After much debate and a lengthy Parliamentary process, the new Privacy Act will come into force on 1 December 2020 to protect and promote individual privacy. Most organisations (referred to as agencies) will be subject to the Act including companies and government departments. The core framework of the Privacy Act 1993 has been retained, including the information privacy principles (although some of these have been updated to ensure they are fit for purpose).
New features in the Privacy Act
There are a number of new features which bring New Zealand more in line with international best practice including:
- mandatory notification of privacy breaches: agencies will be required to notify the Privacy Commissioner and affected individuals of any privacy breach that it is reasonable to believe has caused serious harm to affected individuals, or is likely to do so (see below for more information).
- compliance notices: the Commissioner will be able to issue compliance notices to agencies to remedy a privacy breach. The Human Rights Review Tribunal will be able to enforce these notices and also hear appeals.
- binding decisions on access requests: the Commissioner will be able to make binding decisions on complaints relating to an individual’s access to information. The Commissioner’s decision can be appealed to the Human Rights Review Tribunal. Failure to comply with an access order, without reasonable excuse, can result in a fine of up to $10,000.
- cross-border data flow protections: agencies will be required to take reasonable steps to ensure that personal information disclosed overseas will be subject to acceptable privacy standards
- application to overseas businesses and activities: the Act applies to any action taken and all personal information collected or held by a New Zealand agency whether inside or outside New Zealand; as well as to any overseas agency in the course of carrying on business in New Zealand.
- criminal offences: there are new offences for misleading an agency in a way to obtain access to someone else’s information; and knowingly destroying documents containing personal information where a request has been made for it (with fines up to $10,000).
Mandatory privacy breach notification
One of the most significant changes in the new Act is the introduction of mandatory privacy breach notification. Agencies will be required to notify the Commissioner and affected individuals of a notifiable privacy breach as soon as practicable after becoming aware of it:
- affected individual means the individual to whom the information relates, whether they are inside or outside New Zealand
- notifiable privacy breach means a privacy breach that it is reasonable to believe has caused serious harm to an affected individual, or is likely to do so
- privacy breach includes unauthorised or accidental access to, or disclosure, alteration, loss or destruction of, personal information; or an action that prevents an agency from accessing personal information either temporarily or permanently
- serious harm needs to be assessed by the agency in order to decide whether the breach is a notifiable breach. The agency must consider:
- any action taken by the agency to reduce the risk of harm following the breach
- whether the personal information is sensitive in nature
- the nature of the harm that may be caused to affected individuals
- the person or body that has obtained or may obtain personal information as a result of the breach (if known)
- whether the personal information is protected by a security measure
- any other relevant matters.
Agencies will need to notify the Commissioner and affected individuals of the breach in accordance with a specified form (which is different for the Commissioner and affected individuals). If it is not reasonably practicable to notify affected individuals, then the agency will be required to give public notice of the breach in a specified form. There are exceptions to the obligations to notify affected individuals and to give public notice including if either would be likely to:
- prejudice the security or defence of New Zealand
- prejudice the maintenance of the law by any public sector agency
- endanger the safety of a person or
- reveal a trade secret.
It is an offence for an agency, without reasonable excuse, to fail to notify the Commissioner (with fines of up to $10,000). The Commissioner will also be able to publish the name of an agency that has disclosed a notifiable privacy breach with consent or where it is in the public interest.
Questions for board members
- Does the board regularly discuss the organisation’s privacy practices and risks?
- Does the board receive comprehensive information from management about data breach risks and incidents and other privacy matters?
- Are there appropriate privacy policies, procedures and processes in place to comply with the new Act?
- Have staff received appropriate training including around mandatory privacy breach notifications?
- Have supplier and customer contracts been reviewed to ensure compliance with the new Act?
- Are the organisation’s insurance policies up to date?
- Is there a plan in place to deal with a potential privacy breach? And has it been tested?