In 2011, the Law Commission reviewed the Privacy Act 1993 and determined that the 1993 Act was not fit for purpose for the 21st century. Technology has advanced far beyond what was thought possible in 1993, particularly with regards to the ability for technology to gather, store and disseminate information. The Privacy Act 2020 (“the Act”), which repeals and replaces the Privacy Act 1993, addresses the gaps in the 1993 legislation and creates a more rigorous reporting and compliance framework. The Act has been in force since 1 December 2020.
Below we discuss the main changes businesses and organisations should be aware of. As you’ll see, some of the changes and new obligations on businesses and organisations are significant and will require current privacy policies and procedures to be reviewed and likely modified.
Several privacy principles have been updated, and one has been added. Of note, are principles 1, 4, 12 and 13. We’ve simplified the privacy principles into an applicable maxim below.
If your business or organisation has a privacy breach, you must notify the Privacy Commissioner and affected individuals of a privacy breach where you consider the breach is a notifiable breach. The breach will be notifiable if the business or organisation believes that the breach has caused (or is likely to cause) serious harm to the affected individuals.
In determining whether the breach is serious, you must consider:
To notify the Privacy Commissioner, businesses and organisations can use the Privacy Commission’s tool NotifyUs. This tool also has some helpful surveys to help you establish whether or not the breach is a notifiable one. If it is considered that the breach could be a serious one, you should go through the notification process on the Privacy Commissioner’s website.
If a notifiable breach occurs and your business or organisation fails to notify the Privacy Commission, you will be liable to a fine not exceeding $10,000. It will also NOT be a defence to a charge that you have taken steps to address the breach.
To ensure your business or organisation complies with the new reporting requirements, you should:
If your business or organisation refuses or fails to provide access to an individual’s requested personal information without a proper basis and that person has made a complaint, the Commissioner may compel you to grant access.
As we set out in our blog Five Interesting Facts about Privacy Law in Employment in New Zealand, such a request may come from an employee for personal information held by the employer.
The Commission can issue a compliance notice for any breach of the Act. This notice can require the business or organisation to start doing or stop doing some action in order to meet its obligations under the Act.
If the Commissioner is going to issue a compliance notice, they will provide the business or organisation with a written notice that:
A compliance notice can be varied where all or part of the notice has been complied with or where information needs to be added or amended.
If the Commissioner considers it is in the public interest to publish the identity and other details of the notice issued, the Commissioner may do so.
Where a business or organisation fails to comply with a compliance notice, the Commissioner may take enforcement proceedings in the Human Rights Review Tribunal. Where a business or organisation has failed to comply with a compliance notice without reasonable excuse, it may be liable on conviction to a fine not exceeding $10,000.
If a business or organisation disagrees with an access direction or compliance notice, it may appeal the direction or notice to the Human Rights Review Tribunal.
Under section 201, businesses or organisations must appoint a privacy officer (who can either be within or outside the agency). The privacy officer’s responsibilities include:
The new privacy principle 12 contains a set of rules and obligations to safeguard personal information disclosed to a foreign person or entity.
Before disclosing personal information to a foreign person or entity (“receiving organisation”), New Zealand businesses and organisations will need to undertake due diligence to ensure that:
The Privacy Commission has created a model agreement for the purpose of (d). A template of the agreement can be downloaded from here.
Discretion should be exercised carefully in entering into such agreements. If the agreement cannot be enforced in the country or the protections would be undercut by that country’s laws, the agreement should not be entered into and the individual will have to authorise the disclosure.
Importantly, Privacy Commissioner John Edwards has noted that this principle will not apply to offshore cloud providers, so long as the cloud provider is not using the information for any of its own purposes.
The updated Privacy Act will provide greater protection for individuals’ privacy. To do that, all businesses and organisations will be required to brush up on the new obligations and make the necessary changes to protect individuals’ privacy.
This blog is not a substitute for good advice. If you have further concerns or questions regarding changes to the Privacy Act, please don’t hesitate to get in touch with Bell and Co at 04 499 4014, or book a Calendly appointment here.