Skip to main content
You are here: News


The following news feed provides an overview of the current activities and news from APPA members.

The articles on this page are updated regularly from members’ news and media pages. If you have any questions or concerns about the content contained in the articles, please contact the respective member. You can locate members’ details underneath each article or on our Contact us page.


Data breach preparation and response guide released

Office of the Australian Information Commissioner
Source: News - OAIC
19 Feb 2018, 10:58pm AEDT

FTC Approves Final Order Requiring Alimentation Couche-Tard Inc. and Affiliate CrossAmerica Partners LP to Divest 10 Fuel Stations as a Condition of Acquiring Holiday Companies

Following a public comment period, the Federal Trade Commission has approved a final order settling charges that retail fuel station and convenience store operator Alimentation Couche-Tard Inc.’s acquisition of Holiday Companies would violate federal antitrust law. Under the terms of the acquisition, ACT will acquire from Holiday Companies approximately 380 retail fuel outlets with attached convenience stores in 10 states.

Under the terms of the consent agreement, ACT and its affiliate CrossAmerica Partners LP have agreed to divest 10 fuel stations in Minnesota and Wisconsin to address antitrust concerns. According to the complaint, the acquisition would have increased the risk of both unilateral and coordinated anticompetitive effects in all ten of the markets at issue.

ACT agreed to two other packages of divestitures last year in connection with separate mergers, one in June, and one in November.

The Commission vote approving the final order was 2-0. (FTC File No. 1710184; the staff contact is Nicholas Bush, Bureau of Competition, 202-326-2848.)

The Federal Trade Commission works to promote competition, and protect and educate consumers. You can learn more about how competition benefits consumers or file an antitrust complaint. Like the FTC on Facebook, follow us on Twitter, read our blogs and subscribe to press releases for the latest FTC news and resources.

Federal Trade Commission, United States
Source: Press Release Feed
16 Feb 2018, 11:00pm AEDT

Privacy Act turns 25

This year we mark a milestone in privacy law in New Zealand. On 5 May 1993, the Privacy Act was passed in Parliament with the complete support of the country’s political parties.

At the time, it was the first national information privacy law outside Europe to apply to both the public and private sectors. It did not, as some had predicted, paralyse business. It did not, as others had predicted, curtail the news media in reporting news.

Five years after its enactment, Assistant Privacy Commissioner Blair Stewart described the new statute in Necessary and Desirable: Privacy Act 1993 Review as a privacy law more comprehensive than any outside Europe and a ground-breaking piece of legislation. It had a set of information privacy principles (based on the privacy framework adopted by the OECD in 1980) and it established a national privacy commissioner.

Within a few short years, the Act notably advanced the privacy rights of individuals in New Zealand.

The new law gave New Zealanders the right to access their own medical records outside the public health system* which, at the time, was not a right individuals had in most part of Australia and North America. It enabled New Zealanders to seek the correction of information held on credit reporting agencies’ files, if it happened to be inaccurate or wrong. Prior to the Privacy Act coming into law, there was no right even to see that information.

New Zealanders were also given the right to access information about them on their employer’s personnel files. While this had been a right public sector employees had since the 1980s, the Privacy Act extended it to include all employees.

The Act gave people a clear avenue for a privacy complaint. The Privacy Commissioner provided a simple mechanism with an ombudsman-like investigation into complaints and a non-adversarial approach.

Now, a quarter of a century later, we might view the Privacy Act with a degree of routine complacency, as a piece of legislation that has been around long enough not to be curious about its origins. But given the Privacy Act’s ‘silver jubilee’ year, we think it is time to mark the important role it plays in human rights protections in New Zealand.


During the 1960s and 1970s, people became increasingly concerned about privacy against a backdrop of the anti-Vietnam war protests, Cold War paranoia, and the perceived threat of larger computer databanks.

The concern continued on into the 1980s where significant efforts were made at international privacy standard setting and legislative developments to provide adequate protection to privacy. The approach of 1984 prompted a surge of interest in George Orwell’s dystopian novel of the same name and prompted many commentators and pundits to reflect on the technological challenges to individual privacy.

As a forerunner to the Privacy Act and as a response by lawmakers to concerns about the centralised collection of citizen data, New Zealand enacted the Wanganui Computer Centre Act 1976. This pioneering law was notable for being both New Zealand’s first data protection law and the nation’s first freedom of information law. Through it, individuals had the right to access to information held about them on the Wanganui computer – a database accessible by the justice sector and law enforcement agencies.

