The swift advances in information technology over the last couple of decades have left the Privacy Act 1993 outdated and no longer fit to regulate effectively the ways in which we now gather, store and use information. To address this, New Zealand has a new Privacy Act on the way.
What are the key changes?
New privacy principle: Disclosure of personal information outside New Zealand. In effect, a business or organisation may only send or store personal information overseas if:
- The receiving agency is subject to safeguards which are comparable to those in the Privacy Act 2020; or
- Where comparable safeguards may not be in place, the individual concerned gives informed consent to their personal information being sent or stored overseas.
Access directions: The Privacy Commissioner may direct a business or organisation to provide individuals with their personal information. Access directions may be enforced in the Human Rights Review Tribunal.
Class actions: Class actions may be brought by a representative on behalf of aggrieved individuals (rather than just the Director of Human Rights Proceedings).
Notifiable privacy breaches: Businesses and organisations will have an obligation to notify the Privacy Commissioner and any affected individuals of privacy breaches which are likely to cause (or have caused) serious harm. If it is impractical to notify the affected individuals, the business or organisation will have to issue a public notice.
Compliance notices: The Privacy Commissioner will have the ability to issue compliance notices requiring businesses and organisations to take certain steps to comply with the Privacy Act 2020. Compliance notices may be enforced in the Human Rights Review Tribunal.
New offences: It will be an offence to –
- Mislead a business or organisation by impersonating an individual for the purpose of accessing that individual’s personal information or having it used, altered or destroyed; and/or
- Destroy a document containing personal information knowing that a request has been made in respect of that information (e.g. an access request).
The penalty for these offences is a fine up to $10,000.
The Privacy Act 2020 comes into force on 1 December 2020. This means you should review the items on the checklist below as soon as possible.
What you must do to ensure you comply with the Privacy Act 2020:
- Ensure your business has at least one ‘Privacy Officer’ who understands the new Act and can assist in ensuring you are compliant;
- Check how your business stores information – Is it secure? Do you use cloud software? If so, is the host an overseas organisation, and is it subject to safeguards equivalent to those required by the Privacy Act 2020?
- Review your policies and processes for collecting, handling and storing personal information –
  - Is all the personal information you are collecting necessary for you to carry out your business activities? If not, cease collecting it;
  - Do you still need the personal information you are storing? If not, securely dispose of it;
  - Ensure you inform any individuals concerned that you are collecting their personal information, the purpose for collection, who the information will be shared with and their right to access their personal information;
  - Ensure you are only using personal information for the stated purpose for which you collected it;
  - Is access to the personal information you hold restricted only to those who need access?
If you have questions we have not covered, our privacy team can help. Contact us to find out more.