New Zealand’s previous privacy legislation, the Privacy Act 1993, was enacted one year after the first ever SMS text message was sent, and one year before Amazon, now the most valuable public company in history, was founded.
Clearly, things have changed, and as of 1 December 2020 (tomorrow), the new Privacy Act 2020 (“the Act”) will come into force. The Act modernises New Zealand’s privacy legislation and addresses some of the novel problems that have arisen over the past 27 years.
In this article, we outline some of the key changes that individuals and agencies should be aware of, in preparation for tomorrow.
Mandatory breach notification
If a business or organisation (“agency”) identifies a privacy breach that may be reasonably believed to have caused (or is likely to cause) serious harm, it must notify the Office of the Privacy Commissioner (“the OPC”) and affected individuals as soon as practicable. The liability for breach notifications will sit with the agency, and not the individual employees. Failure to inform the OPC may result in a fine of up to $10,000.
“Serious harm” can be assessed by considering the sensitivity of the information lost, actions taken to reduce the risk of harm, the nature of the harm that could arise, and any other relevant matters. A breach that does not meet the “serious harm” threshold does not need to be reported to the OPC.
If your business has experienced a potential privacy breach, serious or minor, get in touch with our team to assess your risk.
Introduction of compliance notices
The OPC can issue compliance notices to ensure agencies are compliant with the Act. Compliance notices will describe the steps that the OPC considers are required to remedy non-compliance with the Act and will specify a date by which the agency must make the necessary changes. Failure to adhere to a compliance notice can result in a fine of up to $10,000.
The Act introduces two new criminal offences. It will now be an offence to:
- mislead an agency to access, destroy or alter someone else’s personal information (e.g. impersonating someone in order to access information that you are not entitled to see); and
- destroy personal information, knowing that a request has been made for it.
The maximum fine for these offences is $10,000.
Binding Decisions on Access Requests
Where an agency receives an information request, the OPC can now direct the agency to confirm whether it holds the requested information, give the individual concerned access to that information, and make the information available in a particular way. If the agency refuses to provide the requested information, the OPC will have the power to demand release. The agency has 20 working days to appeal the OPC’s decisions to the Human Rights Review Tribunal (“the Tribunal”).
This will allow faster resolution of complaints relating to information access under Privacy Principle 6, as it will no longer be on the individual to pursue their information request through the Tribunal if the agency refuses access.
The Act explicitly states that it has extraterritorial effect, meaning that any overseas entity that is ‘carrying on business’ in New Zealand must comply with the Act regardless of where they, or their servers, are based. They do not need to have a physical presence in New Zealand. This will affect international digital platforms and offshore businesses, such as Google and Facebook.
Cross border application
The Act creates a new Information Privacy Principle to regulate the way personal information can be sent overseas. Under the new Privacy Principle 12, an agency may only disclose personal information to an overseas agency if the recipient agency is subject to similar safeguards to those in the Act or is whitelisted by the OPC (however, no agencies have achieved this status yet).
If the recipient agency does not have similar privacy protections as those under the Act, the individual concerned must be fully informed that their personal information may not be adequately protected, and they must expressly authorise the disclosure.
Privacy Principle 12 will not apply if the recipient agency, such as a cloud storage provider, does not have independent use of the data, so long as the storage provider does not use that information for its own purposes.
- Unnecessary information – Information Privacy Principle 1 now clarifies that agencies should only collect personal information when necessary.
- Refusing access requests – There are some new exceptions for refusing access to personal information. Such reasons include a serious threat to life or safety, or a threat of serious harassment.
- Evaluative material – Access may also be refused under an evaluative material ground, and the Act has now made clear that performance reviews cannot be withheld under this ground. Under the Act, evaluative material does not include any evaluative or opinion material if it is compiled by an employee of an agency in the ordinary course of their employment or duties.
- Deadline for raising privacy claims – Once the OPC has notified the complainant of the result of their investigation, the complainant has six months to raise their claim in the Tribunal.
How to prepare your business for 1 December 2020 (tomorrow)
- Agencies should ensure that they have a mechanism for capturing and identifying breaches, and for assessing whether any breach reaches the “serious harm” threshold.
- If an agency intends to send personal information overseas:
- ensure the recipient agency has similar privacy safeguards as those under the Act; or
- if such safeguards are not in place, obtain the individual’s informed consent.