The 1990s arrived and we saw technological advances undreamed of by Orwell with the worldwide linking of computers, the electronic tracking of consumers and citizens through to global surveillance from orbiting satellites.

It was in this advanced technological age New Zealand’s Privacy Act was enacted. The Privacy Commissioner is an independent official. The information privacy principles apply to all agencies in the public and private sectors and govern the collection, holding, use and disclosure of personal information. Individuals have certain rights under the Act, including a way to seek redress for an interference with privacy.

Present and future

Up to now, the Privacy Act has provided a workable framework for addressing a range of privacy issues. But technology will not stand still. Nor will the demands and expectations of New Zealanders. Internationally, the European Union’s General Data Protection Regulation (GDPR) takes effect in May 2018 and this will have widespread implications on the rules that govern global data flows.

The government in New Zealand has moved to update New Zealand’s 25 year old Privacy Act. These changes can be traced back to the Law Commission’s review of the Privacy Act in 2011.

The Ministry of Justice, which is responsible for the proposed legislation, has indicated that a Bill amending the current Act is currently being drafted. The Ministry says reforms to the Act will better protect people’s personal information and help ensure businesses and organisations that hold such data safeguard and handle it appropriately. The proposals include stronger powers for the Privacy Commissioner, mandatory reporting of privacy breaches, new offences and increased fines. In particular, the reforms aim to encourage private and public sector agencies to identify risks and prevent incidents that could cause harm.

The law reform process is the culmination of many years of preparatory work by the Law Commission and the Office of the Privacy Commissioner.

In the meantime, it’s a cause for celebration that our privacy law, in its current form, has helped thousands of New Zealanders get access to their information, resolve their privacy issues and raised privacy bar among hundreds of businesses and organisations.

*The right to access records held by public hospitals had been in place since 1987.


Office of the Privacy Commissioner, New Zealand
Source: Blog
16 Feb 2018, 2:04pm AEDT

FTC Returns Money to Consumers Harmed in Alleged Payday Loan Scheme

The Federal Trade Commission is mailing 72,836 checks totaling more than $2.9 million to people who lost money to an alleged scheme that trapped them into payday loans they never authorized or whose terms were deceptive.

According to the FTC, CWB Services, LLC and related defendants used consumer information from online lead generators and data brokers to create fake payday loan agreements. After depositing money into people’s accounts without their permission, they withdrew recurring “finance” charges every two weeks without applying any of the payments to the supposed loan. In some instances, consumers applied for payday loans, but the defendants charged them more than they said they would. Under settlements with the FTC, the defendants are banned from the consumer lending business.

The average refund amount is $40.61. Recipients should deposit or cash checks within 60 days. The FTC never requires people to pay money or provide account information to cash a refund check. If recipients have questions about the case, they should contact the FTC’s refund administrator, Epiq Systems, Inc., at 888-521-5208.

FTC law enforcement actions led to more than $6.4 billion in refunds for consumers in a one-year period between July 2016 and June 2017. To learn more about the FTC’s refund program, visit

The Federal Trade Commission works to promote competition, and protect and educate consumers. You can learn more about consumer topics and file a consumer complaint online or by calling 1-877-FTC-HELP (382-4357). Like the FTC on Facebook, follow us on Twitter, read our blogs and subscribe to press releases for the latest FTC news and resources.

Federal Trade Commission, United States
Source: Press Release Feed
15 Feb 2018, 11:00pm AEDT

Next week — government agencies and businesses must notify you of serious data breaches

In one week, the Notifiable Data Breaches (NDB) scheme comes into force. The scheme mandates that Australian Government agencies and businesses with obligations under the Privacy Act 1988 (Privacy Act) must notify you if you are likely to be at risk of serious harm because of a data breach.

Office of the Australian Information Commissioner
Source: News - OAIC
15 Feb 2018, 3:33am AEDT

FTC Announces Regulatory Review Schedule

As part of the Federal Trade Commission’s systematic review of all current FTC rules and guides, the agency is announcing a revised regulatory review schedule for 2018.

