It's time to dust off your Privacy Policy

The law is changing- it's time to dust off your Privacy Policy

The Privacy Act 2020 is to come into effect on 1 December 2020 (Act). The new Act reflects the more globalised business environment we live in today. With increasing concerns surrounding data sharing and cybersecurity, the Act will provide greater security to individuals, and place further obligations on businesses when dealing with personal information and data. As such, it is important to understand the changes and how they may affect your business.

Where do I start?

As a start, you should ensure that you:

• are familiar with the 13 privacy principles. Note the new principle 12 which relates to those businesses who share information to overseas entities;
• have a nominated Privacy Officer who is aware of your business' privacy obligations and is responsible for addressing any privacy issues. The Act has changed to allow you to outsource this role;
• have internal procedures in place to respond to requests for information and to deal with any privacy breaches that may arise;
• are aware of your obligation to notify the Privacy Commissioner and the affected individual(s) of any breaches that are likely to cause serious harm. The Office of the Privacy Commissioner has developed a helpful tool to determine what will constitute a notifiable breach; and
• review your privacy policy to make sure it addresses all of the privacy principles and reflects the procedures you have in place.

The rest of this article below, details the changes to the Act and how they may affect your business.

Privacy breaches and mandatory reporting of notifiable privacy breaches 

A privacy breach is any unauthorised or accidental access to, disclosure of, alteration to, or destruction of personal information being held by any entity or individual carrying on business in New Zealand. 

A feature of the new Act is the requirement of agencies to report any notifiable privacy breach, being a privacy breach that has caused, or is likely to cause serious harm. The Office of the Privacy Commissioner must be notified as soon as practicable, and the agency must also notify the affected individual(s) or issue a public notice of the breach. Exceptions do apply in certain instances. While the Act stops short of defining what constitutes "serious harm" it does provide a non-exhaustive list of factors to consider when evaluating the seriousness of a breach. The Office of the Privacy Commissioner has developed a helpful online tool which can assess whether your situation imports an obligation to report (find this here).

Enforcement and Privacy Commissioner powers

Failure to give notification (without an applicable exception), can subject the agency to criminal charge under the Act and can incur a fine of up to $10,000. Unresolved complaints can be taken to the Human Rights Review Tribunal, and now can amount to class actions against the Agency with the potential for awards of up to $350,000 for each member of the class of aggrieved individuals.

The Privacy Commissioner now has the power to issue a compliance notice which either requires an agency to do something, or stop doing something, in order to comply with the provisions of the Act. Whilst there was always a right for an individual to request access to personal information about themselves held by an agency, the Privacy Commissioner may now also make binding decisions on any complaints relating to access of information where the individual was incorrectly refused.

Cross-border disclosure and extraterritoriality

Another feature of the new Act is the introduction of a new information privacy principle. At a high level, the cross-border disclosure principle requires that an agency who discloses information to an overseas agent, can only do so where the recipient agency is subject to privacy laws that overall provide comparable safeguards to those in the Act. If protection is not comparable, the agency is required to obtain the individual's consent before disclosing the information. However, it is to be noted, that it is not considered disclosure if the overseas agent is merely providing storage of data, for example, in the cloud. These changes mean it is increasingly important to understand what your offshore providers do with the information you send them. 

The new Act also makes it clear that the privacy protections (and agencies' obligations) under the Act apply to any overseas agency carrying on business in New Zealand, even if they do not have a physical presence here, or are intending to make a profit from its business in New Zealand.

What does this mean for my business' privacy obligations?

Your business should review its current reporting system. The mandatory notification provision means you are responsible for being aware of all privacy breaches that occur within your business. By doing this you are ensuring timely management of the notification process. As part of this system, it would be an appropriate time to undertake a review of your third-party contract terms to check all appropriate contractual terms are in place.

The Act still requires the appointment of a Privacy Officer whose role would include monitoring ongoing compliance with the Act, enforcement of internal notification procedures and working with the Privacy Commissioner on behalf of your business. The new Act allows agencies to have a Privacy Officer within or outside the agency.

Questions to consider

Should the above make you question whether your business is compliant, we recommend turning your mind to the below:

1. What is your business' current approach to data collection and storage?
2. Are you aware of what information you collect and store about your clients?
3. Do you know where and how this data is stored?
4. Have you considered what privacy and security requirements you are responsible for when you disclose the privacy information you collect?
5. Are you aware of what privacy laws apply to the jurisdictions for whom you are storing data on behalf of and who stores data for you?
6. Do you have a nominated Privacy Officer(s)?
7. Are there procedures in place to enable you to identify, monitor and report any privacy breaches?
8. Is your team trained to identify which information is subject to the Act and how to handle any requests made by customers or other entities under the Act?

Should you feel as if you need to talk to someone about any of the above or wish to seek a review of your current Privacy Policy, our Commercial team is ready to assist you with the changes and how to implement these within your business.