Insights

The Privacy Act 2020 (Act) came into force on 1 December 2020 and applies to any individuals, businesses, or organisations that collect personal information.

If your business collects information from customers, suppliers or others, you should review your policies and internal procedures to ensure they comply with the obligations under the Act.

Is your “privacy health” up to date?

Businesses should review their procedures and policies in light of the new Act. Below are some questions to consider whether you comply with your obligations under the Act.

1. Do you have a privacy statement, and does it correctly reflect the information you collect?
2. Have you reviewed your privacy policy?
3. Do you have a privacy officer? This is now a requirement under the Act. 
4. Do you have sufficient security in place to protect the personal information you collect?
5. Have you reviewed your contracts with suppliers and businesses who process your information? Have you incorporated breach notification obligations?
6. If you provide information overseas, do you have agreements with the organisation receiving the information?
7. Do you have internal procedures and a data breach response plan in place?
8. Do you provide training to your staff on privacy and reporting breaches?

If these questions make you question your privacy policies or you would like advice on the Privacy Act, please contact one of Gibson Sheat’s Privacy experts:

Key changes

The key changes to the Act are:

1. Mandatory privacy breach notification obligations: You have to notify the Privacy Commissioner and any affected individuals if there has been a privacy breach.

What is a privacy breach?

A privacy breach is notifiable if it is reasonable to believe it has caused (or is likely to cause) serious harm to an affected individual. A breach may be:

• A confidentiality breach – unauthorised or accidental access to, disclosure, alteration, loss, or destruction of, personal information. Common examples include sending an email to the wrong person, laptop or paper records with customer’s data being lost or stolen, staff improperly accessing customer information, or disclosing information inappropriately.
• Availability breach – you are prevented from accessing information. This may be a cyber-attack.

What is “serious harm”?

Harm may be specific damage (financial loss, loss of employment, physical injury), loss of benefits (any adverse effect on the rights and interests of an individual), or emotional harm (significant humiliation, damage to dignity, or injury to feelings). Whether it is serious harm will depend on the specific circumstances of the breach.

An assessment of serious harm should take into account the following factors:

• What mitigation actions have been taken to reduce the risk of harm.
• The nature of the information and level of sensitivity
• Whether there are security measure in place to protect the information.
• The nature of harm to the affected individuals.
• Recipient of the information – there is a greater risk of serious harm if the information is in the hands of someone with malicious intent.

The Office of the Privacy Commissioner has a helpful tool to assist in determining whether the “serious harm” threshold has been met and whether a notifiable breach has occurred. - https://privacy.org.nz/privacy-for-agencies/privacy-breaches/notify-us/evaluate.

2. Extra-territorial application: The Act will apply to overseas agencies if they collect and hold personal information in the course of carrying on business in New Zealand.
    
3. Cross-border disclosure: New principle 12 has been introduced whereby you cannot send personal information outside of New Zealand unless:

• The organisation is carrying on business in New Zealand, so it is subject to the Act
• The organisation is subject to privacy laws that provide comparable safeguards to the Act.
• There are contractual obligations that ensure the protection of privacy. Office of the Privacy Commissioner has developed model clauses for agencies to use to comply with this principle. These are available here 
• The individual has authorised disclosure and have been informed that the destination may not have comparable protections.  

4. Criminal offences: Failure to notify the Privacy Commissioner of a privacy breach or failure to follow a compliance notice may result in a fine of up to $10,000.

If the information in this article has raised some questions for you or you would like any advice on the Privacy Act or your current policies, please contact Gibson Sheat’s Privacy experts: