The new Privacy Act came into force on 1 December 2020. If your business handles personal information, this updated law applies to you and you need to make sure you comply with it. Personal information is any information about an identifiable individual, including:
- names;
- photographs;
- financial details;
- email addresses; or
- phone numbers.
If you do not meet your privacy law obligations, you risk financial penalties and damage to your reputation as a privacy-conscious business. Once you know your obligations, you need to put practical measures in place within your business to meet them. This article explains how you can comply with the new Privacy Act.
Notify When You Have A Privacy Breach
Under the new Act, you must report notifiable privacy breaches to the Privacy Commissioner and, where required, to the affected individuals. A privacy breach occurs when:
- an unauthorised person has accessed personal information you hold;
- something prevents you from accessing personal information you hold, such as a DDoS attack or a ransomware infection; or
- someone has misused, disclosed, lost, or destroyed personal information without authorisation.
You need to notify these parties when a breach has caused, or is likely to cause, serious harm to an affected individual. Whether the harm is serious depends on the situation and context, including:
- what you have already done to mitigate the breach;
- the sensitivity of the information involved; and
- the extent of the breach's consequences.
Dealing with a harmful privacy breach is stressful, especially when you cannot stop it immediately. Plan ahead with a response plan that sets out the criteria for deciding when a breach is serious enough to report to the Privacy Commissioner; you can make the report through the Commissioner's NotifyUs tool. Your response to a breach should be tailored to the sensitivity of the information you hold and the security measures you have in place.
If you fail to notify the Privacy Commissioner of a notifiable privacy breach, you can be fined up to $10,000.
Look Over Your Overseas Information Sharing
The new Privacy Act also sets additional rules for disclosing personal information to overseas entities. Before you do so, you need to ensure the information will have privacy protections comparable to New Zealand's own. You can satisfy this by checking that:
- the other party's country has comparable privacy laws;
- your contract has privacy safeguards built in; or
- New Zealand privacy law applies to the overseas party.
Therefore, review your contracts with parties in other countries and make sure they include model contract clauses (the Privacy Commissioner publishes a set) to protect your customers' privacy. Research the other party's privacy laws to see whether they have comparable rules for protecting personal information. For example, if you use an overseas data analytics service, check that your disclosure of personal information to it meets these requirements.
These rules do not apply to a cloud storage provider that only stores or processes the information on your behalf and does not use it for its own purposes, because that is not treated as a disclosure. However, you remain responsible for the information, so you still need to ensure the provider handles it in accordance with New Zealand law. Do this with privacy and security clauses in your contract.
Only Collect Information When Necessary
The new Privacy Act also sets stricter requirements for when you can collect personal information. You can only collect it when it is necessary for a lawful purpose connected with your business's functions or activities. For example, you can only collect address details from customers if you actually need them, such as for delivery. You cannot collect them merely because they might be useful to have.
You also need to take extra care when collecting information from children and young people, because they are more vulnerable and more likely to disclose information without understanding the consequences. In all cases, you must collect personal information in a way that is fair and not unreasonably intrusive in the circumstances. Therefore, review your collection methods to ensure they are in line with these stricter rules.
Honour Access Requests Where Appropriate
Your customers have the right to:
- access any personal information of theirs you hold; and
- correct their personal information.
If you refuse them access without a legitimate reason, the Privacy Commissioner can now issue an access direction requiring you to provide the information. If you still refuse, the direction can be enforced through the Human Rights Review Tribunal, which can be costly for your business.
Therefore, respond to access requests promptly (the Act requires you to decide on a request within 20 working days of receiving it) and do not refuse them without good reason. It helps to have a set procedure for handling access requests so that you and your employees have a structure to follow for locating the information.
Key Takeaways
The best way to ensure you comply with the Privacy Act is to audit your business's privacy processes to see where you are lacking. Review your privacy procedures to ensure you handle personal information in accordance with the new Act and your responsibilities as an agency.
If you would like more information or help with complying with the new Privacy Act, contact LegalVision’s privacy lawyers on 0800 005 570 or fill out the form on this page.
Frequently Asked Questions
The Privacy Act sets out New Zealand privacy law. It protects the privacy of individuals by regulating how organisations that handle personal information collect, store, use and disclose it.
Personal information is any data about an identifiable individual. If you can use the information to identify a living individual, whether by itself or in combination with another piece of data, it is personal information.