Wed 20 Aug 2008, 15:00, New Zealand 
 

A Guide to the Privacy Act 1993

Human Rights in New Zealand

Consumers around the world are demanding that Government, commerce and service providers recognise their rights of individual privacy.

New Zealand has become a world leader in privacy legislation and we can expect to see many other countries using our laws as a model for their own regulation.

Who's affected?

The Privacy Act 1993 deals with the collection, storage and use of personal information about identifiable individuals. It does not cover companies or other organisations and therefore principally affects consumer marketing.

Too much legalese

We're still suffering from "over interpretation" of the Act. As with all legislation, it's important to understand the motives of the select committee who introduced the bill, and the Ministry responsible. On the day the Act became law the Minister of Justice said on radio 'The Act is not meant to inhibit normal commercial communication'. That philosophy has been the underlying principle of the Privacy Commissioner and the Commission staff from day one.

Commonsense and good business practice will be your most effective guide as you seek to comply with the 12 Privacy Principles which are at the heart of the legislation.

The Role of the Privacy Commissioner

July 1993 - July 1996

The Privacy Commissioner was appointed by Government as the public watchdog to control and publicise all aspects of individual privacy. The Commissioner is responsible for investigating complaints and determining what further action (if any) should be taken.

During the years 1993-1996 the Commissioner's role was largely an advisory one, responsible for assisting public bodies, industries and commercial organisations to set up satisfactory codes of practice. The legislation is specifically designed to encourage self-regulation with the Privacy Commissioner's office providing guidance.

As a member of the Marketing Association, you are currently abiding by the Code of Practice for Direct Marketing, which includes compliance with The Privacy Act, among others.

July 1996 onwards

Since July 1996 the Privacy Commissioner's Office has become the initial complaints authority and endeavours to settle any complaint before referring it to the (Human Rights) Complaints Review Tribunal.

The Complaints Review Tribunal has the power to award damages for the interference of privacy of an individual up to a maximum of $50,000.

The 12 Privacy Principles

Principle 1 : Purpose of collection of personal information

This principle ensures that personal information can only be collected for a lawful purpose relevant to the organisation and must be necessary for the required purpose.

To comply you must ensure that any information collected is relevant for your business purpose (assuming your business is lawful!).

Principle 2 : Source of personal information

Information must be collected directly from the individual concerned except where

(a) the information is publicly available (such as telephone directory or business directory)
(b) you are authorised by the individual (to collect it)

To comply with this Principle you should endeavour to collect information directly from the individuals concerned. Otherwise be sure that the information is publicly available or that the individual has authorised collection.

Direct marketers can buy, rent or exchange personal information, but it must be with the authority of the individual - refer Principle 11 : Disclosure. Activities such as lead generation, member-get-member campaigns and personal referral campaigns are still possible as long as you practise full disclosure.

Principle 3 : Collection of information directly from the individual concerned

Reasonable steps must be taken to make the individual aware of the following :

(a) that the information is being collected
(b) the purpose for which the information is being collected
(c) who is going to receive the information
(d) name and address of organisation collecting and holding the information, and
(e) the individual's right to access and correct any information

To comply, make sure that when collecting information you make clear why, who is collecting it, who is going to use it, who will hold or store it, and how it can be accessed or corrected by the individual concerned.

A simple privacy information box on every piece of information collection stationery (order forms, competitions, coupons etc) is the easiest method. Here's an example of one used by the Marketing Association :

Your Privacy : The Marketing Association collects your details to keep you informed about marketing matters including training, education and current issues. Your details are stored securely at our National Office and can only be accessed by members of the Marketing Association. You are welcome to contact us at any time to access and update your personal information or to opt-out of receiving further communications from us P O Box 47681, Ponsonby, Auckland, freephone 0800 347 328 or email marketing@marketing.org.nz

Principle 4 : Manner of collection of personal information

Information shall not be collected by unlawful or unfair means and shall not intrude to an unreasonable extent upon the personal affairs of the individual.

To comply, ensure that only lawful and fair means are used to collect information. Avoid practices that may be interpreted as misleading or deceptive.

Principle 5 : Storage and security of personal information

Information must be protected against loss, unauthorised access, misuse and modification.

