The Privacy Act 2020 ("new Act") came into force in 2020, replacing the Privacy Act 1993. The purpose of the new Act was to overhaul New Zealand's existing privacy of personal information regulatory framework and bring it into line with internationally recognised privacy obligations and standards. Section 22 of the new Act sets out 13 information privacy principles ("Privacy Principles"). In this article, we focus on new developments in relation to Privacy Principle 1 ("PP1"), which addresses the purpose of collection of personal information.
Privacy Principle One
PP1 sets out the following restrictions in respect of the purpose for an agency collecting personal information:
"(1) Personal information must not be collected by an agency unless —
(a) the information is collected for a lawful purpose connected with a function or an activity of the agency; and
(b) the collection of the information is necessary for that purpose.
(2) If the lawful purpose for which personal information about an individual is collected does not require the
collection of an individual's identifying information, the agency may not require the individual's identifying information."
In short, if your business collects personal information, it is required by law that you only collect information where it is necessary for a lawful purpose connected with the function or activity of your business. If your business purpose does not necessarily require a person's identifying information, it may not be acceptable under PP1 to collect it. Where the action of the company collecting the information breaches one or more of the information Privacy Principles in the new Act, a complaint can be made to the Privacy Commissioner, who has various options.
Possible consequences of a breach include warning letters, access directions, compliance notices, referral to the Human Rights Review Tribunal, public interest inquiry, public naming of agency. The penalty for failure to comply with a compliance notice is a fine of up to $10,000.00. Among other consequences, the Human Rights Review Tribunal has the ability to award damages, including damages for humiliation, loss of dignity and injury to the feelings of the aggrieved individual (refer Section 103 of the new Act).
Compliance Monitoring Programme for Rental Accommodation
The New Zealand Privacy Commissioner has given a recent clear example on how to view the purpose for which personal information is collected, with a specific application to the rental accommodation sector.
In November 2021, the Privacy Commissioner announced the introduction of a new privacy compliance monitoring programme for the rental sector. The objective is to ensure that landlords, property managers and third party service providers are compliant with the provisions of PP1 of the new Act.
These measures came into effect in response to concerns that landlords have been collecting more information than is necessary from prospective tenants such as (for example) asking about relationship or family status, whether the applicant is unemployed, sexual orientation or gender identity or ethnicity.
A two-stage approach to collecting the minimal amount of personal information is advocated, with stage one for deciding whether applicants are likely to be suitable tenants and to narrow down who may be a preferred applicant and stage two for confirming the preferred applicants are likely to be suitable (such as obtaining credit checks, criminal record checks, evidence of ability to pay rent).
However, the scope of minimal information to be collected can be seen in the example given where the Privacy Commissioner considered requesting bank statements showing the applicant's transaction history is considered excess personal information, whereas requesting a credit report is not. It is also not acceptable to request information on personal characteristics protected under the Human Rights Act 1993 (such as sex, relationship or family status, religious or ethical belief, colour, race or ethnic or national origins, physical or mental disability or illness, age, political opinion, employment status, sexual orientation or gender identity).
Measures adopted by the Privacy Commissioner include introducing an anonymous tip line for tenants to report non-compliance.
On releasing its official guidance, the Privacy Commissioner's comment is quoted in the Privacy Commission 10 November 2021 media release; "As we move into this compliance phase, rental sector agencies must be aware of their obligations and responsibilities. There are now no excuses for over-collection and unauthorised use of personal information and there will be consequences for non-compliance".
In our view, this comment should be a warning to all industries. The new Act and Privacy Principles will continue to evolve and mature in a fast-moving data-driven economy. The message is clear – the Privacy Commissioner is seeking to flex its enforcement powers under the new Act. This means it is important for businesses to constantly review their policy on collecting personal information from individuals, revising whether existing information being collected is necessary for its lawful purpose and considering whether it is actually necessary to collect it.
PP1 is one of the 13 information Privacy Principles in the Privacy Act 2020, all of which require specific attention by businesses collecting personal information. At McVeagh Fleming, we are well-versed in the provisions of the Privacy Act 2020 and Information Privacy Principles, and are ready to assist your business with on both advisory and compliance. If you have any questions relating to Privacy Principle One (or any other of the Privacy Principles) or the Privacy Act 2020, and how they relate to your business, please direct any enquiries to:
See our Expertise pages
© McVeagh Fleming 2021
This article is published for general information purposes only. Legal content in this article is necessarily of a general nature and should not be relied upon as legal advice. If you require specific legal advice in respect of any legal issue, you should always engage a lawyer to provide that advice.