A new Privacy Act came into force on 1 December 2020 and introduced important changes to privacy law in New Zealand, that all businesses and organisations dealing with personal information should be aware of and comply with. 

What has changed?

The new Act is intended to make sure that personal information is kept safe and secure in line with new technology and ways of doing business. 

The changes are relevant to all businesses and organisations (referred to as “agencies” in the new Act) that collect, store, and use personal information about employees, clients, and customers.  Most agencies will need to make some updates to their current privacy practices to ensure they can meet their obligations under the new Act.

Implement a privacy breach procedure

Under the new Act, agencies need to report serious privacy breaches to the Privacy Commissioner.  A privacy breach is any unauthorised or accidental access to, disclosure, alteration, loss, or destruction of personal information, or an action that prevents the holder from accessing the information.

If an agency has a privacy breach that it believes has or could cause serious harm, it must notify the Office of the Privacy Commissioner and the affected person or people as soon as possible.  Failing to inform the Privacy Commissioner about a notifiable privacy breach is an offence.

Not all breaches need to be reported, only where there is a likelihood of serious harm.  Determining if a breach has or might cause serious harm will be a case-by-case assessment, taking into account things like disclosure of very sensitive information, or to a large number of recipients, and the nature of the harm that might result. 

The Office of the Privacy Commissioner has provided online guidance about the new requirement to notify privacy breaches, and notification can be made via the “NotifyUs” function on their website.

More information collected now than ever before

The current situation with Covid-19 has resulted in a greater need to obtain information from a wide variety of people, so agencies are dealing with an increasing volume of personal information that needs to be obtained, used, stored, and disclosed correctly. 

Agencies must ensure that they do not obtain, or keep, private information unless it is really necessary.  If your business or organisation is collecting personal information from an employee, client or customer, that information should be collected from them directly wherever possible, and they should be made aware of what is being collected and why.

Using providers based overseas

New Zealand businesses and organisations that use service providers based overseas, for example cloud storage or computer software, must determine whether or not New Zealand privacy law applies to the service provider. 

If New Zealand agencies cannot ensure that New Zealand privacy law applies to their providers or that there are comparable privacy laws in the relevant country, they must take one of the other steps set out in the new Act (such as entering into a privacy contract with the service provider or obtaining the informed consent of the person who owns the personal information). 

The vast majority of businesses and organisations in New Zealand will have some degree of personal information stored, processed, or otherwise transferred overseas in the course of doing their normal business.   Any agency using an overseas-based service provider must ensure that New Zealand’s privacy law applies to that service provider, or if it does not then take the steps prescribed in the Act.  If there is a notifiable privacy breach and the necessary steps have not been taken to protect personal information, both the overseas service provider and the New Zealand agency may be in breach of the new Act. 

It is timely to consider your business or organisation’s information transfer practices, and which third parties are used to process information.  The onus is on the business or organisation using the service provider to ensure compliance, not the other way around.

Time for a review!

With the new Act freshly in force, it is timely to conduct a thorough review of how your business or organisation handles privacy, including:

• Review and update your privacy policies to make sure they align with the new Act, clearly telling clients and customers what personal information you will obtain and how it will be used.
• Make sure your procedures for detecting, reporting, and investigating privacy breaches are robust – how will you know if a breach occurs, and, if it does, what will you do?
• Consider obtaining a privacy audit to have an external review of your privacy systems, processes, and policies.  
• Undertake staff training, and make sure you have a few key people who are really up to speed on the changes (including your privacy officer/s).
• Make sure everybody in your organisation knows who to approach about privacy issues – within each office, and/or at a regional or national level.

Expert legal advisors are helping clients get across the new Act and the changes it brings for businesses and organisations.  At Rainey Collins we have an experienced team who can put you on the right track if you have any questions relating to privacy practice, the new Act, and how it affects you or would like us to undertake an audit of your processes and policies to ensure compliance with the requirements. 

Leading law firms committed to helping clients cost-effectively will have a range of fixed-price Initial Consultations to suit most people’s needs in quickly learning what their options are.  At Rainey Collins we have an experienced team who can answer your questions and put you on the right track.