Privacy Bill comes into force on 1 December 2020

July 2020

The Privacy Bill passed its third and final reading last week and will come into force on 1 December 2020.

The Bill repeals and replaces the 27-year-old Privacy Act 1993. It aims to modernise the regime to reflect new technologies, the way data is stored and how agencies use information.

Key Changes

Mandatory reporting of privacy breaches

The most significant change will be the introduction of a mandatory notification of privacy breaches. If a business or organisation has a privacy breach that it believes has caused (or is likely to cause) serious harm, it will need to notify the Office of the Privacy Commissioner and affected individuals as soon as possible.

It will be an offence to fail to inform the Privacy Commissioner when there has been a notifiable privacy breach and the penalty is a fine of up to $10,000. The Bill clarifies that liability for breach notifications sits with the business or organisation and not the individual employees.

However, not all privacy breaches will need to be reported. The threshold for a notifiable breach is ‘serious harm’. ‘Serious harm’ is not defined, but there are a number of factors which need to be considered, for example the sensitivity of the information lost, actions taken to reduce the risk of harm, the nature of the harm that could arise, and any other relevant matters.

The Office of the Privacy Commissioner will be launching an online privacy breach notification tool and updated guidance ahead of the new obligations taking effect to help businesses and organisations with this new requirement.

Compliance notices

The Privacy Commissioner will be able to issue (and publish) compliance notices to businesses or organisations to require them to do something, or stop doing something, in order to comply with the Privacy Act.

Enforceable access directions

The Privacy Commissioner will also be able to direct agencies to provide individuals access to their personal information. Access directions will be enforceable in the Human Rights Review Tribunal.

Disclosing information overseas

A new privacy principle 12 will be added controlling the disclosure of personal information to foreign agencies. Under principle 12, an organisation or business will only be able to disclose personal information to an agency outside of New Zealand if the receiving agency is subject to similar safeguards to those in the Privacy Act. If a jurisdiction does not offer similar protections, the individual concerned must be fully informed that their information may not be adequately protected and they must expressly authorise the disclosure.

Extraterritorial effect

The new Privacy Act will clearly state that it has extraterritorial effect. This means that an overseas business or organisation that is ‘carrying on business’ in New Zealand will be subject to the Act’s privacy obligations, even if it does not have a physical presence here. This will affect businesses located offshore, such as Google and Facebook.

New criminal offences

The Privacy Act 2020 introduces new criminal offences. It will now be an offence to mislead an agency to access someone else’s personal information – for example, impersonating someone in order to access information that you are not entitled to see. It will also be an offence for an organisation or business to destroy personal information, knowing that a request has been made to access it. The penalty for these offences is a fine of up to $10,000.

What you need to do:

There are a number of steps your business can take to prepare itself for the upcoming changes:

  • Train your staff about their obligations and what to do in the event of a serious data breach. The Office of the Privacy Commissioner has online learning modules that you and your staff can go through to become more familiar with your legal privacy responsibilities.
  • Review your privacy statement and make sure it’s up to date. If you don’t have one, the Office of the Privacy Commissioner has a free tool to help you create a privacy statement that tells people how you will be collecting, using and disclosing their information.
  • Develop procedures to detect, report and investigate a personal data breach.
  • If a customer or employee requests their information, you are required to respond to that request within 20 working days. Make sure you have a process in place to handle customer requests for information held about them if, and when, they are made.
  • If you use an overseas-based service provider, like cloud software, ask the provider how they’re meeting New Zealand privacy laws.
  • Appoint a privacy officer. Every business should have a privacy officer. This is someone who has a general understanding of the Act and can deal with privacy issues when they arise.

Please contact us if you have any queries or need advice regarding preparing for the upcoming changes.