Privacy Act 2020 - A whistle stop tour
On 1 December 2020 the Privacy Act 2020 (New Privacy Act) replaces the Privacy Act 1993 (1993 Act), which has been in operation for 25 years. Will your business be ready? We take you on a whistle stop tour of the key changes and let you know what you should be doing now.
Extraterritorial effect
Like Europe’s General Data Protection Regulation (GDPR) and the Australian Privacy Act, the Privacy Act will have extraterritorial effect. This means that an overseas business or organisation that is 'carrying on business' in New Zealand will be subject to the New Privacy Act's privacy obligations, even if it does not have a physical presence in New Zealand.
Mandatory reporting of privacy breaches
The most significant change to our privacy regime is the introduction of mandatory breach reporting (Part 6 of the New Privacy Act). From 1 December 2020 an agency must notify the Privacy Commissioner and affected individuals as soon as practicable after becoming aware that a notifiable privacy breach has occurred. Where this is not reasonably practicable, the agency may give public notice of the breach. A notifiable privacy breach means a privacy breach that it is reasonable to believe has caused serious harm to an affected individual or individuals or is likely to do so. While the New Privacy Act does not define serious harm, it requires an agency to consider the following factors when assessing whether a privacy breach is likely to cause serious harm:
(a) any action taken by the agency to reduce the risk of harm following the breach;
(b) whether the personal information is sensitive in nature;
(c) the nature of the harm that may be caused to affected individuals;
(d) the person or body that has obtained or may obtain personal information as a result of the breach (if known);
(e) whether the personal information is protected by a security measure;
(f) any other relevant matters.
Transferring information overseas
New information privacy principle 12 introduces restrictions on the transfer of personal information to overseas agencies. The broad intention of the new privacy principle is to ensure that the personal information being transferred is subject to similar safeguards as those contained in the New Privacy Act. If you want to disclose personal information to a foreign person or entity you will need to satisfy at least one of the criteria set out in Privacy Principle 12(1). The main criteria are:
- the individual concerned consents to the disclosure after being expressly informed by you that the foreign entity may not be required to protect the information with comparable safeguards to those contained in the New Privacy Act; or
- the foreign person or entity is carrying on business in New Zealand and you believe on reasonable grounds that the foreign person or entity is subject to the New Privacy Act; or
- you believe on reasonable grounds that the foreign person or entity is subject to privacy laws that, overall, provide comparable safeguards to those in the New Privacy Act.
Cloud service providers
The overseas transfer restrictions in privacy principle 12 do not apply to an agency’s use of offshore service providers. This means, for example, if you use an offshore cloud service provider to store personal information on your behalf you will still be treated as holding the personal information and would be liable for any privacy breaches. If a service provider uses personal information it holds on behalf of an organisation for its own purposes, then it too will be held accountable for privacy breaches under the New Privacy Act.Compliance NoticesThe Privacy Commissioner will be authorised to issue compliance notices requiring an agency do something, or stop doing something, to comply with the New Privacy Act (Part 6, subpart 2). The Commissioner may also publish details of a compliance notice being required, including the identity of the agency, where the Commissioner believes it is desirable to do so in the public interest (section 129). Being named and shamed may have greater impact on organisations than being issued a fine under the New Privacy Act. The Human Rights Tribunal will be able to enforce compliance with notices and hear appeals.
New withholding grounds for access requests
The New Privacy Act expands the grounds on which an agency can refuse access. You will be able to refuse access to personal information if the disclosure of the information would:
- be likely to pose a serious threat to public health or safety, or to the life or health of any individual (section 49(1(a)(i)):
- create a significant likelihood of serious harassment of an individual (section 49 (1)(a)(ii)): or
- include disclosure of information about another person who is the victim of an offence or alleged offence and would be caused significant distress, loss of dignity, or injury to feelings by the disclosure of the information (section 49(1)(a)(iii)).
Decisions on access requests
The Privacy Commissioner will be able to make binding decisions on complaints about access to information, rather than the Human Rights Review Tribunal. The Commissioner’s decisions can be appealed to the Tribunal.
Fines and new criminal offences
From 1 December 2020 it will be a criminal offence to mislead an agency in a way that affects someone else’s personal information, or to knowingly destroy documents containing personal information where a request has been made for it. Similarly, there are fines for failure to comply with the Privacy Commissioner’s access request rulings. The fines are at a relatively low level compared to overseas - not exceeding $10,000 – but reputational damage could be significant.
Class actions
Class actions in respect of an action that is alleged to be an interference with the privacy of an individual will be permitted. Aggrieved individuals will be able to commence proceedings in the Human Rights Tribunal as a class, and if successful, each member of the class action may be awarded up to $350,000.
Notable changes to other Information Privacy Principles
- Purpose of collection of personal information – Privacy principle 1(2). An agency will only be able to collect personal information if it is required for a lawful purpose. This data minimisation change has been made to discourage agencies from collecting personal information without considering whether it is necessary to do so.
- Collection of information from subject – Privacy principle 3. An agency will no longer be able to collect personal information from an individual without ensuring that the individual is aware of specified matters. These should be clearly set out in your privacy policy.
- Collecting information from children and young persons – Privacy principle 4(b). An agency must now have particular regard to the circumstances where collecting personal information from children or young persons. This change seeks to protect young people, who may be more willing than adults to disclose their information online, and who may not be aware why an agency wants their information.
- Accuracy of personal information – Privacy Principle 8. Under the 1993 Act an agency was required to ensure that information is accurate, up to date, complete, relevant and not misleading before using that information. This obligation will now also apply before an agency ‘discloses’ personal information.
What should you be doing now?
To ensure that you are ready when the New Privacy Act comes into effect on 1 December 2020 you should:
- consider your collection of personal information practices to ensure that you are only collecting and keeping information that you need for the purpose for which it is collected. Don’t collect or continue to hold it if you don’t need it;
- develop, or update, a data breach reporting policy for your organisation that incorporates the New Privacy Act’s reporting requirements. If you deal with personal information for someone else or they do so for you, work out who would do what if there was a breach;
- review your policies to ensure they reflect the changes to access to information provisions;
- check that you have adequate cyber insurance to cover you in the event of a breach;
- if you are transferring personal information overseas, consider whether you meet one of the criteria in Privacy Principle 12;
- check your contracts with service providers to ensure that they are only permitted to use personal information in accordance with your instructions and that they are obligated to notify you of a privacy breach;
- update your privacy policy to change references from the Act 1993 to the New Privacy Act, check that you have included the specified matters to be disclosed to an individual, as well as informing individual if their personal information will be transferred overseas and the reasons for the transfer (such as storage or processing by a service provider).
Remember also that this only applies to use and dealing with personal information of people in New Zealand. If you are targeting people overseas, you may also need to comply with overseas laws such as the GDPR ort Australian privacy law.For more information, contact Rick Shera.