This December 1, New Zealand’s 27-year-old privacy laws change under the new Privacy Act 2020. But what does it mean for business?
As recommended by the Law Commission’s 2011 review, the new Privacy Act 2020 repeals the Act of 1993. The new Act provides stronger powers for the Privacy Commissioner, introduces new mandatory reporting rules for privacy breaches, creates new offences, and increases existing fines.
The changes are sweeping, and businesses should start preparing now for the Act's commencement, currently scheduled for 1 December 2020.
So what’s different?
Simply put, the new Act strengthens privacy protections for customers, promotes early intervention and risk management by agencies, and beefs up the role of the Privacy Commissioner.
The key changes and what you should do about them
There are new requirements to report privacy breaches
The new requirements bring New Zealand into line with global standards for data breach notification, and with Australia's Privacy Act.
The new Act makes it clear that liability for privacy breach notifications sits with the business or organisation and not individual employees.
If an agency has a privacy breach that causes “serious harm” or is “likely” to do so, it must notify the people affected – and the Commissioner. Under the Act, it is an offence to fail to inform the Privacy Commissioner when there has been a notifiable privacy breach.
What should you do to prepare?
Now's the time to talk with staff about what needs to be done in the event of a serious data breach. Work through the various scenarios together so everyone is aware of the steps they should take. Put the steps for handling a serious data breach in writing, and make sure that all of your commercial partners (including service providers, contractors, etc.) understand their notification obligations when a breach has occurred.
New compliance notice powers
The Privacy Commissioner will be able to issue compliance notices to businesses or organisations to require them to do something, or stop doing something, in order to comply with the Privacy Act. Compliance notices will describe the steps that the Commissioner considers are required to remedy non-compliance with the Act and will specify a date by which the organisation or business must make the necessary changes.
The Privacy Commissioner will also be able to direct agencies to provide individuals access to their personal information.
What should you do?
Every business should have a privacy officer, according to the Privacy Act, so appoint one now. A privacy officer can be anyone who has a good understanding of the Act and can deal with privacy issues when they arise. Make it their responsibility to create an internal policy for managing privacy, review it regularly, and update it when necessary.
Disclosing information overseas
There are new rules around sending information overseas. From December, an organisation may only disclose personal information to an agency outside of New Zealand if the receiving agency is subject to similar safeguards to those in New Zealand’s Privacy Act.
If a jurisdiction does not offer similar protections, the individual concerned must be fully informed that their information may not be adequately protected and they must expressly authorise the disclosure.
What should you do?
Non-compliance has costs attached: the Privacy Commissioner is at liberty to publicly identify companies that do not comply with the new Act. Fines of up to $10,000 can now be levied against a business that fails to meet the conditions of the Act, and class actions for privacy breaches (with potential damages of up to NZD$350,000 awarded to each member of a class-action lawsuit) are now permitted.
The Privacy Commissioner will be releasing further guidance on all the key changes in the Privacy Act ahead of its commencement on 1 December 2020.