New Privacy Act is here

With the passing of the Privacy Act 2020, New Zealand’s 27-year-old privacy laws have changed, introducing new rules around mandatory notifications and electronic breaches.

Pulling New Zealand into line with global standards around data breach notifications, the bill’s key purpose is to promote New Zealanders’ confidence that their personal information is secure and will be treated properly, especially in regards to digital providers.

Mandatory notifications

The Privacy Act controls how agencies collect, use, disclose, store and give access to personal information. The Privacy Act applies to almost every person, business or organisation in New Zealand.

Under the new Act, if your organisation or business has a privacy breach that is “likely to cause anyone serious harm”, you must notify the Privacy Commissioner and any affected people as soon as you are practically able.

“Privacy breaches are a reality for organisations that hold people’s personal information,” says the Privacy Commission.

“Businesses and organisations can lose personal information through complacency, inadequate security, poor procedures or by accident. If a privacy breach happens in your agency, it’s important to know how to manage it.”

The Privacy Commission has advice on responding to potential breaches here.

“It’s vital for your organisation’s reputation and its relationship with the customers/clients whose information you hold, that you do everything you can to prevent a privacy breach from happening.”

Principle 12

A significant change in the new rules is Principle 12, a privacy principle containing a series of controls on the disclosure of personal information to foreign agencies or persons. This is an important update because of the reliance that many businesses have upon cloud-based service providers, and the importance of free-flowing data globally.

The broad intent of these new controls is to ensure that personal information being sent out of the country will be subject to privacy safeguards that are comparable to New Zealand’s. Agencies will now be accountable for the international disclosure of personal information and will need to demonstrate that they have carried out the necessary due diligence checks required under the new privacy principle.

The Privacy Commission suggests that a practical way for businesses and organisations to comply with the new principle is to adopt contractual safeguards. Model contract clauses tailored to the requirements of the Privacy Act 2020 are available from the Commission.

Noncompliance

Fines of up to $10,000 can now be levied against a business that fails to meet the conditions of the Act and class actions for privacy breaches (with potential damages of up to NZD$350,000 awarded to each member of a class-action lawsuit) are now permitted.

What should you do to prepare?

Now’s the time to talk with staff about what needs to be done in the event of a serious data breach. Work through the various scenarios together so everyone is aware of the steps they should take. Put in writing the various steps for handling a serious data breach and make sure that all of your commercial partners (including service providers, contractors, etc) understand their obligations of notification when a breach has occurred.

Review and update your privacy policy to reflect the changes and ensure that your customers are fully informed of what data is being exchanged and why.

Report It Now helps businesses prioritise conversations about speaking up, providing the tools, resources and training required to operate an open, honest, and transparent business. To find out more, contact Report It Now for a free, confidential consultation.