THE PRIVACY ACT 2020
The Privacy Act 2020 - What does it mean for you?
A new Privacy Act came into force on 1 December 2020. The Privacy Act 2020 has repealed and replaced the outdated Privacy Act 1993 to take into account years of review and implement a much-needed overhaul of regulations in relation to data protection in our current digital age.
The Act strengthens privacy protections for individuals and promotes risk management and intervention by enhancing the role of the Privacy Commissioner. This Act applies to all businesses that may collect and/or store personal information about other people, such as employers who may have to collect and hold information on employees or customers.
What are the key changes?
Notifiable Privacy Breaches
The updated Privacy Act places the requirement on a business or organisation to report any serious privacy breaches. If a breach has happened and it is likely to cause serious harm to someone, then the business or organisation has an obligation to notify both the person affected and the office of the Privacy Commissioner as soon as possible. It is an offence to fail to make the required notifications, and the business can potentially be fined up to $10,000.00. This means that businesses or organisations must have robust systems in place to identify and report privacy breaches as soon as one takes place.
The new Privacy Act gives the Privacy Commissioner the ability to issue businesses or organisations with compliance notices to require them to do or stop doing something to remedy non-compliance with the Act. It is an offence to refuse to comply with one of these notices, punishable by a fine of up to $10,000.00.
Binding Decisions on Access Requests
The Privacy Commissioner will be able to make binding decisions on complaints about access to information and will be able to direct a business or organisation to release requested personal data to an individual. These directions will be enforceable in the Human Rights Review Tribunal and may result in a $10,000.00 fine if employers do not comply. This power will be far wider than under the previous legislation.
Cross Border Protections
Privacy Principle 12 of the new Act aims to ensure that personal information sent overseas is subject to similar safeguards as it would be under New Zealand law. A business or organisation may only disclose personal information to an overseas agency if that agency has a similar level of protection to New Zealand or if the individual authorises disclosure, being fully informed of the situation.
New Criminal Offences
The Act introduces new criminal offences for breaches of the Act. It will now be a criminal offence to mislead a business or organisation in order to gain access to personal information by impersonating someone. It will also be a criminal offence to destroy a document containing personal information knowing that a request has been made for that information. The penalty in these cases will be a fine of up to $10,000.00.
Any business or organisation that collects and/or stores personal information from other people must review their current systems and processes to ensure that they have robust data collection systems in place. It is a business owner’s responsibility to understand their obligations under the new Act and to ensure that they are followed. We recommend that you consider whether you really need to collect identifying information and if so, what the best way to store and protect it will be.
Please contact us for advice about how the changes may affect your business.
Disclaimer: The information in this brief article is a summary only and does not constitute legal advice. Meares Williams Lawyers do not accept any liability to you or anyone else for doing something, or omitting to do something, on the information provided above.