Changes amending the Privacy Act 1993 come into effect on 1 December 2020. The amendment strengthens the existing privacy principles and adds new requirements. The majority of the changes affect only how the laws are enforced. The changes which potentially affect businesses focus on risk management and early intervention. These changes affect businesses with respect to the information they hold on their employees and customers.
The main changes include:
- You will have to report serious harm privacy breaches to the Privacy Commissioner.
- Destroying documents that contain personal information after a request has been made for that information will now be considered a criminal offence.
- You need to ensure that any overseas provider that holds personal information for you or your customers meets New Zealand privacy laws.
Serious harm privacy breaches are determined by considering the facts of the case. Consideration would be given to the sensitivity of the information lost, what has been done to reduce the risk of harm, the nature of the harm that could be caused and any other relevant information. The Office of the Privacy Commissioner will have an online privacy breach notification tool to assist with reporting.
The amendment gives greater compliance powers to the Privacy Commissioner: to issue compliance notices requiring an agency to do, or not do, something in order to comply with the Act, and to issue enforceable access directions requiring agencies to provide access to personal information requested by individuals.
For businesses that store customer information electronically, it is recommended that you create a compliant data breach plan and check with your IT providers what their protections and guarantees are, including overseas companies, particularly if you store your data with a cloud service.
To meet the requirements for information sent or held overseas you must either:
- be reasonably satisfied that the foreign person or entity is subject to laws which provide comparable safeguards as the Act, or has agreed to be bound by comparable safeguards as those found in the Act; or
- have expressly informed the individual that the foreign entity or person may not be required to protect the information in a way that provides comparable safeguards, and you must obtain the individual’s authorisation to the disclosure on that basis.
At this stage, all companies should examine their risk and prepare to be compliant when the changes come into effect in December.