In NZ we’re lucky to have two things: The Privacy Act which protects the use of our personal information; and Keith Norris, Regulatory Consultant to the NZ Marketing Association. We interviewed Keith about the recent updates to the Privacy Act to find why change was necessary, and we got his advice on the key do’s and don'ts to help you stay within the law.
If you’ve been around the NZ marketing industry for any length of time, Keith Norris is a name you’ll all be familiar with. As the former CEO of the NZ Marketing Association, Keith’s name has become synonymous with all things Privacy. Keith was one of the original advisors to the Privacy Commissioner when the Privacy Act was first formed in 1993 and continues to advise marketers and businesses on privacy compliance today, in his role as Regulatory Consultant to the NZMA.
So when the latest update to the Privacy Act came into force on 1 December 2020, we jumped at the chance to interview Keith. We wanted to explore the history of the Act, what has changed and why, and what we should all be doing as marketers to ensure our Privacy practises are ‘top notch’. Here’s what he had to say…
“In the late 80s to early 1990s direct marketing was flourishing,” said Keith who was then the President of the NZ Direct Marketing Association.
“Around the mid 80s there was a feeling that we should have a national identity card (like a drivers licence). But this was causing a lot of concern, particularly amongst university professors and some radicals, who were nervous about personal privacy. They were concerned about the State having too much control over individuals.”
As momentum was gaining, Keith approached the Privacy Commission to be part of a small group appointed to assist the Commissioner in preparing the 1993 Privacy Act.
“My goal was purely to make sure Direct Marketing was not negatively affected by the Act.”
“The purpose of the Act was very simple. To ensure there was transparency about what information can be collected and how it is used. And that has not changed today.”
Keith went on to explain that the 2020 update to the Act is the first major change to the Act in 27 years, with one additional clause coming into effect in 1998 (principle 11 related to information disclosure).
So it is a testament to the original Privacy Act that it has remained relevant to how we collect, use and manage data today - 27 years on - thanks to Keith and his colleagues.
“Very few have been prosecuted. The only major breaches of the Act have been government departments. Commercial breaches have been very few.”
When asked why that was the case, Keith explained that this is one of the fundamental reasons for the changes to the Act today.
“Up until 1 Dec 2020, the Privacy Commission was not able to act without a complaint. But now they can act with or without a complaint. They now also have more power to investigate breaches by multinational companies operating in New Zealand.”
“Yes. However, taking action may have to go through the Human Rights Tribunal.”
When it comes to the use of cloud-based platforms such as HubSpot, we asked Keith where the responsibility for data protection lies - is it with the software provider, or the organisation using the platform? His response was that under the Act “...there is an assumption that cloud-based data is under the ownership of the organisation that collects and uses the data.” So if you collect it, you’re responsible for it.
“The key reason for this update to the Act is to give the Privacy Commissioner some power to investigate and if necessary, take action when breaches are reported, or suspected,” stated Keith. “The Commissioner now has permission to take offending organisations to court with requests to clean up their act.”
“Under the new Act, the maximum fine is $10,000. However, if a class action for a privacy breach is successful, further penalties may apply depending on the extent of potential ‘harm’ incurred by the breach.”
According to the Privacy Commission blog “The updated Act will allow the Human Rights Review Tribunal to award up to $350,000 to each member of a class action.”
“So a breach that causes harm to a number of people could be really expensive, not to mention the reputational damage,” stated Keith.
An interesting observation Keith shared is how the marketing industry has “...been very well behaved…” when it comes to Privacy compliance. “Marketers are, in general, highly conscious of the need to handle personal data carefully and responsibly. And perhaps because we were there in the very beginning, the industry has encouraged everyone to be fair and transparent.”
Keith explained that there are two key aspects of the new Act that bring us in closer alignment with GDPR:
The reporting of breaches principle now follows GDPR, although the fines in the EU are far greater;
A principle related to the transfer of data overseas requires organisations to make sure that those countries have similar privacy laws and follow similar principles to NZ Privacy Law.
However, the area of 'deemed' consent is still an area open to interpretation in New Zealand. What was Keith’s advice on this?
“You need to follow GDPRs guidelines on explicit consent if you are communicating with individuals in EU countries. But if you’re in doubt, or in an industry dealing with particularly sensitive data (think: harm) then erring on the side of explicit consent is recommended.
In the future, we will probably move closer to GDPR.”
“The reporting of breaches is the key change in that organisations are required to notify the affected people and Privacy Commissioner if a breach that may cause harm has occurred,” explained Keith. “Harm can be seen as intimidation, a breach causing physical harm, or exposing medical or financial records for example.”
On this basis are banks, health services, government departments and local government more at risk? “The legislation covers everybody - and everybody can be prosecuted, unlike in the past,” states Keith.
“If you follow marketing best practices then you’re covered,” Keith stated. “Principle 3 under the Act is the most important one to remember: when you collect info, you must tell people you’re collecting it and how you're going to use it.”
So, in a nutshell:
Keith advises that an important clause to add is to tell people they have the right to complain to the Privacy Commission if they believe there has been a breach of their privacy.
“In addition, if your business communicates or collects data from children, it is wise to have parental permission whenever communicating with young adults under 14 yrs,” Keith says.
“That’s a great question. While it’s not necessary to repeat a request for consent at every point of collection following the first point of collection, there is always the risk of system or management failure. So a short statement with a link to your full privacy statement at all points of collection is advisable.”
So 27 years on, the world has changed dramatically. Yet, the Privacy Act holds fast and stronger than ever to ensure the transparency of data collection for the people of New Zealand. On behalf of the New Zealand Marketing community, we’d like to express our gratitude to Keith Norris for his time during this interview, for sharing his wealth of knowledge on this topic, and for his ongoing commitment to best practices in our industry.
Sign up to receive updates on events, training and more from the MA.