the individual. We support the principle of this addition but would prefer that this requirement was more prescriptive. Very few organisations will be aware of the age of the individual before the information is collected, so it will be extremely difficult to comply.

(b) IPP.11 requires that agencies transferring personal data overseas may only do so to a recipient in a prescribed country or State which is specified in regulations as having privacy laws comparable to those of New Zealand. We are in support of this requirement. New Zealand's Privacy Laws are currently considered Adequate by members of the EU. This means that data transfer between NZ and EU countries is legally acceptable. With the introduction of GDPR, this may not always be the case and a further review of the Privacy Act may be necessary.

2. Part 4 (Clauses 44-63) deals with the conditions of individuals obtaining access to information held about them by an agency, and Part 5 (Clause 92) gives the Commissioner power to direct the agency to comply with such requests; it also authorises the Commissioner to impose a time limit on the agency to provide access. The Marketing Association supports both Part 4 and Part 5.

3. Part 6 (Clauses 117-119). These clauses require an agency to notify the Commissioner of any notifiable privacy breach. We agree with this in principle; however, there are 2 aspects of the fine detail which we believe need greater clarification.

Clause 117 defines a notifiable breach as one which has caused harm as listed in 75(2)(b), where the action:
(i) has caused, or may cause, loss, detriment, damage, or injury to the individual; or
(ii) has adversely affected, or may adversely affect, the rights, benefits, privileges, obligations, or interests of the individual; or
(iii) has resulted in, or may result in, significant humiliation, significant loss of dignity, or significant injury to the feelings of the individual.

We question whether an agency suffering a breach would, in all circumstances, be aware of the possible harm it may cause and could therefore claim it had not notified the Commissioner and was not in breach of the Act. The most sensible course would surely be to require all breaches to be notifiable.

Clauses 118-119 state that an agency must notify the Commissioner and the affected individual as soon as possible after becoming aware that a notifiable breach has occurred. This wording could lead to unacceptable delays in notification. We believe that a prescriptive time frame (e.g. 10 days) would be more effective, if the Commissioner were also given the right to extend the period.

CLAUSE 122 states that an agency that, without reasonable excuse, fails to notify the Commissioner of a notifiable privacy breach under section 118 commits an offence and is liable on conviction to a fine not exceeding $10,000. We suggest that the maximum fine is insufficient to deter an irresponsible agency from seeking to avoid detection and recommend a significant increase.

COMPLIANCE CLAUSE 133. The maximum fine for failing to comply with a formal compliance notice is $10,000. Again, we suggest that this is not significant enough to be a deterrent and should be raised significantly.

4. PART 9 (MISCELLANEOUS). CLAUSES 211-212 authorise fines of up to $10,000 for individual persons found guilty of obstruction, failure to comply, falsehood or impersonation. A similar fine may be imposed for the deliberate destruction of documents containing personal information which have been requested under PART 4 (Access to personal information). We believe this level of fine is appropriate for these offences.
5. GENERAL COMMENT. EFFECTIVE SELF-REGULATION

The Marketing Association is aware that Privacy Advocates (including the Commissioner) may be in favour of more stringent legislation similar to the General Data Protection Regulation (GDPR) implemented in the EU. The Marketing Association does not support this view, as Commercial Self-Regulation within the Marketing sector is already ahead of legislation. For instance:

The GDPR requires that individuals are granted the right to be forgotten. In New Zealand self-regulation, the right to opt out has been implemented for over 20 years. Additionally, The Marketing Association's Name Suppression Services assist over 168 000 consumers in curbing unwanted mail and telesales marketing. This register grows by 558 new consumers every month.

An excellent example of encouraging responsible collection and storage of personal data is the Marketing Association's Data Warranty Register. The DWR is granted to organisations that can demonstrate exemplary personal data management: https://www.marketing.org.nz/services/data_warranty_register.

Organisations who are listed on the Marketing Association Data Warranty Register have demonstrated that they:
- Collect personal information in a professional and responsible manner.
- Abide by the Privacy Act and follow Industry Best Practice.
- Have a designated Privacy Officer to care for customer data.
- Ensure that only authorised personnel can access personal data.
- Maintain all personal records in a password-protected system.
- Regularly train staff on Privacy procedures.
- Only transfer data via strict security links.
- Operate only under the terms of formal written contracts.
- Are required to undergo industry compliance checks.

We highlight these initiatives to illustrate that the commercial sector already supports responsible data management. We therefore believe that The Privacy Bill 2018 is satisfactory without major change.