Email this page

Send this page to a friend.

This page is printer friendly.

EDS Information Privacy Code 1997

CLAUSES

1. Title
2. Commencement
3. Interpretation
4. Application of code
5. Incorporation and modification of privacy principle

I, Bruce Houlton Slane, Privacy Commissioner, having given notice in accordance with subsection 48(1) of the Privacy Act 1993 of my intention to issue a code of practice and having satisfied the other requirements of the subsection, now issue under section 46 of that Act the EDS Information Privacy Code 1997.
Issued by me at Auckland on 20 May 1997. THE SEAL of the Privacy Commissioner was affixed to this code of practice by the Privacy Commissioner.
B H SLANE Privacy Commissioner


Introduction
In 1994 the government privatised the government computing service company known as GCS Ltd. GCS supplied computer processing services to a number of important public bodies. The privatisation raised a number of issues concerning the sensitivity of the information being processed which included, for example, criminal history information on the "Wanganui Computer" and taxation information.

As a response to the privatisation, and public concern as to the privacy sensitivities, the Privacy Commissioner issued the GCS Information Privacy Code 1994 ("the GCS Code"). The code's two prime purposes were to ensure:

that remedies for breaches of the information privacy principles (which were not otherwise available pending the completion of a transitional period) became available in the circumstances to which the code applied, (refer Privacy Act 1993, s.79); and
 that GCS was prohibited from transferring out of New Zealand any "identified information" except with the written authorisation of the relevant "designated agency", following written notice to the Privacy Commissioner specifying the destination of the transfer and the safeguards proposed to apply to the information.

The Privacy Act's transitional period expired on 1 July 1996 and therefore the first of these purposes is no longer relevant. However, it was never expected that the code would expire at that point and it was scheduled to continue for a further year and to expire on 30 June 1997. The Commissioner has taken the view that a new code should be issued to continue the existing regime with respect to the transferring of identified information out of New Zealand for processing.

GCS is now owned by EDS (NZ) Ltd. This code is designed to apply to EDS in the same way that the GCS Code has applied to that company since the purchase of GCS.

Title

1. This code of practice may be referred to as the EDS Information Privacy Code 1997.

Commencement and expiry

2. This code comes into force on 1 July 1997 and expires on 30 June 2000.

Commencement: The code comes into force immediately upon expiry of the GCS Code which it replaces.

Interpretation

3.(1) In this code, unless the context requires otherwise:

designated agency means an agency listed in the Schedule;

Designated agency: The schedule lists public sector agencies which were clients of GCS at the time it was privatised and to whom EDS provides an existing service.

existing service means any service provided by EDS to a designated agency that was being provided by GCS Limited at 1 October 1994 notwithstanding that it may be provided after that date under a new or replacement contract;

EDS means EDS (New Zealand) Limited and is to be taken to include any related company of EDS (New Zealand) Limited and any successor entity of EDS (New Zealand) Limited or of any such related company and includes any liquidator, receiver, statutory manager, mortgagee in possession and also any legal person acquiring in whole or part the business, or an interest in the business, of EDS (New Zealand) Limited;

identified information means information received by EDS in connection with an existing service that is deemed by virtue of subsection 3(4) of the Act to be held by a designated agency;

related company has the same meaning as in the Companies Act 1993;

the Act means the Privacy Act 1993.

(2) Terms and expressions used in this code and defined in the Privacy Act 1993 have the same meanings respectively as in the Act.

(3) In the case of inconsistency between subclause 5(2) of this code and a provision of any other code issued under the Privacy Act, subclause 5(2) prevails.

Application of code

4.(1) This code applies in relation to identified information.

(2) This code applies in relation to EDS and, as specified in subclause (3), in relation to designated agencies.

(3) Principle 5 of the information privacy principles as modified by subclause 5(2) is to be applied in relation to designated agencies in respect of identified information received by EDS and deemed by subsection 3(4) of the Act to be held by any such designated agency.

Incorporation and modification of information privacy principles

5.(1) The information privacy principles, other than information privacy principle 5, are applied in accordance with the Act in relation to EDS without modification.

(2) Principle 5 of the information privacy principles is modified in accordance with the Act to apply for the purposes of this code as follows:

Storage and security of personal information

(1) An agency that holds identified information must ensure:

(a) that the information is protected, by such security safeguards as it is reasonable in the circumstances to take, against:
(i) loss;
(ii) access, use, modification, or disclosure, except with the authority of the agency that holds the information; and
(iii) other misuse; and (b) that if it is necessary for the information to be given to a person in connection with the provision of a service to any such agency, everything reasonably within the power of the agency is done to prevent unauthorised use or unauthorised disclosure of the information.

(2) Identified information must not be transferred out of New Zealand unless:

(a) the relevant designated agency authorises the transfer in writing; and
(b) before the authorisation takes effect, the designated agency produces the authorisation to the Privacy Commissioner together with a statement in writing specifying:
(i) the country in which the information is to be processed; and
(ii) the safeguards proposed to ensure the security of the information in transit and in the course of processing.

SCHEDULE DESIGNATED AGENCIES

Auckland Healthcare Services Limited
Department for Courts
Department of Corrections
Department of Social Welfare
Health Support Services Limited
Inland Revenue Department
Land Information New Zealand
Land Transport Safety Authority
Ministry of Education
Ministry of Justice
New Zealand Police
New Zealand Qualifications Authority
Serious Fraud Office
South Auckland Health Limited
The Treasury
Waitemata Health Limited