Office of the Privacy Commissioner | Prosecution policy
1. The Privacy Commissioner, an independent Crown entity, is New Zealand’s privacy and data protection regulator under the Privacy Act 2020.
2. The functions of the Privacy Commissioner under the Privacy Act 2020 include the investigation and conciliation of privacy complaints, inquiries into matters affecting the privacy of the individual, and functions incidental or conducive to the performance of these functions. The ability of the Privacy Commissioner to carry out the statutory functions conferred under the Privacy Act efficiently and effectively is central to the statutory purpose of the Privacy Act to promote and protect individual privacy.
3. The Privacy Commissioner’s statutory powers include the power to summon persons, (1) and the power to require the provision of information that may be relevant to an investigation. (2)
4. The Privacy Commissioner has statutory powers to make an access direction (3) and the power to issue and enforce a compliance notice. (4) The Human Rights Review Tribunal is empowered to issue orders upholding or varying an access direction (5) or compliance notice issued by the Privacy Commissioner. (6) The Human Rights Review Tribunal is also empowered to grant remedies in respect of an interference with privacy including the making of orders. (7)
5. Failure to comply with an order of the Human Rights Review Tribunal in its Privacy Act jurisdiction is an offence. (8) This includes failure to comply with an access order (9) or a compliance order. (10)
6. The Privacy Act creates offences under:
a) section 118 in relation to an agency failing to notify the Privacy Commissioner of a notifiable privacy breach
b) section 197 in relation to transfer prohibition notices
c) section 212 in relation to actions that interfere with the Privacy Commissioner’s statutory functions, or that interfere with an individual’s personal information.
7. The purpose of this policy is to set out guidelines for the Privacy Commissioner when considering bringing a prosecution under the Privacy Act. Each case will be considered on its own merits, in light of all the relevant circumstances and with regard to the Solicitor-General’s Prosecution Guidelines.
8. The Privacy Commissioner is responsible for the decision, on legal advice, to commence or continue a prosecution under the Privacy Act and the appropriate charge or charges to be laid and will document any such decisions and the reasons for them.
9. Under section 96 of the Privacy Act, the Privacy Commissioner may refer evidence of any significant breach of duty or misconduct to an appropriate authority.
10. Where it is suspected that another more serious offence has been committed, (for example an offence against personal privacy under the Crimes Act), (11) this should be referred to the Police for investigation and prosecution.
11. The Privacy Commissioner is not the exclusive prosecuting authority under the Privacy Act and the New Zealand Police may initiate a prosecution independently of the Privacy Commissioner. This policy covers the offences under the Privacy Act where it is likely the Privacy Commissioner may consider bringing a prosecution under the Act.
Offence under Part 6(1) of the Privacy Act
12. Failure to notify the Privacy Commissioner of a notifiable privacy breach under section 118 of the Privacy Act, is an offence, liable on conviction to a fine not exceeding $10,000. (12)
13. A prosecution may be brought against any agency under section 118(1) in circumstances where the agency, without reasonable excuse, fails to notify the Privacy Commissioner of a notifiable privacy breach. (13)
14. It is not a defence to a charge under section 118 that the agency has taken steps to address the privacy breach; (14) however it is a defence that the agency did not consider the privacy breach to be a notifiable privacy breach, if it was reasonable for the agency to do so. (15)
15. Prosecution will be considered where the effectiveness or integrity of the Privacy Commissioner’s functions are compromised by an agency’s non-compliance with its obligation to notify a privacy breach that constitutes an offence under section 118(1).
16. The Privacy Commissioner’s primary objectives in bringing any prosecution under this part are to uphold the integrity and effectiveness of the Privacy Commissioner’s functions under the Privacy Act, to deter noncompliance with an agency’s obligations under the Act, and to hold to account persons who do not comply with those obligations.