From December 1 2020, the new Privacy Act became binding law. Indeed, this updated law confronts the privacy risks of new and developing technology and handles modern privacy problems. As a result, the change gives the Privacy Commission more power to carry out its duties and imposes stricter obligations on businesses that deal with personal information. Therefore, if your small business handles any of this kind of information, you need to ensure your privacy procedures and policies meet the current privacy law requirements. This article will detail exactly what these privacy changes entail and how they may affect your small business.

What Does Privacy Law Require Now?

The new Privacy Act keeps the same principles as before, with a few updates meant to accommodate the modern privacy environment. If your business deals with personal information, you need to meet the law’s requirements for handling that information. Personal information is any information that can identify a living individual, such as:

  • names;
  • phone numbers;
  • email addresses;
  • physical addresses; or
  • images.

The new law clarifies that when you collect such information, it must be necessary for a legitimate and identifiable business purpose. Therefore, you cannot arbitrarily collect personal information that you do not need. Other specific changes include the following.

Mandatory Data Breach Reporting

Privacy breaches can cover a variety of situations, but they generally mean that the personal information your business holds has been deliberately or accidentally: 

  • accessed, destroyed, or misused by an unauthorised person;
  • leaked into an unsecured environment; or
  • locked from your access, such as through a denial-of-service attack.

The new privacy changes require that when a breach is likely to cause serious harm (or already has), you need to inform the:

  • Privacy Commission; and
  • affected individual.

What qualifies as serious harm will depend on the:

  • sensitivity of the information;
  • severity of the breach’s consequences; and
  • actions you have taken to mitigate breach fallout.

Compliance Notices

The Privacy Commissioner now has the power to issue enforceable compliance notices to businesses or organisations that have breached the Privacy Act. These serve as warnings to correct your behaviour and will include:

  • what you need to do to fix the problem; and 
  • how long you have to comply.

The Privacy Commission can publish these compliance notices, affecting your business’ reputation if the issue is serious enough.

Enforceable Access Directions

Individuals have the right to:

  • access what information your business has about them; and
  • correct their personal information.

You can only refuse such requests if you have a legitimate reason, for example, if access would breach another person’s privacy. If the individual thinks the reason you give is not good enough, they can complain to the Privacy Commission.

The new privacy changes give the Privacy Commissioner the power to enforce such an access request if they think it is appropriate, even if you have already refused. This process happens through the Human Rights Review Tribunal.

Global Application

The new law has also changed how the privacy of New Zealand citizens operates overseas. Now, when you send personal information to an overseas organisation, you need to ensure that the protections applying to that information are as strong as New Zealand’s own in order to comply with your privacy obligations. This can be through:

  • the organisation’s country’s own privacy laws;
  • your contract requirements; or
  • New Zealand privacy law applying to that organisation.

Any business that carries out its operations in New Zealand needs to comply with our privacy law, even if they do not have a physical presence here.

New Criminal Offences

The new Act also adds new privacy offences, including:

  • misleading someone to gain access to personal information; and
  • destroying information subject to an access request.

You can receive a fine of up to $10,000 if you commit either of these offences. Furthermore, if you do not report a harmful data breach or comply with a compliance notice, you may also receive such fines.

How Are These Changes Relevant To My Business?

Privacy law applies to any agency, ranging from your small sole trader startup to multimillion-dollar companies. Indeed, if your business deals with personal information, you need to comply with these new changes. If not, you can face both financial penalties and reputational loss if the Privacy Commission publicly announces that you have breached the Privacy Act.

To ensure you comply with your privacy law obligations, you need to:

  • have a privacy officer who knows their duties and handles privacy concerns in your business;
  • evaluate how you handle privacy issues at your business;
  • update your privacy procedures to keep up with the law;
  • have an incident response plan for privacy breaches that can operate quickly and effectively;
  • review any third-party contracts, particularly when you deal with personal information overseas; and
  • train your staff so they know their new privacy duties.

Key Takeaways

The new Privacy Act has been in effect since 1st December 2020, so you need to ensure your business is complying with its new changes. Indeed, you could face both reputational harm and financial penalties if you breach your privacy obligations. If you would like more information or help with applying the new privacy changes at your business, contact LegalVision’s privacy lawyers on 0800 005 570 or fill out the form on this page.

Frequently Asked Questions

What is the Privacy Act?

The Privacy Act outlines New Zealand’s regulations for protecting the privacy of its citizens. It operates on information privacy principles that centre around maintaining privacy rights.

Does the Privacy Act apply to my business?

If your business handles any personal information, then the Privacy Act applies to you, and you must comply with its regulations. Indeed, personal information is any data that can identify any living individual.

When does the new Privacy Act come into force?

The new Privacy Act came into force on December 1st 2020. Therefore, its requirements started applying to organisations in New Zealand from that date.
