On December 1st, 2020, the Privacy Act 1993 will officially be repealed and replaced by the Privacy Act 2020. The new act will supersede many of the former requirements of the original act[1].

This new law will likely have some quite far reaching implications for many of your organisations and will entail some extra vigilance when it comes to handling personnel and client data to make sure it fully complies with the new act. Whilst the act itself it quite lengthy (at 192 pages) it would be well worth reading it in full at some point to gain a full understanding of its contents and implications going forward.

Outlined below are some of the key implications and requirements of the legislation. We also note that The Office of the Privacy Commissioner has launched a suite of e-learning opportunities on it site: Privacy E-learning.

Key Changes

Data breach reporting

Under the terms of the new Act NZL will move closer to international norms, with it now being a legal requirement to report a data breach, that is likely to cause serious harm to an individual, to the Privacy Commissioner and the person concerned. The act also includes a specific checklist for being able to assess the likelihood of serious harm[2]. Although it does not specify exactly what ‘serious harm’ means and it is thus up to the organisation itself to make that determination, with erring on the side of caution potentially being a sound course of action.

Compliance notices

The Privacy Commissioner will be able to issue compliance notices to compel organisations to stop/start an activity to ensure it is in full compliance with the act.

Enforceable access directions

The Commissioner will be able to instruct organisations to provide individuals with access to their information, this will be enforceable through the Human Rights Review Tribunal.

Extraterritorial effect and disclosing information overseas

The act expressly states that its scope is global in nature and will apply to any organisation that carries out business in New Zealand. This is particularly pertinent given the use of cloud computing and such, where much of our information is stored on foreign domiciled servers. The act also specifies requirements for transferring data to any non-NZ entities by ensuring that they hold similar standards for protecting data[3]. For this requirement it will be particularly important to see that your cloud service providers are compliant under the act.

New criminal offences

The new act has been designed to include criminal liability penalties, up to the tune of $10,000, for misleading an agency in a way that can effect somebodies privacy, or to destroy documents containing personal information if a proper request has been made for them[4].

Preparing for the new Privacy Act

Principle 1 of the Act has been clarified to make certain organisations do not collect identifying information from people unless necessary. Furthermore, there are new withholding grounds for access requests under principle 6 and the codes of practice[5].

Businesses and organisations now have until 1 December 2020 to ensure they are ready for these changes and the new reporting obligations. Among other things, this preparation could include:

  • Review your third-party contractual arrangements, where any other party stores or processes personal information provided by your organisation.
  • Implementing staff training: key people in your organisation should be well versed in the new approach.
  • Updating your organisation’s privacy policies to ensure alignment with the new law, and to ensure that your customers and clients understand how you will use their information.
  • Developing effective procedures to detect, report and investigate a personal data breach: it is important to make sure you have a plan in place so that you can meet your reporting obligations without undue delay if a notifiable breach occurs.
  • Ensuring you have clear internal lines of communication and let your staff know who they can approach within the organisation to discuss privacy issues.

These are but some of the more salient implications of the Act and depending on the nature of the organisation, other changes may well apply. In this instance, it is advisable to seek clarity from the Office of the Privacy Commissioner as well as looking at the attached links which contain more detailed summations on the information presented here.

Further detailed information on the act can be found at the following locations:

[1] Legislation.govt.nz. 2020. Privacy Act 2020 No 31 (As Of 07 August 2020), Public Act Contents – New Zealand Legislation. [online] Available at: <http://www.legislation.govt.nz/act/public/2020/0031/latest/LMS23223.html> [Accessed 19 November 2020].

[2] https://blogs.dlapiper.com/privacymatters/new-zealand-significant-changes-to-nzs-privacy-act-but-where-is-the-bite/

[3] https://duncancotterill.com/publications/the-new-privacy-act-2020-%E2%80%93-what-you-need-to-know

[4] https://www.justice.govt.nz/justice-sector-policy/key-initiatives/privacy/

[5] http://www.legislation.govt.nz/bill/government/2018/0034/latest/LMS23392.html

[6] https://duncancotterill.com/publications/the-new-privacy-act-2020-%E2%80%93-what-you-need-to-know