Are you ready for the new privacy law requirements from December this year??

Posted on July 06, 2020 in Commercial (Tags:)

The new Privacy Act 2020 has finally passed its third reading in Parliament, and will come into effect on 1 December 2020. The new Act will mean changes for businesses and other organisations in relation to how they must handle the personal information which they collect, use or hold about people, including customers and employees.

Below we summarise the key changes in the new Act, and what practical steps your business can take to ensure you are compliant. Failure to comply with the Act could result in a fine of up to $10,000.

You need a privacy breach procedure

The Bill introduces mandatory reporting of “notifiable privacy breaches”. This means that if an organisation has a privacy breach that could cause “serious harm”, they must report it to the Privacy Commissioner and the affected individuals “as soon as practicable” after becoming aware of the breach. Failure to do so could result in a fine of up to $10,000.

A privacy breach includes any unauthorised or accidental access to, disclosure or loss of personal information. The rationale for this requirement is so that affected individuals can take steps to mitigate the harm to themselves (for example, change their passwords).

Businesses therefore need to have a process which raises an internal notification when a breach has occurred and enables an assessment of whether serious harm could be caused. In assessing whether the “serious harm” standard has been met, the organisation must take into account: any steps taken to mitigate the harm, the nature of the potential harm, whether the personal information is sensitive, and any other relevant matters.

There are extra rules around disclosing personal information overseas

If an overseas person or entity has access to personal information collected by your organisation, for example if you use a provider based overseas, there are extra controls around the disclosure of personal information overseas. Before disclosing New Zealanders’ personal information overseas, organisations must take reasonable steps to ensure that the information is protected by acceptable privacy standards in that overseas jurisdiction.

If the overseas jurisdiction does not have comparable standards, the individual can still authorise you to disclose their personal information overseas, but only after being expressly informed that their personal information may not be protected to the same standard as in New Zealand. The new Act’s use of “expressly informed” suggests that businesses will have to do a lot more than simply refer to the overseas disclosure in their privacy policy.

Every business that collects personal information of New Zealanders and then stores, processes or otherwise transfers it overseas will need to turn their mind to this issue. For example, a business which uses a CRM system hosted by an overseas provider, engages an overseas data analytics company, or uses a Facebook-hosted app to interact with customers. Another example would be a New Zealand travel agency which is making travel arrangements for clients who are going on a trip overseas. Such businesses will need to review their information transfer practices and the third parties they are using to process information.

It will be common to see organisations entering into contractual agreements with overseas entities (similar to “data processing agreements” entered into between data controllers and data processors under the EU’s General Data Protection Regulation) whereby the overseas entity agrees to deal with the personal information in certain ways.  The Office of the Privacy Commissioner is in the process of developing a model set of contractual clauses for New Zealand organisations to use.

Bigger fines, and more serious consequences, for breaching the Act

The Privacy Commissioner will now be able to issue compliance notices to require an organisation to do something, or stop doing something, to comply with the Act. If an organisation refuses to make personal information available upon request, the Commissioner will have the power to demand release. Previously, complaints about access to information had to be referred to the Human Rights Review Tribunal.

There are also new criminal offences. It will be an offence to mislead or obstruct the Privacy Commissioner or any other person in a way that affects someone’s personal information, or to destroy personal information if a request has been made for it. The maximum fine for these offences will be $10,000.

Application to overseas businesses

The new Act applies to overseas organisations who are dealing with New Zealanders’ personal information “in the course of carrying on business in New Zealand”. An overseas agency may still be treated as “carrying on business in New Zealand” even if it does not have any physical place of business in New Zealand, and does not charge monetary payment for goods/services or make a profit from its business here.  

Practical steps for businesses

  • When developing new websites, apps, and online products, consider the key principles of ‘privacy by design’.
  • When engaging overseas-based third parties, consider whether they will have access to the personal information of your New Zealand-based customers or employees. If so, you will likely need to put in place extra measures to ensure you are compliant with the new Act.
  • Carry out an assessment of your organisation’s processes around personal information, and consider the following questions:

Do you collect only the minimum necessary to achieve the purpose for which it is collected?

Do you collect any sensitive personal data, such as personal data of children or about people’s health and other sensitive matters?

Do you have information security procedures in place and do you train new employees on these practices?

Do you have a process for deleting personal information when you no longer have a reason to retain it?

  • Review how you deal with personal information of your employees, including when dealing with complaints, investigations and disciplinary procedures.
  • It is a good idea to have a privacy policy. A privacy policy sets out how you will comply with privacy law, by telling people what personal information you are collecting from them, how and why you are doing it, what you will use it for, any third parties that you share the information with, how long you will keep it, and how individuals can exercise their rights to request correction or deletion of their personal information. Businesses will often have a separate website privacy statement, which explains how the website collects and uses personal information, including whether cookies and other tracking technology are used.

 If you would like assistance with drafting a Privacy Policy for your business, or would like to discuss any of the requirements of the new Privacy Act further, please get in touch with us! 

Rachel Laing, Solicitor