New Zealand: Dealing with sensitive personal information under the Privacy Act 2020
Personal data covers a wide range of information relating to living, identifiable human beings, including some information that is particularly sensitive. On 16 December 2021, the Office of the Privacy Commissioner of New Zealand ('OPC') published its guidance 'Sensitive personal information and the Privacy Act 2020' [1] ('the Guidance'). The Guidance provides key points on how the Privacy Act 2020 ('the Privacy Act') applies to sensitive personal information. OneTrust DataGuidance explores definitions, principles, exemptions, codes of practice, oversight, compliance, and enforcement mechanisms, as well as the approaches outlined in the Guidance.
Definition of sensitive personal information
In the Guidance, sensitive personal information is defined as 'information about the individual that has some real significance to them, is revealing of them, or generally relates to matters that an individual might wish to keep private'. More specifically, the Guidance lists the following as examples of sensitive personal information, which could result in individuals being treated differently if the information were revealed, divulged, or used in certain circumstances:
- sexual orientation;
- sex life;
- age; or
- religious, cultural, or political beliefs.
Further to these components of an individual's identity, an individual's activities or memberships, such as in advocacy groups, trade unions, or political parties, also count as sensitive personal information, as they can give insight into the individual's personal opinions and choices.
Under the Privacy Act, there are no rigid categories for personal information qualifying as sensitive. Instead, the Privacy Act approaches sensitive personal information within its context, circumstances, and cultural perspectives. This means that any information can be categorised as sensitive, or even highly sensitive. However, the Privacy Act names two groups of personal information that naturally count as sensitive:
- inherently sensitive information, such as health, genetic, biometric, and financial information; and
- children and young individuals' personal information.
Application of the Privacy Act
After a general introduction and definitions, the Guidance focuses on specific principles, exemptions, codes of practice, and oversight, compliance, and enforcement mechanisms. These elements are particularly relevant as they serve as a framework for agencies collecting or holding sensitive information. Although the Privacy Act does not set out any special procedures for dealing with sensitive personal information, the obligations on agencies are stronger, providing higher standards of protection and accountability.
The Information Privacy Principles [2] ('IPPs') establish higher protection standards for sensitive personal information, including:
Purpose for collection
Sensitive personal information should not be collected other than when it is necessary for an agency's lawful purpose.
What to tell an individual
When collecting sensitive personal information, the agency must ensure that reasonable steps have been taken to make the individuals aware of the collection of that information and the purposes for which it is being collected, as well as further elements specified within this IPP.
Manner of collection
When assessing whether the means used for collecting personal information are fair and not unreasonably intrusive, the sensitivity of the information matters, especially in the context of children and young individuals' information.
Storage and security
The degree of sensitivity of the personal information collected plays a crucial role in determining reasonable security safeguards.
Accuracy
The sensitivity of collected personal information is relevant when considering whether steps to check its accuracy are reasonable.
The IPPs aside, the OPC and the Human Rights Review Tribunal ('HRRT') require agencies to meet higher standards of transparency, security, and protection when sensitive personal information is involved.
The Privacy Act allows for some flexibility and leeway through different exemptions. These exemptions might, however, not be applicable when sensitive personal information is involved. The Guidance illustrates this with the example of an individual's mental health details or past sexual abuse history: disclosure of such information by another party is unlikely to be justifiable under the Privacy Act, regardless of the personal relationship between the affected individuals or any personal reason for the disclosure.
Codes of practice
Various codes of practice have been established for particular types of sensitive information, including health and credit information. These codes identify distinct obligations for certain agencies:
- the Credit Reporting Privacy Code 2020 [3] outlines specific rules for the handling of credit information by credit reporters; and
- the Health Information Privacy Code 2020 [4] provides a framework for health agencies when handling health information.
Oversight, compliance, and enforcement mechanisms
The following summarises the ways in which the Privacy Act intersects with sensitive personal information and the oversight, compliance, and enforcement mechanisms that monitor its protection:
Notifiable privacy breaches
The sensitivity of information needs to be taken into account when assessing whether a privacy breach is notifiable to the Privacy Commissioner ('the Commissioner') and affected individuals.
