Our current Privacy Act came into force in 1993. When you consider that it was not until the mid-nineties that computer communications started to reach the wider New Zealand community, and that the first recognisable social media website was not created until 1997, it is fair to say that our Privacy Act 1993 was drafted a whole world wide web ago.
The new Privacy Act 2020 (Act) seeks to fill gaps that have arisen and strengthen loose ends within the Privacy Act 1993 (Old Act). Whether it will achieve this purpose remains to be seen but, in the meantime, this article discusses the key changes we will see on 1 December 2020.
What does the new legislation mean for my organisation?
- If you haven’t already, you need to appoint and train a privacy officer for your organisation.
- Your staff should be briefed and trained on the changes to the legislation, so they are aware of them and can take care to ensure compliance.
- It may be necessary to consider amending/adding contract clauses in your contracts with third parties (particularly those who hold your information).
This article provides you with advice on the key changes but if you require specific advice on your requirements please contact Jess Mathieson or one of our team.
Privacy Officer Requirement
The Act requires organisations to have at least one person in the role of Privacy Officer.
The Privacy Officer’s role includes:
- Being familiar with the Act, the Information Privacy Principles (IPP) and any other relevant legislation;
- Ensuring the organisation complies with the Act;
- Dealing with complaints regarding possible privacy breaches;
- Dealing with requests for access to personal information, or correction of personal information (Privacy Act Requests);
- Training staff at the organisation in privacy matters; and
- Advising the organisation on compliance and privacy requirements and potential ways to improve.
Notifiable Privacy Breaches
One of the most significant changes for businesses is the introduction of a mandatory privacy breach notification regime.
From 1 December, businesses and organisations must notify the Office of the Privacy Commissioner (PC) and the affected individual/s as soon as possible if they consider a privacy breach has occurred that has caused, or is likely to cause, the individual serious harm (limited exceptions apply).
When do you need to notify a breach?
If there is a privacy breach and that breach has caused, or is likely to cause, serious harm. A privacy breach occurs:
When there is unauthorised or accidental access to someone’s personal information, or disclosure, alteration, loss or destruction of personal information. It can also include situations where businesses or organisations are stopped, either temporarily or permanently, from accessing information.
We do not yet have a definition of serious harm; however, a breach with the following effects would likely constitute serious harm:
- has caused (or may cause) loss, damage, or injury;
- has adversely affected (or may adversely affect) the rights and interests of the individual; and
- results in (or may result in) significant humiliation, loss of dignity, or injury to feelings.
How do you notify a privacy breach?
The PC has helpfully created an online tool on its website called “NotifyUs” that will enable you to notify the PC of breaches.
Failure to notify
It is an offence for a business or organisation to fail to notify the PC of a notifiable privacy breach, with a fine of up to $10,000 as the penalty.
Changes to Information Privacy Principles
Privacy Principles guide what confidential information is and how it should be treated. Changes in the Act include:
IPP 1: Purpose of Collection:
The Act has clarified IPP 1, which now states that identifying information can only be collected if it is necessary.
IPP 4: Manner of Collection:
The Act has tightened IPP 4 to state that organisations must take particular care when collecting information from children and young people. Information may only be collected in a manner that is fair and reasonable in the circumstances.
IPP 12: Limits to Overseas Disclosure:
We now have a new IPP 12, pushing the current IPP 12 to number 13. IPP 12 relates to the disclosure of personal information to an overseas entity. It states that organisations who disclose personal information overseas need to make sure the country the information will go to has privacy protections comparable to those in New Zealand (limited exceptions apply).
How do you know the other country/state in question has comparable privacy laws?
The Government can prescribe regulations that recognise certain countries and binding schemes to be safe. If the recipient organisation is in one of these, you are generally able to disclose personal information to it.
It is likely you will be required to:
- conduct your own due diligence investigation; and
- obtain legal advice; or
- obtain guidance from the PC.
You may want to include model contract clauses to ensure that the information is protected.
IPP 13: Unique Identifiers:
As noted above, what was IPP 12 in the Old Act is now IPP 13. A further change to IPP 13 is that organisations now need to take reasonable steps to protect unique identifiers from being misused. Unique identifiers include things such as customer numbers.
Access Directions
Access directions are another new tool for the PC in regard to Privacy Act Requests and the refusal of organisations to provide information.
Individuals are entitled to seek access to the personal information held about them (subject to certain exceptions as discussed below). This is not a new principle, and the Old Act also allowed for such requests. However, under the Old Act, individuals who were refused information after making a Privacy Act Request had to bring a claim in the Human Rights Review Tribunal (Tribunal), which is a lengthy process.
Allowing the PC to make a direction for organisations to disclose/not disclose information makes the process faster and less expensive for those involved.
New Refusal Grounds for Access
Following on from the above, organisations may refuse to disclose personal information if releasing it would create:
- A serious risk to the health, safety or life of an individual, or to public health and safety; or
- A significant risk of serious harassment, or would cause significant distress to the victim of an offence.
Compliance Notices
Compliance notices are a new tool for the PC. The PC can now issue a notice that compels a business/organisation to do something, or to stop doing something, in order to comply with the Act.
It is an offence not to comply with a compliance notice, with a penalty of up to $10,000.00 for non-compliance.
Application to Overseas Organisations
The Act now explicitly applies to overseas businesses and organisations that conduct business in New Zealand. An overseas organisation can be regarded as doing business in New Zealand even if it does not have an office in New Zealand or make any money from its New Zealand operations.
New Criminal Offences and Penalty Increase
The Act has created various new offences that carry a penalty of up to $10,000.00. The new offences are as follows:
- Refusing to comply with a compliance notice,
- Misleading an agency to get someone else’s personal information,
- Destroying information instead of providing it in response to an access request, and
- Failing to alert the PC about a notifiable privacy breach.
It is also important to note that Tribunal Awards have increased to a maximum of $350,000.00 to each member of a class action.
If you require advice around Privacy Law compliance, contact Jess Mathieson or one of our team for further expert advice.
This article is current as at the date of publication and is only intended to provide general comments about the law. Harkness Henry accepts no responsibility for reliance by any person or organisation on the content of the article. Please contact the author of the article if you require specific advice about how the law applies to you.