A new Privacy Act is coming into force on 1 December 2020.  The new Act will introduce some important changes to privacy law in New Zealand that businesses should be aware of.  Some of the changes will require planning and preparation to make sure compliance is achievable when the new Act kicks in.

What’s changing?

Our current privacy regime makes it clear that personal information must only be collected for lawful purposes, that it must be stored and safeguarded correctly, and that people must have reasonable access to review and edit private information that is held about them.  Disclosure of personal information is only permitted in limited circumstances.

The new Act is intended to make sure that personal information is kept safe and secure in line with new technology and ways of doing business.  Most businesses will need to make some updates to their current privacy practices as a result.

The changes will be relevant to all businesses that collect, store, and use personal information about employees, clients, and customers.  Businesses will need to understand their obligations under the new Act, and make sure they can meet them.

Implement a privacy breach procedure

Under the new Act, businesses will need to report serious privacy breaches.  A privacy breach is any unauthorised or accidental access to, or disclosure, alteration, loss, or destruction of, personal information, or an action that prevents the holder from accessing the information.

If a business has a privacy breach that it believes has caused or could cause serious harm, it will need to notify the Office of the Privacy Commissioner and the affected person or people as soon as possible.  Failing to inform the Privacy Commissioner about a notifiable privacy breach will be an offence.

Not all breaches will need to be reported, only those that cause serious harm.  Determining if a breach has caused or might cause serious harm will be a case-by-case assessment, taking into account things like whether very sensitive information was disclosed, whether it was disclosed to a large number of recipients, and the nature of the harm that might result.

The Office of the Privacy Commissioner will be releasing online guidance about the new requirement to notify privacy breaches.

More information collected now than ever before

The current situation with Covid-19 has resulted in a greater need to obtain information from a wide variety of people, so businesses are dealing with an increasing volume of personal information that needs to be obtained, used, stored, and disclosed correctly. 

Businesses must ensure that they do not obtain, or keep, private information unless it is really necessary.  If your business is collecting personal information from an employee, client or customer, that information should be collected from them directly wherever possible, and they should be made aware of what is being collected and why.

Using providers based overseas

Kiwi businesses that use service providers based overseas, for example cloud storage or computer software, will need to make sure that their providers are meeting New Zealand privacy laws.

The vast majority of businesses will have some degree of personal information stored, processed, or otherwise transferred overseas in the course of doing their normal business.   If an overseas-based service provider’s current procedures are not compliant with New Zealand’s privacy law, then any business that uses their services will be in breach of the new Act.

It is timely to consider your business’s information transfer practices, and which third parties are used to process information.  The onus is on the business using the service provider to ensure compliance, not the other way around.

Time for a review!

Now is the time to get ready for the new Act, ahead of 1 December 2020.  Here are a few practical things you can start doing to get ready now:

  • Review and update your privacy policies to make sure they align with the new Act, clearly telling clients and customers what personal information you will obtain and how it will be used.

  • Make sure your procedures for detecting, reporting, and investigating privacy breaches are robust – how will you know if a breach occurs, and, if it does, what will you do?

  • Start training staff now, and make sure you have a few key people who are really up to speed on the changes (including your privacy officer/s).

  • Make sure everybody knows who to approach about privacy issues – within each office, and/or at a regional or national level.

Legal advisors are already helping clients get across the new Act and the changes it will bring for businesses.  At Rainey Collins we have an experienced team who can answer your questions and put you on the right track if you have any questions relating to privacy practice and the new Act, or how it might affect you. 

Louisa Gommans