This post is of relevance for New Zealand clients only (or those operating within NZ). New Zealand’s current privacy act was created in 1993. It's been updated and the new replacement and updated act, comes into force on 1st December 2020.
By way of context, arguably, the current law has fallen behind how technology has advanced, and also with how we now collect and use personal information. In some ways, it could be said, it also catches up with developments in other counties; most notably the GDPR (General Data Protection Regulation) that came into force for the European Union in 2018.
In terms of New Zealand Privacy Act's applicability. In short, any organisation that gathers customer or personal details - for any reason - within New Zealand is subject to this legislation. The new act, requires ‘agencies’ i.e. businesses or organisations, to more actively manage their privacy obligations. It also provides the Privacy Commissioner with increased powers to address privacy law breaches.
So, what has changed?
1. Privacy breaches now have a mandatory notification requirement
This may be the biggest obvious change. If your business has a ‘notifiable privacy breach’ then you are now required to notify the 'Privacy Commissioner' as well as any affected individuals, as soon as is practicable after you become aware of the breach. A 'notifiable privacy breach’ is where it is reasonable to believe that a breach has caused, or is likely to cause, an affected individual 'serious harm'.
When determining 'serious harm', you should consider the following factors:
- What action have you taken to reduce the risk of harm following the privacy breach?
- Is the personal information subject to the breach of a sensitive nature?
- What sort of harm might be caused to those affected?
- Do you know, who has obtained, or might reasonably obtain, the personal information that is the subject of the breach?
- Is this personal information is protected by any security measures?
Failure to notify may result in a fine of up to $10,000. The Privacy Commissioner also now has the power to publish the identity of those subject to the breach (if it believes it is in the public interest to do so).
2. The Privacy Commissioner can both issue and publish compliance notices
The Privacy Commissioner can now issue a compliance notice to a business requiring them to either; take action, or to stop taking an action in order to comply with the regulations.
3. Disclosing personal information outside New Zealand
There is now a new provision concerning the disclosure of personal information outside of New Zealand. For example, a business may disclose personal information to an overseas person or entity - only if that person or entity is subject to comparable privacy laws with similar safeguards to those contained in the new act. As we understand it, this would include the likes of organisations operating and compliant within the GDPR. However, it does put more legal limits on sharing data overseas and there are also particular additional safeguards that must be complied with.
4.You should not collect personal identifying information unless you can show it is reasonably required
Central to the new act is the principal that businesses should not obtain more personal identifying information from any individual than is reasonably necessary for the purpose to which it has been collected. In practical terms, we think this will have a significant impact on business, as it will require businesses/organisations to very carefully consider what information they are collecting from individuals. They will need to ensure that it can be justified as to why it is required, or necessary. Businesses will also need to consider what personal information they currently have, why it is held and how long it should be retained.
Lastly, it should be noted that New Zealand has a good record internationally. As an example, at the time of writing, the EU has certified New Zealand as providing adequate protection of privacy with respect to the GDPR and the transfer of personal data between countries. In our view, this new Privacy Act follows the GDPR framework in forcing organisations to recognise the value of their data (and its loss) and be more aware of the growing legal thresholds they need to comply with. We note also, that if you are already working according to the GDPR provisions you will already be in very good shape and this new act will mean little change. But if not, you would be well advised to consider your data requirements as well as data security.
Please note we are not legal specialists and this post is not meant to provide legal advice. You should consult your legal advisors before relying on any content mentioned in this enclosed article.