Privacy Act 2020

Although it retains the same basic approach as the 1993 Act, the new Privacy Act 2020 introduces some new features and obligations of which all businesses and organisations dealing with personal information need to be aware.

Information Privacy Principles

The privacy regime in New Zealand is governed by a series of information privacy principles, which act as guidelines for all collection, storage, use, and disclosure of personal information.

The new Act leaves these principles largely unchanged against the 1993 Act, however there are a few additions:

• Data minimisation: You can only collect identifying information if it is necessary. If you don’t need it to achieve your purposes, you should not collect it.
• Manner of collection: This must be fair and reasonable (g. not unreasonably intrusive, in the circumstances). The new Act uses the collection of information from children and young people as a particular example of where circumstances need to be carefully considered.
• Unique identifiers: If you are assigning a unique identifier to an individual (which can only be done if necessary to carry out your functions efficiently), you need to take reasonable steps to protect that identifier from being misused. This is designed to minimise the risk of identity theft.
• Overseas disclosure: This is a brand new principle, applying where you disclose personal information overseas. This is discussed further below.

Mandatory Breach Notification

Under the new Act, agencies which hold personal information now have an obligation to notify individuals and the Privacy Commissioner if they have lost control of that information, where that loss has caused or is likely to cause serious harm. This notification must be made as soon as practicable after you become aware of that loss of control, and must contain certain prescribed information. This gives affected individuals a chance to regain control of their information, for example by changing their password or cancelling their credit card.

However not every breach will require disclosure, and care needs to be taken when determining whether disclosure is necessary in a particular situation. When assessing whether or not a breach has or is likely to cause serious harm, organisations must consider a range of factors including the nature of the information, the nature of the harm, who has obtained access to that information as a result of the breach, and any action that has been taken to reduce the risk of harm.  

The Privacy Commission has an online tool called “NotifyUs”, which can be used to determine whether a privacy breach meets the “serious harm” threshold, and needs to be disclosed.

Failure to notify the Commissioner is a criminal offence carrying a potential fine up of to $10,000.00. An affected individual can also make a complaint to the Commissioner, which could result in additional penalties.

Cross-Border Protections

The new Act recognises that an increasingly globalised economy means that disclosure of information across borders has become commonplace, so a new information privacy principle has been introduced. This allows you to disclose information to overseas organisations, if: 

• There is a contract between you and the overseas organisation which includes privacy protection provisions (the Commission has published model clauses which are available to use);
• The overseas organisation carries on business in New Zealand, and is consequently subject to the Act;
• The overseas organisation is covered by comparable privacy laws in its country of origin; or
• The affected person understands the consequences and consents to the disclosure of their information.

Where you give information to an overseas organisation just to hold, and not to use for its own purposes (for example cloud-based storage), you are still responsible for any privacy breach by that organisation. In some situations, the overseas organisation can be responsible as well.

Access

Individuals have the right to access information held about them. If you refuse to provide that access, the individual can make a complaint to the Privacy Commissioner, who will review your decision to refuse.

You don’t have to provide access in all circumstances, and the grounds on which you can refuse have changed slightly with the new Act. In addition to the existing grounds (for example, protection of an individual, evaluative material, trade secrets), you can now refuse to disclose personal information if disclosure would create:

• A serious threat to the health, safety or life of an individual or public health and safety; or
• A significant risk of serious harassment, or would cause significant distress to the victim of an offence.

If the Commissioner disagrees with your decision to refuse, it can issue an access direction requiring you to provide the information.

Compliance Notices

The Privacy Commissioner has a new power to issue compliance notices, requiring you to do or to stop doing something in order to comply with the Act. The intention is that these notices will allow the Commissioner to go beyond just responding to individual complaints focussing on enforcement and individual harm. Instead, the Commissioner can proactively address systemic issues to reduce the aggregate effect of breaches, without the need for serious harm to an individual. 

If the Commission determines that you could be issued with a compliance notice, you have the right to respond to the draft notice and the right to appeal if and when it is issued. Notices may be either privately issued or publicly notified, depending on the nature of the notice and the public interest in its content. Failure to comply with a notice is an offence, with a penalty of up to $10,000.00.

Other Offences

In addition to the offences of refusing to comply with a compliance notice and failing to report a privacy breach, the new Act introduces two more offences, each of which carry a penalty of up to $10,000.00:

• Misleading an organisation to access someone else’s personal information (e.g. impersonating someone else to access their information, or pretending to act with that person’s authority); and
• Destroying someone’s personal information in response to an access request from them.

Evaluation

Although no material changes may be required to your privacy policy as a result of the changes to the Act, now is a good time for every organisation dealing with personal information to review the systems they have in place for collecting and storing personal information to make sure they are fit for purpose, sufficiently secure and able to be accessed and corrected if requested. 

Jessica is an Associate in our Commercial Team and can be contacted on 07 958 7436.