The Privacy Act 2020

The Privacy Act 2020 (Act) comes into force on 1 December 2020.  It modernises current privacy laws as a result of rapid changes in technology since the Privacy Act 1993.

Large parts of our lives are now online, and a lot of information is gathered through our online activity.  As a result, our personal information can very easily be sent overseas to other jurisdictions where New Zealand law may not apply.
 

The new Act addresses these issues by:

• Imposing obligations on agencies sending personal information out of New Zealand to ensure that the personal information will receive the same level of privacy law protection as in New Zealand;

• Extending the application of the Act to overseas agencies who do business in New Zealand;

• Upgrading the Information Privacy Principles (the key ‘rules’ in relation to the collection, storage and use of information under the Act);

• Extending the grounds on which an agency may refuse a request for access to personal information where the agency believes access would create a serious health and safety risk, a risk of harassment or significant distress to an individual;

• Expanding the powers of the Privacy Commissioner to respond to complaints of an interference with privacy and ensure compliance with the Act and the Information Privacy Principles;

• Introducing mandatory breach notification requirements where an agency discovers there has been a notifiable privacy breach;

• Introducing new offences (misleading an agency to obtain access to personal information and destroying personal information knowing that an access request has been made), and increasing the penalties for breaches to $10,000.00.

What do you need to do?

Most of the Information Privacy Principles in the new Act remain largely the same, so your obligations around how you collect, store, use and disclose personal information will not change greatly.  However, you should:

• Appoint a Privacy Officer within your organisation or business who will be responsible for ensuring your organisation or business complies with the Information Privacy Principles and the Act, and will deal with any information access requests or investigations conducted by the Privacy Commissioner.

• Carry out a review of how your agency collects and stores personal information.  Are you only collecting personal information that is necessary for your purposes?  Are you storing it in a way that is secure, including from cyber-attack? Do your staff know how to treat personal information and deal with information access requests?

• Review your current privacy policy to ensure it complies with the new Act and consider introducing procedures for how your agency will deal with a privacy breach if one occurs.  If your business does not have a privacy policy, we recommend that one is implemented.

• Review security and privacy requirements when your business sends personal information to external service providers or outside New Zealand (this includes the storage of information on servers overseas) as your organisation or business remains responsible for personal information that you collect and disclose. If:

  • you are sending personal information out of New Zealand, ensure that the recipient is in a country that has similar privacy protections as New Zealand; or

  • the recipient carries on business in New Zealand, ensure that they are aware of their obligations under the Privacy Act 2020;

You should seek legal advice regarding appropriate clauses to include in any terms of service you have with agencies outside of New Zealand that handle any personal information.

If you wish to know more or get advice about how the changes to the Privacy Act may affect your business please contact us.

Disclaimer

The above information is of a general nature only. The information in this article does in no way constitute legal advice and all readers should contact a law firm for advice relating to your specific circumstances.