The Privacy Act 2020

It’s only a few days until the privacy laws in New Zealand change.

On 1 December 2020 the new Privacy Act 2020 comes into force, which repeals and replaces the existing Privacy Act 1993.

The Act contains important changes to our privacy law, including new reporting obligations and notification requirements for privacy breaches. Overall the aim is to align the law more with the modern idea of privacy in the digital age.

The Act applies to all types of entities, including public and private companies, government agencies, charities, organisations, and individuals like sole traders and contractors.

It’s also helpful to remember that the Act covers any sort of personal information (as opposed to corporate data).

Here is a summary of the three key changes and what they mean for you and your business:

1. Mandatory reporting of serious data breaches

If there is a privacy breach committed by your company (or anyone that you engage for the collection, storage, use or disclosure of personal information) and that breach causes or is likely to cause serious harm, you must notify both:

  • the Privacy Commissioner and
  • the affected individual

as soon as practical after you become aware of the breach.

This includes things such as leaked personal information which gets published online, or identity theft.

What should we do now?

Put in place processes which mean you can report any privacy breaches as soon as possible:

  • A privacy breach handling process will help your staff manage any privacy breaches quickly by containing the breach, deciding whether to notify the Privacy Commissioner and affected individuals, and ensuring that your reporting obligations are fulfilled.
  • Make sure all your contractors, agents and partners that deal with data are required to immediately notify you of a privacy breach so you can make sure that the breach is contained and work out quickly whether it needs to be notified.

2. Mandatory compliance with Privacy Commissioner’s directions

If a business commits a serious or repeated breach of the Privacy Act 2020, the Privacy Commissioner can insist that the business comply with the Act, including directing them to provide an individual with access to his or her personal information.

What should we do now?

Appoint a Privacy Officer

  • Appoint a privacy officer who will be responsible for looking after privacy within your business. This can be you or one of your employees.

Put some privacy management processes in place

  • Put in place some systems and procedures noting how your business will collect, store, use and disclose personal information. Review and update them regularly. Look at what information your company collects on customers and employees, and make sure that only those people who need to have access to that data do indeed have access.
  • Implement an internal data access process so any privacy requests can be actioned within 20 working days. And ensure this is the same as the data access arrangements you have with your data service provider, especially if they are an overseas provider.

3. Greater controls on the sharing of personal information overseas

Many businesses rely on cloud-based data storage providers to handle private data on their behalf. The new Act sets out some controls on how personal information can be disclosed to foreign agencies.

If you need to share any private data with overseas companies, you can only do so if:

  • your customer agrees that the foreign entity might not need to protect the information in the same way as under the Privacy Act; OR
  • the overseas company agrees that they will protect the data in a similar way to the new Act.

What should we do now?

  • Look at and update your privacy policy so that your customers know that their personal information will be transferred overseas, and the reasons for that (e.g. data storage, provision of services, etc).

Ask how your customers’ personal information will be protected

  • Look at the overseas company that you wish to share your customers’ personal information with:
    • Do they operate in jurisdictions like the EU or Australia with similar privacy laws to NZ?
    • Do they have a reputation for taking privacy seriously, or have they suffered privacy breaches in the past?
  • Update your contracts so that any overseas entity that handles your data is required to comply with NZ privacy standards (or similar).

What if it all goes wrong?

  • Reputational risk: Your business could be publicly identified by the Privacy Commissioner if you breach the Privacy Act 2020. Customers could lose confidence in your business.
  • Criminal liability: There are various consequences for breaching the Privacy Act, including criminal liability for both a company and its directors, with fines of up to NZD$10,000.
  • Class action: Privacy breach class actions will be allowed via the Human Rights Review Tribunal. If successful, each member of the class action may be awarded up to NZD$350,000.

In Summary

Review and update your privacy policy and data protection practices, and make sure that your business is not behind the curve when 1 December rolls around. Speak to us today if you want to check that your systems and processes are fit for purpose under the new Act.