A new Privacy Act
A new privacy act means you need to act. On 1 December 2020, New Zealand’s updated Privacy Act comes into force. Here’s what you need to know to prepare for the changes.
The world in 2020 is almost unrecognisable when compared to 1993, when the first Privacy Act was passed.
The Privacy Act 2020 significantly modernises New Zealand’s privacy law and recognises the enormous technological advances of the past 27 years. The new Act, like its predecessor, is based on information privacy principles that set broad standards around how organisations can collect, use, store and share people’s personal information. There are new criminal offences and new fines. Some behaviour which has been optional will now become mandatory. The updated Act gives the Privacy Commissioner additional powers including:
- The ability to issue compliance notices to compel organisations to do something – or stop doing something.
- The power to direct organisations to give individuals access to their personal information.
New Zealand’s many small and medium business owners need to get up to speed with the changes.
WHAT YOU NEED TO KNOW
If a business is issued with a compliance notice, it will have the opportunity to respond before it is finalised. Once finalised, the business can still appeal to the Human Rights Review Tribunal. If the business loses its appeal and does not comply, or does not comply and does not appeal, it can be fined up to $10,000.
Because the new Act now incorporates criminal offences – with potential fines of up to $10,000 – businesses will take on more financial risk when dealing with personal information. The following behaviours are offences under the new Act:
• Failing to comply with a compliance order from the Privacy Commissioner.
• Misleading an agency to get someone else’s personal information.
• Destroying someone’s personal information when they ask for it.
• Failing to alert the Privacy Commissioner about a serious privacy breach.
USE THE NOTIFYUS TOOL
For businesses, one of the key changes to the Privacy Act is mandatory privacy breach notification.
This means businesses must notify the Privacy Commissioner, and affected individuals, if there’s a privacy breach that has caused serious harm – or could cause serious harm.
But how is “serious” defined? How does a business know if a privacy breach is serious enough to report?
The Office of the Privacy Commissioner has developed a new tool on its website, called NotifyUs, that businesses can use to report privacy breaches. The NotifyUs tool assists businesses to assess whether their breaches are notifiable or not. Organisations or businesses that fail to notify privacy breaches can be fined up to $10,000.
HERE’S WHAT TO DO NOW
It’s not too late to prepare for the changes to the Act. Here’s what you can do today:
• Review the personal information your business holds and your information management practices. For example, could you provide someone with their personal information in a timely manner if requested?
• Develop a privacy breach response plan – who needs to be aware and involved?
• Consider any process changes you might need to make to incorporate the changes to the Privacy Act, such as mandatory breach notification.
• Assign someone in your business the role of privacy officer.
Visit www.privacy.org.nz to access guidance and resources and to sign up for the Privacy Commissioner’s fortnightly newsletter.
You can find additional information about the new Privacy Act here: privacy.org.nz/privacy-act-2020/resources
To complete the “Privacy Act 2020” 30-minute online training module, go to: elearning.privacy.org.nz