Law Commission president Sir Geoffrey Palmer, SC, has flagged proposed changes to privacy rules which could mean more sharing of private information between government agencies.
In a speech to the Privacy Forum in Wellington today, Sir Geoffrey spoke about the commission's privacy project, a review of the Privacy Act 1993, and the pressures expanding technology can place on privacy.
It was complex subject, and he offered a chocolate fish to anyone who could define privacy.
Sir Geoffrey criticised how some agencies interpreted the Act. Its legal provisions did not do what many people said they did.
"Seldom in the history of New Zealand statute law had so much baseless misunderstanding been perpetuated by so many," he said.
"Some of it seems to have been deliberate. The Privacy Act has afforded many public and private agencies a false excuse for not carrying out their obligations."
That meant it had a bad reputation in some quarters that it did not deserve.
However, the commission still preferred the existing open-textured approach and do not see a rules-based system as a practical or desirable alternative.
Sir Geoffrey said information sharing had major privacy implications, especially between government agencies.
The Act did not fit with the changed public sector environment, in which whole-of-government approaches and integrated service delivery were increasingly important, he said.
"We have reached the tentative conclusion that the Act needs to be changed to better facilitate appropriate information-sharing amongst Government agencies."
It could mean treating the public sector as a single entity so that there was "a rebuttable presumption that personal information held by one public sector agency can be shared with other public sector agencies if such sharing is for the benefit of the individual concerned".
Sir Geoffrey also said both public and private sector agencies were currently under no legal obligation to notify individuals or the Privacy Commissioner when an individual's personal information is compromised -- for example lost or obtained by computer hackers.
There were questions about whether organisations should be required to notify individuals their personal information has been compromised and if the Privacy Commissioner should have power to compel an organisation to notify affected individuals.
Sir Geoffrey said there were also emerging issues and questions about regulations around direct marketing, such as mail, telephone calls, emails, spam, door-to-door marketing, automated dialling machines and more recently automated text messages.
The Marketing Association had a code of practice that requires telemarketers to remove a person's name from marketing telephone lists on request, he said.
However, that was a voluntary scheme confined to marketers who are association members, and it lacked enforcement mechanisms, he said.
Sir Geoffrey said the Privacy Commissioner system appeared to be generally sound and working well but the commission "tentatively believed" there were elements of it that were cumbersome and it could be made more streamlined and efficient.
"Essentially we propose a reformed complaints process together with some new enforcement tools," he said.
The commission believed the harm threshold for complaints should be removed and proposed that the commissioner should be given the power to determine complaints concerning rights of access by people to their own personal information.
The commission will publish its final report on the Privacy Act around the end of this year.