To ensure that its rules and industry guides stay relevant and are not overly burdensome, the FTC reviews them on a 10-year schedule. The review schedule is published each year, with adjustments in response to public input, changes in the marketplace, and resource demands. For 2018, the Commission intends to initiate reviews of, and solicit public comments on, the following:

  • Guides for the Nursery Industry, 16 CFR Part 18;
  • Test Procedures and Labeling Standards for Recycled Oil, 16 CFR Part 311;
  • Disclosure Requirements and Prohibitions Concerning Franchising, 16 CFR Part 436; and
  • Identity Theft [Red Flag] Rules, 16 CFR Part 681.

The Commission vote to publish the proposed Federal Register notice regarding its regulatory review program was 2-0.

The Federal Trade Commission works to promote competition, and protect and educate consumers. You can learn more about consumer topics and file a consumer complaint online or by calling 1-877-FTC-HELP (382-4357). Like the FTC on Facebook, follow us on Twitter, read our blogs and subscribe to press releases for the latest FTC news and resources.

Federal Trade Commission, United States
Source: Press Release Feed
14 Feb 2018, 11:00pm AEDT

Advice for doctors when there’s a complaint

If you work in a small practice or medical centre, there’s every chance you may not have received many requests for personal information from patients. The starting point is to know that the Privacy Act gives people the right to make a request for information that is about them.

Under the Privacy Act, your practice is legally obligated to respond to that request within 20 working days and to provide the information requested, although the law does allow reasons for withholding the information.

Giving access to information can take several forms. It can mean giving a copy of a document; giving a reasonable opportunity to look at a document, or listen to or view a recording; giving a summary of the information; providing a transcript; or giving the information orally – depending on the requester’s preference.

Pointers for responding to a complaint

But here’s the thing. Failing to respond to a request for personal information can result in a complaint from the requester to the Privacy Commissioner. We hope this never happens to you but in case it does, here are some pointers on how best to engage with us.

  1. The first thing to do is talk to us and to tell us what you know about the complaint and the information that’s requested. Our aim is to try and resolve the matter to the satisfaction of both parties – the complainant and the respondent (your practice). Be nice to us because we’re only doing our jobs. We are not advocates for the complainant.
  2. The second thing to observe is timeliness. Respond as promptly as you can to our requests for information. No one wins in a protracted complaints dispute. If a complaint drags on, it can become stressful, tiring and expensive for your practice and the complainant. There are many benefits in resolving a complaint to prevent it becoming a case before the Human Rights Review Tribunal. This can be an even longer and more costly process and, in the end, the Tribunal could well decide in favour of the complainant and against your practice.
  3. The third point is to remember that our goal is to resolve, not to punish. We’re here to mediate and we do this in a number of ways. One of the techniques we use is to call conferences between both parties, but we’d rather keep things less formal  and resolve them quickly, without a situation escalating.

Tell us in confidence

  1. In order for us to review your decision to withhold information from a requester, we will almost always need to see the information.
  2. When you send us the information, what we are doing is reviewing it to see if we agree with your reasons for not handing it over to the requester.
  3. We are not allowed to disclose the information that is being reviewed and we do not disclose the information.

However, when you give us information to review, it will help us if you can tell us clearly what information is being withheld and the reasons why your practice wants to withhold it.

One example is whether to disclose information about a child to a non-custodial parent. While section 22 of the Health Act permits parents and guardians to request their child’s health information, a health agency, such as a GP, can withhold health information where:

  • the child does not want the information to be disclosed;
  • it would not be in the child's best interests to disclose the information; or
  • one of the other withholding grounds in the Privacy Act applies.

Looking ahead

We have many resources to help medical practices comply with the Privacy Act. Our website has tools such as AskUs – our online privacy FAQs, the Priv-o-matic privacy statement generator, as well as our free online privacy training modules. We have a range of health brochures (in English and Te Reo). All of these are designed to be used to help make privacy easy.

A starting point is to familiarise yourself with our Quick Tour of the Privacy Principles. It may also be a good idea to display it in the administrative area of your practice to help colleagues and employees understand the obligations and responsibilities that come with holding personal information. This way, when you have an encounter with a privacy issue, you’ll know where to start. And if you need to know more, ask us.

Originally published in NZ Doctor (31 January 2018)

Image credit: Blue and silver stethoscope via Pexels


Office of the Privacy Commissioner, New Zealand
Source: Blog
13 Feb 2018, 7:23am AEDT

Use of video surveillance by local governments

In recent weeks many local governments have reported plans to implement video surveillance in public spaces, on a scale that would be unprecedented in BC. Richmond plans to spend over $2 million to deploy video surveillance throughout the city and Terrace plans to install surveillance in its public parks. The City of Kelowna – which already has CCTV in place – plans to hire employees to monitor their surveillance cameras continuously, in real time.

