The new Privacy Bill has passed and The Privacy Act 2020 will come into effect on 1 December 2020, replacing The Privacy Act 1993 here in New Zealand.
So what will this new legislation mean for New Zealand agencies? (And by agency I mean "any person or body of persons, whether corporate or unincorporate, and whether in the public sector or the private sector.")
Firstly, the principle-based approach of the current act will remain. We will still be required to have a Privacy Officer and we will still need to have a Privacy Statement. But there are a number of key additions to The Privacy Act 2020.
These additions include:
Mandatory Privacy Breach Notifications
There will be a new obligation for agencies to notify privacy breaches that have caused serious harm, or are likely to do so. For example, if you lose a USB stick on the bus containing all your customers' personal details, you will need to tell both the individuals concerned and the Office of the Privacy Commissioner.
To decide whether a breach could cause "serious harm" you'll need to consider factors such as how sensitive the information is, who now has access to it and how many people that is, and how well the information was protected, e.g. was the USB stick encrypted. Keep a record of that assessment: if you decide not to notify, you need to be able to show how you reached that decision.
There will be a decision-making tool available on the Privacy Commissioner's website to help you decide whether a breach can be classified as causing “serious harm”.
Compliance Notices
The Privacy Commissioner will be able to issue compliance notices instead of just waiting for complaints to be made. This means the Commissioner will be able to actively check whether you are operating in compliance with the Act and, if you are not, issue you a notice requiring you to fix your processes. Failing to comply with a compliance notice is an offence, with a fine of up to NZ$10,000.
New Criminal Offences
It will become a criminal offence to pretend to be someone else in order to obtain personal information (I thought this already was a criminal offence!). It will also be a criminal offence to destroy personal information you hold about someone after they have asked you to provide it to them. Both offences will be punishable by fines of up to NZ$10,000.
Overseas Disclosure
If you're disclosing personal information to overseas-based organisations, you will need to consider whether they are subject to privacy protections comparable to those in New Zealand.
For example, if you're a New Zealand based tourism provider sending personal information to a business in Papua New Guinea, you will need to satisfy yourself that the business will keep the information secure, put a clause in your contract with them requiring comparable protections, and/or get the individuals' authorisation to share their personal information (after telling them the overseas recipient may not have to protect it in the same way).
The Privacy Commissioner has contracted a law firm to write contract clauses which will be available to download from the website to use in your contracts.
It's important to note that this requirement doesn't apply when an overseas provider only holds or processes the data on your behalf. For example, it doesn't apply if you're using MailChimp or Shopify and they store your data on servers outside New Zealand. But in that case you remain responsible for the information as if you held it yourself, so you still need to do your due diligence and make sure the services you are using have adequate security.
On a similar note - our New Zealand privacy laws will now apply to overseas agencies that are conducting business here in New Zealand.
What should you do to prepare for the new Privacy Act?
- Make sure you have a Privacy Officer. This is a current, not new, requirement but often overlooked.
- Make sure you have a Privacy Statement. Again, this is a current requirement but I still work with New Zealand businesses who don't have an adequate privacy statement in place. You can use the free Privacy Statement Generator, the Priv-o-matic, if you don't have one!
- If you have specific questions, head to the Privacy Commissioner's website and use the AskUs tool, which is a large knowledge base of answers to common privacy questions.
- Brush up on your privacy-related knowledge using the eLearning site of the Office of the Privacy Commissioner. There is a lot of free online training to help you improve your knowledge.