Privacy Act update

In 2011, the Law Commission reviewed the Privacy Act 1993 and determined that the 1993 Act was not fit for purpose for the 21st century. Technology has advanced far beyond what was thought possible in 1993, particularly with regards to the ability for technology to gather, store and disseminate information. The Privacy Act 2020 (“the Act”), which repeals and replaces the Privacy Act 1993, addresses the gaps in the 1993 legislation and creates a more rigorous reporting and compliance framework. The Act has been in force since 1 December 2020.

Below we discuss the main changes businesses and organisations should be aware of. As you’ll see, some of the changes and new obligations on businesses and organisations are significant and will require current privacy policies and procedures to be reviewed and likely modified. 

Updated privacy principles

Several privacy principles have been updated, and one has been added. Of note, are principles 1, 4, 12 and 13. We’ve simplified the privacy principles into an applicable maxim below. 

• Principle 1: Only collect identifying information that is necessary to meet your business’s or organisation’s objectives. 
• Principle 4: Only collect information from children in a manner that is fair in the circumstances. 
• Principle 12: Cross-border disclosure (discussed below).
• Principle 13: Protect unique identifiers from being misused. 

Notifiable privacy breaches 

If your business or organisation has a privacy breach, you must notify the Privacy Commissioner and affected individuals of a privacy breach where you consider the breach is a notifiable breach. The breach will be notifiable if the business or organisation believes that the breach has caused (or is likely to cause) serious harm to the affected individuals. 

In determining whether the breach is serious, you must consider:

• any action taken by your business or organisation to reduce the risk following the breach
• whether the personal information is sensitive in nature – examples of sensitive information include information pertaining to mental health, medical or disciplinary records 
• the nature of the harm that may be caused to affected individuals – think about whether there’s a risk of identity theft or fraud, physical harm, humiliation, loss of dignity or damage to the person’s reputation or relationships
• the person or body that has obtained or may obtain personal information as a result of the breach (if known)
• whether the personal information is protected by a security measure
• any other relevant matters.

To notify the Privacy Commissioner, businesses and organisations can use the Privacy Commission’s tool NotifyUs. This tool also has some helpful surveys to help you establish whether or not the breach is a notifiable one. If it is considered that the breach could be a serious one, you should go through the notification process on the Privacy Commissioner’s website.

If a notifiable breach occurs and your business or organisation fails to notify the Privacy Commission, you will be liable to a fine not exceeding $10,000. It will also NOT be a defence to a charge that you have taken steps to address the breach.

To ensure your business or organisation complies with the new reporting requirements, you should:

• take stock of what personal information you have and where it is stored
• establish or evaluate systems to identify and report privacy breaches 
• provide training to ensure staff know how to respond to privacy breaches. 

Enforcement powers

Access directions

If your business or organisation refuses or fails to provide access to an individual’s requested personal information without a proper basis and that person has made a complaint, the Commissioner  may compel you to grant access.

As we set out in our blog Five Interesting Facts about Privacy Law in Employment in New Zealand, such a request may come from an employee for personal information held by the employer.

Compliance notices

The Commission can issue a compliance notice for any breach of the Act. This notice can require the business or organisation to start doing or stop doing some action in order to meet its obligations under the Act.

If the Commissioner is going to issue a compliance notice, they will provide the business or organisation with a written notice that:

• describes the breach, citing the relevant statutory provision or provisions
• summarises the conclusions reached
• sets out the steps the Commissioner sees need to occur in order to remedy the breach
• states dates the breach needs to be remedied by (if any).

A compliance notice can be varied where all or part of the notice has been complied with or where information needs to be added or amended. 

If the Commissioner considers it is in the public interest to publish the identity and other details of the notice issued, the Commissioner may do so.

Where a business or organisation fails to comply with a compliance notice, the Commissioner may take enforcement proceedings in the Human Rights Review Tribunal. Where a business or organisation has failed to comply with a compliance notice without reasonable excuse, it may be liable on conviction to a fine not exceeding $10,000.

If a business or organisation disagrees with an access direction or compliance notice, it may appeal the direction or notice to the Human Rights Review Tribunal. 

Privacy officers

Under section 201, businesses or organisations must appoint a privacy officer (who can either be within or outside the agency). The privacy officer’s responsibilities include:

• encouraging the business or organisation to comply with the privacy principles
• dealing with requests made to the business or organisation under the Privacy Act
• working with the Commissioner in relation to investigations
• ensuring the business or organisation complies with the provisions of the Privacy Act. 

Cross-border disclosure

The new privacy principle 12 contains a set of rules and obligations to safeguard personal information disclosed to a foreign person or entity. 

Before disclosing personal information to a foreign person or entity (“receiving organisation”), New Zealand businesses and organisations will need to undertake due diligence to ensure that:

1. the receiving organisation conducts business in New Zealand and is subject to the Privacy Act 2020; or
2. the receiving organisation is subject to comparable privacy laws; or
3. the receiving organisation is subject to the privacy laws of a “prescribed country”; or
4. the receiving organisation is required to protect the information in a way that provides comparable safeguards to the Privacy Act, through for example an agreement between the parties that ensure the privacy principles are applied; or
5. the individual concerned has consented to the disclosure after being fully informed that the receiving organisation may not protect their information in a comparable way to the Privacy Act. 

The Privacy Commission has created a model agreement for the purpose of (d). A template of the agreement can be downloaded from here.

Discretion should be exercised carefully in entering into such agreements. If the agreement cannot be enforced in the country or the protections would be undercut by that country’s laws, the agreement should not be entered into and the individual will have to authorise the disclosure. 

Importantly, Privacy Commissioner John Edwards has noted that this principle will not apply to offshore cloud providers, so long as the cloud provider is not using the information for any of its own purposes.

The updated Privacy Act will provide greater protection for individuals’ privacy. To do that, all businesses and organisations will be required to brush up on the new obligations and make the necessary changes to protect individuals’ privacy.

This blog is not a substitute for good advice. If you have further concerns or questions regarding changes to the Privacy Act, please don’t hesitate to get in touch with Bell and Co at 04 499 4014, or book a Calendly appointment here.