Privacy in the Digital Age – Are You Ready?

The globalisation of technology has necessitated a relook at the way we protect our personal information. The long-anticipated overhaul of New Zealand’s privacy laws will finally come into effect on 1 December 2020, with the Privacy Act 2020.

The new Act will apply to any business or organisation that collects or holds personal information while carrying out business in New Zealand (so overseas-based businesses such as Facebook are not exempt!). The privacy principles of the old Act have largely been carried through – with some updates, and one new principle. But there are now new disclosure obligations, which can attract significant fines if they are not met.

Whether the new Act has gone far enough to protect our personal information remains up for debate, but what we do know is that there are going to be significant changes come 1 December 2020. We believe the following changes should be on every business’s radar.

Will I need to report a privacy breach?

Privacy breaches can occur in a multitude of different ways: emails can be sent to the wrong person; client databases can be compromised by a cyber-attack; or physical files can be inadvertently left in public. Accordingly, it is important for employers to understand their obligations when such a breach occurs.

Arguably, the most significant change for businesses is the requirement to disclose privacy breaches where they have caused serious harm to someone (or are likely to do so) – these are now considered notifiable privacy breaches. Failure to disclose is an offence, which is punishable by fine up to $10,000.

You are also expected to notify anyone who has been affected by the breach. You are exempt from this when you have a valid reason for not doing so, or when you need to delay notification to minimise the impact (e.g. in a cyberattack), but you still need to notify the Privacy Commissioner as soon as possible.

Businesses will therefore need to determine when a privacy breach has reached the threshold of being ‘likely to cause serious harm’. The new Act provides some guidance and directs businesses to consider the following factors in making such a determination:

  • Any action it has taken to reduce the risk of harm following the breach;
  • Whether the personal information is sensitive in nature;
  • The nature of the harm that may be caused to affected individuals;
  • Who obtained (or could obtain) the personal information as a result of the breach (if known); and
  • Whether the personal information is protected by a security measure.

If you are unsure, there is a self-assessment tool, which can help you decide whether you need to report the breach.

Can I send personal information overseas?

Principle 12 has been added to the Act to regulate cross-border disclosures – this is where personal information is being sent outside of New Zealand. Businesses will now be responsible for ensuring that the country where the personal information is being sent provides comparable safeguards to what we have in New Zealand; otherwise the affected individual must first give permission to send the information overseas.

This principle is noteworthy because many businesses use cloud-based services (e.g. for electronic storage of the client database) that have no physical presence in New Zealand. Fortunately, the Act provides an important exception. Cloud-based services will be defined as ‘agents’, who simply hold the personal information on the business’s behalf. The physical location of the cloud-based service is irrelevant, as it is the business who remains ultimately responsible for any breach.

How will the Act be enforced?

The Privacy Commissioner has been given a whole raft of new powers to enforce the Act. This includes the use of fines (up to $10,000) and the introduction of two new criminal offences. The Privacy Commissioner can also direct a business to act in a certain way:

Access Directions: The Privacy Commissioner can direct a business to release information that had been previously denied in response to a request from an individual for their own personal information.

Compliance Notices: The Privacy Commissioner will also be able to require a business to do – or stop doing – something, to meet its obligations under the Act.

How should my business prepare?

Now is a great time to take stock and review the personal information you currently hold, and to assess what changes you might need to implement before 1 December 2020. The sorts of things you might want to consider are:

  • Where do we store personal information – paper-based, electronic, or both?
  • Do we store personal information in a sufficiently secure location?
  • Do we need to update our privacy policies?
  • Are our staff aware of the new obligations, and do they know how to detect and report a breach?
  • Have we carried out sufficient due diligence of the countries where we send personal information?
  • How will we learn from any ‘near misses’?

There is more information available on the Privacy Commissioner’s website, or if you have concerns about what the Act might mean for your business you are welcome to come see us.