Office of the Information and Privacy Commissioner, British Columbia
Source: OIPC News and Events
8 Feb 2018, 7:00am AEDT

Do you really need that information?

Knowledge is power – a cliché, sure, but for a reason. As an agency, the more you know about your clients, the more effective your service can be. It makes sense to gather as much information as possible about the people you interact with. So why wouldn’t you?

Well, the Privacy Act restricts what personal information you can collect and how you can collect it. The Act also obliges you to keep information safe from misuse or unnecessary disclosure, and make sure it’s accurate.

A quick tour of the privacy principles

Personal information is both a valuable asset and a risk, so it’s worth thinking about whether you really need the information you want to collect.

Reasons for collecting personal information

Do I have a legal reason for collecting personal information? Is that reason connected to my agency’s work? You should ask yourself these questions before collecting personal information.

It might be obvious why you need the information at first, but you may find you only need some of it, or you don’t need it at all.

Deciding what to collect

You should only collect the smallest amount of personal information you need to complete a task. Let’s take landlords collecting information from potential tenants as an example. There’s some information you need, such as:

  • basic personal details
  • credit check information
  • details to check references.

But some collection is harder to justify. People have complained to us about landlords asking for:

  • their weekly income information
  • how much they currently pay in rent
  • the value of their belongings
  • their marital status
  • the make, model, and registration number of their vehicles.

It’s not clear how this information would help you decide if someone would be a suitable tenant, and collecting it seems excessive.

Storing information safely

Principle five of the Act requires you to take reasonable steps to secure the personal information you hold from loss, misuse, and disclosure.

What counts as reasonable depends in part on how much information you hold and how sensitive it is. Holding excessive personal information makes data breaches and accidental disclosures more likely and more serious.

Storage and security of personal information (principle five)

Letting people access their information

Principle six entitles people to access the information you hold about them. If you have lots of information, you’re going to get more requests and you’ll need more sophisticated record keeping so you can answer them.

Access to personal information (principle six)

Responding to requests from law enforcement

Sometimes Police or other government agencies ask for information about someone to help them maintain the law. Principle 11 lets you disclose personal information to these agencies if you decide it’s necessary to maintain the law.

Maintenance of the law

This can be a difficult decision, but collecting less information will make it simpler.

Tools to help you

Our website has a lot of information to help you with collecting information and other obligations you have under the Act.

Get started with our Privacy Impact Assessment Toolkit

Your obligations under the Privacy Act

Image credit: Morepork by Duncan Watson via New Zealand Birds Online

Office of the Privacy Commissioner, New Zealand
Source: Blog
7 Feb 2018, 1:49pm AEDT

Which small businesses have mandatory data breach reporting obligations?

From 22 February 2018, the Notifiable Data Breaches scheme (NDB scheme) will require a wide range of organisations to report data breaches that are ‘likely to result in serious harm’ to the individuals whose personal information is affected by the breach. They will also be required to notify the OAIC.

Office of the Australian Information Commissioner
Source: News - OAIC
6 Feb 2018, 6:18am AEDT

Through the looking glass: Views from the OIPC

Good morning and thank you Alan for your introduction. I’d also like to thank Laurel Wale for the invitation to spend some time on your beautiful campus. It’s great to be here at Thompson Rivers University as part of your conference for Data Privacy Day.

Office of the Information and Privacy Commissioner, British Columbia
Source: OIPC News and Events
1 Feb 2018, 7:00am AEDT

Statement from Acting Information and Privacy Commissioner on Data Privacy Day

Drew McArthur, Acting Information and Privacy Commissioner for British Columbia, released the following statement on Data Privacy Day

Office of the Information and Privacy Commissioner, British Columbia
Source: OIPC News and Events
30 Jan 2018, 7:00am AEDT

PCPD Joins Hands with Members of the Asia Pacific Privacy Authorities to Promote Privacy Awareness

Office of the Privacy Commissioner for Personal Data, Hong Kong
Source: Office of the Privacy Commissioner for Personal Data
29 Apr 2016, 10:00am AEST

A Community Service Order was imposed on an Insurance Agent for Using Personal Data in Direct Marketing without Consent

Office of the Privacy Commissioner for Personal Data, Hong Kong
Source: Office of the Privacy Commissioner for Personal Data
25 Apr 2016, 10:00am AEST