You must take reasonable precautions to safeguard information. Access should be available only to people who need to use the information.

NB : The Act requires every organisation holding personal information to appoint a Privacy Officer who will be responsible for compliance with the Privacy Principles within the organisation. If you have a customer database you need a Privacy Officer.

Principle 6 : Access to personal information

Individuals are entitled to obtain from organisations confirmation of whether or not personal information is held and to access the information about themselves.

You should establish, document and implement procedures to handle enquiries from individuals, and to provide information requested. Incorporate checks to ensure that information requests are bona fide.

Principle 7 : Correction of personal information

Individuals have the right to request correction of their personal information.

Take care to ensure that accurate information is held and that corrections are made promptly. (Sounds remarkably like a golden rule for database marketing!).

Principle 8 : Accuracy of personal information

The agency holding personal information must not use that information without taking steps to ensure it is accurate, up-to-date, complete, relevant and not misleading.

Your database management procedures should include constant checks on information collection systems and updating methods. (Another golden rule!).

Principle 9 : Retention of information

Personal information shall not be kept for longer than required for its lawful use.

You will need to develop a system to identify and carefully dispose of out-of-date information.

Principle 10 : Limits on use of personal information

Personal information shall not be used for any purpose unrelated to that for which it was obtained unless the source of the information is a publicly available publication or the use of the information for another purpose was authorised by the individual concerned.

Be clear and up-front about the purpose(s) for which information is being collected. Obtain appropriate authorisation from individuals where it is intended to make extended use of personal information. Think and plan ahead for possible future extended uses of information and build these into your initial authorisation process. Try to ensure that your information systems enable you to separate individuals with different levels of authorisation.

Principle 11 : Disclosure

Personal information shall not be disclosed unless the disclosure is directly related to the reason for which the information was originally collected, or the source of the information is a publicly available document, or the disclosure is authorised by the individual concerned.

Ensure that any disclosure of personal information is directly related to the reason for which the information was originally collected, or that the disclosure was/is authorised by the individual(s) concerned. If you intend to rent, sell or lend your list, you must tell people up-front.

Principle 12 : Unique identifiers

You should not assign a unique identifier to an individual unless it is necessary to carry out the lawful functions of your business.

A unique identifier, such as a customer number, is acceptable where there is a large customer base. However, the same unique identifier cannot be applied to an individual by more than one organisation.

What Happens if you Transgress?

Years of experience with the Act have shown us that it is not difficult to live with. Complaints about Direct Marketers have been few and far between. Those which have been upheld have usually been settled by an apology or small monetary compensation.

Remember that for a complaint against you to be upheld there should be evidence that the breach has caused the individual "loss, detriment, damage or injury", or has caused "humiliation, loss of dignity or injured feelings".

If you or your company are members of the Marketing Association, you can obtain advice on legislation affecting marketing communications simply by calling 0800 347 328 or emailing keith@marketing.org.nz. If you're not a member, call anyway and discuss membership!

What is Principle 3?

Principle 3 of the Privacy Act 1993 deals with the collection of information directly from the individual concerned, and says that reasonable steps must be taken to make known:

  • that the information is being collected
  • the purpose for which it is being collected
  • who is going to receive, store and use the information, and
  • the rights of access and correction to that information by the individual concerned

"This doesn't concern me", you may be thinking. "We haven't collected any new names recently." Maybe not ... but have you gained any new customers? If so, you cannot assume simply because you sold a Widget MkI to Mr A Buyer that you can save the information collected on that order form, unless you have complied with the steps above.

The same applies to competitions and promotions where you collect names and addresses etc.

So how do Direct Marketers handle this?

We suggest you make sure that all your order forms/competitions etc. clearly indicate what you will do with the information you collect.

Here are some examples:

YOUR PERSONAL PRIVACY
Thank you for your order. In order to keep you informed we will retain your name and address on file and send you further catalogues. We are also able to forward occasional offers from other companies. If you do not wish to receive either or both of these, please advise us. The Privacy Act of 1993 gives you the right to see or correct your personal information held by (company name).

