Privacy Act amendments reinforce an organisation’s liability for its agents

Legal update, 17 October 2024


The Statutes Amendment Bill has proposed a range of minor and technical amendments to the Privacy Act 2020 (Privacy Act), including a useful clarification that knowledge of a notifiable privacy breach by an agent or service provider will be treated as being known by the principal agency. The proposed amendments to sections 120 and 121 of the Privacy Act seek to clarify a principal agency’s liability under the Privacy Act for the acts and omissions of its agents by replicating the terminology used in section 11 of the Privacy Act - which establishes the “agency” model.

The agency model is set out in section 11 of the Privacy Act and specifies that where an organisation holds or processes personal information for or on behalf of another agency (i.e. the principal agency) as its representative or agent, the personal information is treated as being held by the principal agency, not the agent. This position applies to the extent the agent does not use or disclose the information for its own purposes. The effect of this model means the primary compliance obligations (and liability) under the Privacy Act in relation to the processing of the personal information sit with the principal agency, and not the agent.

While the practical effect of section 11 largely aligns with the more generally accepted concept of “controllers” and “processors” under comparable foreign privacy laws, the way the New Zealand framework is drafted can often be misinterpreted by principal agencies and service providers, particularly in relation to understanding each party’s statutory responsibilities and liabilities under the Privacy Act.

Although these newly proposed amendments do not change the existing understanding and effect of the “agency model” under the Privacy Act, they do serve as a useful reminder to principal agencies that they remain responsible and liable for notifying the Privacy Commissioner and affected individuals of any notifiable privacy breach – including where a breach is known to and/or caused by a third party service provider.

With this in mind, principal agencies should carefully consider the terms of their service agreements that relate to the reporting of privacy breaches to ensure that the service provider:

  • has appropriate systems and technological measures in place to monitor and promptly identify privacy breaches; and
  • notifies the principal agency of any privacy breach as soon as practicable.

In our experience, one of the key privacy-related matters that is often the subject of contractual negotiation between principal agencies and service providers is the specific timeframe in which service providers are required to notify the principal agency of a privacy breach affecting the personal information being processed and/or held by the service provider. Prompt notification of any privacy breach by a service provider is crucial, as it gives the principal agency sufficient time to:

  • properly assess whether the breach meets the ‘serious harm’ threshold under the Privacy Act; and
  • if required, make the necessary notification to the Privacy Commissioner within the expected timeframe.

Given the Privacy Commissioner’s expectation is that it is notified within 72 hours of an agency becoming aware of a notifiable privacy breach, this proposed clarification to the Privacy Act confirms that the ‘clock’ effectively starts ticking when the service provider becomes aware of the breach. Accordingly, principal agencies should ideally be pushing for notification of any privacy breach as soon as possible and no later than 24 - 48 hours from when the service provider becomes aware of the breach, so that the principal agency can meet its statutory reporting obligations under the Privacy Act.

If you would like more information about the application of the ‘agency model’ under the Privacy Act and how this may impact your contractual arrangements with service providers engaged to process personal information on your behalf, please get in touch with one of our subject matter experts.