Richard Gordon

As more and more businesses and organisations place greater reliance on digital and online services, the topic of ‘personal information’ and ‘privacy’ is becoming increasingly important.

Personal information is any information that relates to an identifiable individual. Most businesses and organisations would collect personal information to some extent.

The Privacy Act 1993 currently governs collection, use, and disclosure of personal information. As technology has advanced rapidly, our privacy laws have become outdated and require a refresh. As a result, a new Privacy Act is coming.

The Privacy Act 2020 is scheduled to come into effect on 1 December 2020, and it is important that businesses and organisations are ready.

What is changing?

  • The biggest change is the requirement for entities to report privacy breaches. If an entity believes there has been a privacy breach (e.g. unauthorised disclosure) that has caused (or is likely to cause) serious harm, the entity must report this breach to the Office of the Privacy Commissioner and the affected individuals.
  • Entities which transfer personal information outside of New Zealand will now only be able to do so:
    • if that transfer has been authorised by the relevant individual; or
    • if the transfer is in accordance with the entity’s current privacy policy, and the entity believes on reasonable grounds that the entity receiving the data is either subject to the new Act, or is subject to privacy laws that provide comparable safeguards to the new Act.
    There is an exception for entities that simply store their data overseas – but these entities are still responsible for the safe storage of that data.
  • The new Act will extend beyond New Zealand in certain scenarios. One example is an entity outside New Zealand that collects or stores personal information from individuals within New Zealand.
  • The Office of the Privacy Commissioner may now issue compliance notices to require compliance with the new Act. Failure to follow compliance notices, or to report a privacy breach, may result in fines of up to $10,000.

What should entities do?

Below is a helpful list of questions organisations and businesses can work through to evaluate whether their “privacy health” is in good shape, or whether some work is required.

  • Does our entity have a thorough understanding of how it collects, uses, and discloses personal information?
  • Is this reflected accurately in our privacy policy?
  • Is our privacy policy easily readable and presented in a way that encourages people to read it?
  • Do we have a Privacy Officer?
  • Do we have a data breach policy to deal with possible data breaches which we may have to report to the Office of the Privacy Commissioner and affected individuals?
  • Are our staff trained to understand the importance of personal information and reporting a data breach?
  • Do we provide personal information overseas? If so, do we have a policy in place or a relevant agreement with the receiving entities regarding storage, use, or disclosure of that information?

If your entity needs to do further work regarding its “privacy health”, or you have any questions regarding your entity’s privacy obligations, please get in touch.