The new Privacy Act came into force on 1 December 2020. If your business deals with personal information, this updated law applies to you, and you need to ensure you comply with it. Personal information is anything that can identify a person, including:

  • names;
  • photographs;
  • financial details;
  • email addresses; or
  • phone numbers.

If you do not meet your privacy law obligations, you run the risk of financial penalties and damage to your reputation as a privacy-conscious business. Once you know your obligations, you need to put practical measures in place within your business to meet them. This article explains how you can comply with the new Privacy Act.

Notify When You Have A Privacy Breach

Under the new Act, you need to report any notifiable privacy breaches to both the Privacy Commissioner and any affected individuals where appropriate. A privacy breach occurs when:

  • an unauthorised person has accessed your stored personal information;
  • something is preventing you from accessing your personal information, such as a DDoS attack; or
  • someone has misused, disclosed, lost, or destroyed personal information without authorisation.

When the harm of a privacy breach goes over a certain threshold, you need to notify these parties. Determining this harm will depend on the situation and context, as well as:

Dealing with a harmful privacy breach can be stressful, especially when you cannot immediately stop it. Therefore, you should plan ahead with an adequate response plan that identifies criteria for determining when a breach is serious enough to report to the Privacy Commission. You can report a breach through their NotifyUs tool. Your response to a breach should be tailored to the sensitivity of the information you hold and the security measures you have in place.

If you fail to notify the Privacy Commission of a seriously harmful privacy breach, they can fine you up to $10,000.

Look Over Your Overseas Information Sharing

The new Privacy Act also provides additional rules for sharing personal information with overseas entities. When you do so, you need to ensure that this information has privacy protections similar to New Zealand’s own. You can do this by checking that:

  • the other party’s country has similar privacy laws;
  • your contract has privacy safeguards built-in; or
  • New Zealand privacy law applies to the overseas party.

Therefore, look over your contracts with parties in other countries, and ensure that you include model contract clauses to protect your customers’ privacy. Do your research about their privacy laws to see if they have similar rules around protecting personal information. For example, if you use overseas data analytics services, check that your disclosure of personal information meets these requirements.

Note that these rules do not apply to cloud storage services. However, you still need to ensure they handle the personal information they store in accordance with New Zealand law. Do this with privacy clauses in your contract.

Only Collect Information When Necessary

The new Privacy Act also sets stricter requirements for when you can collect personal information. You can only do so when necessary for an identifiable legal purpose. For example, you can only collect address details from your customers if you need them, such as for delivery purposes. You cannot collect these details merely because they would be useful to have.

You also need to take extra care when collecting information from children and young people, and implement measures for doing so. This is because these groups are more vulnerable and more susceptible to unintended disclosure. You can only collect personal information in a way that is fair and reasonable in the circumstances. Therefore, review your collection methods to ensure they are in line with these stricter rules.

Honour Access Requests Where Appropriate

Your customers have the right to:

  • access any personal information of theirs you hold; and
  • correct their personal information.

If you refuse to grant them access without a legitimate reason, the Privacy Commission can now issue an access direction. If you refuse again, they can enforce this direction through the Human Rights Review Tribunal, which can be costly for your business.

Therefore, you need to respond promptly to access requests and not refuse them without good reason. It would help to have a set procedure for dealing with access requests so that you and your employees have a structure to follow for finding information.

Key Takeaways

The best way to ensure you comply with the Privacy Act is to audit your business’ privacy processes to see where they are lacking. Review your privacy procedures to ensure you handle personal information in accordance with the new Act and your responsibilities as an agency.

If you would like more information or help with complying with the new Privacy Act, contact LegalVision’s privacy lawyers on 0800 005 570 or fill out the form on this page.

Frequently Asked Questions

What is the Privacy Act?

The Privacy Act sets out New Zealand privacy law. It protects the privacy of New Zealand citizens by setting out regulations for organisations that handle personal information.

What is personal information?

Personal information is any data about an identifiable individual. If you can use the information to identify a living individual, whether by itself or in combination with another piece of data, it is personal information.
