Privacy Act Changes Explained
New Zealand privacy laws changed on 1 December 2020 with the new Privacy Act 2020. The aim of the Privacy Act is to strengthen data protection by promoting early intervention and risk management by organisations or people that handle personal information. New Zealand’s privacy laws have not been updated since the founding of the Privacy Act in 1993. In a time where the data landscape is changing quickly and cybersecurity and data protection are now key issues, we need more robust and dynamic practices to align with the digital information era.
The Privacy Act 2020 requires new reporting obligations and notification requirements for privacy breaches, as well as several significant changes to NZ’s privacy law, so Kiwi businesses now need to ensure they have the correct privacy systems in place. We have outlined the key points of the new Privacy Act 2020 below, as well as what your business can do to prepare for this.
The New Privacy Act 2020 – What do you need to know?
The Privacy Act 2020 means businesses need to ensure they are protecting customers information and taking privacy obligations seriously, and for individuals and customers, the Act enables the enforcement of their rights. In a nutshell, the key changes to the Privacy Act are:
- Mandatory data breach reporting
If an agency has a privacy breach that causes serious harm or is likely to do so, it must notify the people affected and the Commissioner as soon as possible. Under the Act, it is an offence to fail to inform the Privacy Commissioner. - Compliance notices
The Commissioner will be able to issue compliance notices to require an agency to do something, or stop doing something. - Decisions on access requests
The Commissioner will make binding decisions on complaints about access to information, rather than the Human Rights Review Tribunal. The Commissioner’s decisions can be appealed to the Tribunal. - Strengthening cross-border protections
New Zealand agencies will have to take reasonable steps to ensure that personal information sent overseas is protected by comparable privacy standards. The Act also clarifies that when a New Zealand agency engages an overseas service provider, it will have to comply with New Zealand privacy laws. - New criminal offences
It will be an offence to mislead an agency in a way that affects someone else’s information, and to destroy documents containing personal information if a request has been made for it. The penalty will be a fine of up to $10,000. - Strengthening the Privacy Commissioner’s information gathering power
The Commissioner will be able to shorten the timeframe in which an agency must comply with investigations and the penalty for non-compliance will be increased from $2,000 to 10,000.
How can NZ businesses prepare for the new Privacy Act?
Organisations and businesses have until 1 December 2020 to ensure they are ready for the Privacy Act and its new reporting obligations. Your preparation may include the following:
- Update your Privacy Policies
Update your company’s privacy policies to make sure they align with the new law and ensure your clients and customers understand how you will use their information (how you collect it, use it and disclose it). - Data Control
Don’t make the crucial mistake of failing to control who has access to sensitive and personal data. Make sure you hold and use personal information in a safe and secure way and dispose of it securely when you have finished with it – whether you use a company server or a cloud system, ensure it has the proper security controls applied. Regularly check who has access to this data and update as needed. - Third Party Arrangements and Contracts
Review your contractual arrangements with any other party that stores or processes personal information supplied by your business. If you use an overseas-based service provider, consult with them to see how they’re meeting NZ privacy laws. This may include web host providers, email providers or cloud providers. - Procedure Updates
Develop or update your company’s procedures for data breaches, including how they will be detected, reported and investigated. You will be unable to respond effectively to a breach if you don’t know what happened, so it’s important to monitor your network and do regular audits of data and how it’s used and set up processes to report any data loss or breaches. You will need to meet your reporting requirements if a significant data breach happens. - Staff
Every business should have a person (or privacy officer) who has a good understanding of the Privacy Act and can deal with privacy issues. You should also let staff know who they can approach to discuss any privacy concerns – having a central point in an organisation who is trained up on the new laws, policies and processes is key to improving data security.
Further Information
Here are some key links we recommend reading to help your understanding of the Privacy Act and tools you may find helpful:
- View the full Privacy Act 2020 in full here
- NotifyUs – the Privacy Commissioner’s online tool to help you work out if a breach is notifiable and report it
- E-learning modules that explain key changes and why the law was revised
- The Privacy Commissioner’s Data Safety Toolkit
- Priv-o-matic – the Privacy Commissioner’s Privacy Statement generator
Ensuring personal information is protected throughout its entire lifecycle of collection, storage, use and disclosure is not only a legal requirement; it is a business-critical one to have your customer’s trust and confidence. For many organisations, there will be significant system and process changes that need to happen to ensure compliance, so don’t leave it too late. At Strategus we employ best practices to ensure we provide secure services and continually review our systems to ensure compliance. Please contact us if you would like additional guidance or support surrounding the Privacy Act and what your business needs to do.