Section 113(b) of the Privacy Act
When assessing whether to issue a compliance notice or not, the Commissioner must keep in mind a number of factors, including the seriousness of the breach, which can also depend on the sensitivity of the involved personal information.
Approved information sharing agreements
Under Part 9(a) of the Privacy Act, information sharing agreements require the specification of the safeguards in place to protect the privacy of individuals and to ensure that any interference and adverse effects are minimised. The sensitivity of the personal information, inter alia, determines the robustness of these safeguards.
Interference with privacy and damages
The sensitivity of personal information is a determining factor in the enforcement of the IPPs and penalisation of individuals or agencies.
Where the HRRT issues damages awards, the more sensitive the personal information at issue, the greater the effect on the individual, and the higher the damages award may be.
Further to the above, the Commissioner is required to take into account cultural perspectives on privacy, including tikanga Māori. The categorisation of personal information as sensitive therefore hinges upon the Commissioner's obligation to consider the particular circumstances and cultural perspectives of the individuals involved. The Guidance gives the example of biometric information [5], such as the results of DNA analysis, qualifying as particularly sensitive information, as it is directly related to whakapapa (genealogy), which, in turn, connects individuals to their ancestors and to whānau, hapū, and iwi. In this regard, the OPC previously published a position paper on biometrics [6], in which it discusses how dealing with such personal information raises particular issues, for instance the relationship between individual and collective privacy. These issues have practical implications that need to be navigated. Understanding different perspectives on the matter, for example through the cooperation of both state and private sector agencies with Māori representatives, is crucial to working out how the Privacy Act can support the Crown's Tiriti obligations and tikanga Māori with regard to the appropriate treatment and protection of sensitive personal information.
Case-by-case approach to sensitive personal information
In its final part, the Guidance lays out that the categorisation of personal information as sensitive requires a case-by-case approach. In the context of agencies handling personal information, Privacy Impact Assessments can help identify scenarios where the treatment of sensitive personal information might call for particular care.
Reasonable expectation of privacy
One tool stemming from other areas of privacy law for assessing the sensitivity of information and the subsequent level of protection is the legal test of 'reasonable expectation of privacy'. Under this test, if personal information includes details for which individuals would have a reasonable expectation of privacy (for example, biographical information revealing intimate details of the individuals' lifestyle and personal choices, such as banking information or telecommunications), the information is highly likely to be sensitive and to require protection under the Privacy Act. Taking this case-by-case approach to categorisation allows personal information to be considered within its context and avoids a rigid one-size-fits-all framework.
Prohibited grounds of discrimination
One further tool listed in the OPC's Guidance to determine whether personal information counts as sensitive is the list of prohibited grounds of discrimination featured in Section 21 of the Human Rights Act 1993 [7], including:
- sex (including pregnancy and childbirth);
- marital status;
- religious and ethical beliefs;
- ethnic or national origins;
- political opinion;
- employment status;
- family status; and
- sexual orientation.
In this regard, the Guidance clarifies how potential discriminatory effects resulting from the collection, disclosure, or use of personal information relating to the above-mentioned grounds might bear on whether certain information should be qualified as sensitive and treated with particular care.
Marianna Patat, Editor
1. Available at: https://privacy.org.nz/publications/Guidance-resources/working-with-sensitive-information/
2. Available at: https://www.privacy.org.nz/privacy-act-2020/privacy-principles/
3. Available at: https://www.privacy.org.nz/privacy-act-2020/codes-of-practice/crpc2020/
4. Available at: https://www.privacy.org.nz/privacy-act-2020/codes-of-practice/hipc2020/
5. See the Insight on biometrics under the Privacy Act at: https://www.dataguidance.com/opinion/new-zealand-biometrics-under-privacy-act-2020-what
6. Available at: https://privacy.org.nz/blog/taking-the-measure-of-biometrics
7. Available at: https://www.legislation.govt.nz/act/public/1993/0082/latest/DLM304212.html