Kia ora koutou.
This week, I wanted to focus on a recent major compliance initiative by the Office of the Privacy Commissioner that received little coverage overseas. While high-profile privacy regulator actions against global technology platforms might grab the headlines and certainly can positively impact millions of people, they do not always relate to actions that cause tangible harm at the individual level. By contrast, the commissioner’s compliance initiative targeted the rental property sector in New Zealand focuses at the local level, on data practices that significantly impact a disempowered and often vulnerable sector of the community.
In March 2021, amid a deepening housing crisis in New Zealand, the commissioner commenced a broad inquiry into the privacy practices of landlords and property managers. The inquiry was prompted by reports that increasingly desperate rental applicants were subjected to overly intrusive data collections by landlords, who were delving into applicants’ personal lives in ways that were unlikely to be justified, and sharing information with others in so-called “blacklists.”
A lengthy engagement with the rental sector — including tenants, landlords and property managers — informed a review of the collection, use and disclosure of personal information in the sector, and of any Privacy Act compliance issues. This engagement phase led to the November 2021 launch of a compliance monitoring program to ensure that landlords and property managers were acting in accordance with the law. This program will include regular checks of rental agencies, an annual survey to audit rental application forms, contracts, and privacy policies, and the establishment of an anonymous tipline to enable people to report concerns about privacy in the sector.
In a refreshingly clear message to the sector, the commissioner signaled that the inquiry was moving into a “compliance phase,” clearing the way for the exercise of new compliance notice powers against rental agencies which refused to comply. The commissioner also took a uniquely strong stand against “blacklists” or online “bad tenants” groups, working with site administrators to close these down. In a bid to ensure that rental agencies could not claim ignorance of their obligations, the commissioner released guidance and resources for both landlords and tenants.
This compliance initiative is interesting for two reasons. First, it signals a firm intention by the commissioner to use the new powers established in the new Privacy Act to take action against systematic privacy non-compliance. Second, it shows a strong willingness by the commissioner’s office to exercise these powers in a transparent and fair way, in accordance with its Compliance and Regulatory Action Framework. Strong signals toward compliance actions were preceded by a lengthy and open engagement with all stakeholders in the rental sector, and the commissioner has gone to great effort to ensure that rental agencies understand the law and their obligations before considering compliance action.
Finally, in IAPP news, the call for speaking proposals for the IAPP ANZ Summit 2022 in November is now open, closing 20 March. I’d like to join my ANZ colleague Stephen Bolinger in encouraging you to submit proposals on current topics of interest. This is your opportunity to lead the debate and, with any luck, do so on a stage in front of real people. Closer to home, our Wellington and Auckland KnowledgeNet chapters will host our first virtual NZ KnowledgeNet 3 March, on the very current topic of COVID-19 and workplace privacy issues. I hope you can join us.
Enjoy the digest, stay safe and be kind.
Ngā mihi