Privacy Act 2020 changes

The Privacy Act 2020 aims to keep people’s personal information safe and secure and applies to all organisations and business types, including sole traders, freelancers and contractors. If you collect, store or use personal information about employees or customers, it’s important to be familiar with the revamped act. The legislative amendments reflect the changes in the wider economy and society and ensure it is fit for the technological world we now live in.

Existing privacy requirements
Business are already required to:
• only gather personal information needed for business reasons;
• tell people what you collect, including if you use cookies on your website;
• store personal information safely and securely;
• only keep information while you need it or are legally allowed to keep it;
• respond to someone’s request for personal information within 20 working days;
• update or correct personal information as required, such as a new phone number or address.

What’s new
From 1 December 2020, changes to the act mean that businesses must:
• not destroy personal information to avoid answering a request made if someone asks for information held about them;
• report serious privacy breaches;
• check that any personal information shared with overseas companies is subject to privacy safeguards similar to those in New Zealand. If not, then the individual must be fully informed and expressly authorise the disclosure.
Businesses and organisations must demonstrate that they have undertaken necessary due diligence before making a crossborder disclosure. The exception to this is in certain urgent circumstances when it is necessary to maintain public health or safety, prevent a serious threat to someone’s life or health, or maintain the law. Overseas businesses operating in New Zealand must meet privacy requirements, including multi-nationals offering cloud software or social media services.

The privacy commissioner
The privacy commissioner frequently investigates complaints about businesses or organisations who fail to give people access to their personal information. The commissioner now has greater powers to ensure that companies and organisations comply with their obligations. These include making decisions on complaints relating to access to information, ordering a business to give a person their personal information in the form of an access direction, which is a written notice issued to a company or organisation, and issuing a compliance notice if a business fails to comply with the act. All access directions will outline the steps or conditions the business or organisation needs to take to comply. This will include what information the company or organisation needs to release, the processes they need to follow and the date by which they must take those steps. If a business or organisation disagrees with an access direction, it can appeal to the Human Rights Review Tribunal. An appeal must be lodged within 20 working days of receiving the notice.

Privacy breaches
A privacy breach is where there has been unauthorised or accidental access to personal information, or disclosure, alteration, loss, or destruction of personal information. It can also include a situation where a business or organisation is stopped from accessing information, either temporarily or permanently. Discuss with your staff what to do if there’s a serious privacy breach by talking through potential scenarios so that they know what steps to take. In particular, you must report serious violations to the Office of the Privacy Commissioner (OPC) by phone, email or using the OPC’s online tool, NotifyUs. If a business or organisation has a privacy breach that has caused serious harm, or is likely to do so, the OPC must be notified as soon as possible, and the business or organisation should also notify the affected people.

Criminal offences
It will now be an offence, punishable by a fine of up to $10,000 to:
• fail to notify the OPC of a notifiable privacy breach;
• refuse to comply with a compliance notice issued by the privacy commissioner;
• mislead a business or organisation by impersonating someone, or pretending to act with that person’s authority, to gain access to their personal information or to have it altered or destroyed;
• destroy documents containing personal information, knowing that a request has been made for that information.

Privacy officer
Consider appointing a privacy officer within your organisation to be responsible for compliance with the act. This role would involve acquiring a general understanding of how the act applies to the business, and checking personal information is collected responsibly and stored safely. The role would also include making sure any issues or requests for personal information can be responded to within the time limit and handling privacy complaints made to your business, including working with the OPC on any escalated matters.