Privacy Law Reform.

New Zealand’s privacy laws are about to change. Our current law has struggled to keep up with the rise of extensive technological advances, which have transformed the way in which we collect and use personal information. Any organisation that gathers customers' details for any reason (e.g., newsletter database, payment purposes, repeat bookings, loyalty programmes) is affected by this long overdue law change.

This update comes in the form of the Privacy Act 2020, which strengthens privacy protections and requires ‘agencies’ (which includes any business or organisation) to actively manage their privacy obligations. It will also provide the Privacy Commissioner with increased powers to address privacy law breaches.

 

Some of the changes include:

1. Mandatory notification of a privacy breach

Probably the most significant change is that agencies will be required to notify the Privacy Commissioner, and any affected individuals, of any ‘notifiable privacy breach’ as soon as practicable after becoming aware of the breach. A notifiable privacy breach will occur where it is reasonable to believe that the breach has caused, or is likely to cause, an affected individual serious harm.

When determining whether a breach has caused, or may cause, serious harm, agencies must consider the following factors:

  • What action has been taken by the agency to reduce the risk of harm following the privacy breach.
  • Whether the personal information subject to the breach is of a sensitive nature.
  • The nature of the harm that may be caused to the affected individuals.
  • If known, who has obtained, or may obtain, the personal information subject to the breach.
  • Whether the personal information is protected by any security measures.
  • Any other relevant matters.

Failure to notify the Privacy Commissioner of a notifiable breach under the act may result in a fine of up to $10,000. The Privacy Commissioner will also have the power to publish the identity of the agency subject to the breach where the Privacy Commissioner believes it is in the public interest to do so – which could have far-reaching implications for an agency's credibility and reputation.

2. Privacy Commissioner can issue and publish compliance notices

The Privacy Commissioner will have the ability to issue a compliance notice to an agency requiring it to take action, or to stop taking a particular action, in order to comply with privacy laws.

If the Privacy Commissioner issues a compliance notice to an agency, the act requires the Privacy Commissioner to publish the following information in relation to the compliance notice:

  • The identity of the agency.
  • Other details about the compliance notice or the breach that the Privacy Commissioner considers should be published.
  • A statement or comment about the breach that the Privacy Commissioner considers is appropriate in the circumstances.

The publication of such notice may only be avoided if an agency can satisfy the Privacy Commissioner that it would suffer undue hardship as a result, and the Privacy Commissioner believes that such hardship outweighs the public interest in the publication.

 

3. Disclosure of personal information outside New Zealand

Additionally, a new principle will be introduced concerning the disclosure of personal information outside of New Zealand. This will put more limits on foreign disclosure by requiring an agency to satisfy one of six requirements before disclosing the personal information overseas.

For example, an agency may disclose the personal information to an overseas person or entity only if that person or entity is subject to privacy laws that provide comparable safeguards to those contained in the New Zealand Privacy Act.

 

4. Identifying information cannot be collected unless required

The new act will also prohibit an agency from obtaining more identifying information from an individual than is necessary for the purpose for which it is collected. This addition is likely to have a significant impact on agencies, as it will require agencies to carefully consider what identifying information they are collecting from an individual and ensure that they can justify why that identifying information is required or necessary for their particular purpose.

Undoubtedly, the Privacy Act 2020 will place an additional compliance burden on all manner of Kiwi businesses. They will need to consider what personal information they have, why it is held and how long to retain it.

 

Organisations of all sizes (including sole traders) should seek advice about how to comply and have their privacy policies and information collecting processes reviewed to ensure that they are appropriate. For more information or to book an appointment, contact one of our commercial team members today or call 09 883 4420.

 

 