YOUR PERSONAL PRIVACY
Thank you for your order. So that we can tell you about exciting new products from time to time, we will keep your details on file. These records are kept on our own computer and are totally secure. You have the right at any time to update or correct the information we hold. If you do not wish to receive future information about our comprehensive range of goods or services, all you have to do is tick the box below, sign and return this form to us at (address).
I do not wish to receive further information about your range of goods and services.
Signed: ……………………………………… Date: …………………………..

This should comply with the requirements of Principle 3, and at the same time offer your customer the opportunity of 'opting out' from receiving further information from you. Obviously, you'll need to tailor the wording to suit your own business.

If you would like the wording of your Privacy Clause checked to make sure it complies with the requirements of Principle 3, fax the Marketing Association - 0800 329 347 or email it through to us.

PRIVACY OFFICERS

What is a Privacy Officer?

A privacy officer is a person within an agency whose job it is to :

  • encourage compliance with the Information Privacy Principles (see Fact Sheet 3 to 3.5) and with other provisions of the Privacy Act
  • deal with requests for personal information and issues concerning personal information generally
  • work with the Privacy Commissioner when he is investigating complaints of "interference with privacy" where an individual has claimed that one has been caused by the agency (see below and also Fact Sheet 6)

An "agency" is any person or company or Government department. There are some exceptions (See Fact Sheet 1).

An interference with the privacy of an individual initially involves a breach of an Information Privacy Principle (or of the procedures relating to requests for access to or correction of information - see Fact Sheet 3 to 3.5), a breach of a Code of Practice, or a breach of the provisions relating to information matching (see Fact Sheet 5).

Why have a Privacy Officer?

The Privacy Act says that each agency is responsible for ensuring that there are, within the agency, one or more privacy officers. The agency should ensure that the person has enough resources to carry out his or her responsibilities properly.

The name of the privacy officer should be publicised within the agency and staff should be encouraged to discuss issues with that person. If the privacy officer is unable to assist, the Office of the Privacy Commissioner can provide guidance, including written information such as the Fact Sheet series. (However, it is not the role of the Commissioner to provide legal advice or guidance on a hypothetical situation. In such cases the agency should consult a solicitor.)

Will one privacy officer be enough?

This depends on a number of factors such as:

  • the size of the agency
  • the structure of the agency (is it in one place only, or does it have a number of offices or branches?)
  • the amount of personal information it holds, and the type of activity it is engaged in

A large organisation with a number of branch offices might find it desirable to designate a privacy officer in each location. However, a company (either big or small) that holds very little personal information might find that one privacy officer in the head office (or the only office) is enough.

Does this mean that agencies need to hire extra staff?

In most cases, no. It should be possible for an existing staff member to take on the duties of a privacy officer. However, where the main business or activity of the agency is connected with the collection and use of personal information, these duties may take up more time.

Who else should know about the Information Privacy Principles and Privacy Act?

Everyone in the agency who handles personal information should have an understanding of the Information Privacy Principles and the objectives of the Privacy Act generally. Where a more detailed knowledge of the agency's rights and responsibilities is required, the privacy officer should be able to provide assistance. If not, he or she can contact the Office of the Privacy Commissioner for help.

What is the privacy officer's role if a complaint is made to the Privacy Commissioner?

If a person complains to the Privacy Commissioner that an agency has caused an interference with his or her privacy, the Privacy Commissioner or one of his staff may contact the privacy officer in that agency to discuss the complaint, and to see whether there is any means of settling the matter. The privacy officer should provide whatever assistance is necessary.

The privacy officer may be asked to provide background information or identify the people in the agency who can do so.

Do privacy officers need any special training?

Privacy officers need to be familiar with the Information Privacy Principles. However, no special training is required. Educational material will be available from the Office of the Privacy Commissioner which explains what the agency needs to know in order to comply with the Privacy Act. In addition, the Privacy Commissioner will, from time to time, arrange seminars for privacy officers.

Fact Sheets are available from The Office of the Privacy Commissioner, P O Box 466, Auckland.
Auckland: Tel 0-9-302 2160, Fax 0-9-302 2305
Wellington: Tel 0-4-472 2059, Fax 0-4-472 7516


© 2005 - ALL RIGHTS RESERVED


This page was printed from The Marketing Association Website (http://marketingassociation.org.nz/cms/Resources/105)