The Privacy Commissioner has added his voice to the chorus of those warning the Government about a funding shortfall in anticipation of new privacy laws.
John Edwards said his current budget would not be enough to implement changes and carry out the commission’s obligations under the updated Privacy Act.
OECD figures showed New Zealand’s Privacy Commission was one of only two comparable bodies to have a funding decrease between 2017 and 2018.
An overhaul of New Zealand’s 25-year-old privacy legislation is currently progressing through Parliament, at a time when the world is reconsidering data protection standards, in the age of social media and information harvesting firms like Cambridge Analytica.
But regulatory bodies including the Privacy Commission and the Human Rights Review Tribunal fear they will not be able to carry out their obligations under the proposed laws, due to a lack of resources.
In September, Human Rights Tribunal chair Rodger Haines voiced his concerns to the Justice Select Committee.
The tribunal’s troubles are well known. Even after being allowed to take on additional staff, it still only employs 1.6 full-time equivalent case managers.
Haines said even if the tribunal employed six staff, it would take five years to clear the backlog of current cases, while staying on top of the 70 or so new cases landing each year.
The new bill, when it becomes law, will ask the tribunal to enforce the ability of people to access their private information as well as compliance orders given by the Privacy Commissioner.
During his appearance before the Justice Select Committee on Wednesday, Edwards made similar comments.
He said it was the first time in almost five years he had asked for more money but there was no way he could take on the extra work expected, without extra resources and funding.
Edwards said he did not yet know the exact figure he was seeking but the commission was analysing the information so it could make a considered budget bid.
When pressed he said the commission would need more than “a few hundred thousand”.
Edwards said the commission managed to meet its current legislative obligations, but would not be able to do so under the new laws, without further funding.
The lack of funding also made it difficult for the commission to retain staff.
Edwards said the organisation was constantly in recruitment mode, which was not productive.
He described the commission as a “nursery’, where people were recruited, trained for 12 to 18 months, then gave six to 12 months of productive work before leaving.
Demand for staff in the privacy space was “growing exponentially”, and the commission could not compete with market rates, especially considering the high cost of housing and living.
The commission had also tried to improve culture and reporting channels in order to improve retention rates, but Edwards said most of the turnover issues came down to money.
Bringing a 25 year-old law into the digital age
New Zealand’s Privacy Act is 25 years old. When it was passed into law, the World Wide Web was just four years old.
Updating the legislation has been a long and bruising process. The current legislation is based on a 2011 review undertaken by the Law Commission, which was drawn up as legislation in 2013, but never introduced to Parliament.
Justice Minister Andrew Little introduced the legislation, which had its first reading in April and is currently before the Justice Select Committee.
Major changes to the current regime would see the mandatory reporting of privacy breaches that “pose a risk of harm to people”, and give the Privacy Commissioner the ability to issue compliance notices.